| <?xml version="1.0"?> |
| <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd"> |
| <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?> |
| <!-- $LastChangedRevision$ --> |
| |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| |
| <modulesynopsis metafile="mod_dav.xml.meta"> |
| |
| <name>mod_dav</name> |
| <description>Distributed Authoring and Versioning |
| (<a href="http://www.webdav.org/">WebDAV</a>) functionality</description> |
| <status>Extension</status> |
| <sourcefile>mod_dav.c</sourcefile> |
| <identifier>dav_module</identifier> |
| |
| <summary> |
| <p>This module provides class 1 and class 2 <a |
| href="http://www.webdav.org">WebDAV</a> ('Web-based Distributed |
| Authoring and Versioning') functionality for Apache. This |
| extension to the HTTP protocol allows creating, moving, |
| copying, and deleting resources and collections on a remote web |
| server.</p> |
| </summary> |
| <seealso><module>mod_dav_fs</module></seealso> |
| <seealso><directive module="core">LimitXMLRequestBody</directive></seealso> |
| |
| <section id="example"><title>Enabling WebDAV</title> |
| <p>To enable <module>mod_dav</module>, add the following to a |
| container in your <code>httpd.conf</code> file:</p> |
| |
| <highlight language="config"> |
| Dav On |
| </highlight> |
| |
| <p>This enables the DAV file system provider, which is implemented |
| by the <module>mod_dav_fs</module> module. Therefore, that module |
| must be compiled into the server or loaded at runtime using the |
| <directive module="mod_so">LoadModule</directive> directive.</p> |
| |
| <p>You may wish to add a <directive module="core" type="section" |
| >Limit</directive> clause inside the <directive module="core" |
| type="section">Location</directive> directive to limit access to |
| DAV-enabled locations. If you want to set the maximum amount of |
| bytes that a DAV client can send at one request, you have to use |
| the <directive module="core">LimitXMLRequestBody</directive> |
| directive. The "normal" <directive module="core" |
| >LimitRequestBody</directive> directive has no effect on DAV |
| requests.</p> |
| |
| <example><title>Full Example</title> |
| <highlight language="config"> |
| <Directory "/usr/local/apache2/htdocs/foo"> |
| Require all granted |
| Dav On |
| |
| AuthType Basic |
| AuthName "DAV" |
| AuthUserFile "user.passwd" |
| |
| <LimitExcept GET POST OPTIONS> |
| Require user admin |
| </LimitExcept> |
| </Directory> |
| </highlight> |
| </example> |
| |
| </section> |
| |
| <section id="security"><title>Security Issues</title> |
| |
| <p>Since DAV access methods allow remote clients to manipulate |
| files on the server, you must take particular care to assure that |
| your server is secure before enabling <module>mod_dav</module>.</p> |
| |
| <p>Any location on the server where DAV is enabled should be |
| protected by authentication. The use of HTTP Basic Authentication |
| is not recommended. You should use at least HTTP Digest |
| Authentication, which is provided by the |
| <module>mod_auth_digest</module> module. Nearly all WebDAV clients |
| support this authentication method. An alternative is Basic |
| Authentication over an <a href="../ssl/">SSL</a> enabled |
| connection.</p> |
| |
| <p>In order for <module>mod_dav</module> to manage files, it must |
| be able to write to the directories and files under its control |
| using the <directive module="mod_unixd">User</directive> and |
| <directive module="mod_unixd">Group</directive> under which |
| Apache is running. New files created will also be owned by this |
| <directive module="mod_unixd">User</directive> and <directive |
| module="mod_unixd">Group</directive>. For this reason, it is |
| important to control access to this account. The DAV repository |
| is considered private to Apache; modifying files outside of Apache |
| (for example using FTP or filesystem-level tools) should not be |
| allowed.</p> |
| |
| <p><module>mod_dav</module> may be subject to various kinds of |
| denial-of-service attacks. The <directive |
| module="core">LimitXMLRequestBody</directive> directive can be |
| used to limit the amount of memory consumed in parsing large DAV |
| requests. The <directive |
| module="mod_dav">DavDepthInfinity</directive> directive can be |
| used to prevent <code>PROPFIND</code> requests on a very large |
| repository from consuming large amounts of memory. Another |
| possible denial-of-service attack involves a client simply filling |
| up all available disk space with many large files. There is no |
| direct way to prevent this in Apache, so you should avoid giving |
| DAV access to untrusted users.</p> |
| </section> |
| |
| <section id="complex"><title>Complex Configurations</title> |
| |
| <p>One common request is to use <module>mod_dav</module> to |
| manipulate dynamic files (PHP scripts, CGI scripts, etc). This is |
| difficult because a <code>GET</code> request will always run the |
| script, rather than downloading its contents. One way to avoid |
| this is to map two different URLs to the content, one of which |
| will run the script, and one of which will allow it to be |
| downloaded and manipulated with DAV.</p> |
| |
| <highlight language="config"> |
| Alias "/phparea" "/home/gstein/php_files" |
| Alias "/php-source" "/home/gstein/php_files" |
| <Location "/php-source"> |
| Dav On |
| ForceType text/plain |
| </Location> |
| </highlight> |
| |
| <p>With this setup, <code>http://example.com/phparea</code> can be |
| used to access the output of the PHP scripts, and |
| <code>http://example.com/php-source</code> can be used with a DAV |
| client to manipulate them.</p> |
| </section> |
| |
| <directivesynopsis> |
| <name>Dav</name> |
| <description>Enable WebDAV HTTP methods</description> |
| <syntax>Dav On|Off|<var>provider-name</var></syntax> |
| <default>Dav Off</default> |
| <contextlist><context>directory</context></contextlist> |
| |
| <usage> |
| <p>Use the <directive>Dav</directive> directive to enable the |
| WebDAV HTTP methods for the given container:</p> |
| |
| <highlight language="config"> |
| <Location "/foo"> |
| Dav On |
| </Location> |
| </highlight> |
| |
| <p>The value <code>On</code> is actually an alias for the default |
| provider <code>filesystem</code> which is served by the <module |
| >mod_dav_fs</module> module. Note, that once you have DAV enabled |
| for some location, it <em>cannot</em> be disabled for sublocations. |
| For a complete configuration example have a look at the <a |
| href="#example">section above</a>.</p> |
| |
| <note type="warning"> |
| Do not enable WebDAV until you have secured your server. Otherwise |
| everyone will be able to distribute files on your system. |
| </note> |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>DavBasePath</name> |
| <description>Configure repository root path</description> |
| <syntax>DavBasePath <var>root-path</var></syntax> |
| <default>None</default> |
| <contextlist><context>directory</context></contextlist> |
| <compatibility>Available in version 2.4.58 and later</compatibility> |
| |
| <usage> |
| <p>If a DAV repository is configured using a regular expression |
| match (such as <directive module="core">LocationMatch</directive>) |
| then <module>mod_dav</module> will not be able to find the root of |
| the repository from the pathname alone. Third-party providers (for |
| example, Subversion's <a |
| href="https://svnbook.red-bean.com/en/1.7/svn.ref.mod_dav_svn.conf.html">mod_dav_svn</a>) |
| may fail to handle requests without the correct repository root.</p> |
| |
| <p>To allow providers to work correctly in such a configuration, |
| <directive>DavBasePath</directive> must be used.</p> |
| |
| <example><title>Example</title> |
| <highlight language="config"> |
| <LocationMatch "^/repos/"> |
| Dav svn |
| DavBasePath /repos |
| SVNParentPath /var/svn |
| </LocationMatch> |
| </highlight> |
| </example> |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>DavMinTimeout</name> |
| <description>Minimum amount of time the server holds a lock on |
| a DAV resource</description> |
| <syntax>DavMinTimeout <var>seconds</var></syntax> |
| <default>DavMinTimeout 0</default> |
| <contextlist><context>server config</context><context>virtual host</context> |
| <context>directory</context></contextlist> |
| |
| <usage> |
| <p>When a client requests a DAV resource lock, it can also |
| specify a time when the lock will be automatically removed by |
| the server. This value is only a request, and the server can |
| ignore it or inform the client of an arbitrary value.</p> |
| |
| <p>Use the <directive>DavMinTimeout</directive> directive to specify, in |
| seconds, the minimum lock timeout to return to a client. |
| Microsoft Web Folders defaults to a timeout of 120 seconds; the |
| <directive>DavMinTimeout</directive> can override this to a higher value |
| (like 600 seconds) to reduce the chance of the client losing |
| the lock due to network latency.</p> |
| |
| <example><title>Example</title> |
| <highlight language="config"> |
| <Location "/MSWord"> |
| DavMinTimeout 600 |
| </Location> |
| </highlight> |
| </example> |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>DavDepthInfinity</name> |
| <description>Allow PROPFIND, Depth: Infinity requests</description> |
| <syntax>DavDepthInfinity on|off</syntax> |
| <default>DavDepthInfinity off</default> |
| <contextlist><context>server config</context><context>virtual host</context> |
| <context>directory</context></contextlist> |
| |
| <usage> |
| <p>Use the <directive>DavDepthInfinity</directive> directive to |
| allow the processing of <code>PROPFIND</code> requests containing the |
| header 'Depth: Infinity'. Because this type of request could constitute |
| a denial-of-service attack, by default it is not allowed.</p> |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>DavMSext</name> |
| <description>Enable support for Microsoft extensions</description> |
| <syntax>DavMSext None | [+|-]WDV | All</syntax> |
| <default>DavMSext None</default> |
| <contextlist><context>server config</context><context>virtual host</context> |
| <context>directory</context></contextlist> |
| |
| <usage> |
| <p>The <directive>DavMSext</directive> directive enables support |
| for Microsoft extensions. Possible values are:</p> |
| <ul> |
| <li><code>None</code> No Microsoft extension is enabled.</li> |
| <li><code>WDV</code> Enable support for |
| <a href="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wdv">MS-WDV</a>. |
| </li> |
| <li><code>All</code> All implemented Microsoft extension |
| are enabled. Currently, this is means <code>WDV</code> as |
| it is the only Microsoft extension implemented.</li> |
| </ul> |
| |
| </usage> |
| </directivesynopsis> |
| |
| </modulesynopsis> |
| |
| |