Return-Path: Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 20554 invoked by uid 500); 21 Apr 2003 15:12:59 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 20543 invoked by uid 500); 21 Apr 2003 15:12:59 -0000 Delivered-To: apmail-httpd-2.0-cvs@apache.org Date: 21 Apr 2003 15:12:58 -0000 Message-ID: <20030421151258.83048.qmail@icarus.apache.org> From: slive@apache.org To: httpd-2.0-cvs@apache.org Subject: cvs commit: httpd-2.0/docs/manual/mod core.html.en mod_dav.html.en X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N slive 2003/04/21 08:12:58 Modified: docs/manual/mod Tag: APACHE_2_0_BRANCH core.html.en mod_dav.html.en Log: Update transformations. Revision Changes Path No revision No revision 1.46.2.19 +15 -3 httpd-2.0/docs/manual/mod/core.html.en Index: core.html.en =================================================================== RCS file: /home/cvs/httpd-2.0/docs/manual/mod/core.html.en,v retrieving revision 1.46.2.18 retrieving revision 1.46.2.19 diff -u -d -b -u -r1.46.2.18 -r1.46.2.19 --- core.html.en 14 Apr 2003 18:44:35 -0000 1.46.2.18 +++ core.html.en 21 Apr 2003 15:12:58 -0000 1.46.2.19 @@ -1740,9 +1740,21 @@ order they appear in the configuration file, after the <Directory> sections and .htaccess files are read, and after the <Files> sections.

-

Note that URLs do not have to line up with the filesystem at - all, it should be emphasized that <Location> operates completely - outside the filesystem.

+

<Location> sections operate + completely outside the filesystem. This has several consequences. + Most importantly, <Location> + directives should not be used to control access to filesystem + locations. Since several different URLs may map to the same + filesystem location, such access controls may by circumvented.

+ +

When to use <Location>

+ +

Use <Location> to apply + directives to content that lives outside the filesystem. For + content that lives in the filesystem, use <Directory> and <Files>. An exception is + <Location />, which is an easy way to + apply a configuration to the entire server.

+

For all origin (non-proxy) requests, the URL to be matched is a URL-path of the form /path/. No scheme, hostname, 1.12.2.2 +87 -16 httpd-2.0/docs/manual/mod/mod_dav.html.en Index: mod_dav.html.en =================================================================== RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_dav.html.en,v retrieving revision 1.12.2.1 retrieving revision 1.12.2.2 diff -u -d -b -u -r1.12.2.1 -r1.12.2.2 --- mod_dav.html.en 11 Dec 2002 22:08:41 -0000 1.12.2.1 +++ mod_dav.html.en 21 Apr 2003 15:12:58 -0000 1.12.2.2 @@ -42,6 +42,8 @@

Topics

See also

  • DavLockDB
    • @@ -56,19 +58,29 @@

    Dav On

    -

    This enables the DAV file system provider, which is implemented by - the mod_dav_fs module. Therefore that module has to - be compiled into the server or has to be loaded at runtime using the +

    This enables the DAV file system provider, which is implemented + by the mod_dav_fs module. Therefore, that module + must be compiled into the server or loaded at runtime using the LoadModule directive.

    -

    In order to make it work you have to specify a web-server writable - filename for the DAV lock database by adding the following to the - global section in your httpd.conf file:

    +

    In addition, a location for the DAV lock database must be + specified in the global section of your httpd.conf + file:

    - DavLockDB /tmp/DavLock + DavLockDB /usr/local/apache2/var/DavLock

    +

    The directory containing the lock database file must be + writable by the User + and Group under which + Apache is running. For security reasons, you should create a + directory for this purpose rather than changing the permissions on + an existing directory. In the above example, Apache will create + files in the /usr/local/apache2/var/ directory + with the base filename DavLock and extension name + chosen by the server.

    +

    You may wish to add a <Limit> clause inside the <Location> directive to limit access to DAV-enabled locations. If you want to set the maximum amount of bytes that a DAV client can send at one request, you have to use @@ -87,7 +99,7 @@ AuthName DAV
    AuthUserFile user.passwd

    - <LimitExcept GET HEAD OPTIONS>
    + <LimitExcept GET OPTIONS>
    require user admin
     @@ -96,14 +108,73 @@ </Location>

    -

    Security

    -

    The use of HTTP Basic Authentication is not recommended. You - should use at least HTTP Digest Authentication, which is provided by - the mod_auth_digest module. Nearly all WebDAV clients - support this authentication method. Of course, Basic Authentication - over an SSL enabled connection is secure, - too.

    -
    +

    mod_dav is a descendent of Greg Stein's mod_dav for Apache 1.3. More + information about the module is available from that site.

    +
    top
    +
    +

    Security Issues

    + +

    Since DAV access methods allow remote clients to manipulate + files on the server, you must take particular care to assure that + your server is secure before enabling mod_dav.

    + +

    Any location on the server where DAV is enabled should be + protected by authentication. The use of HTTP Basic Authentication + is not recommended. You should use at least HTTP Digest + Authentication, which is provided by the + mod_auth_digest module. Nearly all WebDAV clients + support this authentication method. An alternative is Basic + Authentication over an SSL enabled + connection.

    + +

    In order for mod_dav to manage files, it must + be able to write to the directories and files under its control + using the User and + Group under which + Apache is running. New files created will also be owned by this + User and Group. For this reason, it is + important to control access to this account. The DAV repository + is considered private to Apache; modifying files outside of Apache + (for example using FTP or filesystem-level tools) should not be + allowed.

    + +

    mod_dav may be subject to various kinds of + denial-of-service attacks. The LimitXMLRequestBody directive can be + used to limit the amount of memory consumed in parsing large DAV + requests. The DavDepthInfinity directive can be + used to prevent PROPFIND requests on a very large + repository from consuming large amounts of memory. Another + possible denial-of-service attack involves a client simply filling + up all available disk space with many large files. There is no + direct way to prevent this in Apache, so you should avoid giving + DAV access to untrusted users.

    +
    top
    +
    +

    Complex Configurations

    + +

    One common request is to use mod_dav to + manipulate dynamic files (PHP scripts, CGI scripts, etc). This is + difficult because a GET request will always run the + script, rather than downloading its contents. One way to avoid + this is to map two different URLs to the content, one of which + will run the script, and one of which will allow it to be + downloaded and manipulated with DAV.

    + +

    +Alias /phparea /home/gstein/php_files
    +Alias /php-source /home/gstein/php_files
    +<Location /php-source> + + DAV On
    + ForceType text/plain
    +     +</Location> +

    + +

    With this setup, http://example.com/phparea can be + used to access the output of the PHP scripts, and + http://example.com/php-source can be used with a DAV + client to manipulate them.

    top

    Dav Directive