Return-Path:
<Directory>
sections and
.htaccess
files are read, and after the <Files>
sections.
Note that URLs do not have to line up with the filesystem at
- all, it should be emphasized that <Location>
operates completely
- outside the filesystem.
<Location>
sections operate
+ completely outside the filesystem. This has several consequences.
+ Most importantly, <Location>
+ directives should not be used to control access to filesystem
+ locations. Since several different URLs may map to the same
+ filesystem location, such access controls may by circumvented.
<Location>
Use <Location>
to apply
+ directives to content that lives outside the filesystem. For
+ content that lives in the filesystem, use <Directory>
and <Files>
. An exception is
+ <Location />
, which is an easy way to
+ apply a configuration to the entire server.
For all origin (non-proxy) requests, the URL to be matched is a
URL-path of the form /path/
. No scheme, hostname,
1.12.2.2 +87 -16 httpd-2.0/docs/manual/mod/mod_dav.html.en
Index: mod_dav.html.en
===================================================================
RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_dav.html.en,v
retrieving revision 1.12.2.1
retrieving revision 1.12.2.2
diff -u -d -b -u -r1.12.2.1 -r1.12.2.2
--- mod_dav.html.en 11 Dec 2002 22:08:41 -0000 1.12.2.1
+++ mod_dav.html.en 21 Apr 2003 15:12:58 -0000 1.12.2.2
@@ -42,6 +42,8 @@
DavLockDB
Dav On
This enables the DAV file system provider, which is implemented by
- the mod_dav_fs
module. Therefore that module has to
- be compiled into the server or has to be loaded at runtime using the
+
This enables the DAV file system provider, which is implemented
+ by the mod_dav_fs
module. Therefore, that module
+ must be compiled into the server or loaded at runtime using the
LoadModule
directive.
In order to make it work you have to specify a web-server writable
- filename for the DAV lock database by adding the following to the
- global section in your httpd.conf
file:
In addition, a location for the DAV lock database must be
+ specified in the global section of your httpd.conf
+ file:
- DavLockDB /tmp/DavLock
+ DavLockDB /usr/local/apache2/var/DavLock
The directory containing the lock database file must be
+ writable by the User
+ and Group
under which
+ Apache is running. For security reasons, you should create a
+ directory for this purpose rather than changing the permissions on
+ an existing directory. In the above example, Apache will create
+ files in the /usr/local/apache2/var/
directory
+ with the base filename DavLock
and extension name
+ chosen by the server.
You may wish to add a <Limit>
clause inside the <Location>
directive to limit access to
DAV-enabled locations. If you want to set the maximum amount of
bytes that a DAV client can send at one request, you have to use
@@ -87,7 +99,7 @@
AuthName DAV
AuthUserFile user.passwd
- <LimitExcept GET HEAD OPTIONS>
+ <LimitExcept GET OPTIONS>
require user admin
@@ -96,14 +108,73 @@
</Location>
The use of HTTP Basic Authentication is not recommended. You
- should use at least HTTP Digest Authentication, which is provided by
- the mod_auth_digest
module. Nearly all WebDAV clients
- support this authentication method. Of course, Basic Authentication
- over an SSL enabled connection is secure,
- too.
mod_dav
is a descendent of Greg Stein's mod_dav for Apache 1.3. More
+ information about the module is available from that site.
Since DAV access methods allow remote clients to manipulate
+ files on the server, you must take particular care to assure that
+ your server is secure before enabling mod_dav
.
Any location on the server where DAV is enabled should be
+ protected by authentication. The use of HTTP Basic Authentication
+ is not recommended. You should use at least HTTP Digest
+ Authentication, which is provided by the
+ mod_auth_digest
module. Nearly all WebDAV clients
+ support this authentication method. An alternative is Basic
+ Authentication over an SSL enabled
+ connection.
In order for mod_dav
to manage files, it must
+ be able to write to the directories and files under its control
+ using the User
and
+ Group
under which
+ Apache is running. New files created will also be owned by this
+ User
and Group
. For this reason, it is
+ important to control access to this account. The DAV repository
+ is considered private to Apache; modifying files outside of Apache
+ (for example using FTP or filesystem-level tools) should not be
+ allowed.
mod_dav
may be subject to various kinds of
+ denial-of-service attacks. The LimitXMLRequestBody
directive can be
+ used to limit the amount of memory consumed in parsing large DAV
+ requests. The DavDepthInfinity
directive can be
+ used to prevent PROPFIND
requests on a very large
+ repository from consuming large amounts of memory. Another
+ possible denial-of-service attack involves a client simply filling
+ up all available disk space with many large files. There is no
+ direct way to prevent this in Apache, so you should avoid giving
+ DAV access to untrusted users.
One common request is to use mod_dav
to
+ manipulate dynamic files (PHP scripts, CGI scripts, etc). This is
+ difficult because a GET
request will always run the
+ script, rather than downloading its contents. One way to avoid
+ this is to map two different URLs to the content, one of which
+ will run the script, and one of which will allow it to be
+ downloaded and manipulated with DAV.
+Alias /phparea /home/gstein/php_files
+Alias /php-source /home/gstein/php_files
+<Location /php-source>
+
+ DAV On
+ ForceType text/plain
+
+</Location>
+
With this setup, http://example.com/phparea
can be
+ used to access the output of the PHP scripts, and
+ http://example.com/php-source
can be used with a DAV
+ client to manipulate them.