Managing your Apache HTTP
Web Server Content with
mod_dav and mod_ftp
William A. Rowe, Jr., ASF Member, httpd and APR projects
Sr. Software Engineer, Covalent Technologies
The Choices
• upload scripts
• content management applications
• ssh (scp) or nfs/samba filesystems
• WebDAV (mod_dav)
• ftpd (strictly using ssl/tls), or mod_ftp
Upload scripts
• Mostly, they suck
• Notorious (bugtraq / vuln-dev notoriety)
• Quite possibly ideal for narrow-focus,
tightly controlled applications such as
media, photos, web 2.0 updates etc.
CMS Applications
• Single purposed (not a solution for a
diverse author base).
• Deploy corresponding CMS server agent
required by each of the authoring tools.
• As secure as the design paradigm.
ssh (scp)
• Secure (Very)
• Requires 1:1 system accounts to web
administrators
• Keys strongly recommended over
password access
• One more service to administer
nfs/samba
• Requires 1:1 user:author accounts
• On the locally deployed server – ideal
• Sub-par solution for remotely co-located
web server infrastructure
• One more service to administer
WebDAV / mod_dav
• Does not require 1:1 users to authors
• Easily secured with https: (ssl/tls)
• Short of ftp, the most widely deployed
and flexible authoring solution
(no lock-in!)
ftpd for Content
• Requires 1:1 accounts per web admin
• (Unless anonymous, which is the worse
of two evils)
• Non-SSL security is worse than no
security (packet sniffers, anyone?)
• One more service to administer
ftp using mod_ftp + tls/ssl
• Does -not- require 1:1 users / authors.
• All content is written with the ownership
of the user which httpd is running as
(same as mod_dav).
• Passwords and content are all secured
on the wire with implicit or explicit ssl.
The Criteria
• Single administrative solution
• Secure / Encrypted transactions (ssl/tls)
• Apache HTTP security context (httpd
managed users, not system accounts)
The bottom line – our Authors
• Lenya, Slide, Vignette & many more
clients, including MS Web Folders and
MS Office all support WebDAV
• More ancient clients will support ftp
• Flexibility without frequent server-side
installation churn
The Solutions
• mod_dav – the modern connector
• mod_ftp – the legacy connector
• Add mod_ssl – avoid plaintext over the
wire for either protocol
• Single security-context for content
mod_dav_fs
• mod_dav is simply a protocol
• mod_dav_fs does the heavy 'filesystem'
lifting of file content – and locking
• You must leverage both modules!
• See conf/extras/httpd-dav.conf
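The pairing of the two modules in httpd 2.2 configuration, as an added example (not from the slides; compare with the conf/extra/httpd-dav.conf file httpd ships). Paths and the password file are assumptions:

```apache
# Added example: mod_dav speaks the protocol, mod_dav_fs provides the
# filesystem backend and the lock manager. Both must be loaded.
LoadModule dav_module    modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so

# mod_dav_fs state: the LOCK/UNLOCK database. Its directory must be
# writable by the User httpd runs as, or every LOCK request fails.
# (assumed path)
DavLockDB "/var/lock/apache2/DavLock"
# Minimum lock lifetime granted (seconds). The httpd docs recommend
# raising it because MS Web Folders requests very short locks.
DavMinTimeout 600

<Directory "/var/www/site">
    # "Dav On" selects the filesystem provider; "Dav filesystem" is the
    # same thing spelled out, which matters once a second provider exists.
    Dav filesystem

    # Keep PROPFIND "Depth: infinity" refused (the default) so a single
    # request cannot walk the whole tree, and cap the XML body mod_dav parses.
    DavDepthInfinity Off
    LimitXMLRequestBody 1000000

    # Authors are httpd-managed users in a password file, reached over TLS.
    SSLRequireSSL
    AuthType Basic
    AuthName "Authors"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/authors.passwd"
    Require valid-user
</Directory>

# Client workarounds carried in httpd-dav.conf: these agents mishandle
# redirects on collections, so httpd answers them more conservatively.
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
```

The lock database and the content tree end up owned by the same low-privilege identity, which is the "single security context" the deck argues for; what that identity may touch is decided by filesystem permissions, not by httpd.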
mod_ftp
• Here – but not yet here
• http://httpd.apache.org/modules/ will
keep you up to date with its first release
• Not for the timid, but for the impatient:
http://svn.apache.org/repos/asf/httpd/mod_ftp/trunk/STATUS
Authorization Options
• For few authors, mod_authz_username
• For many, mod_authz_dbd/dbm/ldap
help manage the users
Permissions and Ownership
• Apache defaults to User Nobody
• For authoring, use a generally
low-privilege account e.g. “webauthor”
• Must have read/write to the web contents
More Secure Permissions
• Consider two httpd instances, author and
user instances, two separate Users
• Short of the 'perchild' MPM – these must be
physical (IP-based) vhosts. (For SSL,
they must be IP-based vhosts anyway.)
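What the two-instance layout looks like on disk and in httpd 2.2 configuration, as an added example that is not part of the slides. Addresses, paths, account and group names are assumptions; the filesystem setup in the leading comment is one way to give the author identity write access and the public identity read-only access:

```apache
# Added example: two httpd instances, one for authors and one for the
# public, each under its own User and on its own IP address.
#
# One-time filesystem setup assumed (run as root) so that webauthor owns
# and writes the tree while www can only read it through the shared group:
#   groupadd web && useradd -g web webauthor && useradd -g web www
#   chown -R webauthor:web /var/www/site
#   find /var/www/site -type d -exec chmod 2750 {} \;   # setgid: new dirs keep the group
#   find /var/www/site -type f -exec chmod 0640 {} \;
#   install -d -o webauthor -g web -m 0750 /var/lock/apache2-author

### /etc/apache2/author.conf   (start: httpd -f /etc/apache2/author.conf)
ServerRoot "/usr/local/apache2"
User  webauthor
Group web
PidFile  "/var/run/httpd-author.pid"
LockFile "/var/lock/apache2-author/accept.lock"
ErrorLog "/var/log/apache2/author-error.log"
LoadModule ssl_module        modules/mod_ssl.so
LoadModule dav_module        modules/mod_dav.so
LoadModule dav_fs_module     modules/mod_dav_fs.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
DavLockDB "/var/lock/apache2-author/DavLock"

# IP-based vhost: SSL needs one anyway, and without the perchild MPM the
# User is chosen per server process, never per vhost.
Listen 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
    ServerName author.example.com
    DocumentRoot "/var/www/site"
    SSLEngine on
    SSLCertificateFile    "/etc/apache2/ssl/author.example.com.crt"
    SSLCertificateKeyFile "/etc/apache2/ssl/author.example.com.key"
    <Directory "/var/www/site">
        Dav On
        SSLRequireSSL
        AuthType Basic
        AuthName "Authors"
        AuthBasicProvider file
        AuthUserFile "/etc/apache2/authors.passwd"
        Require valid-user
    </Directory>
</VirtualHost>

### /etc/apache2/public.conf   (start: httpd -f /etc/apache2/public.conf)
# No mod_dav loaded at all, and a User that cannot write the content even
# if something served by this instance is compromised.
ServerRoot "/usr/local/apache2"
User  www
Group web
PidFile  "/var/run/httpd-public.pid"
LockFile "/var/lock/apache2-public/accept.lock"
ErrorLog "/var/log/apache2/public-error.log"
Listen 192.0.2.11:80
<VirtualHost 192.0.2.11:80>
    ServerName www.example.com
    DocumentRoot "/var/www/site"
    <Directory "/var/www/site">
        Options -Indexes
    </Directory>
</VirtualHost>
```

Each instance needs its own PidFile and LockFile; sharing them is the usual reason a second `httpd -f` refuses to start. The public instance never loads mod_dav, so a PUT or MKCOL against www.example.com is rejected as an unknown method regardless of permissions.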
Trouble for Authors
GET is not GET, for authors
• <!--#include virtual="/header.shtml" -->
• Options Includes, and Set/AddHandler
• GET /doc.shtml produces the combined
document – not what the author wants!
A real GET
EITHER
• Create a <VirtualHost>, e.g.
http://author.example.com/
• Create an Alias/<Location >, e.g.
http://author.example.com/author/
GETting true files
In either case
<VirtualHost | Location ...>
SetHandler default-handler
This provides a true GET, except for ScriptAlias.
Hint: don't use ScriptAlias.
Trouble : Incompatibilities
Client incompatibility
• Some hints are in httpd.conf, others are
found in extra/httpd-dav.conf
• Google is your friend; new releases
mean newly incompatible behaviors
<Limit > considered harmful
• Two <Limit>'s will not be aggregated!
• <Limit > is not a proper container, it is
for a limited subset of auth directives
• You may have only one <Limit>
• But when you violate the rules – httpd
is ...
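The pitfall in configuration form, as an added example that is not from the slides: the broken two-<Limit> version beside the single <LimitExcept> that behaves as intended. Paths and the password file are assumptions:

```apache
# Added example: <Limit> pitfall on a DAV tree, and the working form.

# WRONG. The intent is "anyone may read, only authors may modify", written
# as two <Limit> sections. httpd does not aggregate <Limit> sections into
# one rule, and a <Limit> constrains only the methods it names: any method
# missing from both lists (LOCK here, or whatever a newer client sends) has
# no Require at all, so httpd never asks for credentials on it.
<Directory "/var/www/site">
    Dav On
    AuthType Basic
    AuthName "Authors"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/authors.passwd"
    <Limit PUT DELETE MKCOL>
        Require valid-user
    </Limit>
    <Limit COPY MOVE PROPPATCH>
        Require user admin
    </Limit>
</Directory>

# RIGHT. One <LimitExcept> names the read-only methods and restricts every
# other method, so an unlisted or unknown method is denied rather than
# ignored. The Auth* directives stay outside the section: <Limit> and
# <LimitExcept> hold only Require/Order/Allow/Deny, they are not containers.
<Directory "/var/www/site">
    Dav On
    AuthType Basic
    AuthName "Authors"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/authors.passwd"
    <LimitExcept GET HEAD OPTIONS PROPFIND>
        Require valid-user
    </LimitExcept>
</Directory>
```

If the tree is for authors only, drop the section entirely and put `Require valid-user` directly in the <Directory>; that protects every method with no list to keep in sync.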
A <VirtualHost > surprise
• Named hosts are looking at ServerName
and ServerAlias. IP Based hosts are
looking at port and number.
• When not matched, the content is served
by the first vhost ... so make it a stub
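The "real GET" author host and the stub-first vhost rule, together in one added example (not from the slides; names and paths are assumptions). It covers both the "A real GET" slides and the <VirtualHost> surprise, since the author host is itself a vhost whose position matters:

```apache
# Added example: name-based vhosts where the first <VirtualHost> is a
# deliberate stub, the public host renders SSI, and the author host returns
# files exactly as stored.
NameVirtualHost *:80

# 1. Stub. A request whose Host: header matches no ServerName/ServerAlias
#    for this address:port is served by the FIRST vhost listed. Make that
#    host empty and closed, not one of the real sites.
<VirtualHost *:80>
    ServerName stub.invalid
    DocumentRoot "/var/www/empty"
    <Directory "/var/www/empty">
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

# 2. Public site. .shtml goes through mod_include, so GET /doc.shtml returns
#    the assembled page with /header.shtml already merged in.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot "/var/www/site"
    <Directory "/var/www/site">
        Options +Includes
        AddType text/html .shtml
        AddOutputFilter INCLUDES .shtml
    </Directory>
    ScriptAlias /cgi-bin/ "/var/www/site/cgi-bin/"
</VirtualHost>

# 3. Author view of the same tree. default-handler hands back the raw bytes
#    of every file (no SSI, no CGI execution), which is what an authoring
#    client expects from GET before it PUTs an edited copy back.
#    In production this host sits on an SSL vhost with authentication;
#    that is left out here to keep the handler point visible.
<VirtualHost *:80>
    ServerName author.example.com
    DocumentRoot "/var/www/site"
    <Directory "/var/www/site">
        SetHandler default-handler
        Options -Includes -ExecCGI
    </Directory>
    # No ScriptAlias here: default-handler does not cover it, and a
    # ScriptAlias'd path would run the script instead of returning it.
    # Because cgi-bin lives under DocumentRoot, GET /cgi-bin/x.cgi on this
    # host simply returns the script source.
</VirtualHost>
```

The stub also catches requests that arrive with no Host: header at all, which is where an accidental default of "the first real site" usually gets noticed.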
Ports and Host Names
• DAV is simply http/https – usual port
80/443
• mod_ftp typically listens on 21 – or 990
for pure Implicit TLS
• BUT – mod_ftp requires a second port!
Data Connections for FTP
• Apache running as Nobody/Untrusted
user can't use the default port 20 data!
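Listener and data-connection ports for mod_ftp under an unprivileged User, as an added example that is not from the slides or the mod_ftp project. The FTP* directive names are as I recall them from mod_ftp's documentation (FTP, FTPOptions RequireSSL, FTPImplicitSSL, FTPDataPort, FTPPasvMin, FTPPasvMax) and should be confirmed against the release you build; addresses, paths and the port range are assumptions:

```apache
# Added example: mod_ftp control and data ports. Directive names are from
# memory of the mod_ftp docs; verify them against your release.
LoadModule ftp_module modules/mod_ftp.so

# Control channel: 21 for explicit TLS (client upgrades with AUTH TLS),
# 990 for implicit TLS (handshake before the first FTP reply). Both are
# privileged ports, but Listen binds them while httpd is still root.
Listen 192.0.2.10:21
Listen 192.0.2.10:990

# Data channel: port 20, the classic active-mode source port, is privileged
# too. By the time a data connection opens httpd has dropped to
# Nobody/webauthor and cannot bind it, so use an unprivileged port for
# active mode and a passive range the firewall also permits.
FTPDataPort 2020
FTPPasvMin  50000
FTPPasvMax  50100

# Explicit TLS on 21: plaintext is allowed only long enough to say AUTH TLS;
# RequireSSL refuses USER/PASS on an unencrypted control channel.
<VirtualHost 192.0.2.10:21>
    ServerName ftp.example.com
    DocumentRoot "/var/www/site"
    FTP On
    SSLEngine on
    FTPOptions RequireSSL
    SSLCertificateFile    "/etc/apache2/ssl/ftp.example.com.crt"
    SSLCertificateKeyFile "/etc/apache2/ssl/ftp.example.com.key"
    AuthType Basic
    AuthName "Authors"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/authors.passwd"
    Require valid-user
</VirtualHost>

# Implicit TLS on 990: the TLS handshake happens first, so there is no
# plaintext phase at all. Same document tree, same httpd-managed users.
<VirtualHost 192.0.2.10:990>
    ServerName ftp.example.com
    DocumentRoot "/var/www/site"
    FTP On
    SSLEngine on
    FTPImplicitSSL On
    SSLCertificateFile    "/etc/apache2/ssl/ftp.example.com.crt"
    SSLCertificateKeyFile "/etc/apache2/ssl/ftp.example.com.key"
    AuthType Basic
    AuthName "Authors"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/authors.passwd"
    Require valid-user
</VirtualHost>
```

Whichever ports you choose, the passive range and the active data port are the ones to open in the firewall alongside 21/990; a range that httpd can bind but the firewall blocks shows up as logins that succeed and directory listings that hang.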
Good References
http://www.webdav.org/
http://www.apache.org/docs/2.2/
http://httpd.apache.org/modules/
http://wiki.apache.org/httpd/
Educational Links
• http://en.wikipedia.org/wiki/Ftp_client
• http://en.wikipedia.org/wiki/
Comparison_of_FTP_clients
• http://en.wikipedia.org/wiki/WebDAV
Contact and Followup
http://www.rowe-clan.net/wrowe/
http://people.apache.org/~wrowe/
IRC help at irc.freenode.net #apache
Peer help at [email protected]