Managing your Apache HTTP Web Server Content with mod_dav and mod_ftp William A. Rowe, Jr. ASF Member, httpd and APR projects Sr. Software Engineer, Covalent Technologies

Post on 12-Jan-2016


Page 1: Managing your Apache HTTP Web Server Content with mod_dav and mod_ftp William A. Rowe, Jr. ASF Member, httpd and APR projects Sr. Software Engineer, Covalent

Managing your Apache HTTP Web Server Content with mod_dav and mod_ftp

William A. Rowe, Jr.
ASF Member, httpd and APR projects
Sr. Software Engineer, Covalent Technologies

Page 2:

The Choices

• upload scripts
• content management applications
• ssh (scp) or nfs/samba filesystems
• WebDAV (mod_dav)
• ftpd (strictly using ssl/tls), or mod_ftp

Page 3:

Upload scripts

• Mostly, they suck
• Notorious (bugtraq / vuln-dev notoriety)
• Quite possibly ideal for narrow-focus, tightly controlled applications such as media, photos, web 2.0 updates etc.

Page 4:

CMS Applications

• Single purposed (not a solution for a diverse author base).
• Deploy corresponding CMS server agent required by each of the authoring tools.
• As secure as the design paradigm.

Page 5:

ssh (scp)

• Secure (Very)
• Requires 1:1 system accounts to web administrators
• Keys strongly recommended over password access
• One more service to administer

Page 6:

nfs/samba

• Requires 1:1 user:author accounts
• On the locally deployed server – ideal
• Sub-par solution for remotely co-located web server infrastructure
• One more service to administer

Page 7:

WebDAV / mod_dav

• Does not require 1:1 users to authors
• Easily secured with https: (ssl/tls)
• Short of ftp, the most widely deployed and flexible authoring solution (no lock-in!)

Page 8:

ftpd for Content

• Requires 1:1 accounts per web admin
• (Unless anonymous, which is the worse of two evils)
• Non-SSL security is worse than no security (packet sniffers, anyone?)
• One more service to administer

Page 9:

ftp using mod_ftp + tls/ssl

• Does -not- require 1:1 users / authors.
• All content is written with the ownership of the user which httpd is running as (same as mod_dav).
• Passwords and content are all secured on the wire with implicit or explicit ssl.

Page 10:

The Criteria

• Single administrative solution
• Secure / Encrypted transactions (ssl/tls)
• Apache HTTP security context (httpd managed users, not system accounts)

Page 11:

The bottom line – our Authors

• Lenya, Slide, Vignette & many more clients, including MS Web Folders and MS Office all support WebDAV
• More ancient clients will support ftp
• Flexibility without frequent server-side installation churn

Page 12:

The Solutions

• mod_dav – the modern connector
• mod_ftp – the legacy connector
• Add mod_ssl – avoid plaintext over the wire for either protocol
• Single security-context for content

Page 13:

mod_dav_fs

• mod_dav is simply a protocol
• mod_dav_fs does the heavy 'filesystem' lifting of file content – and locking
• You must leverage both modules!
• See conf/extras/httpd-dav.conf

Page 14:

mod_ftp

• Here – but not yet here
• http://httpd.apache.org/modules/ will keep you up to date with its first release
• Not for the timid, but for the impatient: http://svn.apache.org/repos/asf/httpd/mod_ftp/trunk/STATUS

Page 15:

Authorization Options

• For few authors, mod_authz_username
• For many, mod_authz_dbd/dbm/ldap help manage the users

Page 16:

Permissions and Ownership

• Apache defaults to User Nobody
• For authoring, use a generally low-privilege account e.g. “webauthor”
• Must have read/write to the web contents

Page 17:

More Secure Permissions

• Consider two httpd instances, author and user instances, two separate Users
• Short of 'perchild' MPM – these must be physical (IP-based) vhosts. (For SSL, they must be IP based vhosts anyways).
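As an added example that is not part of the deck, the following httpd 2.2 configuration puts the mod_dav_fs, Authorization Options, Permissions and Ownership, and More Secure Permissions slides together into one dedicated authoring instance. Every concrete value in it is an assumption of mine, not something the slides state: the address 192.0.2.10, the host name author.example.com, the account webauthor, the certificate, lock and content paths, and the author names.

```apache
# Added example: an httpd 2.2 authoring instance for WebDAV (not the slides' own config).
# Assumed values: IP 192.0.2.10, host author.example.com, account webauthor, all paths.

# Both modules are needed: mod_dav speaks the protocol, mod_dav_fs stores and locks files
LoadModule dav_module        modules/mod_dav.so
LoadModule dav_fs_module     modules/mod_dav_fs.so
LoadModule ssl_module        modules/mod_ssl.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so

# This instance runs as the low-privilege account that owns the web content.
# The public-facing instance is a separate httpd running as a different User
# (nobody, say) which only needs read access to the same tree.
User  webauthor
Group webauthor

# mod_dav_fs keeps its lock database here; the directory must be writable by webauthor
DavLockDB /var/lock/httpd-author/DavLock

# SSL virtual hosts in 2.2 are matched by IP and port, so bind this instance to its own address
Listen 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
    ServerName author.example.com
    DocumentRoot /var/www/htdocs

    # Never let DAV credentials or content cross the wire in plaintext
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/author.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/author.example.com.key

    <Directory /var/www/htdocs>
        # Enable WebDAV on the content tree
        Dav On

        # Authors are httpd-managed users in a flat file, not system accounts
        AuthType Basic
        AuthName "Web Authors"
        AuthUserFile /etc/httpd/authors.htpasswd
        # A handful of named authors: mod_authz_user. For a large author base,
        # swap in mod_authz_dbd, mod_authz_dbm or mod_authnz_ldap and the
        # matching Require form instead of listing names here.
        Require user alice bob
    </Directory>
</VirtualHost>
```

The password file is created with `htpasswd -c /etc/httpd/authors.htpasswd alice` (then `htpasswd` without `-c` for each further author). The content tree and the lock directory should be writable by webauthor and by nobody else; the public instance reads the same DocumentRoot and never needs write access to it.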

Page 18:

Trouble for Authors

GET is not GET, for authors

• <!--#include virtual="/header.shtml" -->
• Options Includes, and Set/AddHandler
• GET /doc.shtml produces the combined document – not what the author wants!

Page 19:

A real GET

EITHER

• Create a <VirtualHost>, e.g. http://author.example.com/
• Create an Alias/<Location >, e.g. http://author.example.com/author/

Page 20:

GETting true files

In either case

<VirtualHost | Location ...>
SetHandler default-handler

This provides a true GET, but for ScriptAlias: hint - Don't use ScriptAlias
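To make the GET problem of the last three slides concrete, here is an added httpd 2.2 fragment of my own, not from the deck, showing the Alias/<Location> variant: the public tree runs server-side includes, and the very same files are reachable unprocessed under /author/. The address 192.0.2.10, the host name www.example.com, the paths and the author names are placeholders I chose.

```apache
# Added example (not the slides' own config): a public SSI site plus an /author/
# view that returns the raw file. Placeholders: 192.0.2.10, www.example.com,
# certificate and content paths, user names.

<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot /var/www/htdocs
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key

    # Public view: .shtml goes through mod_include's server-parsed handler, so
    # GET /doc.shtml returns header.shtml merged into doc.shtml
    <Directory /var/www/htdocs>
        Options +Includes
        AddType text/html .shtml
        AddHandler server-parsed .shtml
        Order allow,deny
        Allow from all
    </Directory>

    # Author view: the same directory mapped a second time under /author/
    Alias /author/ /var/www/htdocs/
    <Location /author/>
        # default-handler sends the stored bytes; no SSI and no CGI handler runs,
        # so GET /author/doc.shtml returns exactly what the author uploaded.
        # If SSI were enabled with "AddOutputFilter INCLUDES .shtml" instead of
        # AddHandler, add "RemoveOutputFilter .shtml" here too: output filters
        # are chosen by extension, not by the handler.
        SetHandler default-handler

        # Authors write through this view with DAV, over https only
        Dav On
        AuthType Basic
        AuthName "Web Authors"
        AuthUserFile /etc/httpd/authors.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

The deck's hint about ScriptAlias stands: the httpd documentation gives `Alias` plus `SetHandler cgi-script` (with `Options +ExecCGI`) inside a `<Directory>` or `<Location>` as the equivalent of `ScriptAlias`, and that form keeps handler selection in per-directory configuration, where the author view's `SetHandler default-handler` can take precedence.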

Page 21:

Trouble : Incompatibilities

Client incompatibility

• Some hints are in httpd.conf, others are found in extra/httpd-dav.conf
• Google is your friend; new releases mean newly incompatible behaviors

Page 22:

<Limit > considered harmful

• Two <Limit>'s will not be aggregated!
• <Limit > is not a proper container, it is for a limited subset of auth directives
• You may have only one <Limit>
• But when you violate the rules – httpd is ...
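An added example, not from the slides, of the weak configuration this slide warns about beside two corrected forms, written for httpd 2.2. The paths and user names are placeholders of mine.

```apache
# Added example (not the slides' own config): what goes wrong with <Limit>, and
# what to write instead. Paths and user names are placeholders. DavLockDB, SSL
# and the auth modules are configured elsewhere as for any DAV host.

# WEAK. Each Require applies only to the methods its <Limit> names. Everything
# else a DAV client sends (PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK)
# reaches the content with no Require at all, and the two <Limit> blocks are
# not merged into one combined rule, so the intent is easy to misread.
<Directory /var/www/htdocs>
    Dav On
    AuthType Basic
    AuthName "Web Authors"
    AuthUserFile /etc/httpd/authors.htpasswd
    <Limit PUT DELETE>
        Require user alice
    </Limit>
    <Limit POST>
        Require user bob
    </Limit>
</Directory>

# CORRECTED, option 1: no <Limit> at all. A Require written directly in the
# section covers every method, known or unknown, WebDAV methods included.
<Directory /var/www/htdocs>
    Dav On
    AuthType Basic
    AuthName "Web Authors"
    AuthUserFile /etc/httpd/authors.htpasswd
    Require user alice bob
</Directory>

# CORRECTED, option 2: anonymous reads, authors for everything else. A single
# <LimitExcept> is a deny-by-default list: only the methods it names are exempt,
# so a method you did not think of is still protected. OPTIONS stays open because
# DAV clients probe with it before they authenticate.
<Directory /var/www/htdocs>
    Dav On
    AuthType Basic
    AuthName "Web Authors"
    AuthUserFile /etc/httpd/authors.htpasswd
    <LimitExcept GET HEAD OPTIONS>
        Require user alice bob
    </LimitExcept>
</Directory>
```

Whichever form is chosen, a quick check after a reload is to issue a PROPFIND and an MKCOL against the tree without credentials and confirm both answer 401, not 207 or 201.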

Page 23:

A <VirtualHost > surprise

• Named hosts are looking at ServerName and ServerAlias. IP Based hosts are looking at port and number.
• When not matched, the content is served by the first vhost ... so make it a stub

Page 24:

Ports and Host Names

• DAV is simply http/https – usual port 80/443
• mod_ftp typically listens on 21 – or 990 for pure Implicit TLS
• BUT – mod_ftp requires a second port!

Page 25:

Data Connections for FTP

• Apache running as Nobody/Untrusted user can't use the default port 20 data!
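The last three slides (the first-vhost surprise, the ports, and the FTP data connection) in one added httpd 2.2 configuration of my own, not the deck's. The addresses 192.0.2.10 and 192.0.2.11, the host names, the paths and the passive port range are placeholders; the mod_ftp directive names FTP and FTPPasvRange are what I recall from the module's documentation and should be checked against the release actually installed.

```apache
# Added example (not the slides' own config): a stub default vhost, a name-based
# public site, an IP-based https host for DAV, and a mod_ftp host on its own port.
# Placeholders: 192.0.2.10, 192.0.2.11, host names, paths, the passive port range.
# Assumed mod_ftp directives: FTP, FTPPasvRange (verify against the mod_ftp docs).

Listen 192.0.2.10:80
Listen 192.0.2.11:443
Listen 192.0.2.11:21

# Name-based hosts on port 80: the FIRST <VirtualHost> for this IP:port answers
# any request whose Host: header matches no ServerName or ServerAlias. Make it
# a stub that serves nothing, so a missing or mistyped Host: never reaches a real site.
NameVirtualHost 192.0.2.10:80
<VirtualHost 192.0.2.10:80>
    ServerName stub.invalid
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

# The real public site, read-only for the world
<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/htdocs
</VirtualHost>

# IP-based SSL host for DAV: matched by address and port only, so it gets an
# address of its own (2.2 cannot pick a certificate by host name).
<VirtualHost 192.0.2.11:443>
    ServerName author.example.com
    DocumentRoot /var/www/htdocs
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/author.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/author.example.com.key
    <Directory /var/www/htdocs>
        Dav On
        AuthType Basic
        AuthName "Web Authors"
        AuthUserFile /etc/httpd/authors.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

# mod_ftp: the control connection on 21 (990 for implicit TLS). httpd's children
# run as an unprivileged User and cannot bind port 20 for active-mode data
# connections, so confine passive data connections to an unprivileged range and
# open that range, plus 21, on the firewall. The TLS directives for the control
# and data channels are mod_ftp-specific and are left to the module's documentation.
<VirtualHost 192.0.2.11:21>
    ServerName ftp.example.com
    DocumentRoot /var/www/htdocs
    FTP On
    FTPPasvRange 50000 50100
</VirtualHost>
```

After `apachectl configtest`, `apachectl -S` lists every vhost in the order httpd will consider it; the stub must appear first for 192.0.2.10:80, and the https and ftp hosts must each be the only entry on their IP:port.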

Page 26:

Good References

http://www.webdav.org/

http://www.apache.org/docs/2.2/

http://httpd.apache.org/modules/

http://wiki.apache.org/httpd/

Page 27:

Educational Links

• http://en.wikipedia.org/wiki/Ftp_client
• http://en.wikipedia.org/wiki/Comparison_of_FTP_clients
• http://en.wikipedia.org/wiki/WebDAV

Page 28:

Contact and Followup

http://www.rowe-clan.net/wrowe/

http://people.apache.org/~wrowe/

[email protected]

IRC help at irc.freenode.net #apache

Peer help at [email protected]