| author | Joshua Slive <slive@apache.org> | 2003-04-21 15:12:58 +0000 |
|---|---|---|
| committer | Joshua Slive <slive@apache.org> | 2003-04-21 15:12:58 +0000 |
| commit | b7a12ecc439a4c519a17edb7171205b85c8d3676 (patch) | |
| tree | b06de41cb48fd8dfa8a0cbba5c42e9de01e93dc0 /docs/manual/mod/mod_dav.html.en | |
| parent | 56055dacd364377abca61060e38db1a0aa5701b8 (diff) | |
| download | httpd-b7a12ecc439a4c519a17edb7171205b85c8d3676.tar.gz | |
Update transformations.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@99476 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs/manual/mod/mod_dav.html.en')
-rw-r--r-- | docs/manual/mod/mod_dav.html.en | 103 |
1 files changed, 87 insertions, 16 deletions
diff --git a/docs/manual/mod/mod_dav.html.en b/docs/manual/mod/mod_dav.html.en index fdd23e65aa..3f077610de 100644 --- a/docs/manual/mod/mod_dav.html.en +++ b/docs/manual/mod/mod_dav.html.en @@ -42,6 +42,8 @@ <h3>Topics</h3> <ul id="topics"> <li><img alt="" src="../images/down.gif" /> <a href="#example">Enabling WebDAV</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#security">Security Issues</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#complex">Complex Configurations</a></li> </ul><h3>See also</h3> <ul class="seealso"> <li><code class="directive"><a href="../mod/mod_dav_fs.html#davlockdb">DavLockDB</a></code></li> 
@@ -56,19 +58,29 @@ <div class="example"><p><code>Dav On</code></p></div> - <p>This enables the DAV file system provider, which is implemented by - the <code class="module"><a href="../mod/mod_dav_fs.html">mod_dav_fs</a></code> module. Therefore that module has to - be compiled into the server or has to be loaded at runtime using the + <p>This enables the DAV file system provider, which is implemented + by the <code class="module"><a href="../mod/mod_dav_fs.html">mod_dav_fs</a></code> module. Therefore, that module + must be compiled into the server or loaded at runtime using the <code class="directive"><a href="../mod/mod_so.html#loadmodule">LoadModule</a></code> directive.</p> - <p>In order to make it work you have to specify a web-server writable - filename for the DAV lock database by adding the following to the - global section in your <code>httpd.conf</code> file:</p> + <p>In addition, a location for the DAV lock database must be + specified in the global section of your <code>httpd.conf</code> + file:</p> <div class="example"><p><code> - DavLockDB /tmp/DavLock + DavLockDB /usr/local/apache2/var/DavLock </code></p></div> + <p>The directory containing the lock database file must be + writable by the <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> + and <code class="directive"><a href="../mod/mpm_common.html#group">Group</a></code> under which + Apache is running. For security reasons, you should create a + directory for this purpose rather than changing the permissions on + an existing directory. 
In the above example, Apache will create + files in the <code>/usr/local/apache2/var/</code> directory + with the base filename <code>DavLock</code> and extension name + chosen by the server.</p> + <p>You may wish to add a <code class="directive"><a href="../mod/core.html#limit"><Limit></a></code> clause inside the <code class="directive"><a href="../mod/core.html#location"><Location></a></code> directive to limit access to DAV-enabled locations. If you want to set the maximum amount of bytes that a DAV client can send at one request, you have to use @@ -87,7 +99,7 @@ AuthName DAV<br /> AuthUserFile user.passwd<br /> <br /> - <LimitExcept GET HEAD OPTIONS><br /> + <LimitExcept GET OPTIONS><br /> <span class="indent"> require user admin<br /> </span> 
@@ -96,14 +108,73 @@ </Location><br /> </code></p></div> - <div class="warning"><h3>Security</h3> - <p>The use of HTTP Basic Authentication is not recommended. You - should use at least HTTP Digest Authentication, which is provided by - the <code class="module"><a href="../mod/mod_auth_digest.html">mod_auth_digest</a></code> module. Nearly all WebDAV clients - support this authentication method. Of course, Basic Authentication - over an <a href="../ssl/">SSL</a> enabled connection is secure, - too.</p> - </div> + <p><code class="module"><a href="../mod/mod_dav.html">mod_dav</a></code> is a descendent of Greg Stein's <a href="http://www.webdav.org/mod_dav/">mod_dav for Apache 1.3</a>. More + information about the module is available from that site.</p> +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="security" id="security">Security Issues</a></h2> + + <p>Since DAV access methods allow remote clients to manipulate + files on the server, you must take particular care to assure that + your server is secure before enabling <code class="module"><a href="../mod/mod_dav.html">mod_dav</a></code>.</p> + + <p>Any location on the server where DAV is enabled should be + protected by authentication. The use of HTTP Basic Authentication + is not recommended. You should use at least HTTP Digest + Authentication, which is provided by the + <code class="module"><a href="../mod/mod_auth_digest.html">mod_auth_digest</a></code> module. Nearly all WebDAV clients + support this authentication method. 
An alternative is Basic + Authentication over an <a href="../ssl/">SSL</a> enabled + connection.</p> + + <p>In order for <code class="module"><a href="../mod/mod_dav.html">mod_dav</a></code> to manage files, it must + be able to write to the directories and files under its control + using the <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> and + <code class="directive"><a href="../mod/mpm_common.html#group">Group</a></code> under which + Apache is running. New files created will also be owned by this + <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> and <code class="directive"><a href="../mod/mpm_common.html#group">Group</a></code>. For this reason, it is + important to control access to this account. The DAV repository + is considered private to Apache; modifying files outside of Apache + (for example using FTP or filesystem-level tools) should not be + allowed.</p> + + <p><code class="module"><a href="../mod/mod_dav.html">mod_dav</a></code> may be subject to various kinds of + denial-of-service attacks. The <code class="directive"><a href="../mod/core.html#limitxmlrequestbody">LimitXMLRequestBody</a></code> directive can be + used to limit the amount of memory consumed in parsing large DAV + requests. The <code class="directive"><a href="#davdepthinfinity">DavDepthInfinity</a></code> directive can be + used to prevent <code>PROPFIND</code> requests on a very large + repository from consuming large amounts of memory. Another + possible denial-of-service attack involves a client simply filling + up all available disk space with many large files. 
There is no + direct way to prevent this in Apache, so you should avoid giving + DAV access to untrusted users.</p> +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="complex" id="complex">Complex Configurations</a></h2> + + <p>One common request is to use <code class="module"><a href="../mod/mod_dav.html">mod_dav</a></code> to + manipulate dynamic files (PHP scripts, CGI scripts, etc). This is + difficult because a <code>GET</code> request will always run the + script, rather than downloading its contents. One way to avoid + this is to map two different URLs to the content, one of which + will run the script, and one of which will allow it to be + downloaded and manipulated with DAV.</p> + +<div class="example"><p><code> +Alias /phparea /home/gstein/php_files<br /> +Alias /php-source /home/gstein/php_files<br /> +<Location /php-source> +<span class="indent"> + DAV On<br /> + ForceType text/plain<br /> +</span> +</Location> +</code></p></div> + + <p>With this setup, <code>http://example.com/phparea</code> can be + used to access the output of the PHP scripts, and + <code>http://example.com/php-source</code> can be used with a DAV + client to manipulate them.</p> </div> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="directive-section"><h2><a name="Dav" id="Dav">Dav</a> <a name="dav" id="dav">Directive</a></h2> |
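Review bot: in the @@ -56,19 +58,29 @@ hunk, the new paragraph tells readers to create a dedicated directory for the lock database "for security reasons" but never says what the risk is, so the advice is easy to skip. One clause naming it, e.g. "so that no other local user can create or modify the lock files", would make it actionable and would also explain why the example moved from /tmp/DavLock to /usr/local/apache2/var/DavLock. The sentence "writable by the User and Group under which Apache is running" could likewise say "and only by that account", which is what the hunk's own warning against loosening permissions on an existing directory implies.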
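Review bot: in the @@ -87,7 +99,7 @@ hunk, dropping HEAD from `<LimitExcept GET HEAD OPTIONS>` changes a documented configuration with no explanation in the surrounding text. If the intent is that HEAD is already covered because Apache applies GET restrictions to HEAD as well, a short sentence saying so would stop readers from assuming HEAD now requires credentials; if the intent is that HEAD should require authentication, the prose should state that instead. Either way the example and the text should agree on which methods are open.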
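Review bot: in the @@ -96,14 +108,73 @@ hunk, the new Complex Configurations example (`<Location /php-source>` with `DAV On` and `ForceType text/plain`) carries no authentication block, even though the Security Issues section added a few lines earlier says every DAV-enabled location should be protected by authentication; since this location exposes script source for editing, either add a `require user` stanza as in the earlier `<Location>` example or add a sentence pointing back to that section. Two smaller points: `/home/gstein/php_files` is a personal home directory and should be a neutral path in documentation, and "descendent" in the paragraph on Greg Stein's mod_dav for Apache 1.3 should read "descendant".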