Managing your Apache HTTP Web Server Content with mod_dav and mod_ftp - PowerPoint PPT Presentation

About This Presentation
Description:

Managing your Apache HTTP Web Server Content with mod_dav and mod_ftp William A. Rowe, Jr. ASF Member, httpd and APR projects Sr. Software Engineer, Covalent Technologies – PowerPoint PPT presentation

Slides: 29
Provided by: peopleAp3
Learn more at: http://people.apache.org

Transcript and Presenter's Notes

1
Managing your Apache HTTP Web Server Content with
mod_dav and mod_ftp
  • William A. Rowe, Jr., ASF Member, httpd and APR
    projects; Sr. Software Engineer, Covalent
    Technologies

2
The Choices
  • upload scripts
  • content management applications
  • ssh (scp) or nfs/samba filesystems
  • WebDAV (mod_dav)
  • ftpd (strictly using ssl/tls), or mod_ftp

3
Upload scripts
  • Mostly, they suck
  • Notorious (bugtraq / vuln-dev notoriety)
  • Quite possibly ideal for narrow-focus, tightly
    controlled applications such as media, photos,
    web 2.0 updates etc.

4
CMS Applications
  • Single purposed (not a solution for a diverse
    author base).
  • Deploy corresponding CMS server agent required by
    each of the authoring tools.
  • As secure as the design paradigm.

5
ssh (scp)
  • Secure (Very)
  • Requires 1:1 system accounts to web
    administrators
  • Keys strongly recommended over password access
  • One more service to administer

6
nfs/samba
  • Requires 1:1 user:author accounts
  • On the locally deployed server ideal
  • Sub-par solution for remotely co-located web
    server infrastructure
  • One more service to administer

7
WebDAV / mod_dav
  • Does not require 1:1 users to authors
  • Easily secured with https (ssl/tls)
  • Short of ftp, the most widely deployed and
    flexible authoring solution (no lock-in!)

8
ftpd for Content
  • Requires 1:1 accounts per web admin
  • (Unless anonymous, which is the worse of two
    evils)
  • Non-SSL security is worse than no security
    (packet sniffers, anyone?)
  • One more service to administer

9
ftp using mod_ftp tls/ssl
  • Does -not- require 1:1 users / authors.
  • All content is written with the ownership of the
    user which httpd is running as (same as mod_dav).
  • Passwords and content are all secured on the
    wire with implicit or explicit ssl.

10
The Criteria
  • Single administrative solution
  • Secure / Encrypted transactions (ssl/tls)
  • Apache HTTP security context (httpd managed
    users, not system accounts)

11
The bottom line: our Authors
  • Lenya, Slide, Vignette, and many more clients,
    including MS Web Folders and MS Office, all
    support WebDAV
  • More ancient clients will support ftp
  • Flexibility without frequent server-side
    installation churn

12
The Solutions
  • mod_dav: the modern connector
  • mod_ftp: the legacy connector
  • Add mod_ssl: avoid plaintext over the wire for
    either protocol
  • Single security-context for content

13
mod_dav_fs
  • mod_dav is simply a protocol
  • mod_dav_fs does the heavy 'filesystem' lifting of
    file content and locking
  • You must leverage both modules!
  • See conf/extra/httpd-dav.conf

14
mod_ftp
  • Here but not yet here
  • http://httpd.apache.org/modules/ will keep you up
    to date with its first release
  • Not for the timid, but for the impatient
  • http://svn.apache.org/repos/asf/httpd/mod_ftp/trunk/STATUS

15
Authorization Options
  • For few authors, mod_authz_username
  • For many, mod_authz_dbd/dbm/ldap help manage the
    users

16
Permissions and Ownership
  • Apache defaults to User Nobody
  • For authoring, use a generally low-privilege
    account e.g. webauthor
  • Must have read/write to the web contents

17
More Secure Permissions
  • Consider two httpd instances, author and user
    instances, two separate Users
  • Short of 'perchild' MPM these must be physical
    (IP-based) vhosts. (For SSL, they must be IP
    based vhosts anyways).

18
Trouble for Authors
  • GET is not GET, for authors
  • <!--#include virtual="/header.shtml" -->
  • Options Includes, and Set/AddHandler
  • GET /doc.shtml produces the combined document,
    not what the author wants!

19
A real GET
  • EITHER
  • Create a <VirtualHost>, e.g. http://author.example.com/
  • Create an Alias/<Location>, e.g. http://author.example.com/author/

20
GETting true files
  • In either case
  • <VirtualHost Location ...>
  • SetHandler default-handler
  • This provides a true GET, but for ScriptAlias
  • hint - Don't use ScriptAlias
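
The authoring setup from slides 16 to 20 as one configuration file, as an added example that is not part of the original presentation (Apache 2.2 syntax). The address, host name, file paths and the `webauthor` account layout are assumptions, and mod_dav, mod_dav_fs, mod_ssl and the basic-auth modules are assumed to be loaded already.

```apache
# Added example: config for a separate authoring httpd instance (started with
# its own -f file). Addresses, names and paths below are assumptions.

# Slide 16: low-privilege account that has read/write on the web content
User  webauthor
Group webauthor

# Slide 17: IP-based vhost on its own address, TLS only
Listen 192.0.2.11:443

# mod_dav_fs lock database; its directory must be writable by webauthor
DavLockDB /var/lock/apache-author/DavLock

<VirtualHost 192.0.2.11:443>
    ServerName   author.example.com
    DocumentRoot /srv/www/htdocs

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/author.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/author.example.com.key

    <Directory /srv/www/htdocs>
        Dav On

        # True GET: hand every file to the core handler and leave SSI and
        # CGI off, so /doc.shtml comes back as the source the author saved.
        SetHandler default-handler
        Options None

        # httpd-managed users, not system accounts. No <Limit> wrapper: the
        # requirement covers every method, including GET of raw source.
        AuthType Basic
        AuthName "Content authoring"
        AuthUserFile /etc/apache2/author.htpasswd
        Require valid-user

        # 2.2 access control: any address may connect; authentication gates access
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

The public instance keeps its own User, its own address, and its Options Includes / handler settings, with no Dav On anywhere in its configuration.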

21
Trouble: Incompatibilities
  • Client incompatibility
  • Some hints are in httpd.conf, others are found in
    extra/httpd-dav.conf
  • Google is your friend; new releases mean newly
    incompatible behaviors

22
<Limit> considered harmful
  • Two <Limit>'s will not be aggregated!
  • <Limit> is not a proper container, it is for a
    limited subset of auth directives
  • You may have only one <Limit>
  • But when you violate the rules httpd is ...

23
A <VirtualHost> surprise
  • Named hosts are looking at ServerName and
    ServerAlias. IP Based hosts are looking at port
    and number.
  • When not matched, the content is served by the
    first vhost ... so make it a stub
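
A stub first vhost for name-based hosting, as an added example that is not part of the original presentation (Apache 2.2 syntax). The host names and paths are assumptions.

```apache
# Added example (2.2 syntax); host names and paths are assumptions.
NameVirtualHost *:80

# First vhost for this address:port. Any request whose Host header matches
# no ServerName/ServerAlias below lands here, so it serves nothing.
<VirtualHost *:80>
    ServerName   stub.invalid
    DocumentRoot /srv/www/empty
    <Location />
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>

# Real site: only reached when the Host header matches one of these names.
<VirtualHost *:80>
    ServerName   www.example.com
    ServerAlias  example.com
    DocumentRoot /srv/www/htdocs
</VirtualHost>
```

On httpd 2.4 the equivalent of the Order/Deny pair is `Require all denied`.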

24
Ports and Host Names
  • DAV is simply http/https: usual ports 80/443
  • mod_ftp typically listens on 21 or 990 for pure
    Implicit TLS
  • BUT mod_ftp requires a second port!

25
Data Connections for FTP
  • Apache running as Nobody/Untrusted user can't use
    the default port 20 data!

26
Good References
  • http://www.webdav.org/
  • http://www.apache.org/docs/2.2/
  • http://httpd.apache.org/modules/
  • http://wiki.apache.org/httpd/

27
Educational Links
  • http://en.wikipedia.org/wiki/Ftp_client
  • http://en.wikipedia.org/wiki/Comparison_of_FTP_clients
  • http://en.wikipedia.org/wiki/WebDAV

28
Contact and Followup
  • http://www.rowe-clan.net/wrowe/
  • http://people.apache.org/wrowe/
  • wrowe_at_rowe-clan.net
  • IRC help at irc.freenode.net apache
  • Peer help at users_at_httpd.apache.org