Never Ending Security

It starts all here

How To Get Started With WebDAV on Linux

How To: WebDAV

WebDAV is an extension of the HTTP protocol that allows users to manage files on servers. There are many ways to use a WebDAV server. For example, you can share Word or Excel documents with your colleagues by uploading them to your WebDAV server. You can even share your music collection with your family and friends by simply giving them a URL. All this can be achieved without them installing anything.

There are many ways to manage files on a remote server. WebDAV has several benefits over other solutions such as FTP or Samba.

WebDAV offers several advantages:

  • Native integration on all major operating systems (Windows, Mac, Linux); there is no need to install third-party software to use WebDAV.
  • Support for partial transfers.
  • More choices for authentication. Being on HTTP means NTLM, Kerberos, LDAP, etc. are all possible.

Depending on your situation, WebDAV may be the best solution for your needs.

There are many web servers around that support WebDAV on Linux. However, Apache has the most compliant implementation of the WebDAV protocol out there. At the time of writing, WebDAV on Nginx and Lighttpd works, but only partially.

Creating a User

First add a user called cyberpunk.

adduser cyberpunk

You will be prompted to create a password for the user cyberpunk as shown below. There will be further prompts for information about the user cyberpunk. You may enter them if you wish.

Adding user `cyberpunk' ...
Adding new group `cyberpunk' (1000) ...
Adding new user `cyberpunk' (1000) with group `cyberpunk' ...
Creating home directory `/home/cyberpunk' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for cyberpunk
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y

Granting sudo Privileges to the User

After creating a new user, the next step is to grant the user cyberpunk sudo privileges. Assuming you are still logged in as root, add the user cyberpunk to the sudo group by typing in the following command.

usermod -aG sudo cyberpunk

Users in the sudo group are granted sudo privileges. Now you can log out and log in as the user cyberpunk.

Installing Apache

sudo apt-get update
sudo apt-get install apache2

The Apache web server should be installed and running.

Setting Up WebDAV

There are three steps to set up WebDAV. We designate a location, enable the necessary modules, and configure it.

Preparing the Directory

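We need to designate a folder for serving WebDAV. We'll create the new directory /var/www/webdav for this. You will also need to change the owner to www-data (your Apache user) in order to allow Apache to write to it. The chown below is applied to /var/www/ as a whole, which also lets Apache create the lock database configured later in that directory.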

sudo mkdir /var/www/webdav
sudo chown -R www-data:www-data /var/www/

Enabling Modules

Next we enable the WebDAV modules using a2enmod:

sudo a2enmod dav
sudo a2enmod dav_fs

The Apache modules are found under /etc/apache2/mods-available. a2enmod enables a module by creating a symbolic link to it in /etc/apache2/mods-enabled.


Open or create the configuration file at /etc/apache2/sites-available/000-default.conf using your favorite text editor.

sudo nano /etc/apache2/sites-available/000-default.conf

On the first line, add the DavLockDB directive configuration:

DavLockDB /var/www/DavLock

And the Alias and Directory directives inside the VirtualHost section:

Alias /webdav /var/www/webdav

<Directory /var/www/webdav>
    DAV On
</Directory>

The file should look like this after editing.

DavLockDB /var/www/DavLock
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

        Alias /webdav /var/www/webdav

        <Directory /var/www/webdav>
            DAV On
        </Directory>
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

The DavLockDB directive designates the name of the DAV Lock database. It should be a path to a file. The file does not need to be created. The directory should be writeable by the Apache server.

The Alias directive maps requests to http://your.server/webdav to the /var/www/webdav folder.

The Directory directive tells Apache to enable WebDAV for the /var/www/webdav folder. You can find out more about mod_dav from the Apache docs.

If you restart the Apache server, you will have a working WebDAV server without authentication.

Restart the Apache server like this:

sudo service apache2 restart

Adding Authentication

A WebDAV server without authentication is not secure. In this section we’ll add authentication to your WebDAV server using the Digest authentication scheme.

Basic or Digest Authentication?

There are many authentication schemes available. Note that if you are serving HTTPS, we are assuming your SSL certificate is valid (not self-signed).

If you are using HTTP, use Digest authentication as it will work on all operating systems. If you are using HTTPS, you have the option of using Basic authentication.

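We're going to cover the Digest authentication scheme since it works on all the operating systems without the need for an SSL certificate. Digest keeps the password itself off the wire, but over plain HTTP the files you transfer are still sent unencrypted.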

Digest Authentication

Let us generate the file (called users.password) that stores the passwords for the users. In Digest authentication, there is the realm field which acts as a namespace for the users. We will use webdav as our realm. Our first user will be called cyberpunk.

To generate the digest file, we have to install the dependencies.

sudo apt-get install apache2-utils

We are going to add users next. Let us generate the user password file using the command below.

sudo htdigest -c /etc/apache2/users.password webdav cyberpunk

This adds the user cyberpunk to the password file. There should be a password prompt to create the password for cyberpunk.

For subsequent addition of users, you should remove the -c flag, because -c creates the password file anew and would overwrite the existing entries. Here's another example adding a user called chris. Create a password when prompted.

sudo htdigest /etc/apache2/users.password webdav chris

We also need to allow Apache to read the password file, so we change the owner.

sudo chown www-data:www-data /etc/apache2/users.password

After the password file is created, we should make changes to the configuration at /etc/apache2/sites-available/000-default.conf.

Add the following lines to the Directory directive:

AuthType Digest
AuthName "webdav"
AuthUserFile /etc/apache2/users.password
Require valid-user

The final version should look like this (with the comments removed).

DavLockDB /var/www/DavLock

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /webdav /var/www/webdav

    <Directory /var/www/webdav>
        DAV On
        AuthType Digest
        AuthName "webdav"
        AuthUserFile /etc/apache2/users.password
        Require valid-user
    </Directory>
</VirtualHost>

The mod_authn module contains the definitions for the authentication directives.

The AuthType directive instructs Apache that for the /var/www/webdav directory, there should be authentication using the Digest scheme.

Digest authentication requires a value for realm which we set as webdav. Realm acts like a namespace. When you have users which have the same name, you can separate them using different values for realm. We use the AuthName directive to set the value for realm.

The AuthUserFile directive is used to indicate the location of the password file.

The Require directive states that only valid users who authenticate themselves are able to access that directory.

Finally, enable the Digest module and restart the server for the settings to take effect.

sudo a2enmod auth_digest
sudo service apache2 restart
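
The check below is an added example, not part of the original tutorial. It audits a configuration for the two ways this setup can go wrong: a Directory block left with DAV On but no authentication directives, and an AuthName realm that no entry in the htdigest file belongs to. The sample configuration, the passwords and the function names are constructed for illustration; the user:realm:MD5(user:realm:password) entry layout is the one htdigest writes.

```python
import hashlib
import re

def ha1(user, realm, password):
    """Hash field of an htdigest entry: MD5("user:realm:password")."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

# Constructed sample data: the tutorial's final Directory block and a
# password file in htdigest's user:realm:hash layout (passwords are made up).
SAMPLE_CONF = """
Alias /webdav /var/www/webdav
<Directory /var/www/webdav>
    DAV On
    AuthType Digest
    AuthName "webdav"
    AuthUserFile /etc/apache2/users.password
    Require valid-user
</Directory>
"""
SAMPLE_USERS = "\n".join(
    f"{u}:webdav:{ha1(u, 'webdav', p)}"
    for u, p in [("cyberpunk", "constructed-pw-1"), ("chris", "constructed-pw-2")]
)

def realm_users(users_text, realm):
    """Users whose entry belongs to the given realm."""
    fields = (line.strip().split(":") for line in users_text.splitlines())
    return [f[0] for f in fields if len(f) == 3 and f[1] == realm]

def audit(conf_text, users_text):
    """Return findings for every <Directory> block that has DAV On."""
    findings = []
    pattern = r"<Directory\s+([^>]+)>(.*?)</Directory>"
    for path, body in re.findall(pattern, conf_text, re.S | re.I):
        d = {}  # directive name (lower-cased) -> argument string
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2 and not parts[0].startswith("#"):
                d[parts[0].lower()] = parts[1].strip().strip('"')
        if d.get("dav", "").lower() != "on":
            continue
        if "authtype" not in d or "require" not in d:
            findings.append(f"{path}: DAV On without authentication")
        elif not realm_users(users_text, d.get("authname", "")):
            findings.append(f"{path}: no user in realm {d.get('authname', '')!r}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_USERS) or "no findings")
```

To run it against a real server, pass the contents of /etc/apache2/sites-available/000-default.conf and /etc/apache2/users.password to audit().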
