Home / server / Questions / 291104
In Process
Tristan
Asked: 2011-07-17 18:44:47 +0800 CST

Apache and per-user WebDAV DocumentRoot

  • 772

I have a WebDAV user set up that currently gets usernames and passwords from my MySQL Database. I give users the option to use WebDAV for large file uploads (this is for a file sharing service I'm currently developing) but I've reached a little issue I can't seem to figure out.

First of all - how would I go about each user having their own WebDAV root so they can't look into other user's files? I already run a cronjob that checks for any users that enabled WebDAV and automatically creates the directories with the appropriate permissions. I just need some method of telling apache this.

Thanks for any help, I really appreciate it.

I also am aware I could just run a cronjob every minute to generate me an apache config and reload the apache config, but this would just be a little too much overhead and I'd like some more flexibility.

apache-2.2 webdav mod-webdav

2 Answers

  1. It's rather a pity that Apache's config isn't as flexible as nginx's, so you could do something like:

    Alias /dav /path/to/dav/store/$REMOTE_USER

    However, you can use REMOTE_USER in a rewrite rule, like so:

    RewriteEngine On
RewriteRule ^/dav(.*)$ /__davinternal/%{LA-U:REMOTE_USER} [PT]

    Then put all your auth/DAVish loveliness into a <Location /__davinternal> and bob's your auntie's live-in lover.

    This works great if you've got consistent locations in your filesystem for all your users (say /path/to/dav/store/<username>); if you've got user folders scattered across the filesystem (with a mapping in MySQL), you can still map your user locations, but you've got to use a RewriteMap:

    RewriteMap davdirs txt:/path/to/user/dir/map.txt
RewriteRule /^dav(.*)$ /__davinternal/${davdirs:%{LA-U:REMOTE_USER}}

    You can do a RewriteMap straight out of MySQL (via an external script), but I'd try and get my app to update a dbm file whenever that mapping information changed and use a dbm map instead -- much better performance, and doesn't hammer your database into the ground.

    I've not covered the security implications of these setups in this answer, partially because I'm not entirely sure myself, and because I don't know what your exact security policy might be.

    • 4

  2. As far as I could tell (2-3 years ago), you need to add a per user/directory config. 

    # cat /etc/apache2/conf.d/dav_store.conf
# First you need to say that a share under location X will be a webdav share:

Alias /store /home/davfs/storage/                                                                                                                                                 
<Directory /home/davfs/storage/>
        DAV On
        AuthType Basic
        AuthName "sample"

        Auth_MySQL On
        Auth_MySQL_Authoritative On
        Auth_MySQL_Host localhost
        Auth_MySQL_User _admin
        Auth_MySQL_Password 123
        Auth_MySQL_DB dav
        Auth_MySQL_Password_Table auth_user
        Auth_MySQL_Username_Field username
        Auth_MySQL_Password_Field password
        Auth_MySQL_Empty_Passwords Off
        Auth_MySQL_Encryption_Types Django #This was custom.
        #AuthMySQLUserCondition = "is_active = 1"

        # non root users cannot view this directory
        Options -Indexes -MultiViews
        AllowOverride None
        require user root;

</Directory>


<Directory /home/davfs/storage/*/>
        DAV On
        require user root;
</Directory>

Include /home/davfs/etc/conf.d/*.dvu

    And the per user config file locks a user to a dir. Here's a sample

    <Directory /home/davfs/storage/lm/lmwangi/>                                                                                                                                     
        # We need this in subdirs.. otherwise error messages such as
        # "DAV Off" cannot be used to turn off a subtree of a DAV-enabled location.
        # will fill up your log
        DAV On

        require user lmwangi
</Directory>

    And that's all there's to it. I think you have to reload Apache on every config change. It would be wonderful if these tasks could be done using an Apache module... (No more crons to generate configs, no more reloads etc)

    • 0