mod_dav.xml revision db479b48bd4d75423ed4a45e15b75089d1a8ad72
530eba85dbd41b8a0fa5255d3648d1440199a661slive<!DOCTYPE modulesynopsis SYSTEM "/style/modulesynopsis.dtd">
e942c741056732f50da2074b36fe59805d370650slive<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
5f5d1b4cc970b7f06ff8ef6526128e9a27303d88nd<!-- $LastChangedRevision$ -->
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding Licensed to the Apache Software Foundation (ASF) under one or more
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding contributor license agreements. See the NOTICE file distributed with
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding this work for additional information regarding copyright ownership.
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding The ASF licenses this file to You under the Apache License, Version 2.0
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding (the "License"); you may not use this file except in compliance with
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding the License. You may obtain a copy of the License at
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd Unless required by applicable law or agreed to in writing, software
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd distributed under the License is distributed on an "AS IS" BASIS,
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd See the License for the specific language governing permissions and
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd limitations under the License.
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive<description>Distributed Authoring and Versioning
d24d4c5159bcb11c25bb294926cfe7105c789ea9slive(<a href="http://www.webdav.org/">WebDAV</a>) functionality</description>
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive href="http://www.webdav.org">WebDAV</a> ('Web-based Distributed
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive Authoring and Versioning') functionality for Apache. This
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive extension to the HTTP protocol allows creating, moving,
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive copying, and deleting resources and collections on a remote web
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive server.</p>
d1e705efc6b288edbe466fd1af69d228f508361end<seealso><directive module="mod_dav_fs">DavLockDB</directive></seealso>
d1e705efc6b288edbe466fd1af69d228f508361end<seealso><directive module="core">LimitXMLRequestBody</directive></seealso>
d1e705efc6b288edbe466fd1af69d228f508361end<seealso><a href="http://www.webdav.org">WebDAV Resources</a></seealso>
d1e705efc6b288edbe466fd1af69d228f508361end <p>To enable <module>mod_dav</module>, add the following to a
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive <p>This enables the DAV file system provider, which is implemented
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive by the <module>mod_dav_fs</module> module. Therefore, that module
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive must be compiled into the server or loaded at runtime using the
d1e705efc6b288edbe466fd1af69d228f508361end <directive module="mod_so">LoadModule</directive> directive.</p>
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive <p>In addition, a location for the DAV lock database must be
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive specified in the global section of your <code>httpd.conf</code>
283c8419679dcabdd6605521b5094c7e31e44f4dslive file using the <directive module="mod_dav_fs">DavLockDB</directive>
283c8419679dcabdd6605521b5094c7e31e44f4dslive directive:</p>
d1e705efc6b288edbe466fd1af69d228f508361end </example>
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive <p>The directory containing the lock database file must be
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive writable by the <directive module="mpm_common">User</directive>
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive and <directive module="mpm_common" >Group</directive> under which
283c8419679dcabdd6605521b5094c7e31e44f4dslive Apache is running.</p>
d1e705efc6b288edbe466fd1af69d228f508361end <p>You may wish to add a <directive module="core" type="section"
d1e705efc6b288edbe466fd1af69d228f508361end >Limit</directive> clause inside the <directive module="core"
d1e705efc6b288edbe466fd1af69d228f508361end type="section">Location</directive> directive to limit access to
d1e705efc6b288edbe466fd1af69d228f508361end DAV-enabled locations. If you want to set the maximum amount of
d1e705efc6b288edbe466fd1af69d228f508361end bytes that a DAV client can send at one request, you have to use
d1e705efc6b288edbe466fd1af69d228f508361end the <directive module="core">LimitXMLRequestBody</directive>
d1e705efc6b288edbe466fd1af69d228f508361end >LimitRequestBody</directive> directive has no effect on DAV
d1e705efc6b288edbe466fd1af69d228f508361end requests.</p>
d1e705efc6b288edbe466fd1af69d228f508361end <Location /foo><br />
f4da05db224f3f2a4a2eeba4fb106da6b3466b8dnoirin Order Allow,Deny<br />
f4da05db224f3f2a4a2eeba4fb106da6b3466b8dnoirin Allow from all<br />
f4da05db224f3f2a4a2eeba4fb106da6b3466b8dnoirin Dav On<br />
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive AuthType Basic<br />
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive AuthName DAV<br />
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive <LimitExcept GET OPTIONS><br />
d1e705efc6b288edbe466fd1af69d228f508361end require user admin<br />
d1e705efc6b288edbe466fd1af69d228f508361end </LimitExcept><br />
d1e705efc6b288edbe466fd1af69d228f508361end </Location><br />
d1e705efc6b288edbe466fd1af69d228f508361end </example>
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive <p><module>mod_dav</module> is a descendent of Greg Stein's <a
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive href="http://www.webdav.org/mod_dav/">mod_dav for Apache 1.3</a>. More
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive information about the module is available from that site.</p>
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive <p>Since DAV access methods allow remote clients to manipulate
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive files on the server, you must take particular care to assure that
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive your server is secure before enabling <module>mod_dav</module>.</p>
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive <p>Any location on the server where DAV is enabled should be
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive protected by authentication. The use of HTTP Basic Authentication
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive is not recommended. You should use at least HTTP Digest
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive Authentication, which is provided by the
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive <module>mod_auth_digest</module> module. Nearly all WebDAV clients
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive support this authentication method. An alternative is Basic
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive Authentication over an <a href="/ssl/">SSL</a> enabled
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive connection.</p>
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive <p>In order for <module>mod_dav</module> to manage files, it must
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive be able to write to the directories and files under its control
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive using the <directive module="mpm_common">User</directive> and
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive <directive module="mpm_common">Group</directive> under which
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive Apache is running. New files created will also be owned by this
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive <directive module="mpm_common">User</directive> and <directive
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive module="mpm_common">Group</directive>. For this reason, it is
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive important to control access to this account. The DAV repository
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive is considered private to Apache; modifying files outside of Apache
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive (for example using FTP or filesystem-level tools) should not be
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive allowed.</p>
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive <p><module>mod_dav</module> may be subject to various kinds of
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive denial-of-service attacks. The <directive
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive module="core">LimitXMLRequestBody</directive> directive can be
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive used to limit the amount of memory consumed in parsing large DAV
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive requests. The <directive
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive module="mod_dav">DavDepthInfinity</directive> directive can be
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive used to prevent <code>PROPFIND</code> requests on a very large
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive repository from consuming large amounts of memory. Another
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive possible denial-of-service attack involves a client simply filling
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive up all available disk space with many large files. There is no
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive direct way to prevent this in Apache, so you should avoid giving
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive DAV access to untrusted users.</p>
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive<section id="complex"><title>Complex Configurations</title>
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive <p>One common request is to use <module>mod_dav</module> to
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive manipulate dynamic files (PHP scripts, CGI scripts, etc). This is
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive difficult because a <code>GET</code> request will always run the
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive script, rather than downloading its contents. One way to avoid
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive this is to map two different URLs to the content, one of which
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive will run the script, and one of which will allow it to be
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive downloaded and manipulated with DAV.</p>
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive<Location /php-source>
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive DAV On<br />
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive</Location>
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive <p>With this setup, <code>http://example.com/phparea</code> can be
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive used to access the output of the PHP scripts, and
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive <code>http://example.com/php-source</code> can be used with a DAV
6e49afdcb88db0a6d000bbb5d106e8e7c9cd67ceslive client to manipulate them.</p>
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive<directivesynopsis>
d1e705efc6b288edbe466fd1af69d228f508361end <p>Use the <directive>Dav</directive> directive to enable the
d1e705efc6b288edbe466fd1af69d228f508361end WebDAV HTTP methods for the given container:</p>
d1e705efc6b288edbe466fd1af69d228f508361end <Location /foo><br />
d1e705efc6b288edbe466fd1af69d228f508361end Dav On<br />
d1e705efc6b288edbe466fd1af69d228f508361end </Location>
d1e705efc6b288edbe466fd1af69d228f508361end </example>
d1e705efc6b288edbe466fd1af69d228f508361end <p>The value <code>On</code> is actually an alias for the default
d1e705efc6b288edbe466fd1af69d228f508361end provider <code>filesystem</code> which is served by the <module
d1e705efc6b288edbe466fd1af69d228f508361end >mod_dav_fs</module> module. Note, that once you have DAV enabled
d1e705efc6b288edbe466fd1af69d228f508361end for some location, it <em>cannot</em> be disabled for sublocations.
d1e705efc6b288edbe466fd1af69d228f508361end For a complete configuration example have a look at the <a
d1e705efc6b288edbe466fd1af69d228f508361end Do not enable WebDAV until you have secured your server. Otherwise
d1e705efc6b288edbe466fd1af69d228f508361end everyone will be able to distribute files on your system.
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive</directivesynopsis>
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive<directivesynopsis>
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive<description>Minimum amount of time the server holds a lock on
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slivea DAV resource</description>
d1e705efc6b288edbe466fd1af69d228f508361end<contextlist><context>server config</context><context>virtual host</context>
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive <p>When a client requests a DAV resource lock, it can also
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive specify a time when the lock will be automatically removed by
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive the server. This value is only a request, and the server can
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive ignore it or inform the client of an arbitrary value.</p>
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive <p>Use the <directive>DavMinTimeout</directive> directive to specify, in
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive seconds, the minimum lock timeout to return to a client.
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive Microsoft Web Folders defaults to a timeout of 120 seconds; the
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive <directive>DavMinTimeout</directive> can override this to a higher value
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive (like 600 seconds) to reduce the chance of the client losing
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive the lock due to network latency.</p>
d1e705efc6b288edbe466fd1af69d228f508361end <Location /MSWord><br />
d1e705efc6b288edbe466fd1af69d228f508361end DavMinTimeout 600<br />
d1e705efc6b288edbe466fd1af69d228f508361end </Location>
d1e705efc6b288edbe466fd1af69d228f508361end </example>
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive</directivesynopsis>
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive<directivesynopsis>
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive<description>Allow PROPFIND, Depth: Infinity requests</description>
d1e705efc6b288edbe466fd1af69d228f508361end<contextlist><context>server config</context><context>virtual host</context>
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive <p>Use the <directive>DavDepthInfinity</directive> directive to
d1e705efc6b288edbe466fd1af69d228f508361end allow the processing of <code>PROPFIND</code> requests containing the
d1e705efc6b288edbe466fd1af69d228f508361end header 'Depth: Infinity'. Because this type of request could constitute
d1e705efc6b288edbe466fd1af69d228f508361end a denial-of-service attack, by default it is not allowed.</p>
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive</directivesynopsis>
c1ce37b2dcce132ff0abf6a15f5225a0e89af5e4slive</modulesynopsis>