manual/mod/mod_dav.xml

	mod_dav.xml revision 283c8419679dcabdd6605521b5094c7e31e44f4d
db93f1f441db5c05e281f4ed3738a3660527cd8eslive<?xml version="1.0"?>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd<!DOCTYPE modulesynopsis SYSTEM "/style/modulesynopsis.dtd">
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd<modulesynopsis metafile="mod_dav.xml.meta">
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd<name>mod_dav</name>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd<description>Distributed Authoring and Versioning
3f08db06526d6901aa08c110b5bc7dde6bc39905nd(<a href="http://www.webdav.org/">WebDAV</a>) functionality</description>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd<status>Extension</status>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd<sourcefile>mod_dav.c</sourcefile>
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen<identifier>dav_module</identifier>
2e545ce2450a9953665f701bb05350f0d3f26275nd
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen<summary>
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen    <p>This module provides class 1 and class 2 <a
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    href="http://www.webdav.org">WebDAV</a> ('Web-based Distributed
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    Authoring and Versioning') functionality for Apache. This
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    extension to the HTTP protocol allows creating, moving,
af33a4994ae2ff15bc67d19ff1a7feb906745bf8rbowen    copying, and deleting resources and collections on a remote web
3f08db06526d6901aa08c110b5bc7dde6bc39905nd    server.</p>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd</summary>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd<seealso><directive module="mod_dav_fs">DavLockDB</directive></seealso>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd<seealso><directive module="core">LimitXMLRequestBody</directive></seealso>
4b5981e276e93df97c34e4da05ca5cf8bbd937dand<seealso><a href="http://www.webdav.org">WebDAV Resources</a></seealso>
3f08db06526d6901aa08c110b5bc7dde6bc39905nd
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd<section id="example"><title>Enabling WebDAV</title>
ed1d958582984a7c54a6ca859e15939a414fa733nd    <p>To enable <module>mod_dav</module>, add the following to a
ed1d958582984a7c54a6ca859e15939a414fa733nd    container in your <code>httpd.conf</code> file:</p>
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd
74f9e2dc9461c0e91b182eff6a9828fe42496dbcnd    <example>Dav On</example>
74f9e2dc9461c0e91b182eff6a9828fe42496dbcnd
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd    <p>This enables the DAV file system provider, which is implemented
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    by the <module>mod_dav_fs</module> module. Therefore, that module
74f9e2dc9461c0e91b182eff6a9828fe42496dbcnd    must be compiled into the server or loaded at runtime using the
d474d8ef01ec5c2a09341cd148851ed383c3287crbowen    <directive module="mod_so">LoadModule</directive> directive.</p>
d474d8ef01ec5c2a09341cd148851ed383c3287crbowen
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    <p>In addition, a location for the DAV lock database must be
4b575a6b6704b516f22d65a3ad35696d7b9ba372rpluem    specified in the global section of your <code>httpd.conf</code>
4b575a6b6704b516f22d65a3ad35696d7b9ba372rpluem    file using the <directive module="mod_dav_fs">DavLockDB</directive>
3f08db06526d6901aa08c110b5bc7dde6bc39905nd    directive:</p>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    <example>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd      DavLockDB /usr/local/apache2/var/DavLock
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    </example>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    <p>The directory containing the lock database file must be
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    writable by the <directive module="mpm_common">User</directive>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    and <directive module="mpm_common" >Group</directive> under which
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    Apache is running.</p>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    <p>You may wish to add a <directive module="core" type="section"
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    >Limit</directive> clause inside the <directive module="core"
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    type="section">Location</directive> directive to limit access to
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    DAV-enabled locations. If you want to set the maximum amount of
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    bytes that a DAV client can send at one request, you have to use
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    the <directive module="core">LimitXMLRequestBody</directive>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    directive. The "normal" <directive module="core"
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    >LimitRequestBody</directive> directive has no effect on DAV
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    requests.</p>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    <example><title>Full Example</title>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd      DavLockDB /usr/local/apache2/var/DavLock<br />
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd      <br />
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd       &lt;Location /foo&gt;<br />
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd       <indent>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd         Dav On<br />
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd         <br />
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd         AuthType Basic<br />
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd         AuthName DAV<br />
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd         AuthUserFile user.passwd<br />
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd         <br />
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd         &lt;LimitExcept GET OPTIONS&gt;<br />
5ae30adbe59946de742ab0cd6be3b7457471a698takashi         <indent>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd           require user admin<br />
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd         </indent>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd         &lt;/LimitExcept&gt;<br />
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd       </indent>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd       &lt;/Location&gt;<br />
5652dbe450e4fcfdf36d4cfb42d7f2345ded29a4maczniak    </example>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd   <p><module>mod_dav</module> is a descendent of Greg Stein's <a
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd   href="http://www.webdav.org/mod_dav/">mod_dav for Apache 1.3</a>.  More
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd   information about the module is available from that site.</p>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd</section>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd<section id="security"><title>Security Issues</title>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    <p>Since DAV access methods allow remote clients to manipulate
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    files on the server, you must take particular care to assure that
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    your server is secure before enabling <module>mod_dav</module>.</p>
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    <p>Any location on the server where DAV is enabled should be
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    protected by authentication.  The use of HTTP Basic Authentication
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    is not recommended. You should use at least HTTP Digest
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    Authentication, which is provided by the
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    <module>mod_auth_digest</module> module. Nearly all WebDAV clients
ed1d958582984a7c54a6ca859e15939a414fa733nd    support this authentication method. An alternative is Basic
ed1d958582984a7c54a6ca859e15939a414fa733nd    Authentication over an <a href="/ssl/">SSL</a> enabled
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd    connection.</p>
74f9e2dc9461c0e91b182eff6a9828fe42496dbcnd
74f9e2dc9461c0e91b182eff6a9828fe42496dbcnd    <p>In order for <module>mod_dav</module> to manage files, it must
ad74a0524a06bfe11b7de9e3b4ce7233ab3bd3f7nd    be able to write to the directories and files under its control
1cc20a8827ff6056399d64e3106b44d31e8e0e53nd    using the <directive module="mpm_common">User</directive> and
74f9e2dc9461c0e91b182eff6a9828fe42496dbcnd    <directive module="mpm_common">Group</directive> under which
d474d8ef01ec5c2a09341cd148851ed383c3287crbowen    Apache is running.  New files created will also be owned by this
d474d8ef01ec5c2a09341cd148851ed383c3287crbowen    <directive module="mpm_common">User</directive> and <directive
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    module="mpm_common">Group</directive>.  For this reason, it is
07dc96d063d49299da433f84b5c5681da9bbdf68rbowen    important to control access to this account.  The DAV repository
af33a4994ae2ff15bc67d19ff1a7feb906745bf8rbowen    is considered private to Apache; modifying files outside of Apache
0d0ba3a410038e179b695446bb149cce6264e0abnd    (for example using FTP or filesystem-level tools) should not be
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd    allowed.</p>
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd    <p><module>mod_dav</module> may be subject to various kinds of
6116c12fdd3ed06d388fe6572e50a22e9320dfa5nd    denial-of-service attacks.  The <directive
    module="core">LimitXMLRequestBody</directive> directive can be
    used to limit the amount of memory consumed in parsing large DAV
    requests.  The <directive
    module="mod_dav">DavDepthInfinity</directive> directive can be
    used to prevent <code>PROPFIND</code> requests on a very large
    repository from consuming large amounts of memory.  Another
    possible denial-of-service attack involves a client simply filling
    up all available disk space with many large files.  There is no
    direct way to prevent this in Apache, so you should avoid giving
    DAV access to untrusted users.</p>
</section>

<section id="complex"><title>Complex Configurations</title>

    <p>One common request is to use <module>mod_dav</module> to
    manipulate dynamic files (PHP scripts, CGI scripts, etc).  This is
    difficult because a <code>GET</code> request will always run the
    script, rather than downloading its contents.  One way to avoid
    this is to map two different URLs to the content, one of which
    will run the script, and one of which will allow it to be
    downloaded and manipulated with DAV.</p>

<example>
Alias /phparea /home/gstein/php_files<br />
Alias /php-source /home/gstein/php_files<br />
&lt;Location /php-source&gt;
<indent>
    DAV On<br />
    ForceType text/plain<br />
</indent>
&lt;/Location&gt;
</example>

    <p>With this setup, <code>http://example.com/phparea</code> can be
    used to access the output of the PHP scripts, and
    <code>http://example.com/php-source</code> can be used with a DAV
    client to manipulate them.</p>
</section>

<directivesynopsis>
<name>Dav</name>
<description>Enable WebDAV HTTP methods</description>
<syntax>Dav On|Off|<var>provider-name</var></syntax>
<default>Dav Off</default>
<contextlist><context>directory</context></contextlist>

<usage>
    <p>Use the <directive>Dav</directive> directive to enable the
    WebDAV HTTP methods for the given container:</p>

    <example>
      &lt;Location /foo&gt;<br />
      <indent>
        Dav On<br />
      </indent>
      &lt;/Location&gt;
    </example>

    <p>The value <code>On</code> is actually an alias for the default
    provider <code>filesystem</code> which is served by the <module
    >mod_dav_fs</module> module. Note, that once you have DAV enabled
    for some location, it <em>cannot</em> be disabled for sublocations.
    For a complete configuration example have a look at the <a
    href="#example">section above</a>.</p>

    <note type="warning">
      Do not enable WebDAV until you have secured your server. Otherwise
      everyone will be able to distribute files on your system.
    </note>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>DavMinTimeout</name>
<description>Minimum amount of time the server holds a lock on
a DAV resource</description>
<syntax>DavMinTimeout <var>seconds</var></syntax>
<default>DavMinTimeout 0</default>
<contextlist><context>server config</context><context>virtual host</context>
<context>directory</context></contextlist>

<usage>
    <p>When a client requests a DAV resource lock, it can also
    specify a time when the lock will be automatically removed by
    the server. This value is only a request, and the server can
    ignore it or inform the client of an arbitrary value.</p>

    <p>Use the <directive>DavMinTimeout</directive> directive to specify, in
    seconds, the minimum lock timeout to return to a client.
    Microsoft Web Folders defaults to a timeout of 120 seconds; the
    <directive>DavMinTimeout</directive> can override this to a higher value
    (like 600 seconds) to reduce the chance of the client losing
    the lock due to network latency.</p>

    <example><title>Example</title>
      &lt;Location /MSWord&gt;<br />
      <indent>
        DavMinTimeout 600<br />
      </indent>
      &lt;/Location&gt;
    </example>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>DavDepthInfinity</name>
<description>Allow PROPFIND, Depth: Infinity requests</description>
<syntax>DavDepthInfinity on|off</syntax>
<default>DavDepthInfinity off</default>
<contextlist><context>server config</context><context>virtual host</context>
<context>directory</context></contextlist>

<usage>
    <p>Use the <directive>DavDepthInfinity</directive> directive to
    allow the processing of <code>PROPFIND</code> requests containing the
    header 'Depth: Infinity'. Because this type of request could constitute
    a denial-of-service attack, by default it is not allowed.</p>
</usage>
</directivesynopsis>

</modulesynopsis>