mod_dav Installation and Configuration
2006-07-28 13:44
537 查看
mod_dav Installation and Configuration
This page details as much information as possible regarding the building, installation, and configuration of the mod_dav Apache module. This page does not cover installation of binary distributions of mod_dav, although the Apache configuration will still apply.Unix Build and Install Windows Build and Install Apache Configuration Setting Up the File Repository Other Notes Expat Build and Install (if necessary) | What to do if you have a problem Configuration for complex setups This section explains how to configure mod_dav when other "content handlers" such as mod_include, PHP, or CGI scripts are present. |
[ back to the main mod_dav page ]
Unix Build and Install
Step 1: ConfigurationThere are two general mechanisms for installing mod_dav into your Apache installation. The first method is to create a dynamically-loaded module using the "apxs" tool. The second method is to statically link mod_dav into the Apache executable.
Based on the method you choose, use one of the following configure commands:
./configure --with-apxs=/usr/local/apache/bin/apxs
or
./configure --with-apache=/usr/local/apache
Of course, you should use the path to your system's apxs executable or Apache build directory.
Note: if you use just
--with-apxs(no directory), then configure assumes that apxs is in your path. Note: sometimes, the APXS installation may be broken. If the configure process reports this, then please refer to a FAQ entry written by the PHP folks. It explains the problem quite well.
The configuration process will do its stuff. One of its tasks is to locate the Expat library (an XML parsing library). This library is included with Apache 1.3.9 and will automatically be found. If you have a previous version of Apache 1.3 (it must be at least Apache 1.3.4), then you will need a copy on your system. configure will look for it in /usr/{include,lib} and in /usr/local/{include,lib}. If it can't find it, then you will need to tell configure where it is on your system using the --with-expat=<dir> command line option. For example:
./configure --with-apxs=/usr/local/apache/bin/apxs --with-expat=/home/gstein/expat
If you need Expat, then please see the section at the end of this document for information on where to get Expat and how it must installed on your system.
Step 2: Build and Install
This is pretty simple. Just use the following two commands:
make
make installDynamic loading
If you chose to do a dynamically-loaded module using APXS, then your module will have been installed into Apache's runtime area.
Note: if using APXS and your Apache installation does not support loadable modules, then APXS will terminate with an error. Typically, we have seen the following error when this happens:
apxs:Break: Command failed with rc=16711680
If this happens, then you will need to rebuild and reinstall your Apache software with the
mod_somodule included. Note the reinstall part -- we've seen several cases where a new Apache was built and installed, but a new APXS was not (so the problems continued).
PHP has a FAQ entry about this problem that may help.
Static linking
If you chose to go with statically linking mod_dav into Apache, then mod_dav will have been partially compiled and placed into the Apache tree during the
make installstep. You are now ready to (re)configure and build Apache. When you configure Apache, there are two methods that you can choose. For the APACI-style (
./configurestyle), use the following command line option:
--activate-module=src/modules/dav/libdav.a
For the old-style configuration, add the following line to your
Configuration.tmplfile:
SharedModule modules/dav/libdav.aStep 3: Configure Apache See the Apache configuration section below.
Win32 Build and Install
Step 1: Expat installationExpat must be installed first. See the Expat section at the end of this document for instructions.
Step 2: Build
To build mod_dav using Microsoft Visual C++, simply issue the following command line from the directory containing the mod_dav files:
nmake /f mod_dav.mak
This builds an optimized version of mod_dav, located in
Release/mod_dav.dll.
mod_dav can also be built with Microsoft Visual Studio 5.0 or later using the supplied .dsp file.
Step 3: Install
For mod_dav installation, copy the following three files:
Release/mod_dav.dll expat/bin/xmlparse.dll expat/bin/xmltok.tll
to the directory where your Apache modules are located (
ServerRoot). If you use a precompiled binary, then just ensure the three DLLs are in the ServerRoot directory.
To add mod_dav to Apache, add the following line to the
httpd.conffile:
LoadModule dav_module mod_dav.dllStep 4: Configure Apache See the Apache configuration section below.
Apache Configuration
See the note on upgrading from 0.9.8 and prior versions.Loading the DAV Module
Apache must be informed about the mod_dav module through theAddmoduleand
LoadModuledirectives.
LoadModuleis used when mod_dav is dynamically loaded (i.e. built using APXS or you're on the Win32 platform). These configuration lines are (normally) inserted automatically on the Unix platforms (by APXS or the Apache build process), but the Win32 line needs to be added manually for that platform.
(this information is here for reference; if Apache does not recognize the mod_dav directives such as
DAVor
DAVLockDB, then you may be missing these configuration lines)
Unix platform, dynamic loading:
Loadmodule dav_module libexec/libdav.so Addmodule mod_dav.c
Unix platform, statically linked:
Addmodule mod_dav.c
Win32 platform:
Loadmodule dav_module mod_dav.dll
Addmodule mod_dav.c
Enabling DAV
Configuring the mod_dav module is quite simple, actually. Within a<Directory>or
<Location>directive in your Apache configuration file (i.e.
httpd.conf), simply insert the following line:
DAV On
If the
DAVdirective is within a
<Directory>directive, then DAV will be enabled for that particular directory and its subdirectories. For a
<Location>directive, then DAV will be enabled for that portion of the URL namespace.
The Lock Database
Next, add aDAVLockDBdirective at the top-level of your configuration file (i.e. outside of a
<Directory>or
<Location>directive). This directive should specify a filename that mod_dav will create. The directory should exist and should be writable by the web server process.
Note: the directory should not be on an NFS-mounted partition. mod_dav uses
flock/
fcntlto manage access to the database. Some operating systems cannot use these operations on an NFS-mounted partition.
In the following example, the DAV lock database will be stored in the
/usr/local/apache/vardirectory (which must be writable by the server process). The file's name will be
DAVLockwhen mod_dav needs to create it.
(actually, mod_dav will create one or more files using this file name plus an extension)
DAVLockDB /usr/local/apache/var/DAVLock
The
DAVLockDBdirective can appear outside of any container or within a
<VirtualHost>, it only needs to appear once, and a file extension should not be supplied.
Lock Timeout Minimums
An optional directive,DAVMinTimeout, specifies the minimum lifetime of a lock in seconds. If a client requests a lock timeout less than
DAVMinTimeout, then the
DAVMinTimeoutvalue will be used and returned instead. For example, Microsoft's Web Folders defaults to a lock timeout of 2 minutes; 10 minutes could be used to reduce network traffic and the chance that the client might lose a lock due to network latency.
The
DAVMinTimeoutdirective is optional, and may be used on a per-server or per-directory/location basis. It takes a single, non-negative integer. Since this value represents a minimum allowed, setting it to zero (0) will disable this feature. The default value for
DAVMinTimeoutis zero.
Preventing "Depth Infinity" PROPFINDs
APROPFINDrequest with a
Depth: Infinityheader can impose a large burden on the server. These kinds of requests could "walk" the entire repository, returning information about each resource found. mod_dav builds the response in memory, so these kinds of requests could potentially consume a lot of memory (the memory would be released at the end of the request, but the peak can be quite large).
To prevent these kinds of requests, the
DAVDepthInfinitydirective has been provided. It is a simple on/off directive, which can be used on a per-server or a per-directory/location basis. The default value for this directive is off, meaning these kinds of requests are not allowed.
NOTE: the WebDAV Working Group has stated that it is acceptable for DAV servers to refuse these kinds of requests. Properly written client software should not issue them, and you should not worry about disabling them.
Limiting XML Request Body Sizes
mod_dav will parse XML request bodies into memory. It would be a very effective "Denial of Service" attach to send a large request body at a mod_dav server. Apache defines a directive namedLimitRequestBodywhich will limit all methods' request bodies. Unfortunately, this is not an effective mechanism for a mod_dav server since large
PUToperations should be allowed.
To limit just the methods that have an XML request body, mod_dav defines the
LimitXMLRequestBodydirective. The default for this value is a compile-time constant, which is set to one million (1000000) bytes in the standard distribution. Setting the value to zero (0) will disable the size limit.
LimitXMLRequestBodymay be set on a per-server or a per-directory/location basis, and takes a single non-negative integer argument.
Sample Configuration
A sample configuration segment might look like:
|
Limiting DAV Access to Authorized Users
TheDAVand
DAVLockDBdirectives are the only two configuration changes necessary to operate a DAV server. However, it is usually best to secure the site to be writable only by specific users. This requires the use of the
<Limit>directive. Here is an example:
|
.htaccessfile into the target directory, altering your server configuration. The server may have already been configured to not read
.htaccessfiles, but it is best to make sure. Also, you may want to disallow other options within the DAV-enabled directory -- CGI, symbolic links, server-side includes, etc. Here is a modified configuration with the additional restrictions placed on it:
|
Using LimitExcept
Rather than using the <Limit>directive and specifying an exhaustive list of HTTP methods to secure, it is also possible to use the
<LimitExcept>directive. This directive applies the access restrictions to all methods except for the methods listed. For example, your configuration section might look like:
|
<Limit>directive is precise and explicit, but the
<LimitExcept>directive will automatically restrict methods that are added in the future.
PROPFIND Security
In the example configurations above, the PROPFIND method was limited, even though it is read-only. This is because the PROPFIND method can be used to list all the files in the DAV-enabled directory. For security purposes, you probably want the exact list of files to be hidden.An alternative would be to limit the PROPFIND to a group of people, a set of domains, or a set of hosts, while the methods that modify content are limited to just a few authors. This scenario allows, say, your company's employees to browse the files on the server, yet only a few people can change them. Anonymous (non-authenticated) visitors cannot browse or modify.
Finally, you can simply omit PROPFIND from the limits if your web server is intended as a general, read-only repository of files. This allows anybody to arbitrarily browse the directories and then to fetch the files.
Other Security Issues
Please refer to the security section, on the main mod_dav web page, for more information about security issues related to DAV and mod_dav in particular.Upgrading from version 0.9.8 or earlier
Previous versions did not contain aDAVLockDBdirective. You will need to add that for mod_dav to operate properly.
Setting Up the File Repository
mod_dav requires read/write access to the filesystem where the documents are stored. The following discussion uses Unix as an example; the Win32 platform will have similar concerns when used on an NTFS partition (where file/directory security is present).The need for read/write access means that the owner and group of the files will be that of the web server. For discussion, let's say that your Apache configuration file contains the following directives (among others!):
|
nobody" and as group "
www". mod_dav is going to need to read/write files in the
/home/www/davhomedirectory. A directory listing might look like this:
|
/home/www/davhomefile repository.
NOTE: the file repository is considered "private" to mod_dav and the web server. Modifying files via FTP or through filesystem commands should not be allowed. This is for a couple reasons:
External access may create files and directories with ownership or privileges that would prevent mod_dav from operating properly.
mod_dav does not use filesystem locking to protect the files from modification. Note that filesystem locking isn't even a guarantee [against changes] on many operating systems.
Other Notes
The DAV spec (RFC 2518) does not incorporate a security model. It relies on any web server and file system security that the administrator configures.On Unix machines, the web server process must have permission to write to the DAV-enabled directories and any files to be modified.
Local manipulation of files in a DAV-enabled directory is a bad thing. Specifically, DAV file locks are implemented by mod_dav, not the file system.
Expat Build and Install
James Clark's Expat parser is included in the source tree of Apache 1.3.9 and later. It is only necessary to obtain and build the Expat distribution when using an earlier version of Apache.On Windows precompiled Expat dlls are not shipped with the Apache distribution but are available with the mod_dav Win32 distribution.
If needed, James Clark's Expat parser is available from:
http://www.jclark.com/xml/ For Windows
Extract the Expat parser .zip into the directory where the mod_dav files are located, using the folders stored in the zip. Expat will be extracted into the
expat/subdirectory.
For Unix
Note that the expat Makefile does not automatically build the expat library. Add this rule to the
Makefile:
libexpat.a: $(OBJS) ar -rc $@ $(OBJS) ranlib $@
(don't forget to use tabs before the ar and ranlib lines there)
Then type:
make libexpat.a
And copy
libexpat.ato
/usr/local/liband
xmlparse/xmlparse.hto
/usr/local/include. If you wish to use a different directory, then you will need to pass that to
./configureusing the
--with-expatcommand line option.
What to do if you have a problem
Problems with the installation, configuration, or operation of mod_dav should be sent to the dav-dev mailing list. There are a number of people subscribed to that list who can help, so your chance of a speedy reply is much better than sending to Greg's (too-full) email inbox.Information you should include:
What versions of mod_dav and Apache are you using?
What client are you using to (attempt to) talk to your DAV-enabled server?
The relevant portions of your
httpd.conf
The relevant portions of your
error_logand
access_log
Are you attempting to talk to the DAV server through a proxy? There are known problems with many proxy servers.
To send mail to the dav-dev mailing list:
dav-dev@lyra.org
Information about subscribing to the mailing list, and a link to the list's archive:
http://dav.lyra.org/mailman/listinfo/dav-dev
Configuration for complex setups
Apache has a particular design restriction in that only one "content handler" is allowed to process a request. There are multiple stages involving authorization, access checking, MIME type handling, etc, but there is only one content handler.This content handler is specified with directives such as
SetHandler,
AddHandler, or indirectly by mapping a MIME type to a handler. Apache modules may also assert themselves as the handler during the request processing. mod_dav asserts itself this way when the
DAVdirective has enabled DAV for a particular directory or location. Content handlers may decide to assert themselves based on the request method; for example, mod_dav will be the content handler for methods such as
PUT,
DELETE, and
PROPPATCH, but not for the
GETmethod (which is left to be handled by other modules or Apache itself).
Once a content handler is identified for a request, then it will perform the bulk of the processing: it will manage the body of the request, and it will construct the response.
The problem that crops up is that many modules will assert themselves as the content handler regardless of the request method. When a DAV client issues a
PROPFIND, it will be intercepted by the other module, rather than mod_dav. This is actually reasonable, when you consider that a PHP or CGI script is perfectly capable of responding to a
PROPFIND. It is just that we want mod_dav to do it.
In the sections below, I'll cover some general problems and their solutions.
Web Folders fails when copying a dynamic resource
Problem: You are attempting to copy a dynamic resource, such as a CGI script, a server-parsed file (.shtml), or a PHP file, and you get an error dialog that reads:
An error occurred copying some or all of the selected files.
This is caused by the server-side script not returning a
Last-Modifiedheader. If the script can support returning headers (e.g. CGI or PHP), then it should be modified to ensure that a Last-Modified header is returned.
NOTE: the recommendation below has been found to NOT work. It inserts a constant Last-Modified time onto a dynamic script. Users' browsers and proxies will see the constant time and believe that the output has not changed. At this time, there is no specific answer to the problem.
If the script cannot return headers (such as a server-parsed HTML file (
.shtml)), then you can update your Apache installation to include the mod_headers module. Next, add a configuration section to your
httpd.confsimilar to the following:
|
Note: I have not performed exhaustive tests to discover the ramifications of forcing a
Last-Modifiedheader to a fixed time. In my tests, this allows Web Folders to perform the copy successfully, and Internet Explorer seems to be fine with it.
I'm getting PHP output rather than the source
This is caused by the simple fact that aGETis always going to run the script. There is no way to distinguish a "
GETfor the result" and a "
GETfor authoring."
Note: this problem applies to any server-side scripting solution. It is not specific to PHP. For demonstrations sake, I will use PHP as an example.
PHP and mod_dav will also conflict when they each attempt to handle the different HTTP request methods. This is caused by the simple fact that both modules are configured for the same location or directory, and are competing for acting as the content handler.
There are several ways to fix this. They all solve the problem by providing a separate URL to access the PHP source. In one scenario, you can provide a simple "source" URL:
|
|
In each of these ways to fix the problem, we are taking advantage of the fact that there are different URL namespaces that map to the same, underlying filesystem space. By attaching different processing to the URL spaces, we can create different behaviors during the translation to the filesystem space.
Finally, I believe that it may be possible to ensure that mod_dav occurs later in the
AddModuledirectives, thus making mod_dav be the content handler for methods besides
GET. If PHP is later in the list, then it will end up handling all methods. This trickery does not solve the authoring problem, however.
Greg Stein
Last modified: Wed Jun 28 00:18:59 PDT 2000
相关文章推荐
- CentOS SSH Installation And Configuration
- Eclipse主要插件Lomboz介绍(2)_Installation and Configuration
- OpenLDAP Installation and Configuration Guide
- Apache Mod cache usage and configuration
- Oracle GoldenGate Veridata Installation and Configuration
- Red Hat Enterprise MRG 2.0 Installation And Configuration Guide
- Grub installation and configuration
- smokeping:installation and configuration
- tomcat installation and configuration guide
- Solr Installation and Configuration
- Installation and Configuration MySQL Cluster 7.2 on CentOS 5 (include MySQL 5.5)
- MySQL Cluster 7.3.5 installation and configuration
- P6 Professional Installation and Configuration Guide (Microsoft SQL Server Database) 16 R1
- Redmine Installation and Configuration in Linux
- HAProxy Installation and Configuration on CentOS 6.4 to Mitigate The Effects of Abusive Clients--转
- skpye 4.3 installation and configuration in linux CentOS 7 / RHEL 7 / Fedora 20
- Simple Event Correlation installation and configuration
- Dovecot installation and configuration on CentOS
- minicom installation and configuration on ubuntu
- Openstack: Single node Installation and External Network Accessing Configuration Guide