WebDAV Home Directories

I decided I wanted to replace my netatalk file server1) with WebDAV, in a way that it would share the home directories and honor file permissions properly.

This is one of those where I bet the next four things I'd hear are “Why didn't you use x?!?!” where x equals NFS, SAMBA, FTP or whatnot. In short: because it works best. I used to use NFS a lot, and it has weird incompatibilities and things here and there that just don't work in this environment. My dislike of Windows administration rules out SAMBA. People understand HTTP, and it works everywhere. So: WebDAV.

Making that decision was easy; implementing it was more difficult. I ended up using the following tools

This isn't so much of a HOWTO as much as it is an explanation of the difficulties I experienced for my own notes.

Things I Noticed In Implementation

  • I needed to do a lot more permissions work for the actual server
  • To work in GNOME, DirectorySlash needed to be set off for WebDAV shares, as nautilus doesn't support redirects. For some reason. Didn't need to do that on the dev system, and I don't know why yet.

Apache

Biggest problem I faced with Apache was that WebDAV currently breaks if you have an index file, which gets in the way of working on web sites saved on my file server, and prevented me from using h5ai. I found some folks talking about it, with a work-around.

The work-around didn't work for me, so I pulled a patch out of the bug report. This was patched against Apache 2.4.10.

diff -Naur orig.httpd-2.4.10/modules/mappers/mod_dir.c httpd-2.4.10/modules/mappers/mod_dir.c
--- orig.httpd-2.4.10/modules/mappers/mod_dir.c	2014-12-11 01:39:08.977373387 -0800
+++ httpd-2.4.10/modules/mappers/mod_dir.c	2014-12-11 01:40:40.161734313 -0800
@@ -279,6 +279,10 @@
         return DECLINED;
     }
 
+	if (r->method_number != M_GET && r->method_number != M_POST) {
+		return DECLINED;
+	}
+
     if (d->checkhandler == MODDIR_ON && strcmp(r->handler, DIR_MAGIC_TYPE)) {
         return DECLINED;
     }
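Review bot: The added `if (r->method_number != M_GET && r->method_number != M_POST)` block is indented with tabs, while every context line in this hunk uses four-space indentation; re-indent it to match the file. It also carries no comment explaining why mod_dir should decline for every method other than GET and POST. A one-line comment stating that non-GET/POST requests on a directory (the WebDAV case this patch is for) must not be mapped to the index file would keep the intent next to the code, and would make it obvious to a later reader that POST is deliberately still allowed through to the `checkhandler` test below.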

After I applied that, directories worked fine. For simplicity in the future, I built it into an Arch Linux package. This is my taurball for that, if you like.

Also, if you have PHP turned on, make sure to turn it off with “php_flag engine Off” so you look at the code, not the output.

mod_authnz_external and pwauth

Exactly like it says on the tin. Set it up so external auth passes to pwauth as a pipe, so users can use the system passwords to log in. mod_authnz_external requires HTTP basic auth as far as I can see, so SSL is an absolute must unless you want system passwords leaking out all over the place.

I used a self-signed cert because why the hell not?

mpm-itk

I suppose there's several ways to skin this cat, but frankly, I know this plugin and I like the idea of using it for this. Works as it says on the tin. Each user has a virtual host. I suppose from a security perspective, that means that you know who's got files on the server, but I think I can live with that.

In each virtual host entry for the user, I'm changing the HTTP server to their UID and GID. That way, standard unix ownership applies.
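A sketch of how the pwauth and mpm-itk pieces described above fit together in one per-user virtual host. This is an added example, not the author's configuration: the user "alice", the hostname, the certificate, lock database and pwauth paths, and the choice of /home/alice as DocumentRoot are all assumptions.

```apache
# Added example, not the author's configuration. "alice", the hostname and
# every filesystem path below are assumptions.

# Server-wide: mod_authnz_external hands the credentials to pwauth over a pipe.
DefineExternalAuth pwauth pipe /usr/bin/pwauth

<VirtualHost *:443>
    ServerName alice.files.example.org
    DocumentRoot /home/alice

    # Basic auth sends the system password with every request: TLS only.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/server.key

    # mpm-itk: serve this vhost as alice, so ordinary Unix ownership and
    # mode bits decide what can be read or written. Deliberately not wrapped
    # in <IfModule>: if mpm-itk is missing, Apache refuses to start instead
    # of silently serving the home directory as the default httpd user.
    AssignUserID alice alice

    # The DAV lock database must be writable by the UID serving the request.
    DavLockDB /var/lib/dav/alice/DavLock

    <Directory /home/alice>
        Dav On
        # Nautilus does not follow the redirect to the trailing-slash URL.
        DirectorySlash Off

        # Hand back PHP source instead of executing it. The module
        # identifier depends on the PHP version that is installed.
        <IfModule php5_module>
            php_flag engine Off
        </IfModule>

        AuthType Basic
        AuthName "alice's files"
        AuthBasicProvider external
        AuthExternal pwauth

        # Weak: any account pwauth accepts gets in, and the request still
        # runs with alice's UID.
        #   Require valid-user
        # Tighter: only the owner of this virtual host.
        Require user alice
    </Directory>
</VirtualHost>
```

With `Require valid-user`, any system account could authenticate to this virtual host and then act on the files as alice, which defeats the point of switching UID per vhost; `Require user` ties the login to the vhost owner.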

h5ai

I wanted something nicer than the standard Apache auto-indexing for the file server if you look at it with a web browser. Being able to browse your filestore from the web seems like it could be useful functionality for getting files without having to set up WebDAV, also for ease of use for all of them not-me people.

I did have to make some changes to the code to fit in this environment, and the AUR package for h5ai needed some work to fit within Arch Linux's webapp guidelines2). To see what I did, my modified taurball is here. I've shared my changes with the author, but they're pretty basic changes, so I assume they'll come up with something nicer.

This isn't heavily tested yet, so if I discover any problems, I'll update this post.

1) we've only got one Mac OS desktop in significant use, and that probably only has a year or two left on it
2) which have some problems of their own, but it's better than nothing