WebDAV CGI - Documentation
- Requirements
- Installation
- Upgrade
- WebDAV CGI Setup
- Hints
- Database Setup
- UID/GID Wrapper
- Folder Sharing / Group Access
- Web interface
- Backends: AFS, GFS, SMB/CIFS, DBB, ...
- Performance
- Mod_Perl Support
- Security
- Troubleshooting Guide
Requirements
- all required Perl modules: see Installation
- a database (SQLite3, PostgreSQL, MySQL, ... (all supported by a Perl DBI driver))
- a Web server software (Apache recommended)
- a little bit configuration: Apache setup (see Installation) and a WebDAV CGI Setup
- WebDAV CGI works only with a UNIX/Linux server (Ubuntu 14.04/16.04 recommended, Windows/MacOS-X not tested and not supported)
You do not need mod_dav for the Apache Web server. WebDAV CGI replaces mod_dav completely.
WebDAV CGI supports two authentication schemes:
- Basic authentication as described in the following instruction
- Session or form-based authentication
Installation
Note: All steps are done with root rights.
Upgrade Note: Please take a look at the Upgrade section for further information.
- download WebDAV CGI (note: not necessary for Gentoo)
- install required CPAN modules (Debian/Ubuntu package name):
- CGI (included in most Linux dists; older dists need that: libcgi-perl)
- DBI (libdbi-perl) and a database driver, e.g. DBD::SQLite (libdbd-sqlite3-perl) - (since v0.3.0)
- Date::Parse (libtimedate-perl) - (since v0.2.1)
- OSSP::uuid (libossp-uuid-perl or from http://www.ossp.org/pkg/lib/uuid/) - (since v0.3.0) (since v0.8.0 replaced by UUID::Tiny)
- UUID::Tiny (libuuid-tiny-perl) - (since v0.8.0)
- XML::Simple (libxml-simple-perl)
- Quota (libquota-perl) - (since v0.3.4)
- Archive::Zip (libarchive-zip-perl) - (since v0.5.0)
- Image::Magick (perlmagick) - (since v0.5.1) (since v0.5.3 replaced by Graphics::Magick)
- Graphics::Magick (libgraphics-magick-perl or http://www.graphicsmagick.org/perl.html) - (since v0.5.3)
- File::Spec::Link (libfile-copy-link-perl) - (since v0.5.2)
- IO::Compress::Gzip (included in most Linux dists) - (since v0.7.0)
- IO::Compress::Deflate (included in most Linux dists) - (since v0.7.0)
- IO::Compress::Brotli - (since v1.1.2)
- Module::Load (included in most Linux dists, older need libmodule-load-perl) - (since v0.8.0)
- optional (for SMB backend): Filesys::SmbClient (libfilesys-smbclient-perl) - (since v0.8.0)
- optional (for RCS backend): Rcs (librcs-perl) - (since v0.8.0)
- JSON (libjson-perl) - (since v0.8.5)
- DateTime - (since v0.8.5)
- DateTime::Format::Human::Duration (libdatetime-format-human-duration-perl) - (since v0.8.5)
- Image::ExifTool (libimage-exiftool-perl) - (since v1.0.1)
- List::MoreUtils (liblist-moreutils-perl) - (since v1.1.0)
- optional for SendByMail extension: MIME::Entity (libmime-tools-perl) - (since v0.9.1)
- optional for LDAP address book of SendByMail extension: Net::LDAP (libnet-ldap-perl) - (since v0.9.1)
- optional for Kerberos helpers in conjunction with mod_perl (AFS, SMB): Env::C - (since v1.0.0)
- optional for AFS Kerberos helpers in conjunction with mod_perl: AFS::PAG - (since v1.0.1)
Install the modules with 'perl -MCPAN -e "install <ModuleName>"' or with 'apt-get install <PackageName>'.
    ## Debian/Ubuntu quick install:
    apt install libdbi-perl libdbd-sqlite3-perl sqlite3 libtimedate-perl \
        libuuid-tiny-perl libxml-simple-perl libquota-perl \
        libarchive-zip-perl libgraphics-magick-perl libmodule-load-perl \
        libfile-copy-link-perl libjson-perl libdatetime-perl \
        libmime-tools-perl libnet-ldap-perl libimage-exiftool-perl \
        liblist-moreutils-perl libcgi-session-perl libwww-csrf-perl \
        libdatetime-format-human-duration-perl
    cpan install IO::Compress::Brotli
    ## only for PostgreSQL users:
    apt install libdbd-pg-perl
    ## only for MySQL users:
    apt install libdbd-mysql-perl
    ## only for SMB backend users:
    apt install libfilesys-smbclient-perl smbclient krb5-user
    ## only for RCS backend users:
    apt install librcs-perl
    ## only for AFS users:
    apt install openafs-client krb5-user openafs-krb5 libafs-pag-perl
    ## for mod_perl users with Kerberos (SMB, AFS) authentication:
    cpan install Env::C
- install additional binaries/packages for a better WebDAV CGI experience:
- Ghostscript - allows the web interface of WebDAV CGI to generate thumbnails for PDF/PS files (Debian/Ubuntu package: ghostscript)
- smbclient (only for SMB backend users) - allows the web interface to show quota information (Debian/Ubuntu package: smbclient)
- kinit (only for SMB and AFS backend users) - allows you to omit mod_auth_kerberos (Debian/Ubuntu package: krb5-user)
- libreoffice - allows file conversions
    ## Debian/Ubuntu quick install:
    apt install ghostscript
    ## only for SMB backend users:
    apt install smbclient
    ## only for SMB and AFS backend users:
    apt install krb5-user
    ## for ODFConverter extension:
    apt install libreoffice

    ## Gentoo quick install:
    emerge -va app-text/ghostscript-gpl
    ## only for SMB backend users:
    emerge -va net-fs/cifs-utils
    ## only for SMB and AFS backend users:
    emerge -va app-crypt/heimdal
- install locales
    ## Debian/Ubuntu quick install:
    rm -f /var/lib/locales/supported.d/webdavcgi
    for l in de_DE en_US fr_FR it_IT hu_HU ; do
        fgrep $l /usr/share/i18n/SUPPORTED >> /etc/locale.gen
    done
    locale-gen
- change directory to your preferred installation path, e.g. cd /etc
- install WebDAV CGI: unzip webdavcgi-latest.zip or tar jxf webdavcgi-latest.tar.gz2 (Gentoo: emerge -va www-apps/webdavcgi)
- OR clone the Git repo (preferred):
    git clone https://github.com/DanRohde/webdavcgi.git
- change directory to the source base (e.g. cd webdavcgi*) and call bash install.sh to compile all wrappers and to fix file permissions
- configure webdav.pl
- configure your web server:
  - you can do that with rewrite rules (recommended)
  - or with a handler action (unsupported)
    a2enmod rewrite
  - and don't forget to take a look at the backend specific configuration: AFS, GFS, SMB/CIFS, DBB, or RCS

    ### EXAMPLE 1: a complete (virtual) server root handled by WebDAV CGI:
    ScriptAlias /webdavcgi /etc/webdavcgi/cgi-bin/webdavwrapper
    # ScriptAlias /logout /etc/webdavcgi/cgi-bin/logout
    <Location /webdavcgi>
        AuthType Basic
        AuthName "WebDAV space"
        AuthUserFile /path-to-my-auth-file
        Require valid-user
    </Location>
    RewriteEngine On
    # RewriteRule /logout - [L]
    RewriteRule ^/ /webdavcgi [PT,E=WEBDAVCONF:/etc/webdav.conf,E=PERLLIB:/etc/webdavcgi/lib/perl,L]

    ### EXAMPLE 2: a virtual path /webdav
    ScriptAlias /webdavcgi /etc/webdavcgi/cgi-bin/webdavwrapper
    # ScriptAlias /webdav/logout /etc/webdavcgi/cgi-bin/logout
    <Location /webdavcgi>
        AuthType Basic
        AuthName "WebDAV space"
        AuthUserFile /path-to-my-auth-file
        Require valid-user
    </Location>
    # if you want to map this to a real path, do that:
    # (and setup $VIRTUAL_BASE='/webdav/?' and $DOCUMENT_ROOT in your WebDAV CGI config)
    RewriteEngine On
    # RewriteRule ^/webdav/logout - [L]
    RewriteRule ^/webdav /webdavcgi [PT,E=WEBDAVCONF:/etc/webdav.conf,E=PERLLIB:/etc/webdavcgi/lib/perl,L]

    ### EXAMPLE 3: a .htaccess file to handle a complete folder with WebDAV CGI:
    ### Prerequisites: /webdavcgi is a script alias
    ## (ScriptAlias /webdavcgi /etc/webdavcgi/cgi-bin/webdavwrapper) and
    ### 'AllowOverride AuthConfig FileInfo' is set for the current folder
    RewriteEngine On
    RewriteRule .* /webdavcgi [E=WEBDAVCONF:/etc/webdav.conf,E=PERLLIB:/etc/webdavcgi/lib/perl]
    AuthType Basic
    AuthName "A protected WebDAV folder"
    AuthUserFile /path-to-my-auth-file
    Require valid-user
Upgrade
Upgrading from 1.1.2 to 1.1.3
- $MIMEFILE default changed to /etc/mime.types
Upgrading from 1.1.1 to 1.1.2
- Brotli compression was added: Perl module IO::Compress::Brotli required (cpan install IO::Compress::Brotli)
- The web interface was refactored:
  - folder upload was implemented (by form and D&D) and can be disabled with $ALLOW_FOLDERUPLOAD=0; in webdav.conf
  - $HEADER and $LANGSWITCH defaults were changed
  - menus in toolbar and navigation bar are allowed now
  - the new $ALLOW_PATHINFO (default: 0) enables former enabled path input in toolbar (quick navigation) again
- The new Localizer extension allows an easy translation of the Web interface (locales and help files).
- The new extension MotD is activated by default now and shows /etc/motd as a dialog to the web users of WebDAV CGI.
Upgrading from 1.1.0 to 1.1.1
- Feedback extension was added.
- SaveSettings extension was added.
- Some config variables were added:
  - $OPTIMIZERTMP - contains absolute path for caches: message, CSS, JS (default: /tmp)
  - $READBUFSIZE - contains buffer size for local file reads (default: 65536)
Upgrading from 1.0.0 to 1.1.0
- A new Perl module is required: List::MoreUtils (Debian/Ubuntu: apt-get install liblist-moreutils-perl)
- The new ImageInfo extension needs the additional Perl module Image::ExifTool (Debian/Ubuntu: apt-get install libimage-exiftool-perl, CPAN: perl -MCPAN -e "install Image::ExifTool")
- It's now possible to use AFS in conjunction with mod_perl and without mod_waklog, but it makes it necessary to install a new Perl module: AFS::PAG (Debian: apt-get install libafs-pag-perl or perl -MCPAN -e "install AFS::PAG").
- GPXViewer extension was added.
- QuickToggle extension was added.
- VideoJS extension was added.
- A statusbar was added (see settings dialog).
- Hungarian language was added. Don't forget to add the necessary locale hu_HU.UTF-8 UTF-8
- New config variables were added and can be used for an easier upgrade (don't change these variables) if you use them for your @EXTENSIONS list in your webdav.conf, e.g. @EXTENSIONS = (@DEFAULT_EXTENSIONS, @EXTRA_EXTENSIONS);:
  - @DEFAULT_EXTENSIONS - contains a list of useful extensions
  - @AFS_EXTENSIONS - contains a list of AFS backend related extensions
  - @EXTRA_EXTENSIONS - contains a list of special extensions (e.g. GPXViewer, SourceCodeViewer, HexDump, SendByMail)
  - @PUB_EXTENSIONS - contains a list of public URI extensions
  - @DEV_EXTENSIONS - contains a list for WebDAV CGI developers (e.g. PropertiesViewer, SysInfo)
Upgrading from 0.9.0 to 1.0.0
- The database schema has some bugs so it needs an update (please kill all speedy processes before you start with the database schema changes):
    # PostgreSQL:
    ALTER TABLE webdav_locks ALTER COLUMN basefn TYPE varchar(5000);
    ALTER TABLE webdav_locks ALTER COLUMN fn TYPE varchar(5000);
    ALTER TABLE webdav_locks ALTER COLUMN type DROP not null;
    ALTER TABLE webdav_props ALTER COLUMN fn TYPE varchar(5000);

    # MySQL:
    ALTER TABLE webdav_locks MODIFY basefn varchar(5000) not null;
    ALTER TABLE webdav_locks MODIFY fn varchar(5000) not null;
    ALTER TABLE webdav_locks MODIFY type varchar(255);
    ALTER TABLE webdav_props MODIFY fn varchar(5000) not null;

    # SQLite:
    DROP INDEX webdav_locks_idx1;
    DROP INDEX webdav_locks_idx2;
    DROP INDEX webdav_locks_idx3;
    DROP INDEX webdav_locks_idx4;
    ALTER TABLE webdav_locks RENAME TO webdav_locks_old;
    DROP INDEX webdav_props_idx1;
    DROP INDEX webdav_props_idx2;
    ALTER TABLE webdav_props RENAME TO webdav_props_old;
    CREATE TABLE webdav_locks (basefn VARCHAR(5000) NOT NULL, fn VARCHAR(5000) NOT NULL, type VARCHAR(255), scope VARCHAR(255), token VARCHAR(255) NOT NULL, depth VARCHAR(255) NOT NULL, timeout VARCHAR(255) NULL, owner TEXT NULL, timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP);
    CREATE TABLE webdav_props (fn VARCHAR(5000) NOT NULL, propname VARCHAR(255) NOT NULL, value TEXT);
    CREATE INDEX webdav_locks_idx1 ON webdav_locks (fn);
    CREATE INDEX webdav_locks_idx2 ON webdav_locks (basefn);
    CREATE INDEX webdav_locks_idx3 ON webdav_locks (fn,basefn);
    CREATE INDEX webdav_locks_idx4 ON webdav_locks (fn,basefn,token);
    CREATE INDEX webdav_props_idx1 ON webdav_props (fn);
    CREATE INDEX webdav_props_idx2 ON webdav_props (fn,propname);
    INSERT INTO webdav_locks SELECT * FROM webdav_locks_old;
    INSERT INTO webdav_props SELECT * FROM webdav_props_old;
    DROP TABLE webdav_locks_old;
    DROP TABLE webdav_props_old;
- mod_perl is now supported for AFS and SMB backends
- ZIP download and upload moved to the new extension Zip. Expand your extension list to activate it: @EXTENSIONS = ( 'Zip', ...);
- The AFS Group Manager is an extension now. Add 'AFSGroupManager' to your extensions list to activate it.
- The AFS ACL Manager is an extension now. Add 'AFSACLManager' to your extensions list to use it.
- Search support was moved to a new extension (Search). Expand your extension list to enable search: @EXTENSIONS=('Search',...);
- The option '$ALLOW_EDIT' was removed, instead use or not use the 'TextEditor' extension: @EXTENSIONS=('TextEditor',....);
- The option '@EDITABLEFILES' was removed, instead configure the 'TextEditor' extension: $EXTENSION_CONFIG{TextEditor}{editablefiles}=\@EDITABLEFILES;
- A lot of new extensions were added (activation: @EXTENSIONS= ('ExtensionName1', 'ExtensionName2', ... );):
  - AFSACLManager - enables AFS ACL management
  - AFSGroupManager - enables AFS Group management
  - Diff - compares two files/folders
  - DiskUsage - shows disk usage for folders
  - Download - adds a download button
  - HexDump - shows a hexdump
  - Highlighter - colorize text and backgrounds of files and folders
  - History - shows a folder history
  - ODFConverter - converts between Open Document file formats and other Office file formats
  - Permissions - manage POSIX file permissions (user,group,others:rwxst)
  - PosixAclManager - allows POSIX ACL changes
  - Redirect - redirects folders to any web page
  - Search - enables file/content search support
  - SendByMail - sends files/folders by e-mail (Perl module MIME::Entity from MIME tools required; Debian/Ubuntu: apt-get install libmime-tools-perl)
  - SourceCodeViewer - shows syntax highlighted source code
  - TextEditor - allows text file modifications
  - ViewerJS - shows OpenDocument and PDF files
  - Zip - allows ZIP download for files/folders and ZIP upload with decompression
Upgrading from 0.8.6 to 0.9.0
- The classic view and the sidebar view are removed from code base.
- %UI_ICONS configuration variable is obsolete and was removed
- The complete backend configuration was changed:
  - %FSVLINK=(...); was replaced by $BACKEND_CONFIG{FS}{fsvlink}={...};
  - %SMB=(...); was replaced by $BACKEND_CONFIG{SMB}={...};
  - %RCS=(...); was replaced by $BACKEND_CONFIG{RCS}={...};
  - $GFSQUOTA='...'; was replaced by $BACKEND_CONFIG{GFS}{quota}='...';
  - $AFS_FSCMD='...'; was replaced by $BACKEND_CONFIG{AFS}{fscmd}='...';
  - $AFSQUOTA='...'; was replaced by $BACKEND_CONFIG{AFS}{quota}='...';
  - %DBB=(...); was replaced by $BACKEND_CONFIG{DBB}={...};
- An extension configuration variable was added: %EXTENSION_CONFIG
Upgrading from 0.8.5 to 0.8.6
- The Simple View:
  - Home button template was changed: data-action="changeuri" was replaced by class="action changeuri" (see The Simple View Documentation)
Upgrading from 0.8.4 to 0.8.5
- the SVN repository URL has changed:
    svn switch --relocate https://webdavcgi.svn.sourceforge.net/svnroot/webdavcgi/trunk http://svn.code.sf.net/p/webdavcgi/code/trunk
- the default view was changed from 'sidebar' to 'simple'
- new Perl modules are needed:
  - JSON (Ubuntu/Debian package: libjson-perl)
  - DateTime (Ubuntu/Debian package: libdatetime-perl)
  - DateTime::Format::Human::Duration (CPAN)
- SMB backend: the new optional flag 'secure' was added to enable a URL check for allowed servers and shares
Upgrading from 0.8.3 to 0.8.4
- The new install.sh script does not copy or link webdav.pl and webdavwrapper to your cgi-bin directory. You can add/change ScriptAliases to use webdav.pl or a webdavwrapper from your installation src, e.g.
    ScriptAlias /webdavcgi /etc/webdavcgi/cgi-bin/webdavwrapper
    RewriteRule ^/ /webdavcgi [PT,L,E=WEBDAVCONF:/etc/webdav.conf,E=PERLLIB:/etc/webdavcgi/lib/perl]
    <Location /webdavcgi>
        AuthType Basic
        AuthUserFile /etc/apache2/webabusers
        AuthName "WebDAV space"
        Require valid-user
    </Location>
- AFS backend:
  - Speedy support for AFS was added and a mod_auth_kerberos free installation is now possible:
    - a new setuid/setgid wrapper was added: helper/webdavwrapper-afs.c (mod_waklog isn't required if you use webdavwrapper-afs.c)
    - a PAG script was added: cgi-bin/afswrapper
    - visit AFS section for details
  - mod_waklog is no longer required for AFS
- SMB backend:
  - a wrapper for mod_auth_kerberos free installation was added
  - username/password/workgroup authentication support was added
Upgrading from 0.8.2 to 0.8.3
- changed @UNSELECTABLE_FOLDERS default to () (relevant for AFS backend users)
- changed helper/webdavwrapper-smb.c to fix a Kerberos ticket bug (relevant for SMB backend users)
Upgrading from 0.8.1 to 0.8.2
- see Speedy support section to improve the WebDAV CGI performance
Upgrading from 0.8.0 to 0.8.1
- %AUTOREFRESH was added for the new auto-refresh feature
Upgrading from 0.7.x to ≥0.8.0
- a new Perl module is needed: Module::Load (Ubuntu/Debian package: libmodule-load-perl)
- OSSP::uuid Perl module was replaced by UUID::Tiny (Ubuntu/Debian package: libuuid-tiny-perl)
- WebDAV CGI comes with some own modules so you need to set an additional Perl library path:
  - add E=PERLLIB:/etc/webdavcgi/lib/perl to your rewrite rule options in the Apache configuration
  - OR add SetEnv PERLLIB /etc/webdavcgi/lib/perl to your Apache configuration (don't forget to activate/install env module, e.g. a2enmod env; /etc/init.d/apache restart)
  - OR change shebang of webdav.pl to #!/usr/bin/perl -I/etc/webdavcgi/lib/perl
- $IGNOREFILEPERMISSIONS config variable was removed
- $BACKEND variable was added and is required (allowed values: 'FS', 'AFS', 'GFS', 'SMB', 'DBB')
- $SHOW_MIME and $SHOW_PERM were removed: use the new options @ALLOWED_TABLE_COLUMNS and @VISIBLE_TABLE_COLUMNS instead
- %MIMETYPES format was changed: only a single filename suffix is allowed as a key (instead of a space separated list of suffixes); please use $MIMEFILE instead
- @EXTENSIONS parameter was added: contains a list of extensions
- $ENABLE_SYSINFO was removed: add 'SysInfo' to the @EXTENSIONS list
- $ENABLE_PROPERTIES_VIEWER was removed: add 'PropertiesViewer' to the @EXTENSIONS list
- $ENABLE_SIDEBAR was removed: use @SUPPORTED_VIEWS instead
- $MAXLASTMODIFIEDSIZE was removed
- $MAXNAVPATHSIZE was added
Upgrading from ≤0.6.x to ≥0.7.x
- two new Perl modules are used by WebDAV CGI: IO::Compress::Gzip and IO::Compress::Deflate (both are integrated in most Linux dists)
- WebDAV CGI is no longer a single file distribution therefore:
  - unpack the new installation package in your preferred installation path, e.g.
      cd /etc; unzip webdavcgi-0.7.?.zip
  - link the path for easier upgrades, e.g.
      ln -s /etc/webdavcgi-0.7.? /etc/webdavcgi
  - copy the webdav.pl script to your CGI directory and allow execution, e.g.
      cp /etc/webdavcgi/cgi-bin/webdav.pl /usr/lib/cgi-bin
      chmod a+x /usr/lib/cgi-bin/webdav.pl
  - add the $INSTALL_BASE variable to your existing /etc/webdav.conf, e.g.
      echo "\$INSTALL_BASE='/etc/webdavcgi/';" >> /etc/webdav.conf
  - check your config file and modules, e.g.
      #> perl -c /etc/webdav.conf
      webdav.conf syntax OK
      #> perl -I/etc/webdavcgi/lib/perl -c /usr/lib/cgi-bin/webdav.pl
      webdav.pl syntax OK
      #> bash /etc/webdavcgi/checkenv
      +++ Checking perl:
      perl /usr/bin/perl
      ++++ Checking required modules:
      CGI installed
      DBI installed
      POSIX installed
      File::Temp installed
      Date::Parse installed
      UUID::Tiny installed
      XML::Simple installed
      Quota installed
      Archive::Zip installed
      IO::Compress::Gzip installed
      IO::Compress::Deflate installed
      Digest::MD5 installed
      Module::Load installed
      ++++ Checking optional modules:
      DBD::SQLite installed
      DBD::mysql installed
      DBD::Pg installed
      ++++ Checking required modules for FS backend:
      File::Spec::Link installed
      ++++ Checking required modules for AFS backend:
      File::Spec::Link already checked
      ++++ Checking required modules for GFS backend:
      File::Spec::Link already checked
      ++++ Checking required modules for SMB backend:
      Filesys::SmbClient installed
      ++++ Checking required modules for RCS backend:
      Rcs installed
      ++++ Checking optional binaries:
      smbclient /usr/bin/smbclient
      #### Summary:
      All modules found.
      All binaries found.
- WebDAV CGI has a new Web interface and some configuration defaults were changed and new options were added. See CHANGELOG in your installation path and take a look into webdav.pl for further information.
WebDAV CGI Setup
WebDAV CGI is easier to upgrade if you use a configuration file instead of changing the setup section of webdav.pl.
- Create a /etc/webdav.conf with a minimal setup and don't forget to fix file permissions (chmod a+r /etc/webdav.conf):
    ## the install base is needed to find webdav-ui.* and locale files
    ## (don't forget the trailing slash):
    $INSTALL_BASE = '/etc/webdavcgi/';
    ## the backend module (supported: FS, AFS, GFS, SMB, DBB, RCS, GIT):
    $BACKEND = 'FS';
    ## this is an example if a user starts with home dir (http://mywebdavserver/ -> user home):
    $VIRTUAL_BASE = '/';
    $DOCUMENT_ROOT = '/home/'.$ENV{REMOTE_USER}.'/';
    ## if you use a complex home folder structure, try this:
    # $DOCUMENT_ROOT=(getpwnam($ENV{REMOTE_USER}))[7].'/';
    $DBI_SRC='dbi:SQLite:dbname=/tmp/webdav.'.$ENV{REMOTE_USER}.'.db';
    $DBI_USER='';
    $DBI_PASS='';
    $CREATE_DB = !-e '/tmp/webdav.'.$ENV{REMOTE_USER}.'.db';
- Please take a look at backend specific configuration sections AFS, GFS, SMB/CIFS, DBB, RCS, GIT
- Set up your database
- If you need to change other options, take a look at etc/webdav.conf.complete
- Enable session or form-based authentication if needed.
- There are a lot of extensions to activate.
- Don't forget to check the config file syntax: perl -c /etc/webdav.conf
- configure your Apache web server
Hints
Apache and webdav.pl setup:
- You can use Apache's 'SetEnv VAR VAL' or 'RewriteRule ... [E=VAR:VAL]' in conjunction with '$ENV{VAR}' in your config to setup WebDAV CGI. This allows you a path based, virtual host based or user based configuration.
- see Performance section for more.
- RedHat/Fedora/CentOS: see https://bugzilla.redhat.com/show_bug.cgi?id=527143#c2
- You can use Image::Magick instead but it makes trouble in conjunction with Speedy:
    sed -i -e 's@Graphics::Magick@Image::Magick@g' \
        checkenv \
        lib/perl/WebInterface/Renderer.pm
Database Setup
Common Instructions
- Install the necessary Perl DBI driver (Debian/Ubuntu package: libdbd-...-perl)
- Create the database and the schema
- Configure WebDAV CGI ($DBI_SRC, $DBI_USER, $DBI_PASS)
SQLite 3
- DBI driver for SQLite3: Debian/Ubuntu package: libdbd-sqlite3-perl
- You can use the auto create feature ($CREATE_DB=1;)
- Example config:
    $DBI_SRC='dbi:SQLite:dbname=/tmp/webdav.'.$ENV{REMOTE_USER}.'.db';
    $DBI_USER="";
    $DBI_PASS="";
    $CREATE_DB = !-e '/tmp/webdav.'.$ENV{REMOTE_USER}.'.db';
PostgreSQL
- DBI driver for PostgreSQL: Debian/Ubuntu package: libdbd-pg-perl
- Disable the auto create feature ($CREATE_DB = 0;) and create the database schema with the following statements (the database 'webdavcgi' must exist), e.g.:
    ## Ubuntu/Debian:
    apt-get install postgresql postgresql-client
    su - postgres
    createuser webdavcgi -P
    createdb -O webdavcgi webdavcgi
    psql webdavcgi <<EOF
    CREATE TABLE webdav_locks (basefn VARCHAR(5000) NOT NULL, fn VARCHAR(5000) NOT NULL, type VARCHAR(255), scope VARCHAR(255), token VARCHAR(255) NOT NULL, depth VARCHAR(255) NOT NULL, timeout VARCHAR(255) NULL, owner TEXT NULL, timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP);
    CREATE TABLE webdav_props (fn VARCHAR(5000) NOT NULL, propname VARCHAR(255) NOT NULL, value TEXT);
    CREATE INDEX webdav_locks_idx1 ON webdav_locks (fn);
    CREATE INDEX webdav_locks_idx2 ON webdav_locks (basefn);
    CREATE INDEX webdav_locks_idx3 ON webdav_locks (fn,basefn);
    CREATE INDEX webdav_locks_idx4 ON webdav_locks (fn,basefn,token);
    CREATE INDEX webdav_props_idx1 ON webdav_props (fn);
    CREATE INDEX webdav_props_idx2 ON webdav_props (fn,propname);
    GRANT ALL ON ALL TABLES IN SCHEMA public TO webdavcgi;
    EOF
- Example config:
    $DBI_SRC='dbi:Pg:dbname=webdavcgi;host=localhost;port=5432';
    $DBI_USER='webdavcgi';
    $DBI_PASS='changeme';
    $CREATE_DB = 0;
MySQL
- DBI driver for MySQL: Debian/Ubuntu package: libdbd-mysql-perl
- Disable the auto create feature ($CREATE_DB = 0;) and create the database schema with the following statements (the database 'webdavcgi' must exist), e.g.:
    mysql -p webdavcgi <<EOF
    CREATE TABLE webdav_locks (basefn VARCHAR(5000) NOT NULL, fn VARCHAR(5000) NOT NULL, type VARCHAR(255), scope VARCHAR(255), token VARCHAR(255) NOT NULL, depth VARCHAR(255) NOT NULL, timeout VARCHAR(255) NULL, owner TEXT NULL, timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP);
    CREATE TABLE webdav_props (fn VARCHAR(255) NOT NULL, propname VARCHAR(255) NOT NULL, value TEXT);
    CREATE INDEX webdav_locks_idx1 ON webdav_locks (fn);
    CREATE INDEX webdav_locks_idx2 ON webdav_locks (basefn);
    CREATE INDEX webdav_locks_idx3 ON webdav_locks (fn,basefn);
    CREATE INDEX webdav_locks_idx4 ON webdav_locks (fn,basefn,token);
    CREATE INDEX webdav_props_idx1 ON webdav_props (fn);
    CREATE INDEX webdav_props_idx2 ON webdav_props (fn,propname);
    EOF
- Example config:
    $DBI_SRC='DBI:mysql:database=webdavcgi;host=localhost;port=3306';
    $DBI_USER='mysqluser';
    $DBI_PASS='changeme';
    $CREATE_DB=0;
UID/GID Wrapper
If you use the example wrapper (webdavwrapper.c, webdavwrapper-krb.c, webdavwrapper-afs.c) you should consider this:
- Your operating system has to know all your WebDAV users. The following command should display a complete passwd entry (replace UID with an account name):
    getent passwd UID
    # OR
    getent passwd # should display all users
  Configure NSSWITCH (/etc/nsswitch.conf) to make your user accounts usable.
- The owner and group must be root:
    chown root:root cgi-bin/webdavwrapper*
- The webdavwrapper binary needs the set-user-ID and the set-group-ID bit to change the user ID and the group ID at runtime. Of course it also needs execute flags.
    chmod ug+s,a+x cgi-bin/webdavwrapper*
webdavwrapper-afs.c or webdavwrapper-krb.c instead of webdavwrapper.c (see AFS Support section)
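A check for the wrapper ownership and mode described above, as an added example that is not part of WebDAV CGI. The function names and messages are hypothetical, and the symlink and write-bit checks go beyond the page's chown/chmod steps: a setuid root binary that group or others can write to should never be left in place.

```python
import os
import stat


def audit_wrapper_stat(mode, uid, gid, expected_uid=0, expected_gid=0):
    """Return a list of findings for one wrapper binary (empty list = OK).

    mode/uid/gid are the st_mode, st_uid and st_gid values from os.lstat().
    """
    findings = []
    # lstat() is used by the caller, so a symlink shows up here as non-regular.
    if not stat.S_ISREG(mode):
        findings.append('not a regular file')
    # chown root:root cgi-bin/webdavwrapper*
    if uid != expected_uid or gid != expected_gid:
        findings.append(
            f'owner is {uid}:{gid}, expected {expected_uid}:{expected_gid}')
    # chmod ug+s: both bits are needed to switch user ID and group ID.
    if not mode & stat.S_ISUID:
        findings.append('set-user-ID bit missing')
    if not mode & stat.S_ISGID:
        findings.append('set-group-ID bit missing')
    # chmod a+x: the web server user must be able to execute the wrapper.
    all_exec = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    if (mode & all_exec) != all_exec:
        findings.append('not executable by all users')
    # chmod ug+s,a+x does not clear write bits that were already set.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append('writable by group or others')
    return findings


def audit_wrapper(path, expected_uid=0, expected_gid=0):
    """Audit a wrapper on disk without following symlinks."""
    st = os.lstat(path)
    return audit_wrapper_stat(st.st_mode, st.st_uid, st.st_gid,
                              expected_uid, expected_gid)


if __name__ == '__main__':
    import glob
    # Path pattern taken from the commands above; run from the install base.
    for wrapper in sorted(glob.glob('cgi-bin/webdavwrapper*')):
        problems = audit_wrapper(wrapper)
        print(wrapper, 'OK' if not problems else '; '.join(problems))
```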
Folder Sharing / Group Access
There are two ways to share a folder between users of a group (not for AFS users - see AFS note below):
- Add all users to a UNIX/Posix group (/etc/groups, an LDAP group, ...) - recommended:
  - create a group, e.g.: groupadd GROUP
  - create a folder to share: mkdir SHAREDFOLDER
  - change the group: chgrp GROUP SHAREDFOLDER
  - set the set-GID flag on the folder and make it readable/executable/writeable for the group: chmod g+srwx SHAREDFOLDER
  - set the $UMASK parameter in your WebDAV CGI config file: $UMASK = 0002;
- Use the UID/GID Wrapper to map all users to a common user:
  - create a common user, e.g.: adduser USER
  - create a folder to share: mkdir SHAREDFOLDER
  - change the owner: chown USER SHAREDFOLDER
  - set the WEBDAV_USER environment variable: add E=WEBDAV_USER:USER to your Apache rewrite rule option
- Create an AFS group and add AFS users to the group.
- Set lookup, read, write, delete, insert, and lock rights for that group to the shared folder.
- Don't forget to set lookup rights for the AFS group to all upper folders.
Web interface
How to add a new translation
Since WebDAV CGI v1.1.2 there is a Localizer extension that helps you to translate all locale and online help files. Activate it by adding @DEV_EXTENSIONS or 'Localize' to your @EXTENSIONS setup (see extensions doc) in your webdav.conf. You also need write permissions for all locale and online help files, e.g.
    find /etc/webdavcgi/ -name locale -type d -exec chmod -R a+w {} \;
    find /etc/webdavcgi/ -name help -type d -exec chmod -R a+w {} \;
This is an example to get access rights but it should only be used if no other user has access to the installation. Alternatively, you can use an access group: put the users into the group and give only the group write permissions, e.g.
    find /etc/webdavcgi/ -name locale -type d -exec chgrp -R mygroup {} \;
    find /etc/webdavcgi/ -name help -type d -exec chgrp -R mygroup {} \;
    find /etc/webdavcgi/ -name locale -type d -exec chmod -R g+w {} \;
    find /etc/webdavcgi/ -name help -type d -exec chmod -R g+w {} \;
To see your results, delete the temporary message files (rm /tmp/*msg) and add your language to %SUPPORTED_LANGUAGES in your webdav.conf ($SUPPORTED_LANGUAGES{_my_locale_} = 'MyLanguage';) if necessary (or simply write ?lang=_my_locale_ behind the WebDAV CGI URL).
The old and simple way:
Copy the locale/webdav-ui_default.msg to locale/webdav-ui_<_my_locale_>.msg and translate all values (leave the keys unchanged; format: key "value").
/etc/webdavcgi/lib/perl/WebInterface/Extensions/*/locale/*.
How to change CSS styles
There are many ways to do it:
- Add a webdav-ui-custom.css to the lib/ directory of the WebDAV CGI installation (recommended). Note: webdav.pl delivers this style file with a cache timeout of one week. You can compress the style sheet to speed up file transfers (gzip webdav-ui-custom.css). If webdav-ui-custom.css and webdav-ui-custom.css.gz exist then the uncompressed version is delivered.
- Add the following to your WebDAV CGI configuration file:
    $CSS .= <<EOF
    .filelist { font-size: 0.9em; }
    EOF
    ;
- Set the $CSSURI variable in your WebDAV CGI config, e.g. $CSSURI='http://myserver/mystyle.css';
- Set the $HTMLHEAD variable in your WebDAV CGI config (e.g. $HTMLHEAD='<link .../>'; or $HTMLHEAD='<style>...</style>';)
- see Simple view documentation for more.
- ...
How to add or change icons
Here are some examples to do that in the WebDAV CGI configuration file:
    $ICONS{'mymime/type'}='/uripath/to/my/icons/test.gif';
    %ICONS = ( %ICONS, (
        'mymime/type1'=>'/uripath/to/my/icons/test1.gif',
        'mymime/type2'=>'/uripath/to/my/icons/test2.gif',
    ) );
How to customize error messages/documents
Two HTTP status codes are supported for customized error documents: '404 Not Found' and '403 Forbidden'.
You have to use '.html' or '.txt' extensions for your error documents to determine a correct MIME type.
- put your error documents into the $INSTALL_BASE/htdocs folder or wherever you want (they should be readable by your users)
- add the following options to your WebDAV CGI configuration file:
    $ERROR_DOCS{'404 Not Found'} = "$INSTALL_BASE/htdocs/404.html";
    $ERROR_DOCS{'403 Forbidden'} = "$INSTALL_BASE/htdocs/403.html";
Variable substitution in $HEADER, $SIGNATURE, $LANGSWITCH, and %ICONS
The following variables are substituted:
$CLOCK | a clock with client time formatted with locale value for key 'vartimeformat' |
$ENV{_VAR_} | value of environment variable _VAR_ |
$LANG | current language code |
$NOW | current date formatted with locale value for key 'varnowformat' |
$PATH_TRANSLATED | locale folder name corresponding to the request URI |
$REQUEST_URI | request URI without query string |
$TIME | current time formatted with locale value for key 'vartimeformat' |
$TL{_KEY_} | locale value for key _KEY_ |
$USER | current user id |
$VBASE | virtual host base matching $VIRTUAL_BASE |
$VHTDOCS | virtual htdocs path $VHTDOCS to the $INSTALL_BASE/htdocs |
Performance
- Use a fast (local) database.
- Don't use mod_auth_external without auth caching.
- Use load balancing cluster (Attention: use a central, single database for all nodes)
- Disable all features you don't need (take a look at all $ALLOW_... and $ENABLE_... parameters in the WebDAV CGI setup section):
  - $ENABLE_LOCK = 0; - disable WebDAV locking support but it is unsafe in conjunction with shared group folders and some clients make trouble.
  - Web interface:
    - $ENABLE_THUMBNAIL=0; - disables thumbnail support
    - $ENABLE_THUMBNAIL_CACHE=1; - enables the thumbnail cache and reduces CPU usage (only useful if $ENABLE_THUMBNAIL=1;)
    - $ENABLE_THUMBNAIL_PDFPS=0; - disables thumbnails for PDF/PS documents and reduces CPU usage (only useful if $ENABLE_THUMBNAIL=1;)
- Compression of HTML, JavaScript, and CSS is enabled by default ($ENABLE_COMPRESSION = 1;) but this option can increase your server load.
- Filter and limit large folders ($FILECOUNTLIMIT, $FILECOUNTPERDIRLIMIT, $FILEFILTERPERDIR)
- Limit folder depth for copy/move operations ($LIMIT_FOLDER_DEPTH)
- Change the bufsize for upload/download operations ($BUFSIZE)
- Since WebDAV CGI v1.0.0 mod_perl is supported for backends without setuid/setgid wrapping (e.g. SMB, AFS)
- disable $CREATE_DB after first WebDAV access (PROPFIND request). If you use a file based database like SQLite you can enable/disable it automatically: $CREATE_DB = !-e <mydatabasefile.db>
- Slow response working with WebDAV resources on Windows Vista or Windows 7: KB2445570
- For AFS backend users:
- prevent usage of mod_auth_kerberos and mod_waklog
  - replace pagsh with a fast bourne shell (e.g. DASH) in the afswrapper script (cgi-bin/afswrapper)
Security
HTTP Basic Authentication and Brute Force Attacks
The WebDAV protocol or most WebDAV clients support only HTTP Basic authentication so you need it for WebDAV access.
- You can use the session.pl script of WebDAV CGI (see Session or form-based authentication) for your WebDAV access because the session authentication handler of WebDAV CGI has a pure brute force attack detection and prevention (BFAP).
  There are some options you can set in your webdav-session.conf to modify the behavior of BFAP. The default setting allows only 3 login attempts within 10 seconds for an account:
    $SESSION{bfap} = {
        # type of BFAP protection for counting login attempts (0: disabled; 1: by user; 2: by user@IP; 3: by IP):
        # note: if you use NAT or a load balancer the REMOTE_ADDR environment variable is not useable so you should use value "2"
        type => 1,
        # number of allowed login failures before logon will be paused:
        failcount => 3,
        # time range in seconds before the failcount will be reset:
        failrange => 10,
        # delay in seconds to be paused after failcount was reached (only effective in session logon screen):
        delay => 10,
        # sleep for some seconds before login attempt (every (successful) logon will be delayed) (0 - disabled)
        sleep => 0,
        # sleep for random seconds before (successful) login attempt (0 - disabled; >0: range of seconds for random routine)
        randomsleep => 0,
        # sleep some seconds after failcount was reached:
        sleeponfail => 3,
    };
- Or you can use an authentication module of your webserver. You should use
- fail2ban
- or mod_security (Apache only).
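The default BFAP thresholds above (3 failures within 10 seconds) and the three counting modes, applied to web-server Basic authentication failures as an added example that is not WebDAV CGI code. The sliding-window logic is an assumption modelled on the option descriptions, the function names are hypothetical, and the Apache 2.4 error-log lines are constructed with documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime


def _line(hms, ip, user, found=True):
    """Build one constructed Apache 2.4 mod_auth_basic error-log line."""
    if found:
        msg = (f'AH01617: user {user}: authentication failure for '
               '"/webdavcgi": Password Mismatch')
    else:
        msg = f'AH01618: user {user} not found: /webdavcgi'
    return (f'[Mon Mar 04 {hms}.000000 2024] [auth_basic:error] [pid 811] '
            f'[client {ip}:40112] {msg}')


# Constructed sample data, not real traffic.
SAMPLE_LOG = '\n'.join([
    # one account, one address, three failures in 6 seconds
    _line('10:00:00', '192.0.2.10', 'alice'),
    '[Mon Mar 04 10:00:01.000000 2024] [core:notice] [pid 1] unrelated line',
    _line('10:00:03', '192.0.2.10', 'alice'),
    _line('10:00:06', '192.0.2.10', 'alice'),
    # one account, three different addresses
    _line('10:01:00', '198.51.100.1', 'bob'),
    _line('10:01:02', '198.51.100.2', 'bob'),
    _line('10:01:04', '198.51.100.3', 'bob'),
    # one address, three different (unknown) accounts
    _line('10:02:00', '203.0.113.5', 'carol', found=False),
    _line('10:02:01', '203.0.113.5', 'dave', found=False),
    _line('10:02:02', '203.0.113.5', 'erin', found=False),
    # two mistyped passwords: below the threshold
    _line('10:03:00', '192.0.2.20', 'frank'),
    _line('10:03:04', '192.0.2.20', 'frank'),
])

FAIL_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid \d+\] '
    r'\[client (?P<ip>[0-9A-Fa-f.:]+):\d+\] '
    r'AH0161[78]: user (?P<user>\S+?)(?::| not found)'
)


def parse_failures(log_text):
    """Return sorted (timestamp, user, ip) tuples for auth failures only."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%a %b %d %H:%M:%S.%f %Y')
            events.append((ts, m['user'], m['ip']))
    return sorted(events)


def bfap_key(bfap_type, user, ip):
    """Counting key per BFAP type: 1 by user, 2 by user@IP, 3 by IP."""
    return {1: user, 2: f'{user}@{ip}', 3: ip}[bfap_type]


def find_pauses(log_text, bfap_type=1, failcount=3, failrange=10):
    """List (key, HH:MM:SS) each time failcount is reached within failrange."""
    if bfap_type == 0:          # 0: protection disabled
        return []
    windows = defaultdict(deque)
    hits = []
    for ts, user, ip in parse_failures(log_text):
        key = bfap_key(bfap_type, user, ip)
        window = windows[key]
        window.append(ts)
        # drop failures that are older than failrange seconds
        while (ts - window[0]).total_seconds() > failrange:
            window.popleft()
        if len(window) >= failcount:
            hits.append((key, ts.strftime('%H:%M:%S')))
            window.clear()      # start counting again after a pause
    return hits


if __name__ == '__main__':
    for bfap_type in (1, 2, 3):
        print(bfap_type, find_pauses(SAMPLE_LOG, bfap_type))
```

On the sample data the account whose failures come from three addresses is only paused with type 1, and the address that tries three account names is only paused with type 3.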
Temporary files and disk/memory space
WebDAV CGI creates a lot of temporary files:
- cached files for JavaScript, CSS, localization messages
- thumbnails for previews
- upload and download files
- brute force attack prevention (BFAP) files (webdav_bfap_*)