
Managing your Apache HTTP Web Server Content with mod_dav and mod_ftp




  1. William A. Rowe, Jr., ASF Member, httpd and APR projects; Sr. Software Engineer, Covalent Technologies. Managing your Apache HTTP Web Server Content with mod_dav and mod_ftp

  2. The Choices
  • upload scripts
  • content management applications
  • ssh (scp) or nfs/samba filesystems
  • WebDAV (mod_dav)
  • ftpd (strictly using ssl/tls), or mod_ftp

  3. Upload scripts
  • Mostly, they suck
  • Notorious (bugtraq / vuln-dev notoriety)
  • Quite possibly ideal for narrow-focus, tightly controlled applications such as media, photos, web 2.0 updates etc.

  4. CMS Applications
  • Single purposed (not a solution for a diverse author base)
  • Deploy the corresponding CMS server agent required by each of the authoring tools
  • As secure as the design paradigm

  5. ssh (scp)
  • Secure (very)
  • Requires 1:1 system accounts to web administrators
  • Keys strongly recommended over password access
  • One more service to administer

  6. nfs/samba
  • Requires 1:1 user:author accounts
  • On the locally deployed server – ideal
  • Sub-par solution for remotely co-located web server infrastructure
  • One more service to administer

  7. WebDAV / mod_dav
  • Does not require 1:1 users to authors
  • Easily secured with https: (ssl/tls)
  • Short of ftp, the most widely deployed and flexible authoring solution (no lock-in!)

  8. ftpd for Content
  • Requires 1:1 accounts per web admin
  • (Unless anonymous, which is the worse of two evils)
  • Non-SSL security is worse than no security (packet sniffers, anyone?)
  • One more service to administer

  9. ftp using mod_ftp + tls/ssl
  • Does -not- require 1:1 users / authors
  • All content is written with the ownership of the user which httpd is running as (same as mod_dav)
  • Passwords and content are all secured on the wire with implicit or explicit ssl

  10. The Criteria
  • Single administrative solution
  • Secure / encrypted transactions (ssl/tls)
  • Apache HTTP security context (httpd-managed users, not system accounts)

  11. The bottom line – our Authors
  • Lenya, Slide, Vignette & many more clients, including MS Web Folders and MS Office, all support WebDAV
  • More ancient clients will support ftp
  • Flexibility without frequent server-side installation churn

  12. The Solutions
  • mod_dav – the modern connector
  • mod_ftp – the legacy connector
  • Add mod_ssl – avoid plaintext over the wire for either protocol
  • Single security context for content

  13. mod_dav_fs
  • mod_dav is simply a protocol
  • mod_dav_fs does the heavy 'filesystem' lifting of file content – and locking
  • You must leverage both modules!
  • See conf/extras/httpd-dav.conf

  14. mod_ftp
  • Here – but not yet here
  • http://httpd.apache.org/modules/ will keep you up to date with its first release
  • Not for the timid, but for the impatient: http://svn.apache.org/repos/asf/httpd/mod_ftp/trunk/STATUS

  15. Authorization Options
  • For few authors, mod_authz_user
  • For many, mod_authz_dbd/dbm/ldap help manage the users

  16. Permissions and Ownership
  • Apache defaults to User Nobody
  • For authoring, use a generally low-privilege account, e.g. “webauthor”
  • Must have read/write to the web contents
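The following httpd 2.2 fragment is an added example, not taken from the slides, showing slides 13, 15 and 16 together: both DAV modules loaded, the authoring location forced onto TLS with httpd-managed users, and the server running as a low-privilege content owner. The module paths, the lock file path, the user file, the "webauthor" account and the /author/ location are assumptions chosen for illustration.

```apache
# Added example (not from the slides): a minimal mod_dav + mod_dav_fs
# authoring location for httpd 2.2. Paths, the "webauthor" account and the
# /author/ location are assumptions for illustration.

# mod_dav is only the protocol; mod_dav_fs does the filesystem work and the
# locking, so both must be loaded (slide 13). mod_ssl keeps it off plaintext.
LoadModule dav_module    modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule ssl_module    modules/mod_ssl.so

# Run the authoring instance as a low-privilege account that owns the
# content tree (slide 16); every upload is written as this user, never as
# a system account belonging to the author.
User  webauthor
Group webauthor

# Lock database used by mod_dav_fs; it must be writable by the User above
# and must not live anywhere under a DocumentRoot.
DavLockDB /var/lock/apache2/DavLock

<Location /author/>
    Dav On
    # Refuse plaintext: credentials and content travel only over TLS (slide 12).
    SSLRequireSSL
    # Users are managed by httpd (a flat file here via mod_authn_file;
    # mod_authz_dbd/dbm/ldap for a large author base, slide 15), not by the OS.
    AuthType Basic
    AuthName "Web Authors"
    AuthUserFile /etc/apache2/dav-users
    # Placed directly in the container, so it covers PUT, DELETE, MKCOL,
    # PROPFIND, LOCK and every other method, not just GET.
    Require valid-user
    # Cap the XML request bodies (PROPFIND/PROPPATCH/LOCK) a DAV client may send.
    LimitXMLRequestBody 65536
</Location>
```

The content tree and the DavLockDB directory must be readable and writable by webauthor only; giving the public-serving instance write access to either defeats the point of the separate security context.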

  17. More Secure Permissions
  • Consider two httpd instances, an author instance and a user instance, with two separate Users
  • Short of the 'perchild' MPM, these must be physical (IP-based) vhosts. (For SSL, they must be IP-based vhosts anyway.)

  18. Trouble for Authors: GET is not GET, for authors
  • <!--#include virtual="/header.shtml" -->
  • Options Includes, and Set/AddHandler
  • GET /doc.shtml produces the combined document – not what the author wants!

  19. A real GET: EITHER
  • Create a <VirtualHost>, e.g. http://author.example.com/
  • OR create an Alias/<Location>, e.g. http://author.example.com/author/

  20. GETting true files
  • In either case: <VirtualHost | Location ...> SetHandler default-handler
  • This provides a true GET, except for ScriptAlias
  • Hint: don't use ScriptAlias

  21. Trouble: Incompatibilities
  • Client incompatibility
  • Some hints are in httpd.conf, others are found in extra/httpd-dav.conf
  • Google is your friend; new releases mean newly incompatible behaviors

  22. <Limit> considered harmful
  • Two <Limit>s will not be aggregated!
  • <Limit> is not a proper container; it is for a limited subset of auth directives
  • You may have only one <Limit>
  • But when you violate the rules – httpd is ...

  23. A <VirtualHost> surprise
  • Named hosts are looking at ServerName and ServerAlias. IP-based hosts are looking at port and number.
  • When not matched, the content is served by the first vhost ... so make it a stub
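The following httpd 2.2 fragment is an added example, not part of the slides, that puts slides 17 through 20 and 23 into one configuration: a stub vhost first to absorb unmatched requests, a public vhost that renders SSI, and an IP-based https authoring vhost that returns the raw files. For brevity it shows one httpd instance; the two-instance layout of slide 17 splits the public and author vhosts into two httpd.conf files with different User settings. Addresses, hostnames, paths and certificate locations are assumptions.

```apache
# Added example (not from the slides), httpd 2.2 syntax. The 192.0.2.x
# addresses, hostnames, paths and certificate files are assumptions.

Listen 80
Listen 192.0.2.11:443
NameVirtualHost *:80

# 1. Stub: the FIRST vhost answers any request that matches no other vhost
#    (slide 23), so give it nothing worth serving and deny the tree outright.
<VirtualHost *:80>
    ServerName stub.invalid
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

# 2. Public site: SSI is processed here, so GET /doc.shtml returns the
#    assembled document (slide 18), which is what readers want.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Options +Includes
        AddOutputFilter INCLUDES .shtml
    </Directory>
</VirtualHost>

# 3. Author site: an IP-based vhost because it terminates TLS (slide 17).
#    SetHandler default-handler bypasses SSI and every other content
#    handler, so GET returns the file exactly as the author will edit it
#    and PUT writes it back (slides 19/20). No ScriptAlias here: it would
#    still mark the tree as CGI and execute uploads instead of serving them.
<VirtualHost 192.0.2.11:443>
    ServerName author.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/author.crt
    SSLCertificateKeyFile /etc/apache2/ssl/author.key
    DavLockDB /var/lock/apache2/DavLock
    <Directory /var/www/html>
        SetHandler default-handler
        Dav On
        AuthType Basic
        AuthName "Web Authors"
        AuthUserFile /etc/apache2/dav-users
        Require valid-user
    </Directory>
</VirtualHost>
```

Order matters: if the stub block is moved below the public vhost, a request for an unknown Host header on port 80 is served from /var/www/html instead of being refused.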

  24. Ports and Host Names
  • DAV is simply http/https – the usual ports 80/443
  • mod_ftp typically listens on 21 – or 990 for pure implicit TLS
  • BUT – mod_ftp requires a second port!

  25. Data Connections for FTP
  • Apache running as Nobody or another untrusted user can't use the default data port 20!

  26. Good References
  • http://www.webdav.org/
  • http://www.apache.org/docs/2.2/
  • http://httpd.apache.org/modules/
  • http://wiki.apache.org/httpd/

  27. Educational Links
  • http://en.wikipedia.org/wiki/Ftp_client
  • http://en.wikipedia.org/wiki/Comparison_of_FTP_clients
  • http://en.wikipedia.org/wiki/WebDAV

  28. Contact and Followup
  • http://www.rowe-clan.net/wrowe/
  • http://people.apache.org/~wrowe/
  • wrowe@rowe-clan.net
  • IRC help at irc.freenode.net #apache
  • Peer help at users@httpd.apache.org
