Apache Recipe of the Day
The following recipe is from Apache Cookbook, by Ken Coar and Rich Bowen. All links in this recipe point to the online version of the book on the Safari Bookshelf.
6.18. Securing WebDAV
Require authentication to use WebDAV:
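    <Directory "/www/htdocs/dav-test">
        Order Allow,Deny
        Deny from all
        # Digest authentication, as the discussion recommends over Basic
        AuthType Digest
        AuthName "DAV access"
        AuthDigestFile /www/acl/.htpasswd-dav-test
        AuthDigestDomain /dav-test/
        # Any user listed in the digest file
        Require valid-user
        # Host-based access is denied above, so a valid login is what grants access
        Satisfy any
    </Directory>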
Because WebDAV operations can modify your server's resources and mod_dav runs as part of the server, locations that are WebDAV-enabled need to be writable by the user specified in the server's User directive. This means that the same location is writable by any CGI scripts or other modules that run as part of the Apache server. To keep remote modification operations under control, you should enable access controls for WebDAV-enabled locations. If you use weak controls, such as user-level authentication, you should use Digest authentication rather than Basic, as shown in the Solution.
The contents of the <Directory> container could be put into a dav-test/.htaccess file, as well. Note that the authentication database (specified with the AuthDigestFile directive) is not within the server's URI space, so it cannot be fetched with a browser or with any WebDAV tools.
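The checks this discussion calls for can be run mechanically over a configuration. The following is an added example, not code from the book: the function name audit_dav, the sample text, the "Dav On" and DocumentRoot lines, and the dav-weak block are constructed for illustration. It assumes DocumentRoot is the only mapping into the URI space, so paths exposed through Alias are not considered.

```python
import posixpath
import re

# Constructed sample: the recipe's block (with "Dav On" assumed) and a weak one.
SAMPLE_CONF = '''
DocumentRoot "/www/htdocs"
<Directory "/www/htdocs/dav-test">
    Dav On
    AuthType Digest
    AuthName "DAV access"
    AuthDigestFile /www/acl/.htpasswd-dav-test
    Require valid-user
</Directory>
<Directory "/www/htdocs/dav-weak">
    Dav On
    AuthType Basic
    AuthName "DAV access"
    AuthUserFile /www/htdocs/dav-weak/.htpasswd
    Require valid-user
</Directory>
'''

def audit_dav(conf):
    """Return {directory: [findings]} for every DAV-enabled <Directory> block."""
    m = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)', conf, re.M | re.I)
    docroot = posixpath.normpath(m.group(1)) if m else None
    report = {}
    blocks = re.findall(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', conf, re.S | re.I)
    for path, body in blocks:
        d = {}  # directive name (lowercased) -> argument string; last one wins
        for line in body.splitlines():
            parts = line.split(None, 1)
            if parts and not parts[0].startswith('#'):
                d[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ''
        if d.get('dav', 'off').lower() == 'off':
            continue  # not WebDAV-enabled, out of scope for this check
        findings = []
        if not d.get('require'):
            findings.append('no Require directive')
        if d.get('authtype', '').lower() != 'digest':
            findings.append('AuthType is not Digest')
        authfile = d.get('authdigestfile') or d.get('authuserfile')
        if authfile and docroot:
            f = posixpath.normpath(authfile.strip('"'))
            if f == docroot or f.startswith(docroot + '/'):
                findings.append('password file is inside DocumentRoot')
        report[path] = findings
    return report
```

Calling audit_dav(SAMPLE_CONF) returns an empty finding list for dav-test and two findings for dav-weak: Basic authentication, and a password file that a client could request by URL.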