How to secure WebDAV with SSL and Two-Factor Authentication - Page 2

Want to support HowtoForge? Become a subscriber!
 
Submitted by nowen (Contact Author) (Forums) on Wed, 2007-04-11 17:24. ::

Configure Apache

If you are using a binary version of Apache, you will only need to load the modules in httpd.conf. If you are compiling yourself, use the --with-dav option at compile time, and add support for the file system backend with the --enable-dav-fs option. Obviously, it is critical that Apache be configured for SSL to encrypt the data in transfer. If you do not have SSL keys, you will need to generate them:

openssl genrsa -out webdav.mydomain.com.key 1024

openssl req -new -key webdav.mydomain.com.key -out webdav.mydomain.com.csr

openssl x509 -in webdav.mydomain.com.csr -out webdav.mydomain.com.crt -req -signkey webdav.mydomain.com.key -days 365

cp webdav.mydomain.com.key /etc/httpd/conf/

cp webdav.mydomain.crt /etc/httpd/conf/

Now, you can edit your httpd.conf file. First, validate that the DAV modules are loaded:

LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so

Load the mod_auth_xradius modules and set the time-out, in this case 1 hour. :

LoadModule auth_xradius_module modules/mod_auth_xradius.so
AuthXRadiusCache dbm conf/authxcache
AuthXRadiusCacheTimeout 3600

And, create a locking database for WebDAV:

<IfModule mod_dav_fs.c="">
# Location of the WebDAV lock database.
DAVLockDB /var/lib/dav/lockdb
</IfModule>

Make sure that Apache can handle various WebDAV clients:

BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

Then, add a virtual host for SSL:

NameVirtualHost *:443
<VirtualHost webdav.mydomain.com:443="">
ServerName webdav.mydomain.com
DocumentRoot /var/www/html
SSLEngine on
SSLProxyEngine on
SSLCertificateFile conf/webdav.mydomain.com.crt
SSLCertificateKeyFile conf/webdav.mydomain.com.key
  Alias /webdav/ "/var/www/webdav/"
  <Directory /var/www/webdav>
     DAV on
     <Limit GET PROPFIND POST OPTIONS MKCOL PUT DELETE LOCK UNLOCK COPY MOVE PROPPATCH>
     AuthTypSe Basic
     AuthName "You must be authenticated by WiKID to Enter!"
     AuthXRadiusAddServer "wikid_server_ip:1812" "webdav_shared_secret"
     AuthXRadiusTimeout 7
     AuthXRadiusRetries 2
     require valid-user
     </Limit>
   </Directory>
</VirtualHost>

A couple of notes: Depending on your setup, you might also need to add the location of your SSL cert and key to your ssl.conf file. I am using an alias here because I have the document root set to publish public facing webpages. I also am using the Limit command as defined in the Apache Documentation:

The purpose of the Limit directive is to restrict the effect of the access controls to the nominated HTTP methods. For all other methods, the access restrictions that are enclosed in the Limit bracket will have no effect. The following example applies the access control only to the methods POST, PUT, and DELETE, leaving all other methods unprotected.

You can set the AuthXRadiusCacheTimeout for whatever time you think is appropriate depending upon your needs and what you think the client environment is like. The more open the access, the more frequently your users should have to re-authenticate. Making it too short, however can cause problems with large file transfers, so if you are looking for a secure replacement to FTP, think about typical file sizes and transfer times.

Each sub-directory listed in the httpd.conf file inherits the security of it's parent, so if you want to further restrict access you can. For example, this virtual host add subdirectories that are limited to specific users:

NameVirtualHost *:443
<VirtualHost webdav.mydomain.com:443="">
ServerName webdav.mydomain.com
DocumentRoot /var/www/html
SSLEngine on
SSLProxyEngine on
SSLCertificateFile conf/webdav.mydomain.com.crt
SSLCertificateKeyFile conf/webdav.mydomain.com.key
  Alias /webdav/ "/var/www/webdav/"
 <Directory /var/www/webdav>
     DAV on
     <Limit GET PROPFIND POST OPTIONS MKCOL PUT DELETE LOCK UNLOCK COPY MOVE PROPPATCH>
     AuthType Basic
     AuthName "You must be authenticated by WiKID to Enter!"
     AuthXRadiusAddServer "wikid_server_ip:1812" "webdav_shared_secret"
     AuthXRadiusTimeout 7
     AuthXRadiusRetries 2
     require valid-user
     </Limit>
   </Directory>
   <Directory /var/www/webdav/PCIdata>
     require user bob ted alice
   </Directory>
</VirtualHost>

You could also have a top-level directory that was read-only and sub-directories that were write-able by certain users.

N.B.: I was getting a 412 Error when trying to use Cadaver on linux. Checking the audit.log showed that mod-security was blocking it. I had to comment out this line in mod-security:

# SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.