Search

Debian - Setup HTTPS WebDav share and client configuration

Contents[Hide]

Debian

For some reasons, I need to access some of my home server files from outside when I am on the move.

That access can be done from various places :

  • some friends or relatives ADSL boxes,
  • a public Wifi access
  • my 3G connection with unlimited data plan.

Some of these accesses can be very restrictive, allowing only web access (port 80 and 443 only) and some can also even check your user agent (my 3G data plan).

So to be sure to be able to access my files from anywhere & anytime, I decided to setup a secured WebDav share. This share will be accessed by using the HTTPS protocol on port 443. As a matter of fact, it should be allowed with no restriction by any access type.

This article will explain how to setup such WebDav share on an existing Apache2 server. It will also explain how to setup a Windows and a Ubuntu client to be able to use that access.

This setup has been done on Debian Squeeze, but it should be compatible with any following version.

The following guide suppose that you are connected as root.
If not, you should start all the console commands with sudo.

1. Server setup

1.1. Create the SSL certificate & key

The first step is to create the SSL certificate and SSL key needed by your Apache server. These will be used to secure the transmission. The SSL certificate will have a .crt extension and the SSL key a .key extension.

To create these to files, you first need to create your local authority file by shooting these commands :

mkdir /tmp/ssl_conf
cd /tmp/ssl_conf
openssl req -config /etc/ssl/openssl.cnf -new -out server.csr

You will be prompted for a passphrase. Then you need to answer few questions about your server.

It is very important that you define the Common Name (CN) with your server public URL (yourserver.dyndns.org).
As your Webdav share will be accessible from Internet, the CN should be set with your public IP address or better, with your public DNS name (DynDNS for example).
If you don't do so, your site URL and your generated certificate won't match.

Then, you have to create the certificate and the key file with these commands :

openssl rsa -in privkey.pem -out server.key
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
openssl x509 -in server.crt -out server.der.crt -outform DER

Your certificate will be valid 3650 days (10 years).

Last step is to copy these 2 files in the Apache configuration folder :

cp server.crt /etc/apache2/
cp server.key /etc/apache2/

1.2. Create your WebDav folder & password file

I suppose that your Apache web root is the standart /var/www.

We will create the WebDav root in /var/www/webdav  and make the Apache user (www-data) the owner of that directory.

All your files accessible will be located under that WebDav root.

mkdir -p /var/www/webdav
chown www-data /var/www/webdav

Next we will create the WebDAV password file for a test user.

For security reasons, the file should not be accessible from the webdav shared directory.
So we will create it in the home directory of the www-data user .  

htpasswd -c /home/www-data/passwd.dav test

You will be asked to type in a password for the user test. The -c switch creates the file as it does not exist.

Then, change the permissions of your new password file so that only root and the members of the www-data group can access it :

chown root:www-data /home/www-data/passwd.dav
chmod 640 /home/www-data/passwd.dav

1.3. Setup the Apache SSL host

Afterwards, we need to enable the WebDAV and SSL modules in Apache :

a2enmod dav_fs
a2enmod dav
a2enmod ssl

You will be noticed if they were already enabled.

We now need to declare a new SSL virtual host in your Apache configuration.

If you already have a vhost for which you'd like to enable WebDAV, you must adjust this tutorial to your situation.

Modify the default Apache vhost configuration to add the HTTPS webdav virtual host :

/etc/apache2/sites-available/default

NameVirtualHost *:443

ServerAdmin YourEmailAddress
ServerName  myserver.address.com

SSLEngine on
SSLCertificateFile /etc/apache2/server.crt
SSLCertificateKeyFile /etc/apache2/server.key

DocumentRoot /var/www/

Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all

Alias /webdav /var/www/webdav

DAV On
AuthType Basic
AuthName "webdav"
AuthUserFile /home/www-data/passwd.dav
Require valid-user

Restart Apache afterwards :

/etc/init.d/apache2 restart

Your HTTPS webdav access yould now be operationnal.

2. Router Setup

For your Webdav share to be accessible from Internet, you have to configure your router accordingly.

As the Webdav share will be accessed thru the HTTPS protocol, you should configure your router to forward port 443 (TCP) to your Webdav server.

3. Test the access

You can test your WebDav share with any browser by typing https://myserver.address.com

Your browser should inform you that you need to accept a certificate. Accept it and you should be prompted with a login / password. After typing them, you should see the list of files present in your /var/www/webdav folder.

Success !!!

4. Debian or Ubuntu client

To be able to read and write files from that share, you need to use a proper WebDav client.

Under Linux (Debian, Ubuntu, ...) you can access it straight from Nautilus, as with any network share. This step is too simple to be described. But this method has actually a main drawback : It is not handled properly by Nautilus while opening an Open Office document.

To avoid these troubles, the best approach is to mount the WebDav share as a filesystem in your home directory. As a result, you will get access to your WebDav share thru /home/YourAccount/webdav.

4.1. Install the package and declare the user

First of all you need to install the davfs2 package with the following command:

sudo aptitude install davfs2

By default this package is installed so that only root can mount davfs volumes.
To mount as other users, you need to set the SUID bit for /sbin/mount.davfs and to designate a group whose members can mount davfs volumes.

To set the SUID bit, use this command:

sudo chmod u+s /sbin/mount.davfs

Then, you need to configure davfs so that members of the group "users" can mount davfs volumes.
You have to change the dav_group line as follow

/etc/davfs2/davfs2.conf

dav_group users

Finally, you need to add your user to the users group :

sudo addgroup YourAccount users

4.2. Import the server certificate

As you have generated a self-made certificate, without any trusted authority, you will get this type of message when you will try to mount your webdav share on a Linux client :

/sbin/mount.davfs: the server certificate is not trusted
issuer:      your company, your.server.name, city, region, country
subject:     your company, your.server.name, city, region, country
identity:    your.server.name
fingerprint: d9:........................:5c
You only should accept this certificate, if you can
verify the fingerprint! The server might be faked
or there might be a man-in-the-middle-attack.
Accept certificate for this session? [y,N]

To avoir it, you will need to declare your server certificate to davfs. First thing is to place your server certificate server.crt on your client computer under /etc/davfs2/certs/server.crt. You then need to inform davfs to use it, by replacing the following commented line in /etc/davfs2/davfs2.conf :

/etc/davfs2/davfs2.conf

servercert         /etc/davfs2/certs/server.crt

4.3. Declare the login / password to be used

One more step is to pre-declare the WebDav share login and password in the davfs configuration. Once done, you will be able to mount the share with davfs handling automatically the authentification process.

These should be declared in the secrets file of davfs, where you get one line per webdav share :

/etc/davfs2/secrets

...
https://your.server.name/webdav   YourWebdavLogin     YourWebdavPassword
...

4.4. Declare the mount

To be able to mount the WebDav share easily, the best way is to add the following line at the end of your /etc/fstab :

/etc/fstab

https://your.server.name/webdav/   /home/YourAccount/webdav    davfs        rw,user,noauto          0        0

Here are the parameters description :

  • davfs is the filesystem type
  • rw for read/write
  • user allows users other than root to mount the volume
  • noauto means it won't mount on startup (needed if you use wifi access with portfolio password)

At this point, you need to restart your computer for all these configurations to become operationnal.

4.5. Mount the WebDav share

After reboot, you can issue that command to mount your WebDav share :

mount /home/YourAccount/webdav

You should see on your desktop a new external drive icon named webdav.

Your webdav access is now fully operationnal and, as it is seen as a part of your filesystem, is should be transparent to any type of program.

Any shortcut on your desktop to a script with that command will allow your to mount the share in one click :-)

5. Windows XP et Seven client

If you plan to use it under Windows, prefer to use NetDrive.

It is very simple to setup and will present your WebDav share as a network drive.

The built-in XP WebFolder client is very difficult to setup and seems not to accept the Basic authentification protocol. I've never succeded to make it work !

Hope it helps  :-)

Signature Technoblog

This article is published "as is", without any warranty that it will work for your specific need.
If you think this article needs some complement, or simply if you think it saved you lots of time & trouble,
just let me know at This email address is being protected from spambots. You need JavaScript enabled to view it.. Cheers !

icon linux icon debian icon apache icon mysql icon php icon piwik icon googleplus