order they appear in the configuration file, after the <code class="directive"><a href="#directory"><Directory></a></code> sections and
<code>.htaccess</code> files are read, and after the <code class="directive"><a href="#files"><Files></a></code> sections.</p>
- <p>Note that URLs do not have to line up with the filesystem at
- all, it should be emphasized that <code class="directive"><Location></code> operates completely
- outside the filesystem.</p>
+ <p><code class="directive"><Location></code> sections operate
+ completely outside the filesystem. This has several consequences.
+ Most importantly, <code class="directive"><Location></code>
+ directives should not be used to control access to filesystem
+ locations. Since several different URLs may map to the same
+ filesystem location, such access controls may by circumvented.</p>
+
+ <div class="note"><h3>When to use <code class="directive"><Location></code></h3>
+
+ <p>Use <code class="directive"><Location></code> to apply
+ directives to content that lives outside the filesystem. For
+ content that lives in the filesystem, use <code class="directive"><a href="#directory"><Directory></a></code> and <code class="directive"><a href="#files"><Files></a></code>. An exception is
+ <code><Location /></code>, which is an easy way to
+ apply a configuration to the entire server.</p>
+ </div>
<p>For all origin (non-proxy) requests, the URL to be matched is a
URL-path of the form <code>/path/</code>. No scheme, hostname,
<h3>Topics</h3>
<ul id="topics">
<li><img alt="" src="../images/down.gif" /> <a href="#example">Enabling WebDAV</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#security">Security Issues</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#complex">Complex Configurations</a></li>
</ul><h3>See also</h3>
<ul class="seealso">
<li><code class="directive"><a href="../mod/mod_dav_fs.html#davlockdb">DavLockDB</a></code></li>
<div class="example"><p><code>Dav On</code></p></div>
- <p>This enables the DAV file system provider, which is implemented by
- the <code class="module"><a href="../mod/mod_dav_fs.html">mod_dav_fs</a></code> module. Therefore that module has to
- be compiled into the server or has to be loaded at runtime using the
+ <p>This enables the DAV file system provider, which is implemented
+ by the <code class="module"><a href="../mod/mod_dav_fs.html">mod_dav_fs</a></code> module. Therefore, that module
+ must be compiled into the server or loaded at runtime using the
<code class="directive"><a href="../mod/mod_so.html#loadmodule">LoadModule</a></code> directive.</p>
- <p>In order to make it work you have to specify a web-server writable
- filename for the DAV lock database by adding the following to the
- global section in your <code>httpd.conf</code> file:</p>
+ <p>In addition, a location for the DAV lock database must be
+ specified in the global section of your <code>httpd.conf</code>
+ file:</p>
<div class="example"><p><code>
- DavLockDB /tmp/DavLock
+ DavLockDB /usr/local/apache2/var/DavLock
</code></p></div>
+ <p>The directory containing the lock database file must be
+ writable by the <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code>
+ and <code class="directive"><a href="../mod/mpm_common.html#group">Group</a></code> under which
+ Apache is running. For security reasons, you should create a
+ directory for this purpose rather than changing the permissions on
+ an existing directory. In the above example, Apache will create
+ files in the <code>/usr/local/apache2/var/</code> directory
+ with the base filename <code>DavLock</code> and extension name
+ chosen by the server.</p>
+
<p>You may wish to add a <code class="directive"><a href="../mod/core.html#limit"><Limit></a></code> clause inside the <code class="directive"><a href="../mod/core.html#location"><Location></a></code> directive to limit access to
DAV-enabled locations. If you want to set the maximum amount of
bytes that a DAV client can send at one request, you have to use
AuthName DAV<br />
AuthUserFile user.passwd<br />
<br />
- <LimitExcept GET HEAD OPTIONS><br />
+ <LimitExcept GET OPTIONS><br />
<span class="indent">
require user admin<br />
</span>
</Location><br />
</code></p></div>
- <div class="warning"><h3>Security</h3>
- <p>The use of HTTP Basic Authentication is not recommended. You
- should use at least HTTP Digest Authentication, which is provided by
- the <code class="module"><a href="../mod/mod_auth_digest.html">mod_auth_digest</a></code> module. Nearly all WebDAV clients
- support this authentication method. Of course, Basic Authentication
- over an <a href="../ssl/">SSL</a> enabled connection is secure,
- too.</p>
- </div>
+ <p><code class="module"><a href="../mod/mod_dav.html">mod_dav</a></code> is a descendent of Greg Stein's <a href="http://www.webdav.org/mod_dav/">mod_dav for Apache 1.3</a>. More
+ information about the module is available from that site.</p>
+</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="security" id="security">Security Issues</a></h2>
+
+ <p>Since DAV access methods allow remote clients to manipulate
+ files on the server, you must take particular care to assure that
+ your server is secure before enabling <code class="module"><a href="../mod/mod_dav.html">mod_dav</a></code>.</p>
+
+ <p>Any location on the server where DAV is enabled should be
+ protected by authentication. The use of HTTP Basic Authentication
+ is not recommended. You should use at least HTTP Digest
+ Authentication, which is provided by the
+ <code class="module"><a href="../mod/mod_auth_digest.html">mod_auth_digest</a></code> module. Nearly all WebDAV clients
+ support this authentication method. An alternative is Basic
+ Authentication over an <a href="../ssl/">SSL</a> enabled
+ connection.</p>
+
+ <p>In order for <code class="module"><a href="../mod/mod_dav.html">mod_dav</a></code> to manage files, it must
+ be able to write to the directories and files under its control
+ using the <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> and
+ <code class="directive"><a href="../mod/mpm_common.html#group">Group</a></code> under which
+ Apache is running. New files created will also be owned by this
+ <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> and <code class="directive"><a href="../mod/mpm_common.html#group">Group</a></code>. For this reason, it is
+ important to control access to this account. The DAV repository
+ is considered private to Apache; modifying files outside of Apache
+ (for example using FTP or filesystem-level tools) should not be
+ allowed.</p>
+
+ <p><code class="module"><a href="../mod/mod_dav.html">mod_dav</a></code> may be subject to various kinds of
+ denial-of-service attacks. The <code class="directive"><a href="../mod/core.html#limitxmlrequestbody">LimitXMLRequestBody</a></code> directive can be
+ used to limit the amount of memory consumed in parsing large DAV
+ requests. The <code class="directive"><a href="#davdepthinfinity">DavDepthInfinity</a></code> directive can be
+ used to prevent <code>PROPFIND</code> requests on a very large
+ repository from consuming large amounts of memory. Another
+ possible denial-of-service attack involves a client simply filling
+ up all available disk space with many large files. There is no
+ direct way to prevent this in Apache, so you should avoid giving
+ DAV access to untrusted users.</p>
+</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="complex" id="complex">Complex Configurations</a></h2>
+
+ <p>One common request is to use <code class="module"><a href="../mod/mod_dav.html">mod_dav</a></code> to
+ manipulate dynamic files (PHP scripts, CGI scripts, etc). This is
+ difficult because a <code>GET</code> request will always run the
+ script, rather than downloading its contents. One way to avoid
+ this is to map two different URLs to the content, one of which
+ will run the script, and one of which will allow it to be
+ downloaded and manipulated with DAV.</p>
+
+<div class="example"><p><code>
+Alias /phparea /home/gstein/php_files<br />
+Alias /php-source /home/gstein/php_files<br />
+<Location /php-source>
+<span class="indent">
+ DAV On<br />
+ ForceType text/plain<br />
+</span>
+</Location>
+</code></p></div>
+
+ <p>With this setup, <code>http://example.com/phparea</code> can be
+ used to access the output of the PHP scripts, and
+ <code>http://example.com/php-source</code> can be used with a DAV
+ client to manipulate them.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="Dav" id="Dav">Dav</a> <a name="dav" id="dav">Directive</a></h2>
projects / thirdparty / apache / httpd.git / commitdiff
