23 July 2009 by amrlima
How to configure a webdav server secured with openssl
I needed a fast way to have people sharing documents and other data remotely. I wanted to avoid the cloud; I would really rather have things locally at work.
This was done on a Debian 5 (lenny) server and works pretty much the same way on a recent Ubuntu server. I’ve done most of this on an Ubuntu 9.04 box.
First I configured apache with the webdav module:
# aptitude install apache2
Activate the webdav module:
# a2enmod dav_fs
WebDAV access should be limited to authorized users, so we create a protected /webdav location by editing /etc/apache2/sites-available/webdav:
# vim /etc/apache2/sites-available/webdav
Alias /webdav /var/www/webdav
<Location /webdav>
DAV On
AuthType Digest
AuthName "webdav"
AuthUserFile /etc/apache2/webdav.passwd
Require valid-user
</Location>
For more secure authentication, we also need to activate the auth_digest module:
# a2enmod auth_digest
Then we need to create our users and passwords:
# htdigest -c /etc/apache2/webdav.passwd webdav username
When adding a new user, don’t use the -c flag, because it creates the password file anew and overwrites the existing entries.
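The realm given to htdigest has to be the same string as AuthName, because each stored hash is MD5(user:realm:password). As an added example (not from the original post), this script audits a password file for that mismatch; the user names and passwords in it are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): audit an htdigest file such as
# /etc/apache2/webdav.passwd. Each line is user:realm:MD5(user:realm:password).

# Compute the hash htdigest stores for one user.
ha1() {  # usage: ha1 USER REALM PASSWORD
    printf '%s:%s:%s' "$1" "$2" "$3" | md5sum | cut -d' ' -f1
}

# Report entries whose realm differs from AuthName (Apache never matches
# them), malformed hashes and duplicate users. Returns 1 on any finding.
check_htdigest() {  # usage: check_htdigest FILE REALM
    awk -F: -v realm="$2" '
        NF != 3 { printf "line %d: expected user:realm:hash\n", NR; bad = 1; next }
        $2 != realm {
            printf "line %d: %s has realm \"%s\", AuthName is \"%s\"\n", NR, $1, $2, realm
            bad = 1
        }
        length($3) != 32 || $3 !~ /^[0-9a-f]+$/ {
            printf "line %d: %s: hash is not 32 lowercase hex digits\n", NR, $1
            bad = 1
        }
        seen[$1 ":" $2]++ { printf "line %d: duplicate entry for %s\n", NR, $1; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Check a password against the file without sending it to the server.
verify_user() {  # usage: verify_user FILE USER REALM PASSWORD
    grep -qxF "$2:$3:$(ha1 "$2" "$3" "$4")" "$1"
}

# Constructed sample: alice is fine, bob was added with realm "WebDAV".
demo() {
    f=$(mktemp)
    printf 'alice:webdav:%s\n' "$(ha1 alice webdav constructed-pass-1)" > "$f"
    printf 'bob:WebDAV:%s\n' "$(ha1 bob WebDAV constructed-pass-2)" >> "$f"
    check_htdigest "$f" webdav
    rc=$?
    rm -f "$f"
    return "$rc"
}

demo || echo "fix the entries reported above"
```

Run `check_htdigest /etc/apache2/webdav.passwd webdav` as root after adding users; the realm comparison is case-sensitive.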
Then we need to add our directory and make it writable by the www-data group:
# mkdir /var/www/webdav
# chgrp www-data /var/www/webdav
# chmod g+w /var/www/webdav
Let’s activate our site:
# a2ensite webdav
And reload apache:
# /etc/init.d/apache2 reload
Test it with a webdav client like cadaver:
$ cadaver http://yourdomain/webdav
Now to secure the connection with openssl:
# aptitude install openssl
# a2enmod ssl
We need to generate a personal certificate for our server:
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Now we have 3 files: server.key, server.csr and server.crt. Let’s copy server.key and server.crt to the certs and private directories:
# cp server.crt /etc/ssl/certs
# cp server.key /etc/ssl/private
Now we need to edit /etc/apache2/ports.conf:
# vim /etc/apache2/ports.conf
You have to change the port from 80 to 443. It should look like this:
NameVirtualHost *:443
#Listen 80
# SSL name based virtual hosts are not yet supported, therefore no
# NameVirtualHost statement here
Listen 443
Now edit /etc/apache2/sites-enabled/000-default and change the port from 80 to 443 in the first line.
Note that http requests will be blocked, and only https requests will be accepted.
Now let’s edit /etc/apache2/sites-available/default to tell apache where to find the certificate:
# vim /etc/apache2/sites-available/default
DocumentRoot /var/www/
SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
(…)
Time to reload apache and try it out!
# /etc/init.d/apache2 force-reload
This how-to was made with the help of two other how-tos I found. One of them is this one, for openssl, and the other one I really can’t find now :(. It was a Debian how-to written in Portuguese, so thank you to the author! If I find it I’ll link it.