How to configure a WebDAV server secured with OpenSSL

I needed a fast way to let people share documents and other data remotely. I wanted to avoid the cloud; I’d really rather have things locally at work.

This was made on a Debian 5 (lenny) server and pretty much works the same way for a recent Ubuntu server. I’ve done most of this on a 9.04 Ubuntu box.

First I configured Apache with the WebDAV module:

# aptitude install apache2

Activate the WebDAV module:

# a2enmod dav_fs

WebDAV access should be limited to authorized users, so we create a protected /webdav location by editing /etc/apache2/sites-available/webdav:

# vim /etc/apache2/sites-available/webdav

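Alias /webdav /var/www/webdav

<Location /webdav>
    # Turn WebDAV on for this location only
    DAV On
    # Digest authentication; the AuthName realm must match the one given to htdigest
    AuthType Digest
    AuthName "webdav"
    AuthUserFile /etc/apache2/webdav.passwd
    Require valid-user
</Location>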

We also need, for more secure authentication, to activate the auth_digest module:

# a2enmod auth_digest

Then we need to create our users and passwords:

# htdigest -c /etc/apache2/webdav.passwd webdav username

When adding another user, don’t use the -c flag: it creates the password file again and discards the users already in it.

Then we need to add our directory and make it writable by the www-data group:

# mkdir /var/www/webdav
# chgrp www-data /var/www/webdav
# chmod g+w /var/www/webdav

Let’s activate our site:

# a2ensite webdav

And reload Apache:

# /etc/init.d/apache2 reload

Test it with a WebDAV client like cadaver:

$ cadaver http://yourdomain/webdav

Now to secure the connection with OpenSSL:

# aptitude install openssl

# a2enmod ssl

We need to generate a personal certificate for our server:

# openssl genrsa -des3 -out server.key 1024

# openssl req -new -key server.key -out server.csr

# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Now we have 3 files: server.key, server.csr and server.crt. Let’s copy server.crt and server.key to the certs and private directories:

# cp server.crt /etc/ssl/certs

# cp server.key /etc/ssl/private
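Before pointing Apache at the copied files, it is worth checking that the pair is usable. The script below is an added example, not part of the original how-to: it checks that the certificate belongs to the key, that the key file is readable only by its owner, that the certificate has not expired, and that the key is at least 2048 bits. The 2048-bit threshold, the owner-only rule and the KEY_PASS variable are assumptions of this example; a key generated with 1024 as above fails the size check.

```shell
#!/bin/sh
# Added example: audit a certificate/key pair before Apache is pointed at it.
# MIN_BITS and the owner-only rule are assumptions of this example.
MIN_BITS=2048

# Size in bits of the public key embedded in the certificate.
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeeds only if certificate and private key share the same RSA modulus.
# KEY_PASS carries the passphrase when the key was generated with -des3.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus \
        -passin "pass:${KEY_PASS:-}" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds if group and others have no permission bits on the key file.
key_is_private() {
    [ "$(ls -lnL "$1" | cut -c5-10)" = "------" ]
}

# Prints one line per failed check and returns the number of failures.
audit_pair() {
    crt=$1; key=$2; fails=0
    bits=$(cert_bits "$crt")
    if [ "${bits:-0}" -lt "$MIN_BITS" ]; then
        echo "FAIL: ${bits:-unknown}-bit key, want >= $MIN_BITS"
        fails=$((fails + 1))
    fi
    if ! cert_matches_key "$crt" "$key"; then
        echo "FAIL: $crt does not match $key (or wrong KEY_PASS)"
        fails=$((fails + 1))
    fi
    if ! key_is_private "$key"; then
        echo "FAIL: $key is accessible to group or others"
        fails=$((fails + 1))
    fi
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $crt has expired or cannot be read"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Usage: sh audit.sh /etc/ssl/certs/server.crt /etc/ssl/private/server.key
if [ "$#" -eq 2 ]; then audit_pair "$1" "$2"; fi
```

The script prints nothing and exits 0 when every check passes; otherwise its exit status is the number of failed checks.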

Now we need to edit /etc/apache2/ports.conf:

# vim /etc/apache2/ports.conf

You have to change the port from 80 to 443. It should look like this:

NameVirtualHost *:443
#Listen 80
# SSL name based virtual hosts are not yet supported, therefore no
# NameVirtualHost statement here
Listen 443

Now edit /etc/apache2/sites-enabled/000-default and change the port 80 to 443 in the first line.
Note that HTTP requests will be blocked, and only HTTPS requests will be accepted.

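Now let’s edit /etc/apache2/sites-available/default to tell Apache where to find the certificate:

# vim /etc/apache2/sites-available/default

# First line of the file, with the port changed from 80 to 443
<VirtualHost *:443>
    DocumentRoot /var/www/
    # Enable TLS for this virtual host
    SSLEngine on
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    # Certificate and private key copied earlier
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
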
Time to reload Apache and try it out!

# /etc/init.d/apache2 force-reload

This how-to was made with the help of two other how-tos I found. One of them is this one, for openssl, and the other one I really can’t find now :(. It was a Debian how-to written in Portuguese, so thank you to the author! If I find it I’ll link it.