Managing your Apache HTTP Web Server Content with mod_dav and mod_ftp William A. Rowe, Jr. ASF Member, httpd and APR projects Sr. Software Engineer, Covalent.


1. Managing your Apache HTTP Web Server Content with mod_dav and mod_ftp
   William A. Rowe, Jr., ASF Member, httpd and APR projects; Sr. Software Engineer, Covalent Technologies

2. The Choices
   - upload scripts
   - content management applications
   - ssh (scp) or nfs/samba filesystems
   - WebDAV (mod_dav)
   - ftpd (strictly using ssl/tls), or mod_ftp

3. Upload scripts
   - Mostly, they suck
   - Notorious (bugtraq / vuln-dev notoriety)
   - Quite possibly ideal for narrow-focus, tightly controlled applications such as media, photos, web 2.0 updates, etc.

4. CMS Applications
   - Single purposed (not a solution for a diverse author base)
   - Deploy the corresponding CMS server agent required by each of the authoring tools
   - As secure as the design paradigm

5. ssh (scp)
   - Secure (very)
   - Requires 1:1 system accounts to web administrators
   - Keys strongly recommended over password access
   - One more service to administer

6. nfs/samba
   - Requires 1:1 user:author accounts
   - On a locally deployed server: ideal
   - Sub-par solution for remotely co-located web server infrastructure
   - One more service to administer

7. WebDAV / mod_dav
   - Does not require 1:1 users to authors
   - Easily secured with https: (ssl/tls)
   - Short of ftp, the most widely deployed and flexible authoring solution (no lock-in!)

8. ftpd for Content
   - Requires 1:1 accounts per web admin (unless anonymous, which is the worse of two evils)
   - Non-SSL security is worse than no security (packet sniffers, anyone?)
   - One more service to administer

9. ftp using mod_ftp + tls/ssl
   - Does -not- require 1:1 users / authors
   - All content is written with the ownership of the user which httpd is running as (same as mod_dav)
   - Passwords and content are all secured on the wire with implicit or explicit ssl

10. The Criteria
   - Single administrative solution
   - Secure / encrypted transactions (ssl/tls)
   - Apache HTTP security context (httpd-managed users, not system accounts)

11. The bottom line: our Authors
   - Lenya, Slide, Vignette and many more clients, including MS Web Folders and MS Office, all support WebDAV
   - More ancient clients will support ftp
   - Flexibility without frequent server-side installation churn

12. The Solutions
   - mod_dav: the modern connector
   - mod_ftp: the legacy connector
   - Add mod_ssl: avoid plaintext over the wire for either protocol
   - Single security context for content

13. mod_dav_fs
   - mod_dav is simply a protocol
   - mod_dav_fs does the heavy 'filesystem' lifting of file content, and locking
   - You must leverage both modules!
   - See conf/extra/httpd-dav.conf

14. mod_ftp
   - Here, but not yet here
   - http://httpd.apache.org/modules/ will keep you up to date with its first release
   - Not for the timid, but for the impatient: http://svn.apache.org/repos/asf/httpd/mod_ftp/trunk/STATUS

15. Authorization Options
   - For few authors, mod_authz_username
   - For many, mod_authz_dbd/dbm/ldap help manage the users

16. Permissions and Ownership
   - Apache defaults to User nobody
   - For authoring, use a generally low-privilege account, e.g. "webauthor"
   - It must have read/write access to the web contents

17. More Secure Permissions
   - Consider two httpd instances, an author instance and a user instance, running as two separate Users
   - Short of the 'perchild' MPM, these must be physical (IP-based) vhosts
   - (For SSL, they must be IP-based vhosts anyway)

18. Trouble for Authors
   - GET is not GET, for authors
   - Options Includes, and Set/AddHandler
   - GET /doc.shtml produces the combined document, not what the author wants!

19. A real GET
   - EITHER: Create a, e.g. http://author.example.com/
   - OR: Create an Alias/, e.g. http://author.example.com/author/

20. GETting true files
   - In either case: SetHandler default-handler
   - This provides a true GET, but for ScriptAlias
   - Hint: Don't use ScriptAlias
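An added configuration example (not from the slides) that ties slides 12 through 20 together: an authoring-only httpd 2.2 instance running as its own low-privilege User, SSL on an IP-based vhost, Dav On via mod_dav plus mod_dav_fs, httpd-managed authors in a htpasswd file, and SetHandler default-handler so that a GET returns the raw file. The address 192.0.2.10, the host author.example.com, the "webauthor" account and all file paths are assumed values.

```apache
# Added example (not from the slides). Assumed: address 192.0.2.10,
# host author.example.com, account "webauthor" and the paths below.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule dav_module        modules/mod_dav.so
LoadModule dav_fs_module     modules/mod_dav_fs.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so

# The authoring instance runs as its own low-privilege account, distinct
# from the instance that serves readers; it needs read/write on the tree.
User  webauthor
Group webauthor

# IP-based vhost: required for SSL, and for a second instance without perchild
Listen 192.0.2.10:443

# mod_dav_fs lock database; the directory must be writable by webauthor
DavLockDB /var/lock/httpd/DavLock

<VirtualHost 192.0.2.10:443>
    ServerName   author.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/author.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/author.example.com.key

    <Directory /var/www/html>
        # WebDAV for the whole tree (mod_dav protocol + mod_dav_fs backend)
        Dav On

        # A real GET: authors receive the raw bytes of doc.shtml,
        # not the SSI-expanded page, and no handler runs
        SetHandler default-handler
        Options None

        # Authors are httpd-managed users, not system accounts
        AuthType Basic
        AuthName "Web authors"
        AuthUserFile /etc/httpd/authors.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

The reader-facing instance keeps its own httpd.conf with Options Includes and the usual handlers; only this instance exposes PUT/DELETE and the lock database.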

21. Trouble: Incompatibilities
   - Client incompatibility
   - Some hints are in httpd.conf, others are found in extra/httpd-dav.conf
   - Google is your friend; new releases mean newly incompatible behaviors

22. considered harmful
   - Two 's will not be aggregated!
   - is not a proper container; it is for a limited subset of auth directives
   - You may have only one
   - But when you violate the rules, httpd is...

23. A surprise
   - Named hosts are matched on ServerName and ServerAlias
   - IP-based hosts are matched on port and number
   - When nothing matches, the content is served by the first vhost... so make it a stub

24. Ports and Host Names
   - DAV is simply http/https: the usual ports 80/443
   - mod_ftp typically listens on 21, or 990 for pure implicit TLS
   - BUT mod_ftp requires a second port!

25. Data Connections for FTP
   - Apache running as Nobody/an untrusted user can't use the default data port 20!
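An added mod_ftp configuration (not from the slides) for the same authoring instance, covering slides 24 and 25: explicit TLS on port 21, implicit TLS on 990, and an unprivileged port range for data connections in place of port 20. The address, account, paths and port range are assumed values, and the FTP* directive names are written as recalled from the mod_ftp manual, so verify them against the release you install.

```apache
# Added example (not from the slides). Assumed: the 192.0.2.10 address,
# webauthor account, htpasswd file and port range; the FTP* directive names
# are as recalled from the mod_ftp manual, so verify them for your release.
LoadModule ftp_module modules/mod_ftp.so

# Explicit TLS on 21 (the client sends AUTH TLS before USER/PASS),
# implicit TLS on 990 (the socket speaks TLS from the first byte).
Listen 192.0.2.10:21
Listen 192.0.2.10:990

# Data connections: httpd runs unprivileged, so it cannot bind port 20.
# Use high ports for PASV, and for the source of active connections;
# open the same range on the firewall.
FTPPasvRange   50000 50100
FTPActiveRange 50101 50200

# One certificate and one author list shared by both FTP vhosts
SSLCertificateFile    /etc/ssl/certs/author.example.com.crt
SSLCertificateKeyFile /etc/ssl/private/author.example.com.key
<Directory /var/www/html>
    AuthType Basic
    AuthName "Web authors"
    AuthUserFile /etc/httpd/authors.htpasswd
    Require valid-user
</Directory>

<VirtualHost 192.0.2.10:21>
    ServerName   author.example.com
    DocumentRoot /var/www/html
    FTP On
    # SSLEngine on with implicit SSL off: the session starts in the clear
    # and the control channel is upgraded when the client issues AUTH TLS
    SSLEngine on
    FTPImplicitSSL Off
    # Files written by authors are created with the httpd account's ownership
    FTPUmask 022
</VirtualHost>

<VirtualHost 192.0.2.10:990>
    ServerName   author.example.com
    DocumentRoot /var/www/html
    FTP On
    # Implicit SSL: the TLS handshake completes before any FTP greeting
    SSLEngine on
    FTPImplicitSSL On
    FTPUmask 022
</VirtualHost>
```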

26. Good References
   - http://www.webdav.org/
   - http://www.apache.org/docs/2.2/
   - http://httpd.apache.org/modules/
   - http://wiki.apache.org/httpd/

27. Educational Links
   - http://en.wikipedia.org/wiki/Ftp_client
   - http://en.wikipedia.org/wiki/Comparison_of_FTP_clients
   - http://en.wikipedia.org/wiki/WebDAV

28. Contact and Followup
   - http://www.rowe-clan.net/wrowe/
   - http://people.apache.org/~wrowe/
   - wrowe@rowe-clan.net
   - IRC help at irc.freenode.net #apache
   - Peer help at users@httpd.apache.org

