You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Bjoern Voigt <bj...@arcor.de> on 2016/05/21 21:08:29 UTC
[users@httpd] Apache mod_dav alternatives?
I am using Apache as a web and proxy server, but I am unhappy with
Apache as a WebDAV file server.
I am missing a good file permission or ACL configuration in Apache mod_dav.
My wishlist:
* "good/flexible" permission control (important)
* stable and secure (important)
* Apache >= 2.4 based or an Apache alternative (important)
* permission control delegable to some users (nice to have)
* compatibility with Samba and local users (nice to have)
The Apache path-based access control with directives like
<Directory "/home/dav/user1">
<LimitExcept PROPFIND OPTIONS>
require user user1
</LimitExcept>
<Limit PROPFIND OPTIONS>
require group allusers
</Limit>
</Directory>
is inflexible, even in small user groups.
Do you know good alternatives?
(Please do not suggest Apache < 2.4 alternatives. Some good projects
have stopped development and are incompatible with Apache 2.4. Apache
alternatives are welcome too.)
Greetings,
Bj�rn
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Apache mod_dav alternatives?
Posted by Wim Lewis <wi...@omnigroup.com>.
On May 21, 2016, at 2:08 PM, Bjoern Voigt <bj...@arcor.de> wrote:
> I am using Apache as a web and proxy server, but I am unhappy with
> Apache as a WebDAV file server.
>
> I am missing a good file permission or ACL configuration in Apache mod_dav.
It's relatively easy to write a custom authz provider for your local needs. You can use existing authn module(s) to determine who's making the request, and the authz module just contains whatever allow/deny logic is specific to your site.
You might also be able to do something with the (new in 2.4.x) expression syntax, depending on what logic you need:
https://httpd.apache.org/docs/2.4/en/expr.html <https://httpd.apache.org/docs/2.4/en/expr.html>
A third approach is to use mod_fcgi's ability to delegate just the authnz decision to an fcgi daemon, but once authorized to process the request with apache. I haven't tried that.
Re: [users@httpd] Apache mod_dav alternatives?
Posted by Bjoern Voigt <bj...@arcor.de>.
Christopher Schultz wrote:
> Bjoern,
>
> On 5/21/16 5:08 PM, Bjoern Voigt wrote:
> > I am using Apache as a web and proxy server, but I am unhappy with
> > Apache as a WebDAV file server.
>
> > I am missing a good file permission or ACL configuration in Apache
> > mod_dav.
>
> > My wishlist:
>
> > * "good/flexible" permission control (important) * stable and
> > secure (important) * Apache >= 2.4 based or an Apache alternative
> > (important) * permission control delegable to some users (nice to
> > have) * compatibility with Samba and local users (nice to have)
>
> > The Apache path-based access control with directives like
>
> > <Directory "/home/dav/user1"> <LimitExcept PROPFIND OPTIONS>
> > require user user1 </LimitExcept>
>
> > <Limit PROPFIND OPTIONS> require group allusers </Limit>
> > </Directory>
>
> > is inflexible, even in small user groups.
>
> > Do you know good alternatives? (Please do not suggest Apache < 2.4
> > alternatives. Some good projects have stopped development and are
> > incompatible with Apache 2.4. Apache alternatives are welcome
> > too.)
>
> mod_dav + mod_auth_ldap + LDAP server?
>
> We use this internally and have scripts to take a somewhat simple
> permission-configuration (e.g. /foo can be read by group foo and
> writable by group foowriters) and produce httpd.conf-style files with
> <Directory>, <Location>, etc. directives for those rules.
Thanks Christopher for this tips.
But I do not like Single-Sign-On so much. Scripts which generate Apache
configurations can be a good solution. Currently my problem is not big
enough, so that I start writing such scripts. This point from my wishlist
> * permission control delegable to some users (nice to have)
would also require, that I write a web-based or client-server-solution
so that users can configure their own Apache/WebDAV permissions.
I hoped that there are cool Apache community solutions. But there is
probably nothing. My own search was unsuccessful too.
Greetings,
Bj�rn
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Apache mod_dav alternatives?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Bjoern,
On 5/21/16 5:08 PM, Bjoern Voigt wrote:
> I am using Apache as a web and proxy server, but I am unhappy with
> Apache as a WebDAV file server.
>
> I am missing a good file permission or ACL configuration in Apache
> mod_dav.
>
> My wishlist:
>
> * "good/flexible" permission control (important) * stable and
> secure (important) * Apache >= 2.4 based or an Apache alternative
> (important) * permission control delegable to some users (nice to
> have) * compatibility with Samba and local users (nice to have)
>
> The Apache path-based access control with directives like
>
> <Directory "/home/dav/user1"> <LimitExcept PROPFIND OPTIONS>
> require user user1 </LimitExcept>
>
> <Limit PROPFIND OPTIONS> require group allusers </Limit>
> </Directory>
>
> is inflexible, even in small user groups.
>
> Do you know good alternatives? (Please do not suggest Apache < 2.4
> alternatives. Some good projects have stopped development and are
> incompatible with Apache 2.4. Apache alternatives are welcome
> too.)
mod_dav + mod_auth_ldap + LDAP server?
We use this internally and have scripts to take a somewhat simple
permission-configuration (e.g. /foo can be read by group foo and
writable by group foowriters) and produce httpd.conf-style files with
<Directory>, <Location>, etc. directives for those rules.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJXQlAzAAoJEBzwKT+lPKRY13gP/jP9doBi2ca0jN5ShWbKd59K
+zCbf40wPn/HPnE7WbxN+TmzMtlYeQBSeDuj9YkRHGATMfMoVgJ94CK1uWLtXmBL
/2HWfgZcB/CBDJsj4rYr5rD1DT2Z+GZZtHsXLnC+ySokCw0zSetTAz9LxWxtPv9z
VpL2/W2GM3THLYk47hAUQnLV8puHTtHGPubugHWDW3lPhY8FJjfS/PFMNktSKLz5
O4Ysxe1nk9JwxHx4WU4W/FoboH7wT8Rrph3lRejabpRXdqFhm6z2caK/a8lTysOe
FzevFLtFAI6Jqafrnew4moGBaK5LTPIerYB+vzjyhBk/Drbq87TI0IWXK2dBe3Ug
gYWb2OekFcGN8rOu5/f9aIiLhJkArM5zK7d4wHaVYZuWmu4aWKngbwu5/lq8g5au
oWOu+r7s2rsvAJg7jWjOJkHNPFvsjwjpX8N68borcK6ke2Ojw805gj29KDrQLq9k
Yt8koS6CMhUXLaMlqB+v9bYkBErUH1jW4LryQW8jXSagN0I+hOLRZT3xB5exWmfC
PvwKVQFhU8N9NFS6/csjMZHSmVa/i3Q8rQDldWT54CqUIFeq7X3W5s5T3KJtHnkx
ntL1HiO6AdiEABmdBZDZ2eJbMiNmhLDWnALvQ2ZAd5mwb/a1TZlJR08odtwds4gg
pYaFHWZpvjF1LtIan4Do
=UNgs
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org