You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Bjoern Voigt <bj...@arcor.de> on 2016/05/21 21:08:29 UTC

[users@httpd] Apache mod_dav alternatives?

I am using Apache as a web and proxy server, but I am unhappy with
Apache as a WebDAV file server.

I am missing a good file permission or ACL configuration in Apache mod_dav.

My wishlist:

  * "good/flexible" permission control (important)
  * stable and secure (important)
  * Apache >= 2.4 based or an Apache alternative (important)
  * permission control delegable to some users (nice to have)
  * compatibility with Samba and local users (nice to have)

The Apache path-based access control with directives like

        <Directory "/home/dav/user1">
                <LimitExcept PROPFIND OPTIONS>
                        require user user1
                </LimitExcept>

                <Limit PROPFIND OPTIONS>
                        require group allusers
                </Limit>
        </Directory>

is inflexible, even in small user groups.

Do you know good alternatives?
(Please do not suggest Apache < 2.4 alternatives. Some good projects
have stopped development and are incompatible with Apache 2.4. Apache
alternatives are welcome too.)

Greetings,
Bj�rn

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Apache mod_dav alternatives?

Posted by Wim Lewis <wi...@omnigroup.com>.

On May 21, 2016, at 2:08 PM, Bjoern Voigt <bj...@arcor.de> wrote:
> I am using Apache as a web and proxy server, but I am unhappy with
> Apache as a WebDAV file server.
> 
> I am missing a good file permission or ACL configuration in Apache mod_dav.

It's relatively easy to write a custom authz provider for your local needs. You can use existing authn module(s) to determine who's making the request, and the authz module just contains whatever allow/deny logic is specific to your site.

You might also be able to do something with the (new in 2.4.x) expression syntax, depending on what logic you need:
     https://httpd.apache.org/docs/2.4/en/expr.html <https://httpd.apache.org/docs/2.4/en/expr.html>

A third approach is to use mod_fcgi's ability to delegate just the authnz decision to an fcgi daemon, but once authorized to process the request with apache. I haven't tried that.

Re: [users@httpd] Apache mod_dav alternatives?

Posted by Bjoern Voigt <bj...@arcor.de>.

Christopher Schultz wrote:
> Bjoern,
>
> On 5/21/16 5:08 PM, Bjoern Voigt wrote:
> > I am using Apache as a web and proxy server, but I am unhappy with
> > Apache as a WebDAV file server.
>
> > I am missing a good file permission or ACL configuration in Apache
> > mod_dav.
>
> > My wishlist:
>
> > * "good/flexible" permission control (important) * stable and
> > secure (important) * Apache >= 2.4 based or an Apache alternative
> > (important) * permission control delegable to some users (nice to
> > have) * compatibility with Samba and local users (nice to have)
>
> > The Apache path-based access control with directives like
>
> > <Directory "/home/dav/user1"> <LimitExcept PROPFIND OPTIONS>
> > require user user1 </LimitExcept>
>
> > <Limit PROPFIND OPTIONS> require group allusers </Limit>
> > </Directory>
>
> > is inflexible, even in small user groups.
>
> > Do you know good alternatives? (Please do not suggest Apache < 2.4
> > alternatives. Some good projects have stopped development and are
> > incompatible with Apache 2.4. Apache alternatives are welcome
> > too.)
>
> mod_dav + mod_auth_ldap + LDAP server?
>
> We use this internally and have scripts to take a somewhat simple
> permission-configuration (e.g. /foo can be read by group foo and
> writable by group foowriters) and produce httpd.conf-style files with
> <Directory>, <Location>, etc. directives for those rules.
Thanks Christopher for this tips.

But I do not like Single-Sign-On so much. Scripts which generate Apache
configurations can be a good solution. Currently my problem is not big
enough, so that I start writing such scripts. This point from my wishlist
> * permission control delegable to some users (nice to have)
would also require, that I write a web-based or client-server-solution
so that users can configure their own Apache/WebDAV permissions.

I hoped that there are cool Apache community solutions. But there is
probably nothing. My own search was unsuccessful too.

Greetings,
Bj�rn

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Apache mod_dav alternatives?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Bjoern,

On 5/21/16 5:08 PM, Bjoern Voigt wrote:
> I am using Apache as a web and proxy server, but I am unhappy with 
> Apache as a WebDAV file server.
> 
> I am missing a good file permission or ACL configuration in Apache
> mod_dav.
> 
> My wishlist:
> 
> * "good/flexible" permission control (important) * stable and
> secure (important) * Apache >= 2.4 based or an Apache alternative
> (important) * permission control delegable to some users (nice to
> have) * compatibility with Samba and local users (nice to have)
> 
> The Apache path-based access control with directives like
> 
> <Directory "/home/dav/user1"> <LimitExcept PROPFIND OPTIONS> 
> require user user1 </LimitExcept>
> 
> <Limit PROPFIND OPTIONS> require group allusers </Limit> 
> </Directory>
> 
> is inflexible, even in small user groups.
> 
> Do you know good alternatives? (Please do not suggest Apache < 2.4
> alternatives. Some good projects have stopped development and are
> incompatible with Apache 2.4. Apache alternatives are welcome
> too.)

mod_dav + mod_auth_ldap + LDAP server?

We use this internally and have scripts to take a somewhat simple
permission-configuration (e.g. /foo can be read by group foo and
writable by group foowriters) and produce httpd.conf-style files with
<Directory>, <Location>, etc. directives for those rules.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXQlAzAAoJEBzwKT+lPKRY13gP/jP9doBi2ca0jN5ShWbKd59K
+zCbf40wPn/HPnE7WbxN+TmzMtlYeQBSeDuj9YkRHGATMfMoVgJ94CK1uWLtXmBL
/2HWfgZcB/CBDJsj4rYr5rD1DT2Z+GZZtHsXLnC+ySokCw0zSetTAz9LxWxtPv9z
VpL2/W2GM3THLYk47hAUQnLV8puHTtHGPubugHWDW3lPhY8FJjfS/PFMNktSKLz5
O4Ysxe1nk9JwxHx4WU4W/FoboH7wT8Rrph3lRejabpRXdqFhm6z2caK/a8lTysOe
FzevFLtFAI6Jqafrnew4moGBaK5LTPIerYB+vzjyhBk/Drbq87TI0IWXK2dBe3Ug
gYWb2OekFcGN8rOu5/f9aIiLhJkArM5zK7d4wHaVYZuWmu4aWKngbwu5/lq8g5au
oWOu+r7s2rsvAJg7jWjOJkHNPFvsjwjpX8N68borcK6ke2Ojw805gj29KDrQLq9k
Yt8koS6CMhUXLaMlqB+v9bYkBErUH1jW4LryQW8jXSagN0I+hOLRZT3xB5exWmfC
PvwKVQFhU8N9NFS6/csjMZHSmVa/i3Q8rQDldWT54CqUIFeq7X3W5s5T3KJtHnkx
ntL1HiO6AdiEABmdBZDZ2eJbMiNmhLDWnALvQ2ZAd5mwb/a1TZlJR08odtwds4gg
pYaFHWZpvjF1LtIan4Do
=UNgs
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org