In the quest for new ways to get at my files, I've set my Bubba2 up to run as a webdav server on the https virtual host with authentication via PAM. It's very handy for getting at my files when behind a firewall that blocks outgoing except to well known ports....
It would be great if something like this could be turned on and off with the admin UI. In fact it would be really nice if the bubba2 and its admin UI could provide webdav, nfsd and smb servers that could be turned on and off to suit the user's needs (with smb on by default and the others off).
New user's registration have been closed due to high spamming and low trafic on this forum. Please contact forum admins directly if you need an account. Thanks !
WebDAV support
Ok, it took a certain amount of fiddling on my part because I was trying to get it to authenticate with PAM and had also broken my virtual host config at the same time but basically here's what I did:
I'll assume that you're able to connect to the bubba via ssh and are happy editing text files and navigating your way around a linux system and that you've enabled the main debian package repositories. If you are not then you might want to rethink your plan...
1) The apache webdav module is already installed as part of apache2, so just need to enable the relevant modules - as root do:
2) Install the apache2 PAM module:
Edit: I forgot (see next post) to enable the AuthPAM module:
Add the www-data user to the shadow group so that the apache server can read the shadow file to authenticate users (NB this does have a security implication in that if you misconfigure your apache2 it might be possible for remote users to download your shadow passwords file).
You want to edit /etc/group/ so that the lentry for the shadow group reads:
3) I decided to enable webdav on the default https web-server as I don't use the bubba for its PIM functionality outside of my local network so can live withut needing the SSL web server for anything else. It's probably a good idea to use an SSL enabled server for WebDAV if you are connecting to it remotely as otherwise you'll be sending user credentials unencrypted over an untrusted network.
I edited /etc/apache2/sites-enabled/bubba to change the https virtual host:
Change the document root to be /home to enable access to all home directories
Edit the root directory config section:
4) With any luck, if I've not missed some important step out (!), then when you restart the web-server:
You should have a webdav server running on port 443 that you can use to access the home and storage directory using your normal login and password. Probably a sensible thing to do would be to restrict the user accounts a bit more in the apache confoiguration to stop a root login via webdave.[/code][/b]
I'll assume that you're able to connect to the bubba via ssh and are happy editing text files and navigating your way around a linux system and that you've enabled the main debian package repositories. If you are not then you might want to rethink your plan...
1) The apache webdav module is already installed as part of apache2, so just need to enable the relevant modules - as root do:
Code: Select all
a2enmod dav_fs
a2enmod davCode: Select all
apt-get update && apt-get install libapache2-mod-auth-pam
Code: Select all
a2enmod auth_pam
You want to edit /etc/group/ so that the lentry for the shadow group reads:
Code: Select all
shadow:x:42:www-data,root
I edited /etc/apache2/sites-enabled/bubba to change the https virtual host:
Code: Select all
<VirtualHost *:443>
Code: Select all
DocumentRoot /home/
Code: Select all
<Directory />
DAV on
AuthPAM_Enabled on
AuthType Basic
AuthBasicAuthoritative Off
AuthName "PAM"
require valid-user
AuthUserFile /dev/null
Code: Select all
/etc/init.d/apache2 restart
Last edited by gb119 on 22 Nov 2008, 12:44, edited 1 time in total.
Thanks a million for the great tutorial!
When restarting apache2 after following your instructions I received an error message.
Links that helped me:
How to enable modules:
http://www.debuntu.org/book/export/html/72
Omnifucus info:
http://forums.omnigroup.com/showthread.php?t=9306
Works great, thanks again!
When restarting apache2 after following your instructions I received an error message.
It seemed to be one thing missing in your procedure. I had to enable the auth_pam.load by typing the following as su:Forcing reload of web server (apache2)... waiting Syntax error on line 17 of /etc/apache2/sites-enabled/bubba:
Invalid command 'AuthPAM_Enabled', perhaps misspelled or defined by a module not included in the server configuration
failed!
Code: Select all
a2enmod auth_pamHow to enable modules:
http://www.debuntu.org/book/export/html/72
Omnifucus info:
http://forums.omnigroup.com/showthread.php?t=9306
Works great, thanks again!
Oops, sorry about that - as I said I'd fiddled a lot before I worked out what I was doing. I've edited the instructions above in case anyone else want to set up WebDAV.tojacob wrote: It seemed to be one thing missing in your procedure. I had to enable the auth_pam.load by typing the following as su:Code: Select all
a2enmod auth_pam
Re: WebDAV support
gb119 wrote:In the quest for new ways to get at my files, I've set my Bubba2 up to run as a webdav server on the https virtual host with authentication via PAM. It's very handy for getting at my files when behind a firewall that blocks outgoing except to well known ports....
It would be great if something like this could be turned on and off with the admin UI.
Bringing up an old thread. Is webdav for the Admin UI something planned for future updates of B2?
//Jonte
Re:
What if I'm familiar with all the steps excluding enabling main debian package repositories?gb119 wrote: I'll assume that you're able to connect to the bubba via ssh and are happy editing text files and navigating your way around a linux system and that you've enabled the main debian package repositories. If you are not then you might want to rethink your plan...
What should the sources.list entry look like?
Is it possible to enable the main debian package repository, apt-get the libapache2-mod-auth-pam and then disable main deebian package repository in the sources.list, i.e. returning to the normal B2 sources.list setup?
Thanks!
//Jonte
Re: Re:
All you have to do is have a line like:jonte wrote: What if I'm familiar with all the steps excluding enabling main debian package repositories?
What should the sources.list entry look like?
deb http://ftp.uk.debian.org/debian/ etch main
(replacing the "uk" with an appropriately close debian mirror)
That will work ok.jonte wrote: Is it possible to enable the main debian package repository, apt-get the libapache2-mod-auth-pam and then disable main deebian package repository in the sources.list, i.e. returning to the normal B2 sources.list setup?
Re: WebDAV support
@gb119
Great!
I'll give it a go (after backing up)
Thanks //Jonte
UPDATE: Odd or not, I checked my sources.list and it already has an uncommented debian etch main line (last edited november 2008). Still a good idea to comment the line after apt-geting Apache 2 PAM-module?
//J
Great!
I'll give it a go (after backing up)
Thanks //Jonte
UPDATE: Odd or not, I checked my sources.list and it already has an uncommented debian etch main line (last edited november 2008). Still a good idea to comment the line after apt-geting Apache 2 PAM-module?
//J
Re: WebDAV support
I tend to work on the "if it ain't broke..." principlejonte wrote:@gb119
UPDATE: Odd or not, I checked my sources.list and it already has an uncommented debian etch main line (last edited november 2008). Still a good idea to comment the line after apt-geting Apache 2 PAM-module?
Re: WebDAV support
Haha, I like the way you're thinkinggb119 wrote:I tend to work on the "if it ain't broke..." principlejonte wrote:@gb119
UPDATE: Odd or not, I checked my sources.list and it already has an uncommented debian etch main line (last edited november 2008). Still a good idea to comment the line after apt-geting Apache 2 PAM-module?
Thanks helping out!
//J
Re: WebDAV support
Hi,
Regarding WebDAV support. This is of course a feature we have thought of. Unfortunately it proved to be a bit of a problem to integrate with the rest of the system features.
The main problem is that webdav is run by Apache and thus only can access things that Apache can. Ie it cant handle multiple users in a practical way.
The other big problem is that Apache, and WebDav run by it, assumes exclusive access to the file system that it exposes. This can be a big problem if files are simultaneously accessed in another way, fx via samba or ftp.
That said it should of course be possible to export a dedicated Dav area from Bubba. But i'm not sure that this has any good use case.
I'm as always interested in thoughts and feedback regarding these things But here you have the main reasons why we don't provide this feature atm.
/Tor
Regarding WebDAV support. This is of course a feature we have thought of. Unfortunately it proved to be a bit of a problem to integrate with the rest of the system features.
The main problem is that webdav is run by Apache and thus only can access things that Apache can. Ie it cant handle multiple users in a practical way.
The other big problem is that Apache, and WebDav run by it, assumes exclusive access to the file system that it exposes. This can be a big problem if files are simultaneously accessed in another way, fx via samba or ftp.
That said it should of course be possible to export a dedicated Dav area from Bubba. But i'm not sure that this has any good use case.
I'm as always interested in thoughts and feedback regarding these things
But here you have the main reasons why we don't provide this feature atm./Tor
Co-founder OpenProducts and Ex Excito Developer
Re: WebDAV support
I was planning on using WebDAV in that way. Create a dedicated area, in this case for a work-project involving 3 people. Sharing/using documents. We now use an Apple Mobileme webDAV account for this task, and it's painstakingly slow.tor wrote: That said it should of course be possible to export a dedicated Dav area from Bubba. But i'm not sure that this has any good use case.
//Jonte
Re:
Ok, I followed your steps, and now my virtual host config is broken too.gb119 wrote:Ok, it took a certain amount of fiddling on my part because I was trying to get it to authenticate with PAM and had also broken my virtual host config at the same time but basically here's what I did:
...
Can you tell me what you did to fix yours?
Code: Select all
bubba:/etc/apache2# apache2 -t
[Wed Sep 16 15:13:32 2009] [warn] NameVirtualHost *:443 has no VirtualHosts
[Wed Sep 16 15:13:32 2009] [warn] NameVirtualHost *:80 has no VirtualHosts
Syntax OK
Re: WebDAV support
Is there another viable solution than adding www-data to the shadow group?
see: http://pam.sourceforge.net/mod_auth_pam/shadow.html
Easy WebDAV-Support would come in really handy as I'm trying to set up syncing for Zotero (which supports only WebDAV).
see: http://pam.sourceforge.net/mod_auth_pam/shadow.html
Easy WebDAV-Support would come in really handy as I'm trying to set up syncing for Zotero (which supports only WebDAV).