Use WebDAV to create a simple document portal
Posted: November 1st, 2009 | Author: karol | Filed under: File server, Security
It is my experience that email is frequently used (or rather abused) to exchange documents of a business-sensitive nature.
As everyone should know, email is an insecure way of communicating, and unless documents are fully encrypted it should not be used to exchange or share documents of any sensitive nature.
A much more sensible alternative is to build and use a secure document exchange portal to facilitate the exchange of files between business partners. Such a portal can be created with commercial software packages. However, I recommend that you take a serious look at the WebDAV protocol. WebDAV can be used to build a simple but secure and highly usable file portal, and if you create it with the Apache and mod_dav open-source packages, such a portal will also be very inexpensive.
WebDAV stands for “Web-based Distributed Authoring and Versioning”; it is a set of extensions to the HTTP protocol that allow remote access to files on web servers. Its main purpose is to allow easy remote management of content residing on a web server. However, WebDAV can also be used to quickly build a simple (and, if run over https, secure) network file system. This is what computers accessing your portal will actually see: a remote network file system.
You may ask why not use one of the common network file systems, such as NFS or CIFS/SMB, for our document exchange portal. The answer is in the word “secure”: our goal is to have a secure file system, and this means encryption of all network traffic. While the setup (authentication) of an SMB or NFS session can be (and should be) encrypted, the subsequent network traffic is not. It is possible to tunnel SMB or NFS communications through the SSH protocol to achieve full encryption, but the requirements for such a setup (such as the need for SSH software on each client, including Windows, where it is rather rare to find it) and the configuration are not simple and easy for “regular” computer users. A WebDAV file system is much easier to set up and to use. It is fully encrypted with SSL if one runs it over the https protocol. On top of that, we get the advantage of the authentication, access control, and great logging that the Apache web server offers.
WebDAV server
The process of building a WebDAV-based portal is very straightforward. All that you need is an Apache web server with the mod_ssl and mod_dav modules installed. Most modern Linux distributions ship all the parts that you need.
If you have not configured Apache and mod_ssl, look for good tutorials on the web. You will find plenty of good information and advice.
If your organization does not own a public key certificate validated by a certificate authority (CA), you will have to decide whether to purchase such a certificate (it will cost a few hundred dollars) or to proceed with a self-signed certificate. If your server is to be used by a small group of people, you may opt to use a self-signed certificate. A self-signed certificate still guarantees that all network traffic is fully encrypted. It does, however, leave you vulnerable to man-in-the-middle attacks. These are not common attacks, and therefore the small risk may be acceptable.
If you are using a self-signed certificate, you need to educate your users about the consequences, as most WebDAV clients (i.e., programs used to access your WebDAV portal; we will talk about them later) will throw a fit when encountering a self-signed certificate. Users should be told to proceed despite the warning messages that are going to pop up on their computers when they try to connect to your portal.
Installing mod_dav is very straightforward: you just need to load it via a LoadModule directive in the Apache configuration file. To enable WebDAV, simply insert the following line within a <Directory> or <Location> directive in your Apache configuration file:
DAV On
You can get more information about the installation and configuration of mod_dav in Apache in this excellent article on the webdav.org website.
Now, all that you need is to set up folders under Apache’s document directory. You will also need an authentication mechanism in Apache to control access to these folders. Since all of your network traffic is encrypted, the “basic authentication” mechanism should be all that you need. Create usernames and passwords for all users of your portal. Also, create access controls on each folder.
Below is an example of the configuration for one of the DAV-enabled folders from my httpd.conf file:
<Location /Brandt>
    # Allow directory listings; no symlink following, CGI or SSI in the portal folder.
    # Apache rejects Options lines that mix +/- entries with bare ones, so every entry is prefixed.
    Options +Indexes -FollowSymLinks -ExecCGI -Includes
    DAV On
    # Everything except OPTIONS (which WebDAV clients send before logging in) requires a user.
    <LimitExcept OPTIONS>
        AuthName "MPOL's document repository"
        Require user brandt bobby alan brian jim stephen
        AuthType basic
        AuthUserFile /etc/httpd/conf/ourhtpasswd
    </LimitExcept>
</Location>
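As an added example (my configuration, not the post's), here is a fuller virtual host pair around the folder above that goes a step beyond the post: it refuses plain-HTTP access so Basic credentials never leave the client unencrypted, adds the lock database mod_dav_fs needs, and uses a log format that records the WebDAV verb and user. The hostname portal.example.com, the paths under /var/www/dav, /var/lib/dav and /etc/httpd/ssl, and Apache 2.2 with mod_ssl, mod_dav, mod_dav_fs, mod_auth_basic and mod_authz_user loaded are assumptions.

```apache
# Added example (not from the original post). Assumed: hostname portal.example.com,
# files under /var/www/dav, Apache 2.2 with mod_ssl, mod_dav, mod_dav_fs,
# mod_auth_basic and mod_authz_user loaded.
# Plain HTTP never serves the portal; it only sends clients to HTTPS.
<VirtualHost *:80>
    ServerName portal.example.com
    Redirect permanent / https://portal.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName portal.example.com
    DocumentRoot /var/www/dav
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/portal.crt
    SSLCertificateKeyFile /etc/httpd/ssl/portal.key

    # mod_dav_fs needs a lock database; keep it outside the DocumentRoot.
    DavLockDB /var/lib/dav/lockdb
    # Cap PROPFIND/PROPPATCH request bodies and refuse "Depth: infinity" listings.
    LimitXMLRequestBody 131072
    DavDepthInfinity off

    # Log who (%u) did what (%m, the WebDAV verb) to which path (%U).
    LogFormat "%h %u %t \"%m %U\" %>s %b" dav
    CustomLog /var/log/httpd/portal_access.log dav

    <Directory /var/www/dav>
        AllowOverride None
        Options +Indexes -FollowSymLinks -ExecCGI -Includes
        # Apache 2.2 access control; on 2.4 use "Require all granted" instead.
        Order allow,deny
        Allow from all
    </Directory>

    # One folder per partner group, mirroring the /Brandt folder above.
    <Location /Brandt>
        DAV On
        # Refuse any request reaching this folder without TLS; credentials never go in the clear.
        SSLRequireSSL
        <LimitExcept OPTIONS>
            AuthType Basic
            AuthName "MPOL's document repository"
            # Users created with: htpasswd -c /etc/httpd/conf/ourhtpasswd brandt
            # (drop -c for every user after the first).
            AuthUserFile /etc/httpd/conf/ourhtpasswd
            Require user brandt bobby alan brian jim stephen
        </LimitExcept>
    </Location>
</VirtualHost>
```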
If you are to exchange documents with parties residing outside your LAN, you need to place your WebDAV server in the DMZ network zone and configure access to it on the firewall.
Concerning hardware for your WebDAV server: it does not have to be anything spectacular or high performance unless you expect a lot of traffic. For a server accessed occasionally and by just a few users (which is the most likely scenario) you can reuse some old computer, which will make your portal really inexpensive. I have actually run a portal such as the one described here on a spare 5-year-old Dell laptop. Later, I purchased, for a whole $199, an old dual Pentium 4 rackmount system with 2 GB of memory and four SCSI disks (only 36 GB per disk, but SCSI and 15000 rpm). It made a very fast and responsive portal (primarily due to fast I/O).
How to access your portal: WebDAV clients
One needs WebDAV client software to access a WebDAV server such as the one that you just created. Fortunately, all the most popular operating systems come with such software.
“My Network Places” on Windows XP and newer versions of the Microsoft Windows operating system supports WebDAV. To access a WebDAV server, create a new network place with the address in the form of a URL:
- https://yourserver.domain.com
A couple of notes concerning Windows WebDAV implementation:
If you see a waving flashlight in the folder window, it means that Windows wants you to authenticate again (Windows will ask you repeatedly to authenticate, even if you ask it to remember your WebDAV password). However, the authentication window is often hidden behind the current window (the one with the waving flashlight). You may need to minimize or move some windows to find it.
Under some circumstances, double-clicking on PDF files in a WebDAV folder will not open them in your PDF reader (I know that this happens with Adobe Reader; some other PDF readers may not show this behavior). Moreover, you may not be able to open them even from within the reader (File->Open). You have to move the PDF file to your local file system to open it. This actually occurs only when Internet Explorer is not your default web browser.
Under Mac OS X, one can access a WebDAV server from the Finder menu: Go -> Connect to Server… Again, provide the URL:
- https://yourserver.domain.com
as an address of the server.
Note that WebDAV over https is supported only under Mac OS X Tiger or newer. If you run an older version of Mac OS X, you can only access WebDAV over http.
In Linux, you can access a WebDAV server from the command line using a program called cadaver. Cadaver is a command line program with commands similar to those of ftp.
If you do not want to use the command line, you can access a WebDAV server from the Gnome file explorer: Places -> Connect to Server… Choose “WebDAV (HTTP)” or “Secure WebDAV (HTTPS)” as the “Service Type”.
I recall that in one Ubuntu version, the option “Secure WebDAV (HTTPS)” is not available in the Gnome menu. If this is the case, you can still access the server by choosing “Custom Location” and then providing a URL in the form:
davs://yourserver.domain.com
(“davs” in a URL stands for “secure WebDAV”, i.e., WebDAV over HTTPS; use “dav” in a URL when you want to access WebDAV over HTTP.)
There are other WebDAV clients for Linux if the ones mentioned here do not suit your needs.