Apache2 and PHP5: Difference between revisions

From SaruWiki
Revision as of 00:06, 15 February 2009

Apache2

Installation of Apache2

Contribution needed.

Configuration of Apache2

Once Apache2 is in place, you might want to enable SSL for it.

Installation of PHP5

Contribution needed.

Adding WebDAV to your Apache2

Thoughts about WebDAV and your configuration

Out of the box, your Debian Apache2 is prepared to start using WebDAV. All you need is to enable two modules: one for WebDAV itself, one for the authentication that you want to use. Since our server mainly uses LDAP, we'll describe WebDAV+LDAP here.

Furthermore, because WebDAV allows editing files on your server, security is paramount (well, it always is, of course. What we mean is that it's even more important now). The Apache project recommends:
The use of HTTP Basic Authentication is not recommended. You should use at least HTTP Digest Authentication, which is provided by the mod_auth_digest module. Nearly all WebDAV clients support this authentication method. An alternative is Basic Authentication over an SSL enabled connection.
Thus you should not use Basic Authentication (which is pretty simple to set up) unless you run it over SSL - so we do that as well. We choose the Virtual Host that defines our SSL-site, and extend it with WebDAV functionality. If this is not what you want, consider stepping your authentication up to Digest Authentication.

Configuring WebDAV and LDAP for your SSL-enabled Virtual Host

First, enable the WebDAV and authnz_ldap modules:

a2enmod dav
a2enmod dav_fs
a2enmod authnz_ldap

Do not restart Apache2 just yet, because we haven't configured either the WebDAV site or its authentication!

Furthermore, a location for the DAV lock database must be specified in the global section of your Apache2 configuration file using the DavLockDB directive. To this end, create a file under /etc/apache2/conf.d named webdav containing this single line:

DavLockDB /var/run/apache2/DavLock

This will act as the (global) lock database for WebDAV; we don't need to specify it in any other configuration file (like the Virtual Host configuration files). Of course, your server should have a directory /var/run/apache2, and it must be writable for the user www-data under which Apache2 runs.

Next, adapt the virtual host that may employ WebDAV and LDAP authentication. The virtual host file needs a section that enables WebDAV (using the directive Dav On), and some directives on how to authorize users within this section. Suppose we want to enable WebDAV only for subdirectory webdav within virtual host http://www.saruman.biz/. Then in the corresponding Virtual Host file (something like /etc/apache2/sites-available/000-saruman.biz) we need to include the following section:

<Location /webdav>
   Order Allow,Deny
   Allow from all
   Dav On

These lines turn on WebDAV for the location /webdav. This of course means that there should be a directory in your server's filesystem named webdav and located under the root of this virtual host, e.g. /var/www/saruman.biz/webdav.

   AuthType Basic
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative On

This section sets up the authentication as HTTP Basic, with LDAP as the provider, and NOT allowing the authorization phase to fall back to other providers if LDAP cannot provide the required answer. If you want to use "require" statements from some other authorization provider, then you must set AuthzLDAPAuthoritative to "off".

   AuthName "Enter your Saruman.biz login"
   AuthLDAPURL "ldap://myserver.my.domain.com/ou=it,ou=departments,dc=my,dc=domain,dc=com?sAMAccountName"
   AuthLDAPBindDN "myusername@my.domain.com"
   AuthLDAPBindPassword "mypassword"

The AuthName directive "sets the name of the authorization realm". The string provided for the AuthName is what will appear in the password dialog provided by most browsers.

   require valid-user
</Location>
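The points made above (Basic only over SSL, AuthzLDAPAuthoritative On, every DAV location authenticated) can be checked mechanically before restarting Apache. The script below is an added example, not part of this wiki page: it audits a vhost snippet for those settings, using two constructed samples that place the page's /webdav block in a plain-HTTP vhost and in the recommended SSL vhost. The trailing STARTTLS on AuthLDAPURL is the mod_authnz_ldap connection-mode keyword; the hostnames and DN are the page's placeholders.

```python
import re
# Constructed samples, not the wiki's own files: the page's /webdav block inside a
# plain-HTTP vhost, and inside the SSL vhost the page recommends (one vhost per snippet).
WEAK = """<VirtualHost *:80>
  <Location /webdav>
    Dav On
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPURL "ldap://myserver.my.domain.com/ou=it,dc=my,dc=domain,dc=com?sAMAccountName"
    require valid-user
  </Location>
</VirtualHost>"""

HARDENED = """<VirtualHost *:443>
  SSLEngine on
  <Location /webdav>
    Dav On
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative On
    AuthLDAPURL "ldap://myserver.my.domain.com/ou=it,dc=my,dc=domain,dc=com?sAMAccountName" STARTTLS
    require valid-user
  </Location>
</VirtualHost>"""

def _has(text, pattern):
    # Directive match anchored at line start, case-insensitive like httpd itself.
    return re.search(r"^\s*" + pattern, text, re.I | re.M) is not None

def audit_dav_locations(conf):
    """Return (path, finding) pairs for every <Location> that has 'Dav On'."""
    findings = []
    ssl_on = _has(conf, r"SSLEngine\s+on")
    for m in re.finditer(r"<Location\s+(\S+)>(.*?)</Location>", conf, re.S | re.I):
        path, body = m.group(1), m.group(2)
        if not _has(body, r"Dav\s+On"):
            continue
        if not _has(body, r"AuthType\b"):
            findings.append((path, "no AuthType: DAV writes need no login"))
        if not _has(body, r"require\b"):
            findings.append((path, "no require directive: nobody is authorized"))
        if _has(body, r"AuthType\s+Basic") and not ssl_on:
            findings.append((path, "Basic auth in a vhost without SSLEngine on"))
        if _has(body, r"AuthzLDAPAuthoritative\s+Off"):
            findings.append((path, "AuthzLDAPAuthoritative Off: falls through to other providers"))
        if _has(body, r'AuthLDAPURL\s+"?ldap://') and not _has(body, r"AuthLDAPURL\s.*\s(TLS|STARTTLS)\s*$"):
            findings.append((path, "ldap:// without TLS/STARTTLS: bind password sent in clear"))
    return findings
```

Run it over the contents of your sites-available file; an empty list means the DAV location passes all five checks.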