httpd.conf (notes in red and excerpts) for Basic authentication to NetInfo database
Visit the Security section for information on Basic authentication.
This is not a recommended setup: Basic authentication over plain HTTP sends the username and password base64-encoded in every request, which is cleartext to anyone on the network path. It is provided for testing purposes only.
The document Understanding NetInfo (PDF) explains NetInfo, the directory service used under Mac OS X. This setup uses the local NetInfo database, which is on the same host as the web server.
##
## httpd.conf -- Apache HTTP server configuration file
##
...
# Listen: Allows you to bind Apache to specific IP addresses
# and/or ports, in addition to the default. See also the
# <VirtualHost> directive.
#
#Listen 3000
#Listen 12.34.56.78:80
Listen fqhostname.bio.upenn.edu:80
...
It is important to specify the fully qualified hostname of your server: WebDAV clients will get 502 Bad Gateway errors from the server if you use a CNAME alias, because the hostname carried in the clients' HTTP requests ends up not resolving properly.
# Dynamic Shared Object (DSO) Support
...
LoadModule dav_module libexec/httpd/libdav.so
LoadModule ssl_module libexec/httpd/libssl.so
#LoadModule perl_module libexec/httpd/libperl.so
#LoadModule php4_module libexec/httpd/libphp4.so
LoadModule hfs_apple_module libexec/httpd/mod_hfs_apple.so
LoadModule apple_auth_module libexec/httpd/mod_auth_apple.so
...
# Reconstruction of the complete module list from all
# available modules (static and shared ones) to achieve
# correct module execution order. [WHENEVER YOU CHANGE
# THE LOADMODULE SECTION ABOVE UPDATE THIS, TOO]
...
AddModule mod_dav.c
AddModule mod_ssl.c
#AddModule mod_perl.c
#AddModule mod_php4.c
AddModule mod_hfs_apple.c
AddModule mod_auth_apple.c
Uncomment the WebDAV and SSL .so and .c module entries.
Also add the Apple NetInfo authentication module (mod_auth_apple) if you are doing lookups against the NetInfo database (local or parent). This is usually more convenient than populating and maintaining an htpasswd-generated file from the NetInfo data, whether manually or with scripts.
# User/Group: The name (or #number) of the user/group to
# run httpd as...
#
User www
Group www
...
Your web server must run as the www user and group; additionally, any users who access the WebDAV share must be members of the www group.
Under Mac OS X (Client), use NetInfo Manager to adjust a user's group memberships. Under Mac OS X Server, use Server Admin to drag users into the www group.
# ServerName allows you to set a host name...
#
ServerName fqhostname.bio.upenn.edu
...
Again, you can't use a CNAME here, or WebDAV clients will choke with URI errors (see the Listen directive, above).
<IfModule mod_dav.c>
DAVLockDB "/private/var/run/davlocks/.davlock100"
DAVMinTimeout 600
DAVDepthInfinity On
</IfModule>
Add the directives for mod_dav. DAVDepthInfinity shouldn't be required any longer and defaults to Off when omitted, but it is added here for testing purposes.
# --
# Default Directives for access control and other
features
# start here.
# --
# The top level DAV directory
# Here we turn DAV on, allow web browser access, and enable only
# read operations. The application realm name can be called
# anything that pertains to your application...
<Directory "/Library/WebServer/Documents">
Options All MultiViews ExecCGI Indexes
AllowOverride None
DAV On
AuthName "DAV Evaluation"
AuthType Basic
#AuthUserFile /Library/WebServer/users_basic
<LimitExcept GET HEAD OPTIONS>
require valid-user
</LimitExcept>
<Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
require valid-user
</Limit>
</Directory>
The above access directives grant the following authoring permissions:
- Read access (GET, HEAD, OPTIONS) for all visitors to the directory /Library/WebServer/Documents (root directory)
- Read/write/lock/etc. access to that directory for anyone who passes Basic authentication; the <LimitExcept GET HEAD OPTIONS> block already covers every other method, so the explicit <Limit PUT POST ...> list is redundant but harmless (it documents the WebDAV methods in play)
- With AuthUserFile commented out, lookups are performed against the NetInfo database by mod_auth_apple
Note that this directory is DAV-writable and also carries Options All (which includes ExecCGI): any authenticated user can upload a script, and if a cgi-script handler is mapped it will run as the www user. For anything beyond testing, drop ExecCGI from DAV-writable directories.
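To make concrete why this setup is "completely open", the following is an added shell example, not part of the original page's configuration: it walks a captured HTTP conversation and reports what an eavesdropper on port 80 recovers from each Authorization header. The captured requests are constructed for the example; reynolda and aharon are user names from this page, the password s3cret and the Digest nonce and response values are made up. Basic yields the password outright; Digest (the scheme used in the next section) yields only the username and a hash, and the Basic + SSL section later on fixes the exposure by wrapping the same header in TLS.

```shell
#!/bin/sh
# Added example (not from the original page): what an eavesdropper on port 80
# recovers from the Authorization headers of the two schemes discussed here.
# The captured requests are constructed for this example; "reynolda" and
# "aharon" are user names from the page, the password "s3cret" and the Digest
# nonce/response values are made up.

# Decode the credential part of one "Authorization: Basic ..." header line:
# strip the scheme, base64-decode the rest. Nothing else is needed.
basic_credentials() {
    printf '%s' "$1" | sed 's/^Authorization: Basic //' | base64 -d
}

# Extract the username from an "Authorization: Digest ..." header line.
# The password never appears in a Digest header; only the username and hashes do.
digest_username() {
    printf '%s' "$1" | sed -n 's/.*username="\([^"]*\)".*/\1/p'
}

# Walk a capture (one or more HTTP requests) and report, per request, what the
# network reveals: "basic <user>:<password>" or "digest <user> (hash only)".
recovered_from_capture() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "Authorization: Basic "*)
                printf 'basic %s\n' "$(basic_credentials "$line")" ;;
            "Authorization: Digest "*)
                printf 'digest %s (hash only)\n' "$(digest_username "$line")" ;;
        esac
    done
}

# Constructed capture: a PROPFIND answered with Basic credentials for the
# "DAV Evaluation" realm, then a PROPFIND with Digest credentials.
CAPTURE='PROPFIND /Documents/ HTTP/1.1
Host: fqhostname.bio.upenn.edu
Depth: 1
Authorization: Basic cmV5bm9sZGE6czNjcmV0

PROPFIND /Documents/digest/ HTTP/1.1
Host: fqhostname.bio.upenn.edu
Depth: 1
Authorization: Digest username="aharon", realm="DAV Evaluation + Digest", nonce="0123456789abcdef", uri="/Documents/digest/", response="00000000000000000000000000000000"
'

recovered_from_capture "$CAPTURE"
```

The only tool involved is base64 -d; a packet capture of a WebDAV session against this configuration hands over every user's password to whoever holds the capture, which is why the page's later sections move to Digest or to Basic over port 443.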
httpd.conf (notes in red and excerpts) for Digest authentication to local htdigest table
Visit the Security section for information on Digest authentication.
It follows Penn's Secure Host requirements by not transmitting the password in the clear: the client sends only an MD5 hash computed over the username, realm, password, a server-supplied nonce and the request. Note that the documents themselves still travel over plain HTTP, and Apache 1.3's mod_digest implements the older RFC 2069 form of the scheme with no nonce count, so replay protection depends entirely on nonce expiry. Digest also cannot tie in with Penn's central authentication methods, and so its use is limited to small workgroups.
Use htdigest to create the user database users_digest and then add users. The -c flag creates the file, so pass it only for the first user; passing it again truncates the file you just built:
[fqhostname:/Library/WebServer] root# htdigest -c users_digest "DAV Evaluation + Digest" reynolda
Adding password for reynolda in realm DAV Evaluation + Digest.
New password:
Re-type new password:
[fqhostname:/Library/WebServer] root# htdigest users_digest "DAV Evaluation + Digest" aharon
Adding password for aharon in realm DAV Evaluation + Digest.
New password:
Re-type new password:
And so on...
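The following is an added shell example, not from the original page, showing what htdigest actually writes and what then crosses the wire. It builds a users_digest line non-interactively (the stored value is MD5(user:realm:password), nothing else), computes the client's response for one request in the RFC 2069 form that Apache 1.3's mod_digest checks, and verifies it server-side from the stored line alone. The password s3cret, the nonce and the request are constructed; the md5hex helper assumes md5sum (Linux), md5 (Mac OS X) or openssl is on the path.

```shell
#!/bin/sh
# Added example (not from the original page): build htdigest-format entries
# without the interactive prompt, and show the RFC 2069 Digest exchange that
# Apache 1.3's mod_digest performs against such an entry. The password, nonce
# and request below are constructed for this example.

# MD5 of stdin as 32 lowercase hex characters, using md5sum (Linux),
# md5 (Mac OS X) or openssl, whichever is present (assumption about the host).
md5hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q
    else
        openssl dgst -md5 | sed 's/.*= //'
    fi
}

# One line in the format htdigest writes: user:realm:MD5(user:realm:password).
# Only this hash (HA1) is stored; the clear password never reaches the disk.
htdigest_line() {
    user=$1; realm=$2; password=$3
    ha1=$(printf '%s:%s:%s' "$user" "$realm" "$password" | md5hex)
    printf '%s:%s:%s\n' "$user" "$realm" "$ha1"
}

# Client side: the response value for one request, computed from the clear
# password: response = MD5(HA1:nonce:MD5(method:uri)).
digest_response() {
    user=$1; realm=$2; password=$3; nonce=$4; method=$5; uri=$6
    ha1=$(printf '%s:%s:%s' "$user" "$realm" "$password" | md5hex)
    ha2=$(printf '%s:%s' "$method" "$uri" | md5hex)
    printf '%s:%s:%s' "$ha1" "$nonce" "$ha2" | md5hex
}

# Server side: verify a response using only the stored users_digest line.
# Prints "ok" or "bad"; the server never needs the clear password.
digest_verify() {
    stored_line=$1; nonce=$2; method=$3; uri=$4; response=$5
    ha1=${stored_line##*:}
    ha2=$(printf '%s:%s' "$method" "$uri" | md5hex)
    expected=$(printf '%s:%s:%s' "$ha1" "$nonce" "$ha2" | md5hex)
    [ "$expected" = "$response" ] && echo ok || echo bad
}

REALM='DAV Evaluation + Digest'
NONCE='1a2b3c4d5e6f7081'    # constructed; Apache issues a fresh nonce per challenge
ENTRY=$(htdigest_line reynolda "$REALM" s3cret)    # what htdigest would have written
GOOD=$(digest_response reynolda "$REALM" s3cret "$NONCE" PROPFIND /Documents/digest/)
WRONG=$(digest_response reynolda "$REALM" guess "$NONCE" PROPFIND /Documents/digest/)

echo "$ENTRY"
digest_verify "$ENTRY" "$NONCE" PROPFIND /Documents/digest/ "$GOOD"    # ok
digest_verify "$ENTRY" "$NONCE" PROPFIND /Documents/digest/ "$WRONG"   # bad
digest_verify "$ENTRY" "$NONCE" PUT /Documents/digest/ "$GOOD"         # bad: bound to the method
# Presenting the same response again for the same nonce still verifies: RFC 2069
# has no nonce count, so replay protection rests entirely on nonce expiry.
digest_verify "$ENTRY" "$NONCE" PROPFIND /Documents/digest/ "$GOOD"    # ok
```

Two consequences worth keeping in mind: users_digest holds HA1 values that are equivalent to the password for this realm (anyone who reads the file can authenticate without cracking anything, so keep it outside DocumentRoot and unreadable to others), and the realm string is part of the hash, so changing AuthName in httpd.conf silently invalidates every entry.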
##
## httpd.conf -- Apache HTTP server configuration file
##
...
# Listen: Allows you to bind Apache to specific IP addresses
# and/or ports, in addition to the default. See also the
# <VirtualHost> directive.
#
#Listen 3000
#Listen 12.34.56.78:80
Listen fqhostname.bio.upenn.edu:80
...
It is important to specify the fully qualified hostname of your server: WebDAV clients will get 502 Bad Gateway errors from the server if you use a CNAME alias, because the hostname carried in the clients' HTTP requests ends up not resolving properly.
# Dynamic Shared Object (DSO) Support
...
LoadModule digest_module libexec/httpd/mod_digest.so
LoadModule dav_module libexec/httpd/libdav.so
LoadModule ssl_module libexec/httpd/libssl.so
#LoadModule perl_module libexec/httpd/libperl.so
#LoadModule php4_module libexec/httpd/libphp4.so
LoadModule hfs_apple_module libexec/httpd/mod_hfs_apple.so
...
# Reconstruction of the complete module list from all
# available modules (static and shared ones) to achieve
# correct module execution order. [WHENEVER YOU CHANGE
# THE LOADMODULE SECTION ABOVE UPDATE THIS, TOO]
...
AddModule mod_digest.c
AddModule mod_dav.c
AddModule mod_ssl.c
#AddModule mod_perl.c
#AddModule mod_php4.c
AddModule mod_hfs_apple.c
Uncomment the Digest, WebDAV and SSL .so and .c module entries.
Remove or comment out the Apple NetInfo authentication module mod_auth_apple if it is listed: it does not appear to cooperate with mod_digest. Instead, you'll have to use htdigest to create a local user database (see above).
# User/Group: The name (or #number) of the user/group to
# run httpd as...
#
User www
Group www
...
Your web server must run as the www user and group; additionally, any users who access the WebDAV share must be members of the www group.
Under Mac OS X (Client), use NetInfo Manager to adjust a user's group memberships. Under Mac OS X Server, use Server Admin to drag users into the www group.
# ServerName allows you to set a host name...
#
ServerName fqhostname.bio.upenn.edu
...
Again, you can't use a CNAME here, or WebDAV clients will choke with URI errors (see the Listen directive, above).
<IfModule mod_dav.c>
DAVLockDB "/private/var/run/davlocks/.davlock100"
DAVMinTimeout 600
DAVDepthInfinity On
</IfModule>
Add the directives for mod_dav. DAVDepthInfinity shouldn't be required any longer and defaults to Off when omitted, but it is added here for testing purposes.
# --
# Default Directives for access control and other
features
# start here.
# --
# The top level DAV directory
# Here we turn DAV on, allow web browser access, and enable only
# read operations. The application realm name can be called
# anything that pertains to your application...
<Directory "/Library/WebServer/Documents">
Options All MultiViews ExecCGI Indexes
AllowOverride None
DAV On
AuthName "DAV Evaluation"
AuthType Digest
AuthDigestFile /Library/WebServer/users_digest
<LimitExcept GET HEAD OPTIONS>
require valid-user
</LimitExcept>
<Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
require valid-user
</Limit>
</Directory>
The above access directives grant the following authoring permissions:
- Read access (GET, HEAD, OPTIONS) for all visitors to the directory /Library/WebServer/Documents (root directory)
- Read/write/lock/etc. access to that directory for anyone who passes Digest authentication; as before, the <LimitExcept GET HEAD OPTIONS> block already covers the methods in the explicit <Limit> list, and ExecCGI on a DAV-writable directory is unwise outside testing
- /Library/WebServer/users_digest serves as the local user table against which mod_digest performs lookups; it stores MD5(user:realm:password) per user, which is sufficient to authenticate as that user, so protect the file like a password file
httpd.conf (notes in red and excerpts) for Basic + SSL authentication to NetInfo database
Visit the Security section for information on Basic authentication and SSL encryption.
This satisfies the Penn Critical Host policy for protecting authentication, and could be tied into a Kerberos v5 setup.
The document Understanding NetInfo (PDF) explains NetInfo, the directory service used under Mac OS X. This setup uses the local NetInfo database, which is on the same host as the web server.
A self-signed SSL certificate was created and installed using instructions provided on Apple's Developer site.
Note that the SSLCipherSuite string used below is the stock mod_ssl default: it excludes anonymous DH and the 56-bit export ciphers, but leaves the LOW, 40-bit EXP and SSLv2 ciphers enabled (the + merely moves them to the end of the preference list), and without server-side cipher ordering a client that offers only those will still negotiate them. Since the whole point of this setup is to keep Basic credentials off the wire, exclude those groups with ! rather than + before using it for anything beyond testing.
##
## httpd.conf -- Apache HTTP server configuration file
##
...
Replace the access control directives from the Basic authentication setup with the following:
# --
# Default Directives for access control and other
features
# start here.
# --
# The top level DAV directory
# Here we turn DAV on, allow web browser access, and enable only
# read operations. The application realm name can be called
# anything that pertains to your application...
<IfModule mod_ssl.c>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# directives for SSL
SSLProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
SSLRandomSeed startup builtin
SSLLog /var/log/httpd/ssl_engine_log
SSLLogLevel info
<VirtualHost fqhostname.bio.upenn.edu:80>
# full read access to site via HTTP
DocumentRoot "/Library/WebServer/Documents"
ServerName fqhostname.bio.upenn.edu
ServerAdmin bio-computing@sas.upenn.edu
SSLEngine off
</VirtualHost>
<VirtualHost fqhostname.bio.upenn.edu:443>
# full read access to site via HTTPS
DocumentRoot "/Library/WebServer/Documents"
ServerName fqhostname.bio.upenn.edu
ServerAdmin bio-computing@sas.upenn.edu
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
# SSL Engine switch
SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Path to certificates and private key
SSLCertificateFile /etc/httpd/ssl.key/server.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/Library/WebServer/CGI-Executables">
SSLOptions +StdEnvVars
</Directory>
# Correction for MSIE
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
<Directory "/Library/WebServer/Documents">
Options All MultiViews ExecCGI Indexes
AllowOverride None
DAV On
AuthName "DAV Evaluation + Basic(SSL)"
AuthType Basic
# AuthUserFile /Library/WebServer/users
<LimitExcept GET HEAD OPTIONS>
require valid-user
</LimitExcept>
<Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
require valid-user
</Limit>
</Directory>
</VirtualHost>
</IfModule>
Final test httpd.conf configuration
The final configuration for the Mac OS X 10.1.3 (Client) test server used for evaluation of WebDAV clients uses:
- Digest authentication to a local user table over port 80 (HTTP)
- Basic authentication to the NetInfo database over port 443 (HTTPS)
and keeps to the testing parameters listed above. Because the <Directory> sections below sit inside the <VirtualHost> blocks, each one applies only to its own port: the digest tree is DAV-enabled on port 80 only, and the basicssl tree on port 443 only; both remain readable on the other port.
##
## httpd.conf -- Apache HTTP server configuration file
##
...
Replace the access control directives from the Basic + SSL authentication setup with the following:
<IfModule mod_dav.c>
DAVLockDB "/private/var/run/davlocks/.davlock100"
DAVMinTimeout 600
DAVDepthInfinity On
</IfModule>
# --
# Default Directives for access control and other
features
# start here.
# --
<IfModule mod_ssl.c>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# directives for SSL
SSLProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
SSLRandomSeed startup builtin
SSLLog /var/log/httpd/ssl_engine_log
SSLLogLevel info
<VirtualHost fqhostname.bio.upenn.edu:80>
# full read access to site via HTTP
DocumentRoot "/Library/WebServer/Documents"
ServerName fqhostname.bio.upenn.edu
ServerAdmin bio-computing@sas.upenn.edu
SSLEngine off
<Directory "/Library/WebServer/Documents/digest">
Options All MultiViews ExecCGI Indexes
AllowOverride None
DAV On
AuthName "DAV Evaluation + Digest"
AuthType Digest
AuthDigestFile /Library/WebServer/users_digest
<LimitExcept GET HEAD OPTIONS>
require valid-user
</LimitExcept>
<Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
require valid-user
</Limit>
</Directory>
<Directory "/Library/WebServer/Documents/digest/aharon">
<LimitExcept GET HEAD OPTIONS>
require user aharon
</LimitExcept>
<Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
require user aharon
</Limit>
</Directory>
<Directory "/Library/WebServer/Documents/digest/amyp">
<LimitExcept GET HEAD OPTIONS>
require user amyp
</LimitExcept>
<Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
require user amyp
</Limit>
</Directory>
...
<Directory "/Library/WebServer/Documents/digest/yetter">
<LimitExcept GET HEAD OPTIONS>
require user yetter
</LimitExcept>
<Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
require user yetter
</Limit>
</Directory>
</VirtualHost>
<VirtualHost fqhostname.bio.upenn.edu:443>
# full read access to site via HTTPS
DocumentRoot "/Library/WebServer/Documents"
ServerName fqhostname.bio.upenn.edu
ServerAdmin bio-computing@sas.upenn.edu
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
# SSL Engine switch
SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Path to certificates and private key
SSLCertificateFile /etc/httpd/ssl.key/server.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/Library/WebServer/CGI-Executables">
SSLOptions +StdEnvVars
</Directory>
# Correction for MSIE
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
<Directory "/Library/WebServer/Documents/basicssl">
Options All MultiViews ExecCGI Indexes
AllowOverride None
DAV On
AuthName "DAV Evaluation + Basic(SSL)"
AuthType Basic
<LimitExcept GET HEAD OPTIONS>
require valid-user
</LimitExcept>
<Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
require valid-user
</Limit>
</Directory>
<Directory "/Library/WebServer/Documents/basicssl/aharon">
<LimitExcept GET HEAD OPTIONS>
require user aharon
</LimitExcept>
<Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
require user aharon
</Limit>
</Directory>
<Directory "/Library/WebServer/Documents/basicssl/amyp">
<LimitExcept GET HEAD OPTIONS>
require user amyp
</LimitExcept>
<Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
require user amyp
</Limit>
</Directory>
...
<Directory "/Library/WebServer/Documents/basicssl/yetter">
<LimitExcept GET HEAD OPTIONS>
require user yetter
</LimitExcept>
<Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
require user yetter
</Limit>
</Directory>
</VirtualHost>
</IfModule>
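The per-user <Directory> stanzas above are identical apart from the user name, and the "..." marks where the rest of the workgroup was elided. The following is an added shell example, not part of the original page, that emits those stanzas from the user names in an htdigest file so the list in httpd.conf stays in step with users_digest. The users_digest contents it reads are constructed for the example (the three user names appear on this page; the 32-hex HA1 values are placeholders, not real hashes), and the parent directory passed in is the digest tree from the final configuration.

```shell
#!/bin/sh
# Added example (not from the original page): emit the repeated per-user
# <Directory> stanzas of the final configuration from the user list in an
# htdigest file, instead of hand-copying the block for every member.
# The users_digest contents below are constructed; the hashes are dummies.

# Methods the page protects in every stanza, kept in one place.
DAV_WRITE_METHODS='PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK'

# Print one stanza: only that user may write under its own directory.
# $1 = parent directory, $2 = user name
user_stanza() {
    cat <<EOF
<Directory "$1/$2">
    <LimitExcept GET HEAD OPTIONS>
        require user $2
    </LimitExcept>
    <Limit $DAV_WRITE_METHODS>
        require user $2
    </Limit>
</Directory>
EOF
}

# Read user names (first colon-separated field) from an htdigest file on stdin
# and print one stanza per user, skipping blank lines and comments.
stanzas_from_htdigest() {
    parent=$1
    while IFS=: read -r user _rest; do
        case "$user" in ''|'#'*) continue ;; esac
        user_stanza "$parent" "$user"
    done
}

# Constructed users_digest: three users from the page; placeholder HA1 values.
USERS_DIGEST='reynolda:DAV Evaluation + Digest:00000000000000000000000000000001
aharon:DAV Evaluation + Digest:00000000000000000000000000000002
amyp:DAV Evaluation + Digest:00000000000000000000000000000003
'

# Typical use: redirect the output into a file that httpd.conf pulls in
# with Include, inside the port-80 <VirtualHost> where the digest tree lives.
printf '%s' "$USERS_DIGEST" | stanzas_from_htdigest /Library/WebServer/Documents/digest
```

Inner <Directory> sections override the outer one's require, so each user's own directory accepts only that user's credentials while the parent stanza's require valid-user still applies to the rest of the tree. The generator reads the same file that mod_digest authenticates against, which removes the failure mode where a user is added with htdigest but never gets a stanza (and so can never write anywhere).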