
                    mod_dav Installation and Configuration
                                       
   This page details as much information as possible regarding the
   building, installation, and configuration of the mod_dav Apache
   module. This page does not cover installation of binary distributions
   of mod_dav, although the Apache configuration will still apply.
     * [1]Unix Build and Install
     * [2]Windows Build and Install
     * [3]Apache Configuration
     * [4]Setting Up the File Repository
     * [5]Other Notes
     * [6]Expat Build and Install (if necessary)
       
   When this page refers to "Unix", it generally means any of the Unix or
   Unix-like platforms (such as Linux, *BSD, Solaris, AIX, HP/UX, etc).
   
   [7][ back to the main mod_dav page ]
     _________________________________________________________________
   
Unix Build and Install

   Step 1: Configuration
          There are two general mechanisms for installing mod_dav into
          your Apache installation. The first method is to create a
          dynamically-loaded module using the "apxs" tool. The second
          method is to statically link mod_dav into the Apache
          executable.
          
          Based on the method you choose, use one of the following
          configure commands:
          
     ./configure --with-apxs=/usr/local/apache/bin/apxs
     
     or
     ./configure --with-apache=/usr/local/apache
     
          Of course, you should use the path to your system's apxs
          executable or Apache build directory.
          
     Note: if you use just --with-apxs (no directory), then configure
     assumes that apxs is in your path.
     
          The configuration process will do its stuff. One of its tasks
          is to locate the Expat library (an XML parsing library). This
          library is included with Apache 1.3.9 and will automatically be
          found. If you have a previous version of Apache 1.3 (it must be
          at least Apache 1.3.4), then you will need a copy on your
          system. configure will look for it in /usr/{include,lib} and in
          /usr/local/{include,lib}. If it can't find it, then you will
          need to tell configure where it is on your system using the
          --with-expat=<dir> command line option. For example:
          
     ./configure --with-apxs=/usr/local/apache/bin/apxs
     --with-expat=/home/gstein/expat
     
          If you need Expat, then please see [8]the section at the end of
          this document for information on where to get Expat and how it
          must installed on your system.
          
   Step 2: Build and Install
          This is pretty simple. Just use the following two commands:
          
     make
     make install
     
        Dynamic loading
                If you chose to do a dynamically-loaded module using
                APXS, then your module will have been installed into
                Apache's runtime area.
                
                Note: if using APXS and your Apache installation does not
                support loadable modules, then APXS will terminate with
                an error. Typically, we have seen the following error
                when this happens:
                
     apxs:Break: Command failed with rc=16711680
     
                If this happens, then you will need to rebuild and
                reinstall your Apache software with the mod_so module
                included. Note the reinstall part -- we've seen several
                cases where a new Apache was built and installed, but a
                new APXS was not (so the problems continued).
                
        Static linking
                If you chose to go with statically linking mod_dav into
                Apache, then mod_dav will have been partially compiled
                and placed into the Apache tree. You are now ready to
                (re)configure and build Apache. When you configure
                Apache, there are two methods that you can choose. For
                the APACI-style (./configure style), use the following
                command line option:
                
     --activate-module=src/modules/dav/libdav.a
     
                For the old-style configuration, add the following line
                to your Configuration.tmpl file:
                
     SharedModule modules/dav/libdav.a
     
   Step 3: Configure Apache
          See [9]the Apache configuration section below.
     _________________________________________________________________
   
Win32 Build and Install

   Step 1: Expat installation
          Expat must be installed first. See [10]the Expat section at the
          end of this document for instructions.
          
   Step 2: Build
          To build mod_dav using Microsoft Visual C++, simply issue the
          following command line from the directory containing the
          mod_dav files:
          
     nmake /f mod_dav.mak
     
          This builds an optimized version of mod_dav, located in
          Release/mod_dav.dll.
          
          mod_dav can also be built with Microsoft Visual Studio 5.0 or
          later using the supplied .dsp file.
          
   Step 3: Install
          For mod_dav installation, copy these three files to the
          directory where your Apache modules are located (ServerRoot):
          
Release/mod_dav.dll
expat/bin/xmlparse.dll
expat/bin/xmltok.tll

          To add mod_dav to Apache, add the following line to the
          httpd.conf file:
          
     LoadModule dav_module mod_dav.dll
     
   Step 4: Configure Apache
          See [11]the Apache configuration section below.
     _________________________________________________________________
   
Apache Configuration

   See the note on [12]upgrading from 0.9.8 and prior versions.
   
    Loading the DAV Module
    
   Apache must be informed about the mod_dav module through the Addmodule
   and LoadModule directives. LoadModule is used when mod_dav is
   dynamically loaded (i.e. built using APXS or you're on the Win32
   platform). These configuration lines are (normally) inserted
   automatically on the Unix platforms (by APXS or the Apache build
   process), but the Win32 line needs to be added manually for that
   platform.
   (this information is here for reference; if Apache does not recognize
   the mod_dav directives such as DAV, DAVLockDB, or DAVMinTimeout (see
   below), then you may be missing these configuration lines)
     * Unix platform, dynamic loading:
Loadmodule dav_module libexec/libdav.so
Addmodule mod_dav.c
     * Unix platform, statically linked:
Addmodule mod_dav.c
     * Win32 platform:
Loadmodule dav_module mod_dav.dll
Addmodule mod_dav.c
       
    Enabling DAV
    
   Configuring the mod_dav module is quite simple, actually. Within a
   <Directory> or <Location> directive in your Apache configuration file
   (i.e. httpd.conf), simply insert the following line:
   
     DAV On
     
   If the DAV directive is within a <Directory> directive, then DAV will
   be enabled for that particular directory and its subdirectories. For a
   <Location> directive, then DAV will be enabled for that portion of the
   URL namespace.
   
    The Lock Database
    
   Next, add a DAVLockDB directive at the top-level of your configuration
   file (i.e. outside of a <Directory> or <Location> directive). This
   directive should specify a filename that mod_dav will create. The
   directory should exist and should be writable by the web server
   process.
   
   In the following example, the DAV lock database will be stored in the
   /usr/local/apache/var directory (which must be writable by the server
   process). The file's name will be DAVLock when mod_dav needs to create
   it.
   (actually, mod_dav will create one or more files using this file name
   plus an extension)
   
     DAVLockDB /usr/local/apache/var/DAVLock
     
   The DAVLockDB directive can appear outside of any container or within
   a <VirtualHost>, it only needs to appear once, and a file extension
   should not be supplied.
   
    Lock Timeout Minimums
    
   An optional directive, DAVMinTimeout, specifies the minimum lifetime
   of a lock in seconds. If a client requests a lock timeout less than
   DAVMinTimeout, then the DAVMinTimeout value will be used and returned
   instead. For example, Microsoft's Web Folders defaults to a lock
   timeout of 2 minutes; 10 minutes could be used to reduce network
   traffic and the chance that the client might lose a lock due to
   network latency.
   
    Sample Configuration
    
   A sample configuration segment might look like:
...
DAVLockDB /usr/local/apache/var/DAVLock
DAVMinTimeout 600

<Location /mypages>
  DAV On
</Location>
...

    Limiting DAV Access to Authorized Users
    
   The DAV and DAVLockDB directives are the only two configuration
   changes necessary to operate a DAV server. However, it is usually best
   to secure the site to be writable only by specific users. This
   requires the use of the <Limit> directive. Here is an example:
   
<Location /mypages>
  DAV On
  <Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
    Require user greg
  </Limit>
</Location>

   The above configuration will allow only authorized users to manipulate
   the site. However, it does allow them a bit more freedom than you may
   like. In particular, they may be able to place a .htaccess file into
   the target directory, altering your server configuration. The server
   may have already been configured to not read .htaccess files, but it
   is best to make sure. Also, you may want to disallow other options
   within the DAV-enabled directory -- CGI, symbolic links, server-side
   includes, etc. Here is a modified configuration with the additional
   restrictions placed on it:
   
<Location /mypages>
  DAV On
  AllowOverride None
  Options None
  <Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
    Require user greg
  </Limit>
</Location>

    Using LimitExcept
    
   Rather than using the <Limit> directive and specifying an exhaustive
   list of HTTP methods to secure, it is also possible to use the
   <LimitExcept> directive. This directive applies the access
   restrictions to all methods except for the methods listed. For
   example, your configuration section might look like:
<Location /mypages>
  DAV On
  AllowOverride None
  Options None
  <LimitExcept GET HEAD OPTIONS>
    require user webadmin
  </LimitExcept>
</Location>

   Choosing to use one or the other is a matter of preference. The
   <Limit> directive is precise and explicit, but the <LimitExcept>
   directive will automatically restrict methods that are added in the
   future.
   
    PROPFIND Security
    
   In the example configurations above, the PROPFIND method was limited,
   even though it is read-only. This is because the PROPFIND method can
   be used to list all the files in the DAV-enabled directory. For
   security purposes, you probably want the exact list of files to be
   hidden.
   
   An alternative would be to limit the PROPFIND to a group of people, a
   set of domains, or a set of hosts, while the methods that modify
   content are limited to just a few authors. This scenario allows, say,
   your company's employees to browse the files on the server, yet only a
   few people can change them. Anonymous (non-authenticated) visitors
   cannot browse or modify.
   
   Finally, you can simply omit PROPFIND from the limits if your web
   server is intended as a general, read-only repository of files. This
   allows anybody to arbitrarily browse the directories and then to fetch
   the files.
   
    Other Security Issues
    
   Please refer to the [13]security section, on the main mod_dav web
   page, for more information about security issues related to DAV and
   mod_dav in particular.
   
    Upgrading from version 0.9.8 or earlier
    
   Previous versions did not contain a DAVLockDB directive. You will need
   to add that for mod_dav to operate properly.
     _________________________________________________________________
   
Setting Up the File Repository

   mod_dav requires read/write access to the filesystem where the
   documents are stored. The following discussion uses Unix as an
   example; the Win32 platform will have similar concerns when used on an
   NTFS partition (where file/directory security is present).
   
   The need for read/write access means that the owner and group of the
   files will be that of the web server. For discussion, let's say that
   your Apache configuration file contains the following directives
   (among others!):
   
User nobody
Group www

Alias /pages /home/www/davhome
<Location /pages>
  DAV On
</Location>

   In the above configuration, the web server is running as "nobody" and
   as group "www". mod_dav is going to need to read/write files in the
   /home/www/davhome directory. A directory listing might look like this:
   
drwxr-s---   2 nobody   www          1024 Jul 14 11:28 ./
drwxr-s---  18 nobody   www          1024 Oct 25 17:03 ../
drwxr-s---   2 nobody   www          1024 Oct 11 01:37 .DAV/
-rw-r--r--   1 nobody   www          2976 Jul 14 11:28 acknowledgments.html
-rw-r--r--   1 nobody   www          2755 Jul 14 11:28 demos.html
-rw-r--r--   1 nobody   www          4963 Jul 14 11:28 documentation.html
-rw-r--r--   1 nobody   www          4423 Jul 14 11:28 downloads.html
-rw-r--r--   1 nobody   www          1457 Jul 14 11:28 footnote.html
drwxr-s---   2 nobody   www          1024 Oct 18 11:52 images/
-rw-r--r--   1 nobody   www          5592 Jul 14 11:28 index.html
-rw-r--r--   1 nobody   www          2136 Jul 14 11:28 intro.html
-rw-r--r--   1 nobody   www          5456 Jul 14 11:28 news.html
-rw-r--r--   1 nobody   www          3125 Jul 14 11:28 tutorial.html

   In this example, the web server will have no problem reading and
   writing the files in the /home/www/davhome file repository.
   
   NOTE: the file repository is considered "private" to mod_dav and the
   web server. Modifying files via FTP or through filesystem commands
   should not be allowed. This is for a couple reasons:
    1. External access may create files and directories with ownership or
       privileges that would prevent mod_dav from operating properly.
    2. mod_dav does not use filesystem locking to protect the files from
       modification. Note that filesystem locking isn't even a guarantee
       [against changes] on many operating systems.
     _________________________________________________________________
   
Other Notes

   The DAV spec ([14]RFC 2518) does not incorporate a security model. It
   relies on any web server and file system security that the
   administrator configures.
   
   On Unix machines, the web server process must have permission to write
   to the DAV-enabled directories and any files to be modified.
   
   Local manipulation of files in a DAV-enabled directory is a bad thing.
   Specifically, DAV file locks are implemented by mod_dav, not the file
   system.
     _________________________________________________________________
   
Expat Build and Install

   James Clark's Expat parser is available from:
   
     [15]http://www.jclark.com/xml/
     
   For Windows
          Extract the Expat parser .zip into the directory where the
          mod_dav files are located, using the folders stored in the zip.
          Expat will be extracted into the expat/ subdirectory.
          
   For Unix
          Note that the expat Makefile does not automatically build the
          expat library. Add this rule to the Makefile:
          
  libexpat.a: $(OBJS)
        ar -rc $@ $(OBJS)
        ranlib $@
        
          (don't forget to use tabs before the ar and ranlib lines there)
          
          Then type: make libexpat.a
          
          And copy libexpat.a to /usr/local/lib and xmlparse/xmlparse.h
          to /usr/local/include. If you wish to use a different
          directory, then you will need to pass that to ./configure using
          the --with-expat command line option.
     _________________________________________________________________
   
   
    [16]Greg Stein
    
   Last modified: Tue Dec 14 04:08:19 PST 1999

References

   1. http://www.webdav.org/mod_dav/install.html#unix
   2. http://www.webdav.org/mod_dav/install.html#win32
   3. http://www.webdav.org/mod_dav/install.html#apache
   4. http://www.webdav.org/mod_dav/install.html#repository
   5. http://www.webdav.org/mod_dav/install.html#notes
   6. http://www.webdav.org/mod_dav/install.html#expat
   7. http://www.webdav.org/mod_dav/
   8. http://www.webdav.org/mod_dav/install.html#expat
   9. http://www.webdav.org/mod_dav/install.html#apache
  10. http://www.webdav.org/mod_dav/install.html#expat
  11. http://www.webdav.org/mod_dav/install.html#apache
  12. http://www.webdav.org/mod_dav/install.html#add-lockdb
  13. http://www.webdav.org/mod_dav/index.html#security
  14. http://www.webdav.org/specs/index.html#dav
  15. http://www.jclark.com/xml/
  16. mailto:gstein@lyra.org
