Deploying WebDAV on Debian 10 using WsgiDAV
Introduction
Web Distributed Authoring and Versioning (WebDAV) is an HTTP extension that provides a framework for remotely creating and modifying files on a server. WsgiDAV is a WebDAV server written in Python. This guide will help you through the installation of WsgiDAV version 3.0 on a Vultr server running Debian 10. We will also obtain an SSL certificate to provide a secure connection, and configure PAM authentication.
Prerequisites
- A Debian 10 system to which you have privileged access (via the root user or any sudo user).
- The $EDITOR environment variable must be set to a text editor of your choice.
- A registered domain name is required. Its nameservers must be configured with an A record pointing to your server's IPv4 address, and optionally an AAAA record pointing to the IPv6 address.
- Familiarity with the YAML syntax is recommended.
The placeholder dav.example.com will be used for your server's domain name.
Installation
SSL certificate
We will start by updating the system and obtaining a free SSL certificate from Let's Encrypt. To do so, first update your system and install the certbot utility:
sudo apt update
sudo apt upgrade -y
sudo apt install -y certbot
In the command below, replace dav.example.com and email@domain.tld with your domain name and email address respectively before executing it:
sudo certbot certonly --standalone --agree-tos -m email@domain.tld -d dav.example.com
Your server will be sent a challenge to verify that you control the domain name specified. If it succeeds, the certificate will be issued and saved, along with other files such as the private key, under /etc/letsencrypt/live/dav.example.com/.
Installing WsgiDAV
First, install the Python package manager pip:
sudo apt update
sudo apt install -y python3-pip
WsgiDAV requires an HTTP server that supports WSGI. We will install the default option, which is Cheroot. We will also install the lxml Python library, which tends to perform better than the XML library installed by default. The PAM (Pluggable Authentication Module) Python 3 library is needed as well. Install the required packages using the pip3 tool:
sudo pip3 install wsgidav cheroot lxml python-pam
Configuring WsgiDAV
The WsgiDAV executable is stored in /usr/local/bin, so we will place the configuration file in the /usr/local/etc directory. Download the sample configuration file with the following commands:
sudo mkdir -p /usr/local/etc
sudo wget https://github.com/mar10/wsgidav/raw/master/sample_wsgidav.yaml -O /usr/local/etc/wsgidav.yaml
Open it with your editor:
sudo $EDITOR /usr/local/etc/wsgidav.yaml
Find the following lines in the "SSL Support" section:
# ssl_certificate: "wsgidav/server/sample_bogo_server.crt"
# ssl_private_key: "wsgidav/server/sample_bogo_server.key"
# ssl_certificate_chain: null
Replace them with the following:
ssl_certificate: "/etc/letsencrypt/live/dav.example.com/cert.pem"
ssl_private_key: "/etc/letsencrypt/live/dav.example.com/privkey.pem"
ssl_certificate_chain: "/etc/letsencrypt/live/dav.example.com/chain.pem"
Next, we will configure the share paths by mapping HTTP paths (such as /) to corresponding locations on the filesystem (such as /var/www/dir1). For demonstration purposes, we will share two directories, one of which will be read-only. Find the provider_mapping block in the "SHARES" section:
provider_mapping:
    "/": "/path/to/share1"
    "/pub":
        root: "/path/to/share2"
        readonly: true
    "/share3":
        provider: path.to.CustomDAVProviderClass
        args: ["/path/to/share3", "second_arg"]
        kwargs: {"another_arg": 42}
Replace it:
provider_mapping:
    "/":
        root: "/var/www/html/documents"
        readonly: false
    "/reports":
        root: "/var/www/html/reports"
        readonly: true
With these mappings, https://dav.example.com:8080/ will correspond to the /var/www/html/documents directory on the server, while https://dav.example.com:8080/reports will map to /var/www/html/reports with no write access.
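For authentication, we will use the PAM driver. This removes the need for separate WebDAV user accounts and allows system users to log in using their usual credentials. PAM verifies the plaintext password, so digest authentication cannot be used with it; the settings below leave only Basic authentication enabled, which is protected by the TLS connection configured above.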
In the "AUTHENTICATION" section, find these lines:
accept_basic: true
accept_digest: true
default_to_digest: true
domain_controller: null
Replace them with the following:
accept_basic: true
accept_digest: false
default_to_digest: false
domain_controller: wsgidav.dc.pam_dc.PAMDomainController
You can now test your server:
sudo wsgidav -c /usr/local/etc/wsgidav.yaml
Open https://dav.example.com:8080/ in your web browser. Since we configured PAM authentication, you will need to log in with your Linux user account. Use Ctrl + C to stop the server before proceeding.
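The settings changed in this section can be checked together before the server is exposed. The following is an added example, not part of WsgiDAV or of the original guide: it audits a parsed configuration for the combinations that would send system account passwords in cleartext or leave a share writable. The finding codes and the audit function are hypothetical names, and the placement of the authentication keys under http_authenticator is assumed from the layout of the sample file.

```python
# Added example: audit a parsed WsgiDAV config (a dict) for this guide's settings.
# Assumption: authentication keys sit under "http_authenticator", as in the sample file.
PAM_DC = "wsgidav.dc.pam_dc.PAMDomainController"


def audit(cfg, must_be_readonly=()):
    """Return a sorted list of finding codes (hypothetical names) for a config dict."""
    findings = set()
    auth = cfg.get("http_authenticator") or {}
    cert = cfg.get("ssl_certificate") or ""
    key = cfg.get("ssl_private_key") or ""
    tls = bool(cert and key)

    if tls and "sample_bogo_server" in cert + key:
        findings.add("SAMPLE_CERT")          # bundled demo key pair still referenced
    if auth.get("accept_basic") and not tls:
        findings.add("BASIC_WITHOUT_TLS")    # Basic auth is only base64, not encrypted
    if auth.get("domain_controller") == PAM_DC:
        # PAM needs the plaintext password, so it only works with Basic auth.
        if auth.get("accept_digest") or auth.get("default_to_digest"):
            findings.add("PAM_WITH_DIGEST")
        if not tls:
            findings.add("PAM_WITHOUT_TLS")  # system account passwords exposed

    shares = cfg.get("provider_mapping") or {}
    for share in must_be_readonly:
        entry = shares.get(share)
        # A bare string mapping ("/": "/path") carries no readonly flag; a missing
        # share is reported too, since the expected read-only mapping is absent.
        if not (isinstance(entry, dict) and entry.get("readonly") is True):
            findings.add("NOT_READONLY:" + share)
    return sorted(findings)


# Constructed inputs: the guide's final settings, and a half-edited file.
GUIDE_CFG = {
    "ssl_certificate": "/etc/letsencrypt/live/dav.example.com/cert.pem",
    "ssl_private_key": "/etc/letsencrypt/live/dav.example.com/privkey.pem",
    "http_authenticator": {"accept_basic": True, "accept_digest": False,
                           "default_to_digest": False, "domain_controller": PAM_DC},
    "provider_mapping": {
        "/": {"root": "/var/www/html/documents", "readonly": False},
        "/reports": {"root": "/var/www/html/reports", "readonly": True}},
}
HALF_DONE_CFG = {  # PAM enabled, SSL lines still commented out, digest left on
    "http_authenticator": {"accept_basic": True, "accept_digest": True,
                           "default_to_digest": True, "domain_controller": PAM_DC},
    "provider_mapping": {"/": "/var/www/html/documents",
                         "/reports": "/var/www/html/reports"},
}

if __name__ == "__main__":
    print(audit(GUIDE_CFG, must_be_readonly=["/reports"]))
    print(audit(HALF_DONE_CFG, must_be_readonly=["/reports"]))
```

To run it against the real file, load /usr/local/etc/wsgidav.yaml with a YAML parser (for example PyYAML's yaml.safe_load) and pass the resulting dict to audit.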
Installing as a service
In order to run your WebDAV server as a system service managed by systemd, create a unit file:
sudo $EDITOR /etc/systemd/system/wsgidav.service
Enter the following:
[Unit]
Description=WsgiDAV WebDAV server
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/wsgidav -c /usr/local/etc/wsgidav.yaml
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=wsgidav_service
[Install]
WantedBy=multi-user.target
Then create a configuration file for the system logging service:
sudo $EDITOR /etc/rsyslog.d/wsgidav_service.conf
Populate the file with the following:
if $programname == 'wsgidav_service' then /var/log/wsgidav.log
& stop
Save and exit, then use the commands below to create the log file:
sudo touch /var/log/wsgidav.log
sudo chown root:adm /var/log/wsgidav.log
Finally, load the new systemd unit file and restart the logging service before starting WsgiDAV:
sudo systemctl daemon-reload
sudo systemctl restart rsyslog.service
sudo systemctl start wsgidav.service
You can now use systemctl to start, stop and restart your WebDAV server. WsgiDAV's standard output and error will be logged to /var/log/wsgidav.log, and can also be accessed using sudo journalctl -u wsgidav.service.
If you want the WebDAV server to start automatically at system boot time, execute:
sudo systemctl enable wsgidav.service