netnerds.net

27 Jan 2010

Setup WebDAV in Apache2 on SuSE Linux to Support Windows (XP/Vista/7) Clients

Earlier today, a colleague told me that she doesn't like using my servers because I don't have FTP set up, and thus she couldn't map my server as a drive. Well, I showed her. I stand firmly against using FTP as any type of web-related solution, so I decided on WebDAV to address my colleague's demanding needs.

Initially, I set the virtual host up for Basic Authentication but was unable to get Windows 7 and Windows XP to map the drive. Windows complained that "The network path could not be found." I tried mapping the drive from both the command line and Windows Explorer with no luck. Then I read that the Windows WebDAV client does not support Basic Authentication. If this server were on my domain, I'd use Kerberos without a second thought, but it's an Internet web server, so that is out of the question. Digest Authentication it is.

I enabled mod_dav, mod_dav_fs, and mod_auth_digest in YaST under Network Services >> HTTP Server >> Server Modules and restarted the service. I then created the folder /var/davlock, gave it the proper permissions, and added the following to httpd.conf:

<IfModule mod_dav.c>
    DAVLockDB /var/davlock/DAVlock
</IfModule>


Then I added the new host, sample.acme.com, to my vhosts.conf file and restarted the service:

<VirtualHost *:80>
    ServerAdmin nobody@localhost
    ServerName sample.acme.com
    DocumentRoot /www/wordpress/sample
    ErrorLog /var/log/apache2/sample-error_log
    CustomLog /var/log/apache2/sample-access_log combined
    UseCanonicalName Off

    <Directory "/www/wordpress/sample">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        DAV On

        # Auth in the house
        AuthType Digest
        AuthName "sample"
        AuthDigestAlgorithm MD5
        AuthDigestDomain http://sample.acme.com
        AuthDigestNcCheck Off
        AuthDigestNonceLifetime 0
        AuthDigestQop auth
        AuthDigestProvider file
        AuthUserFile /etc/apache2/.htdigest
        AuthGroupFile /dev/null
        <LimitExcept GET HEAD OPTIONS POST>
            Require valid-user
        </LimitExcept>
    </Directory>
</VirtualHost>


Notice AuthUserFile /etc/apache2/.htdigest. That file was created using htdigest2 (htdigest on most other systems):

htdigest2 -c /etc/apache2/.htdigest sample acmeuser

The -c switch creates the file, "sample" is the realm and must match the AuthName directive, and acmeuser is the username of my demanding colleague. Also take note that the way I used LimitExcept allows anonymous access for GET, HEAD, OPTIONS and POST, so ordinary visitors see the site as usual, while every other method (that is, any WebDAV activity) requires a username and password.
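To show how these pieces fit together, here is an added example in Python (my own code, not from the original post): it produces the same user:realm:HA1 line that htdigest stores, builds the Digest Authorization values a client sends back after the server's 401 challenge, and verifies them the way the server does. The realm comparison in server_verify() is why the realm given to htdigest has to equal AuthName, and requires_auth() mirrors the LimitExcept list from the vhost. The user, password, nonce and URI values are constructed for illustration; check_rfc2617_vector() recomputes the published worked example from RFC 2617 section 3.5 as a known-good reference.

```python
# Added example, not from the original post. Standard library only.
# Constructed values: realm "sample" matches the vhost's AuthName; user, password,
# nonce and cnonce below are made up for illustration.
import hashlib
import hmac

# Methods left anonymous by <LimitExcept GET HEAD OPTIONS POST>; everything else needs auth.
ANONYMOUS_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "POST"})


def requires_auth(method: str) -> bool:
    """True for any method outside the LimitExcept list (PROPFIND, PUT, MKCOL, ...)."""
    return method.upper() not in ANONYMOUS_METHODS


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def htdigest_entry(user: str, realm: str, password: str) -> str:
    """The line `htdigest -c FILE realm user` stores: user:realm:HA1 with
    HA1 = MD5(user:realm:password). The realm must equal Apache's AuthName."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 response for qop=auth (the AuthDigestQop setting in the vhost)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_authorization(user, realm, password, method, uri, nonce, cnonce, nc="00000001"):
    """Values a client (e.g. the Windows WebDAV redirector) puts in its Authorization
    header after receiving the server's 401 challenge carrying realm and nonce."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return {
        "username": user, "realm": realm, "nonce": nonce, "uri": uri,
        "nc": nc, "cnonce": cnonce, "qop": "auth",
        "response": digest_response(ha1, method, uri, nonce, nc, cnonce),
    }


def server_verify(htdigest_text: str, method: str, request_uri: str, auth: dict) -> bool:
    """Server side: find user+realm in the .htdigest contents and recompute the response.
    The password never crosses the wire; only HA1 is stored and used in the comparison."""
    if auth.get("qop") != "auth" or auth.get("uri") != request_uri:
        return False
    for line in htdigest_text.splitlines():
        if not line.strip():
            continue
        user, realm, ha1 = line.split(":", 2)
        if user == auth["username"] and realm == auth["realm"]:
            expected = digest_response(ha1, method, request_uri,
                                       auth["nonce"], auth["nc"], auth["cnonce"])
            return hmac.compare_digest(expected, auth["response"])
    return False  # unknown user, or the client's realm does not match AuthName


def check_rfc2617_vector() -> str:
    """Recompute the worked example from RFC 2617 section 3.5 as a known-good reference."""
    ha1 = md5_hex("Mufasa:testrealm@host.com:Circle Of Life")
    return digest_response(ha1, "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")


if __name__ == "__main__":
    store = htdigest_entry("acmeuser", "sample", "correct horse")  # constructed credentials
    auth = client_authorization("acmeuser", "sample", "correct horse",
                                "PROPFIND", "/", "0123456789abcdef", "deadbeef")
    print("PROPFIND needs auth:", requires_auth("PROPFIND"))
    print("valid login accepted:", server_verify(store, "PROPFIND", "/", auth))
    print("wrong realm rejected:", server_verify(store, "PROPFIND", "/", {**auth, "realm": "other"}))
```

Two things the block makes visible: the .htdigest file is only as secret as its HA1 values (anyone who reads the file can authenticate without knowing the password, so keep it outside DocumentRoot and readable by the Apache user only), and because the exchange is MD5 over a plain HTTP nonce, HTTPS is what protects the session contents, not Digest itself.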

Next, I mapped a drive in Windows using the two methods I am familiar with. First, via the command line:

W:\>net use * http://sample.acme.com
Enter the user name for 'sample.acme.com': acmeuser
Enter the password for sample.acme.com:
Drive X: is now connected to http://sample.acme.com.


And then via Windows Explorer (My Computer >> Map Network Drive; be sure to click "Connect Using Different Credentials"). Both worked flawlessly. And of course, all of this is better over HTTPS, which I plan to set up when I have time. But for now, my servers are totally in style and ready for use by people who aren't fans of vi ;) .

Posted by: Chrissy LeMaire | Filed under: Apache, Linux, Security, Windows | 2 Comments

5 Oct 2009

Securing Apache using mod_ssl, OpenSSL and Microsoft Certificate Authority (CA)

Recently, I used my Windows domain's Enterprise Root Certification Authority to secure my Subversion repository, which is hosted on an Apache-based server. The process was straightforward and relatively fast, especially because I skipped all of the file transfers and just used vi/Notepad to copy/paste the key material. The first step is to generate a server key on the Linux machine:

openssl genrsa

ariel:~ # openssl genrsa -des3 -out ariel.corp.netnerds.net.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
................................................................................
...................................++++++
e is 65537 (0x10001)
Enter pass phrase for ariel.corp.netnerds.net.key: **********
Verifying - Enter pass phrase for ariel.corp.netnerds.net.key: **********

Next, I used the key to create a certificate signing request:

openssl req

ariel:~ # openssl req -new -key ariel.corp.netnerds.net.key -out ariel.corp.netnerds.net.csr
Enter pass phrase for ariel.key: **********
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:LA
Locality Name (eg, city) []:Kaplan
Organization Name (eg, company) [Internet Widgits Pty Ltd]:netnerds
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:ariel.corp.netnerds.net
Email Address []:postmaster@netnerds.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Next, I printed the contents of ariel.corp.netnerds.net.csr with cat and copied them to my clipboard. The request looked something like this:

-----BEGIN CERTIFICATE REQUEST-----
wCvPKErAn5QBKFwlT5RCcOjeSZhAOx3UNe+Ispk874rvvwL6YIApAsMujrUlDNVo
......
vwL6
-----END CERTIFICATE REQUEST-----

I then opened my domain's CA at http://windowsCA/certsrv and went to:

  • Request a certificate
    Or, submit an advanced certificate request.
  • Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  • Saved Request:
    -----BEGIN CERTIFICATE REQUEST-----
    wCvPKErAn5QBKFwlT5RCcOjeSZhAOx3UNe+Ispk874rvvwL6YIApAsMujrUlDNVo
    ......
    vwL6
    -----END CERTIFICATE REQUEST-----

    Certificate Template: Web Server

Note: Be sure to decline when prompted by the browser to install the certificate locally.

I then opened the downloaded file in Notepad and copied its contents back to Linux as temp.key. To avoid having to type the passphrase each time Apache is restarted, I removed the passphrase from the key and moved the result to the Apache directory:

openssl rsa -in temp.key -out ariel.corp.netnerds.net-decoded.key

Next, I copied the files into the appropriate directories under /etc/apache2/ (ssl.crt and ssl.key), then edited /etc/apache2/vhosts.d/vhost-ssl.conf and added the file locations:

SSLCertificateFile /etc/apache2/ssl.crt/ariel.corp.netnerds.net.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/ariel.corp.netnerds.net-decoded.key
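As an added example (my own code, not from the original post), here is a Python checker for the two hazards in the copy/paste workflow above: a PEM block that was mangled or truncated on its way through Notepad, and an unencrypted key left readable by other users. The PEM blocks embedded in it are constructed stand-ins whose DER payload is a five-byte SEQUENCE, not a real CSR or key; the checks themselves apply unchanged to real files.

```python
# Added example, not from the original post. Standard library only.
import base64
import binascii
import os
import re
import stat

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----", re.S)

# Constructed samples: "MAMCAQU=" is base64 of the DER bytes 30 03 02 01 05, i.e.
# SEQUENCE { INTEGER 5 }, standing in for a real CSR or key body. CRLF line endings
# imitate a file that has been through Notepad.
SAMPLE_CSR = ("-----BEGIN CERTIFICATE REQUEST-----\r\n"
              "MAMCAQU=\r\n"
              "-----END CERTIFICATE REQUEST-----\r\n")
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                        "Proc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
                        "\n"
                        "MAMCAQU=\n"
                        "-----END RSA PRIVATE KEY-----\n")


def der_sequence_length_ok(der: bytes) -> bool:
    """True if `der` is one SEQUENCE whose encoded length equals the bytes present.
    A CSR or certificate that lost its tail in a paste fails this check."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: the byte is the length
        length, header = first, 2
    else:                                  # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def key_is_passphrase_protected(label: str, headers: list) -> bool:
    """PKCS#8 uses the ENCRYPTED PRIVATE KEY label; traditional PKCS#1 files
    (what `openssl genrsa -des3` writes) carry a 'Proc-Type: 4,ENCRYPTED' header.
    `openssl rsa -in enc.key -out plain.key` writes a file where both are absent."""
    if label == "ENCRYPTED PRIVATE KEY":
        return True
    return any(h.upper().startswith("PROC-TYPE:") and "ENCRYPTED" in h.upper() for h in headers)


def check_pem_text(text: str) -> list:
    """Inspect every PEM block in `text`; one dict per block with any problems found."""
    results = []
    for begin, body, end in PEM_RE.findall(text):
        problems = []
        if begin != end:
            problems.append("BEGIN/END labels differ")
        lines = [line.strip() for line in body.splitlines()]
        headers = [line for line in lines if ":" in line]           # Proc-Type, DEK-Info, ...
        b64 = "".join(line for line in lines if line and ":" not in line)
        der = b""
        try:
            der = base64.b64decode(b64, validate=True)             # reject stray characters
        except binascii.Error:
            problems.append("body is not clean base64")
        if der and not der_sequence_length_ok(der):
            problems.append("DER length does not match (truncated or padded paste)")
        results.append({"label": begin,
                        "encrypted": key_is_passphrase_protected(begin, headers),
                        "problems": problems})
    return results


def key_mode_is_private(st_mode: int) -> bool:
    """An unencrypted key must carry no group/other permission bits (0600 or stricter)."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def key_file_is_private(path: str) -> bool:
    """Same check against a file on disk, e.g. the -decoded.key under /etc/apache2/ssl.key."""
    return key_mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    print(check_pem_text(SAMPLE_CSR))
    print(check_pem_text(SAMPLE_CSR.replace("MAMCAQU=", "MAMC")))   # simulated truncation
    print(check_pem_text(SAMPLE_ENCRYPTED_KEY))
```

The point of the mode check is that once the passphrase is stripped, filesystem permissions are the only thing protecting the key; chmod 600 and root ownership on the -decoded.key file are the minimum.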

Finally, I restarted the Apache service and then partied to Wayne Toups.

Posted by: Chrissy LeMaire | Filed under: Active Directory, Apache, Linux, Networking, Security | 4 Comments

2 Oct 2009

Securing Subversion with Windows 2008 Kerberos-Based SSO and Linux-Based Apache

Some things just belong on Linux. Like Subversion and Apache, for instance. I've seen the ghetto workarounds for Windows-based Apache installs and no thanks -- I'd much rather waste my time on ghetto SharePoint workarounds.

But I sure do like the way Windows-based web servers such as IIS seamlessly and securely authenticate users across a domain. I wanted Apache to do the same and, after a week of trying various authentication methods, I found the easiest and most efficient way is to use SSL, Kerberos, and Likewise.

I started this project, as I do all of my Linux projects, with a fresh install of SuSE Linux Enterprise Server (SLES 11). During the initial install, I made sure to use a local passwd file for authentication; Likewise takes care of all the advanced authentication methods after the install is complete. When using Likewise, do not attempt to use YaST to configure authentication or you'll run into a variety of PAM and krb5 key issues.

Here are the steps and tutorials I used to achieve SSO:

  1. Install and configure Likewise Open.
    • Joining a domain is as easy as /opt/likewise/bin/domainjoin-cli join corp.netnerds.net Administrator, even when authenticating against Windows 2008 Active Directory.
  2. Set up Apache to support SSL.
  3. Set up Apache to support Kerberos-based SSO.
    • My ktpass, for example, looks like this:
      ktpass /out http.ktb /princ HTTP/ariel.corp.netnerds.net@CORP.NETNERDS.NET /pass SkiAlta2009 /mapuser corp\linuxweb
  4. Install the One-Click Installer, which comes with OpenSuSE by default but not with SLES 11:
    • yast -i yast2-metapackage-handler
  5. Add the Subversion packages to the local repository:
    • OCICLI http://software.opensuse.org/ymp/Subversion/SLE_11/subversion.ymp
    • Go into YaST and install the necessary Subversion packages.
  6. Follow the OpenSuSE tutorial for Setting Up a Subversion Server Using Apache 2.
  7. Throw a party! Just turn up Pandora's Cajun station and DANCE.

I recommend using your domain's own Certificate Authority to generate the SSL cert that Apache will use. That way, users won't be prompted to accept an untrusted self-signed SSL certificate.

Have fun!

Posted by: Chrissy LeMaire | Filed under: Active Directory, Apache, Linux, Networking, Security | 3 Comments

1 Oct 2009

Apache: Pre-compiled mod_auth_pam for SLES 11

This was ridiculous. Since apache-devel isn't available in SLES (and I do understand why, but give me the option at least!), I had to point one of my SLES machines at an OpenSuSE repository and pull in all of the packages required to compile mod_auth_pam. I had to downgrade quite a few packages, but whatever works, eh?

For those of you running SLES who are trying to get mod_auth_pam to work, you can grab a precompiled copy of mod_auth_pam.tgz.

This works on the standard Apache2 install that comes with SLES 11. I presume it also works on OpenSuSE 11. Just download the tgz, extract the contents, and run ./install. Then you can load up Novell's step-by-step tutorial on how to get this to work. Take note of the instructions to manually change a few files, because that still needs to be done.

For my future reference, here are the Apache directives I ended up using:

AuthPAM_Enabled On
AuthPAM_FallThrough Off
AuthBasicAuthoritative Off
AuthGROUP_Enabled Off
AuthUserFile /dev/null
AuthType Basic
AuthName ADDomain
require valid-user

While this works, it isn't seamless the way mod_auth_ntlm_winbind is, but it works over SSL, unlike mod_auth_ntlm_winbind.

Posted by: Chrissy LeMaire | Filed under: Active Directory, Apache, Linux, Security | 4 Comments

1 Oct 2009

Enable Windows NTLM Pass-through Authentication in Linux-based Apache

Thank Science for SuSE Linux Enterprise 11; it's made this process relatively easy. SLES 10 SP2 was giving me a headache because of some Windows 2008-based Active Directory authentication issues, but upgrading to SLES 11 took care of all that.

First things first: set up Samba to authenticate to AD. Next, install the OpenSuSE mod_auth_ntlm_winbind RPM:

rpm --install http://download.opensuse.org/distribution/11.0/repo/oss/suse/i586/apache2-mod_auth_ntlm_winbind-0.0.0.lorikeet_svn_682-135.1.i586.rpm

The wiki for this Apache 2 module can be found here. Next, we're going to install pam_smb, set the proper permissions on winbindd_privileged, add the module to Apache and restart the web service:

yast -i pam_smb
setfacl -m u:wwwrun:rx /var/lib/samba/winbindd_privileged
a2enmod auth_ntlm_winbind
rcapache2 restart

Finally, add something along these lines to your Apache config file:

<Directory "/srv/www/htdocs">
    AuthName "NTLM Authentication"
    NTLMAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative on
    AuthType NTLM
    Require valid-user
</Directory>

Restart the service and you should be authenticating automatically. Don't forget to add the website to your browser's Intranet zone if needed.

Also, I read that, unfortunately, auth_ntlm_winbind doesn't work over SSL, but I'm going to try it anyway. In the event that it doesn't, I'll be exploring Kerberos authentication within Apache.

Posted by: Chrissy LeMaire | Filed under: Active Directory, Apache, Linux, Security | 3 Comments

29 Apr 2007

Rules for High Performance Websites

Last week, I attended the Web 2.0 Expo at the Moscone Center in San Francisco, where I watched Steve Souders of Yahoo speak. His workshop was titled High Performance Webpages, and he has a yet-to-be-published O'Reilly book by the same name (though the Rough Cuts version is currently available for download). The basis of his presentation is as follows:

These best practices have proven to reduce response times of Yahoo! properties by 25-50%. We focus on the front-end because that's where 80-90% of the end-user response time is spent. This "80-90% front-end" phenomenon is not isolated to just Yahoo!. It holds true for most web sites, including the ten most-visited U.S. web sites. In any optimization effort it's critical to profile current performance to identify where the greatest improvement can be made. It's clear that the place to focus for fast web pages is the front-end:
1. There is more potential for improvement by focusing on the front-end. Making the back-end twice as fast reduces response times by 5-10%, whereas making the front-end twice as fast saves 40-45%.
2. Front-end improvements typically require less time and resources than back-end performance projects.
3. Focusing on front-end improvements has proven to work. Over fifty teams at Yahoo! have reduced their end-user response times by following these 14 Rules for High Performance Websites.

Souders' presentation was especially useful for me because it made me realize that I was spending too much time on speeding up the back-end and not enough time speeding up the front-end. I passed this URL on to my developer-in-crime, Brandon, and we'll be using it as a guideline during the redevelopment of RealCajunRecipes.com.

Posted by: Chrissy LeMaire | Filed under: Apache, IIS | 1 Comment