Gray Matter @


Linux, Nginx and WebDAV

RT Cunningham | July 20, 2020 (UTC) | Linux

When it comes to keeping your data safe, it’s pretty easy. Keeping it private is much harder. You can trust cloud service providers to keep your data safe, but can you trust them to keep it private? Server breaches have exposed my usernames, passwords and other private data more times than I care to remember, and I don’t trust any of them anymore.

Linux and Nginx

Linux is a Unix variant. Nginx runs well on Unix variants. I don’t know if it runs well on anything else but the last time I checked, it didn’t run very well on Windows.

I started out using Apache as my web server, like many people before me. When I discovered Nginx, it was like a breath of fresh air. Apache consumed way more memory than Nginx unless it was configured in a specific way. I didn’t have what it took to apply the proper voodoo with Apache, so I did the next best thing and switched to Nginx. I never looked back.

There are certain ways to configure Nginx to perform specific duties, reverse proxying being one of them. I was never concerned with doing anything but serving web pages.

Nginx and WebDAV

There are two places to store data online. One is a server that someone else controls and the other is a server that you control. I prefer using a server I can control.

This website is an example. I edit all the configuration files on my laptop computer, and they’re automatically saved on my mounted WebDAV server.

My KeePass compatible database file is stored on the same WebDAV server, but not through a mounted directory. I use KeeWeb to access the WebDAV server and KeePass database directly. KeeWeb can also access a KeePass database on Dropbox, Google Drive, and OneDrive as well as a local file system.

Some password managers are free and some are commercial. If you take the time to set up a web server with an inexpensive web hosting provider, you won’t pay much more than a commercial password manager. You can do a lot more than manage passwords with a web server.

WebDAV Security

Security through obscurity is a real thing. No one knows about my WebDAV server because the server name isn’t published anywhere. It doesn’t have an obvious name like “webdav”, “files” or any such nonsense as part of it.

I access the physical server (a DigitalOcean droplet) using SSH public key authentication on a nonstandard port. The virtual host (called a “server” by Nginx) is password protected and the KeePass database is password protected. It’s about as safe and private as it can get.

The WebDAV server is mounted on my laptop computer using the fstab file:

/mnt/name davfs defaults,uid=username,gid=username,_netdev,auto 0 0

Before I could use it, I had to install the davfs2 package:

sudo apt install davfs2

After that, I had to insert the URL, the username and the password in the /etc/davfs2/secrets file. The username and password are defined at the web server. The line looks like this:

username password

The Web Server “Server” Configuration Block

This was the hardest part to figure out, believe it or not.

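server {
    listen                           443 ssl http2;
    server_name            ;
    root                             /home/;
    location / {
        # HTTP basic auth guards every request to this location
        auth_basic                       "Restricted";
        auth_basic_user_file             /etc/nginx/.password;
        # Core WebDAV write methods (ngx_http_dav_module)
        dav_methods                      PUT DELETE MKCOL COPY MOVE;
        # PROPFIND and OPTIONS come from the third-party nginx-dav-ext-module
        dav_ext_methods                  PROPFIND OPTIONS;
        dav_access                       user:rw group:rw all:r;
        client_body_temp_path            /home/;
        # 0 disables the upload size limit
        client_max_body_size             0;
        # Let PUT create any missing intermediate directories
        create_full_put_path             on;
    }
}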

There really isn’t much to explain. Since I’m using a wildcard SSL certificate, it’s stored at the HTTP level instead of the SERVER level. I used the “htpasswd” utility (designed for Apache) to create the password file. Since there isn’t an index file of any kind and the web directory isn’t exposed, accessing it through a web browser generates a “file not found” (404) error. My visible server only includes files from the WebDAV server, so it isn’t an issue for me.
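A check for a configuration like the one above, as an added example (not the author's code): a shell function, here called audit_dav, that flags any location with dav_methods enabled but no auth_basic and auth_basic_user_file, and any DAV server block that also has a non-ssl listen. The sample config and its /drop/ location are constructed for illustration, and the check assumes one directive per line.

```shell
# audit_dav FILE: report WebDAV locations that lack basic auth and DAV
# servers with a non-TLS listener. Exit status 0 = clean, 1 = findings.
# Assumes one directive per line, "{" on the same line as its directive,
# and no nested locations (a line-oriented check, not a full nginx parser).
audit_dav() {
    awk '
    function end_loc() {
        if (inloc && dav && !(l_auth && l_file)) { print "no-auth: location " name; bad = 1 }
        inloc = 0
    }
    function end_srv() {
        if (insrv && anydav && plain) { print "no-tls: DAV server has a non-ssl listen"; bad = 1 }
        insrv = 0
    }
    { sub(/#.*/, "") }                                   # strip comments
    $1 == "server" && $2 == "{" { insrv = 1; s_at = depth; s_auth = s_file = s_dav = plain = anydav = 0 }
    $1 == "listen" && $0 !~ /[ \t]ssl[ \t;]/ { plain = 1 }
    $1 == "location" { inloc = 1; l_at = depth; name = $(NF - 1)
                       l_auth = s_auth; l_file = s_file; dav = s_dav }   # inherit server-level settings
    $1 == "auth_basic" { v = ($2 != "off;"); if (inloc) l_auth = v; else s_auth = v }
    $1 == "auth_basic_user_file" { if (inloc) l_file = 1; else s_file = 1 }
    $1 == "dav_methods" && $2 != "off;" { anydav = 1; if (inloc) dav = 1; else s_dav = 1 }
    {
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")     # track brace nesting
        if (inloc && depth <= l_at) end_loc()
        if (insrv && depth <= s_at) end_srv()
    }
    END { end_loc(); end_srv(); exit bad + 0 }           # also covers unclosed blocks
    ' "$1"
}

# Constructed sample: the layout above plus an unauthenticated location.
demo=$(mktemp)
cat > "$demo" <<'EOF'
server {
    listen 443 ssl http2;
    listen 80;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.password;
        dav_methods PUT DELETE MKCOL COPY MOVE;
    }
    location /drop/ {
        dav_methods PUT;
    }
}
EOF
audit_dav "$demo" || true
rm -f "$demo"
```

Run it against the file that holds the WebDAV server block after every edit and before reloading Nginx; a non-zero exit status means at least one finding was printed.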

The first time I accessed the mounted directory, I had “Nemo” (my file manager) memorize the password. Accessing it isn’t as fast as the local file system, but it isn’t as slow as something like FTP, which I rarely use nowadays.

My droplet costs me $5.00 a month, and it runs the latest version of Ubuntu Server. Keeping it up-to-date is as simple as connecting via SSH and running “apt dist-upgrade”. Updating it is at least 10 times faster than updating my local Linux Mint operating system.

Image Attribution: Clker-Free-Vector-Images at Pixabay
Edited and updated. Originally published at one of my other websites in May 2020.

Copyright © 2020, 2021
RT Cunningham
