WebDAV Isn't Dead Yet

I should have titled this post “I hate S3”.

📢 What is the status quo?

FTP is dead (yay), SFTP is too dependent on SSH and unix authentication. AWS made S3 pervasive and now every webapp that needs to store files assumes you’ll be able to connect it S3. This is good for Amazon, but painful for everyone else.

📢 But who is WebDAV useful for?

Most people working on personal projects, self-hosting, or just need filesystem-over-HTTP-ish capabilities do not need S3, they just need a place for their files behind some form of authentication. I stopped reaching for S3 and started running from S3 a while ago and I think you should consider doing the same.

Here are my core requirements:

authentication
write files
efficiently sync files
ensure those files aren’t publicly accessible by default
relatively easy to make those files public

Here’s what I don’t need:

advanced ACLs and roles
signed URLs
versioning (the V in WebDAV is actually versioning, but still…)
tiered storage
lifecycle rules
quotas, but could be done at the filesystem level (e.g., ZFS)
many things I can’t think of right now

This list probably resonates with you as well. I just don’t think we should be encouraging people to run Openstack Swift, CEPH, Minio, or unfinished projects like Garage just to achieve file-storage-over-HTTP.

And with Minio recently killing off most of their admin UI and making people suffer through crafting JSON policy files and uploading them with the mc tool… just let it go. It’s not worth your time.

How would you access WebDAV to manage files if you’ve never tried before? Lots of tools support it:

MacOS Finder (Go->Connect to Server… enter https://…) and iOS Files
Windows Explorer (Map Network Drive, Connect to a Web site…)
rclone
curl
Popular things like CyberDuck, WinSCP, Filezilla…

It’s broadly available as you can see even though it’s considered by many to be archaic or obsolete. Your webserver that you’re running probably already supports it and you just need to integrate auth and setup a vhost / domain for it: Apache, Nginx, Caddy, Lighttpd, IIS … You’ll even find support in OwnCloud/NextCloud too.

In fact, you’re already using WebDAV and you just don’t realize it. This is how your contacts and calendars are synced on your devices. The CardDAV and CalDAV protocols are somewhat like extensions to WebDAV so it suits those purposes more efficiently, and they are not likely to go away any time soon.

So here’s how I’m using it with Apache. I already have a few things that work optimally in Apache so I didn’t choose another webserver, but I will note that Caddy probably has the simplest configuration for ensuring individual users get dropped into a private directory. A lot of out-of-the-box WebDAV solutions will be exposing all of the files to anyone who can authenticate which is silly, but it’s solvable. I’ll admit that Apache’s config is probably the most convoluted and verbose to achieve a multi-user setup with some semblance of privacy, but it’s not impossible.

My setup is using LDAP auth, but you can plug in your own obviously.

Behold:

# DAV specific modules you want
LoadModule dav_module libexec/apache24/mod_dav.so
LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so

# Ancient fixes Apache includes in example config, kept just because...
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[01234]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
BrowserMatch " Konqueror/4" redirect-carefully

<VirtualHost *:443>
    ServerName webdav.example.com
    DocumentRoot /usr/local/www/webdav
    SSLEngine on
    # other SSL settings left to you

    # This is really important when serving WebDAV
    # or some operations fail due to an index attempting to be served
    DirectoryIndex disabled

    DavLockDB "/tmp/DavLock"
    DavMinTimeout 600
    DavDepthInfinity On

    <Directory /usr/local/www/webdav/>
        DAV On
        AllowOverride None

        AuthType Basic
        AuthName WebDAV
        AuthBasicProvider ldap
        AuthLDAPURL ldaps://ldapserver:636/ou=users,dc=example,dc=com?uid
        AuthLDAPRemoteUserAttribute uid
        <Limit GET HEAD POST PUT OPTIONS MOVE DELETE COPY LOCK UNLOCK PROPFIND PROPPATCH MKCOL DUPLICATE>
            Require ldap-group cn=webdav,ou=groups,dc=example,dc=com
            Require valid-user
        </Limit>
    </Directory>

    # Force users to only be able to see files in the subdirectory matching their username
    RewriteEngine On
    # Only rewrite if NOT already in user's directory
    RewriteCond %{REQUEST_URI} !^/%{LA-U:REMOTE_USER}/
    RewriteCond %{LA-U:REMOTE_USER} ^(.+)$
    RewriteRule ^(.*)$ /%1$1 [L]
</VirtualHost>

And now if there’s a subdirectory under /usr/local/www/webdav matching the user’s name and writable by the webserver, they’ll be able to authenticate and use the storage space.

So what am I using this with?

Joplin, a self hosted notes app that syncs to my own server
Keepassium, Keepass app well integrated into iOS/MacOS
VLC
Infuse
Publishing this static blog with rclone (it’s faster than rsync over NFS/SMB, and I won’t need a VPN when I’m roaming!)

While writing this article I came across an interesting project under development, Altmount. This would allow you to “mount” published content on Usenet and access it directly without downloading it… super interesting considering I can get multi-gigabit access to Usenet pretty easily.

Don’t sleep on WebDAV, give it a chance. It’s not dead yet.