Dav backended web servers

My father-in-law asked a question about email the other day that perplexed me. We recently got him a Mac and he was complaining about the “spinning beach ball of death” when he tried to send a message. It turns out that the message was 50 full-size digital photos for my brother-in-law. After he explained that detail it made sense that Mail was choking. I told him that the mail was simply too big and that the better way to share the pictures would be to post them on a website. I also promised to come up with a solution for him in a week or so and give him a helping hand getting everything posted.

Normal people would look at Picasa or Flickr or something, but neither of those sites interests me. Most of the photo sites on the web want you to sign up, which infringes on my privacy. They grant you some promotion through search engines for the privilege, but Bapa doesn’t need the world to be able to see his photo album. To my “open source guy” brain the immediate solution would be to create the site and then set up something like Coppermine or Gallery2, but both of those solutions require me to teach Bapa how to post to a photo web site. Picasa and Flickr have the same issue.

Fortunately for me, Bapa has a Mac. The Mac has a set of wonderfully integrated tools for doing exactly this sort of thing. I decided that the easiest thing to do would be to use Apache and mod_dav to grant access to some web space, and then use Apache to publish a site from within that web space. The Apache config is actually pretty simple. You use two virtual hosts: one points to the backend and one points to the actual site. Here’s the apache2 config for the backend:

<VirtualHost *:80>
    ServerName      backend.example.com
    ServerAlias     backend

    ServerAdmin     webmaster@example.com

    DocumentRoot    /home/www/sites/backend.example.com/
    DAVLockDB       /var/www/DavLockDb

    <Directory "/home/www/sites/backend.example.com/Dav/">
        Dav On
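        AuthName    "Photo DAV Fileshare"
        AuthType    Basic
        # Apache 2.2 and later also need "AuthBasicProvider ldap" here
        AuthLDAPURL ldap://ldap-slave.example.com/ou=people,dc=example,dc=com?uid
        # Reads and listings (GET, HEAD, OPTIONS, PROPFIND) need no login;
        # every other method, including PUT and DELETE, requires one
        <LimitExcept GET HEAD OPTIONS PROPFIND>
            require valid-user
        </LimitExcept>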
    </Directory>

    ErrorLog        /home/www/sites/backend.example.com/log/error_log
    CustomLog       /home/www/sites/backend.example.com/log/access_log common
</VirtualHost>

The goal here is to provide DAV access to the web site’s storage so the Macintosh toolkit sees it as just another place to store files. The Directory setting tells Apache to provide the Dav directory and everything below it as a shared file system using the DAV protocol. In this case authentication is provided via LDAP but that could easily be changed to .htaccess files.

The actual web site’s virtual host config is here. The trick is in setting DocumentRoot to be a subdirectory of the Dav provided above.

<VirtualHost *:80>
    ServerName      photos.example.com
    ServerAlias     photos

    ServerAdmin     bapa@example.com
    DocumentRoot    /home/www/sites/backend.example.com/Dav/photos

    ErrorLog        /home/www/sites/backend.example.com/log/error_log
    CustomLog       /home/www/sites/backend.example.com/log/access_log common
</VirtualHost>

The result is that Bapa can attach the file structure that contains his photo share as a DAV imported file system from his Mac (Finder: Go -> Connect to Server, then http://backend.example.com/Dav/photos). Then tell iWeb to publish his website into that space, et voilà: his pages are magically published to the web under photos.example.com.

This is about 90% of your setup. You will want to secure things to make sure that they aren’t easily broken. Apache accesses the Dav as user: www so it’s pretty important to make sure that the DAV directory is protected from tampering by having it owned by root:

# mkdir -p /home/www/sites/backend.example.com/Dav/photos
# chown root:root /home/www/sites/backend.example.com/Dav
# chmod 775 /home/www/sites/backend.example.com/Dav
# chown root:www /home/www/sites/backend.example.com/Dav/photos
# chmod 775 /home/www/sites/backend.example.com/Dav/photos

These permissions set up the Dav share so that an object stored in the root of the Dav may only be deleted or removed by its owner. The DocumentRoot of the photos site can be written into by the www user. This isn’t meant as absolute security as much as a means to keep down support calls.

Caveats

In this example I’m doing nothing to protect Bapa’s password from interlopers on the net. In reality you would want the DAV to be provided over HTTPS to protect the password. A VPN connection is another possibility.
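
The HTTPS variant of the backend mentioned above, as an added example that is not part of the original post. The certificate paths are placeholders, and it assumes mod_ssl is loaded and Apache listens on port 443.

```apache
# Added example. Port 80 no longer serves DAV or asks for a password;
# it only redirects, so Basic credentials are never requested in cleartext.
<VirtualHost *:80>
    ServerName      backend.example.com
    ServerAlias     backend
    Redirect permanent / https://backend.example.com/
</VirtualHost>

# The DAV share itself, identical to the backend above but behind TLS.
<VirtualHost *:443>
    ServerName      backend.example.com
    ServerAlias     backend

    ServerAdmin     webmaster@example.com

    SSLEngine             on
    # Placeholder paths: point these at your own certificate and key
    SSLCertificateFile    /path/to/backend.example.com.crt
    SSLCertificateKeyFile /path/to/backend.example.com.key

    DocumentRoot    /home/www/sites/backend.example.com/
    DAVLockDB       /var/www/DavLockDb

    <Directory "/home/www/sites/backend.example.com/Dav/">
        Dav On
        AuthName    "Photo DAV Fileshare"
        AuthType    Basic
        # Apache 2.2 and later also need "AuthBasicProvider ldap" here
        AuthLDAPURL ldap://ldap-slave.example.com/ou=people,dc=example,dc=com?uid
        <LimitExcept GET HEAD OPTIONS PROPFIND>
            require valid-user
        </LimitExcept>
    </Directory>

    ErrorLog        /home/www/sites/backend.example.com/log/error_log
    CustomLog       /home/www/sites/backend.example.com/log/access_log common
</VirtualHost>
```

With this in place the Finder connection uses https://backend.example.com/Dav/photos, while photos.example.com can stay on plain HTTP because it never asks for a password.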