Linux, Nginx and WebDAV - Keeping Your Data Private and Safe

When it comes to keeping your data safe, it’s pretty easy. Keeping it private is much harder. You can trust cloud service providers to keep your data safe, but can you trust them to keep it private? Server breaches have exposed my user names, passwords and other private data more times than I care to remember and I don’t trust any of them anymore.

Linux and Nginx

Linux is a Unix variant. Nginx runs well on Unix variants. I don’t know if it runs well on anything else, but the last time I checked, it didn’t run very well on Windows.

I started out using Apache as my web server, like many people before me. When I discovered Nginx, it was like a breath of fresh air. Apache consumed way more memory than Nginx unless it was configured in a specific way. I didn’t have what it took to apply the proper voodoo with Apache, so I did the next best thing and switched to Nginx. I never looked back.

There are certain ways to configure Nginx to perform specific duties, reverse proxying being one of them. I was never concerned with doing anything but serving web pages.

Nginx and WebDAV

There are two places to store data online. One is a server that someone else controls and the other is a server that you control. I prefer using a service I can control.

This website is an example. The administrative interface is on my laptop computer. When I publish an article, the local addresses get changed to the online addresses as the article is saved on a mounted WebDAV server. A routine scans for images that exist locally but not online and then copies them to the appropriate directory.

My KeePass compatible database file is stored on the same WebDAV server, but not through a mounted directory. I use KeeWeb to access the WebDAV server and KeePass database directly. KeeWeb can also access a KeePass database on Dropbox, Google Drive, and OneDrive as well as a local file system.

Some password managers are free and some are commercial. If you take the time to set up a web server with an inexpensive web hosting provider, you won’t pay much more than a commercial password manager. You can do a lot more than manage passwords with a web server.

WebDAV Security

Security through obscurity is a real thing. No one knows about my WebDAV server because the server name isn’t published anywhere. It doesn’t have an obvious name like “webdav”, “files” or any such nonsense as part of it.

I access the physical server (a DigitalOcean droplet) using SSH public key authentication on a nonstandard port. The virtual host (called a “server” by Nginx) is password protected and the KeePass database is password protected. It’s about as safe and private as it can get.

The WebDAV server is mounted on my laptop computer using the fstab file:

https://name.example.org /mnt/name davfs defaults,uid=username,gid=username,_netdev,auto 0 0

Before I could use it, I had to install the davfs2 package:

sudo apt install davfs2

The Web Server “Server” Configuration Block

This was the hardest part to figure out, believe it or not. I’ll show it to you and explain what needs to be explained.

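server {
    listen                           443 ssl http2;
    server_name                      name.example.org;
    root                             /home/name.example.org;
    # HTTP Basic authentication for the whole virtual host
    auth_basic                       "Restricted";
    auth_basic_user_file             /etc/nginx/.password;
    # Methods handled by the built-in ngx_http_dav_module
    dav_methods                      PUT DELETE MKCOL COPY MOVE;
    # PROPFIND and OPTIONS need the third-party nginx-dav-ext-module
    dav_ext_methods                  PROPFIND OPTIONS;
    # Permissions given to files and directories created through WebDAV
    dav_access                       user:rw group:rw all:r;
    client_body_temp_path            /home/name.example.org/temp;
    # 0 disables the check on request body size, so uploads are unlimited
    client_max_body_size             0;
    # Let PUT create any missing intermediate directories
    create_full_put_path             on;
}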

There isn’t much to explain. Since I’m using a wildcard SSL certificate, it’s stored at the HTTP level instead of the SERVER level. I used the “htpasswd” utility (designed for Apache) to create the password file. Since there isn’t an index file of any kind and the web directory isn’t exposed, accessing it through a web browser generates a “file not found” (404) error. My real server name includes files from the WebDAV server, so it isn’t an issue for me.
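
The password file created with htpasswd is the only credential check in this server block, so it is worth knowing how its entries are hashed and who on the server can read it. The script below is an added example, not part of the original post: the ok/legacy/weak grades and the sample entries are assumptions made here, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: grade htpasswd-format entries by hash scheme; sample data is constructed.

# Map one hash field to "scheme:grade" from its prefix or shape.
classify_hash() {
    case "$1" in
        '$2y$'*|'$2b$'*|'$2a$'*) echo "bcrypt:ok" ;;  # htpasswd -B; needs crypt() support
        '$6$'*)     echo "sha512-crypt:ok" ;;
        '$5$'*)     echo "sha256-crypt:ok" ;;
        '$apr1$'*)  echo "apr1-md5:legacy" ;;   # htpasswd -m
        '$1$'*)     echo "md5-crypt:legacy" ;;
        '{SHA}'*)   echo "sha1-unsalted:weak" ;;
        '{SSHA}'*)  echo "sha1-salted:weak" ;;
        '{PLAIN}'*) echo "plaintext:weak" ;;
        ''|*[!./0-9A-Za-z]*) echo "unknown:review" ;;
        *) if [ "${#1}" -eq 13 ]; then echo "des-crypt:weak"   # htpasswd -d
           else echo "unknown:review"; fi ;;
    esac
}

# Print "name<TAB>scheme:grade" per entry; return 1 if anything needs attention.
audit_htpasswd() {
    file=$1; findings=0
    while IFS=: read -r user hash _comment; do
        case "$user" in ''|'#'*) continue ;; esac
        verdict=$(classify_hash "$hash")
        printf '%s\t%s\n' "$user" "$verdict"
        case "$verdict" in *:ok) ;; *) findings=1 ;; esac
    done < "$file"
    # Any local account can read the hashes if the "other" read bit is set.
    if [ -n "$(find "$file" -maxdepth 0 -perm -004)" ]; then
        printf '%s\tworld-readable\n' "$file"; findings=1
    fi
    return "$findings"
}

# Constructed sample entries; the hash strings are placeholders, not real hashes.
write_sample() {
    cat > "$1" <<'EOF'
alice:$2y$10$CONSTRUCTEDplaceholderBCRYPTvalue
bob:$apr1$SAMPLEsa$CONSTRUCTEDplaceholder
carol:{SHA}Q09OU1RSVUNURUQ=
dave:xxSAMPLEdes00
EOF
}

sample=$(mktemp); write_sample "$sample"
audit_htpasswd "$sample" || echo "review every entry not graded :ok"
rm -f "$sample"
```

To check the real file, call audit_htpasswd /etc/nginx/.password from a root shell; entries graded legacy or weak can be regenerated with htpasswd -B where the system's crypt() accepts bcrypt.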

The first time I accessed the mounted directory, I had “Nemo” (my file manager) memorize the password. Accessing it isn’t as fast as the local file system, but it isn’t as slow as something like FTP, which I rarely use nowadays.

My droplet costs me $5.00 a month and it runs the latest version of Ubuntu Server. Keeping it up-to-date is as simple as connecting via SSH and running “apt dist-upgrade”. Updating it is at least 10 times faster than updating my local Linux Mint operating system.

Image Attribution: Clker-Free-Vector-Images at Pixabay

By RT Cunningham
May 3, 2020