Configuring an Nginx-based WebDAV Service
Configuring WebDAV and TLS 1.3
Environment: Debian 10 + Nginx/1.16.1
Compiling Nginx
Check the Nginx version: nginx -V
Make sure the required dependencies are installed:
apt install zlib1g-dev
apt install libgd-dev
apt install libgeoip-dev
WebDAV support requires two modules: with-http_dav_module and nginx-dav-ext-module.
Get Nginx: wget -c https://nginx.org/download/nginx-1.16.1.tar.gz && tar zxf nginx-1.16.1.tar.gz && rm nginx-1.16.1.tar.gz
Enter the nginx source directory and download the source of the modules needed for the build:
nginx-dav-ext-module: git clone https://github.com/arut/nginx-dav-ext-module.git
headers-more-nginx-module: git clone https://github.com/openresty/headers-more-nginx-module.git
An OpenSSL version that supports the TLS 1.3 protocol: wget -c https://www.openssl.org/source/openssl-1.1.1d.tar.gz && tar zxf openssl-1.1.1d.tar.gz && rm openssl-1.1.1d.tar.gz
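Modify the build arguments. nginx -V lists the arguments the installed binary was built with; keep those and add the following:
./configure --with-http_dav_module \
--add-module=./headers-more-nginx-module \
--with-openssl=./openssl-1.1.1d \
--add-module=./nginx-dav-ext-module
Build: make
Back up: mv /usr/sbin/nginx /usr/sbin/nginx_bak
Confirm the version: ./objs/nginx -v
Copy and replace: cp objs/nginx /usr/sbin/nginx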
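A check to run on the freshly built binary before it replaces /usr/sbin/nginx, added here as an example and not part of the original page: it reads nginx -V output and reports missing modules or an OpenSSL too old for TLS 1.3. The function names and sample outputs are constructed, and the --with-http_ssl_module check is an assumption.

```sh
#!/bin/sh
# Added example, not from the original page: given the text printed by
# `nginx -V`, report what this guide's configuration would be missing.
# Real use (nginx -V writes to stderr): ./objs/nginx -V 2>&1 | check_nginx_build
check_nginx_build() {
    build_info=$(cat)
    status=0
    # Modules the server block relies on. --with-http_ssl_module is an
    # assumption added here: the ssl_* directives are only available with it.
    for need in --with-http_dav_module --with-http_ssl_module \
                nginx-dav-ext-module headers-more-nginx-module
    do
        case "$build_info" in
            *"$need"*) ;;
            *) echo "missing: $need"; status=1 ;;
        esac
    done
    # TLS 1.3 needs OpenSSL 1.1.1 or later; read the "built with OpenSSL" line.
    ver=$(printf '%s\n' "$build_info" | sed -n \
        's/^built with OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p' |
        head -n 1)
    if [ -z "$ver" ]; then
        echo "missing: built with OpenSSL line"; status=1
    else
        set -- $ver
        if [ $(( $1 * 10000 + $2 * 100 + $3 )) -lt 10101 ]; then
            echo "too old for TLS 1.3: OpenSSL $1.$2.$3"; status=1
        fi
    fi
    return $status
}

# Constructed sample outputs (not captured from a real host).
sample_good() {
    cat <<'EOF'
nginx version: nginx/1.16.1
built with OpenSSL 1.1.1d  10 Sep 2019
configure arguments: --with-http_ssl_module --with-http_dav_module --add-module=./headers-more-nginx-module --with-openssl=./openssl-1.1.1d --add-module=./nginx-dav-ext-module
EOF
}
sample_bad() {
    cat <<'EOF'
nginx version: nginx/1.16.1
built with OpenSSL 1.1.0l  10 Sep 2019
configure arguments: --with-http_ssl_module --with-http_dav_module
EOF
}
sample_bad | check_nginx_build || true   # prints the three problems
```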
Add the relevant configuration to the server block (this example defines access under a subdirectory; adjust as needed):
server {
    ...
    ssl_protocols TLSv1.3;
    # With only TLSv1.3 enabled, this list does not select the TLS 1.3 suites:
    # OpenSSL 1.1.1 configures them separately from the TLS 1.2-and-below cipher list.
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
    location /webdav {
        # Root directory to index; change the directory's ownership to www-data
        alias /path/to/file;
        autoindex on;
        autoindex_localtime on;
        autoindex_exact_size off;
        # Prettify the index
        # add_after_body /path/to/.autoindex.html;
        # Fixes rename errors with some WebDAV clients
        # Requires building with the headers-more-nginx-module
        set $dest $http_destination;
        if (-d $request_filename) {
            rewrite ^(.*[^/])$ $1/;
            set $dest $dest/;
        }
        if ($request_method ~ (MOVE|COPY)) {
            more_set_input_headers 'Destination: $dest';
        }
        if ($request_method ~ MKCOL) {
            rewrite ^(.*[^/])$ $1/ break;
        }
        # Prompt shown when asking for credentials
        auth_basic "user&&passwd";
        # User password file
        auth_basic_user_file /path/to/htpasswd;
        # WebDAV methods and file permissions
        dav_methods PUT DELETE MKCOL COPY MOVE;
        dav_ext_methods PROPFIND OPTIONS;
        dav_access user:rw group:rw all:r;
        # Temporary staging directory, improves security
        client_body_temp_path /tmp/webdav;
        # Upload size limit; 0 means unlimited
        client_max_body_size 0;
        create_full_put_path on;
    }
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
To deny access to the dirdeny directory and return 403 Forbidden, add a location block:
location /dirdeny {
    deny all;
    return 403;
}
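Generate the user password file /etc/nginx/.htpasswd:
- Use
htpasswd -c /etc/nginx/.htpasswd username
to create a user. You may need apt-get install apache2-utils to get htpasswd.
- You can also use the online htpasswd generator http://tool.oschina.net/htpasswd and save the generated result to the htpasswd file. Note that this sends the password to a third-party site over plain HTTP.
- Or use the following commands:
# Create the new user "user"
echo -n 'user:' | sudo tee /etc/nginx/.htpasswd
# Set the user's password
openssl passwd -apr1 | sudo tee -a /etc/nginx/.htpasswd
Password: # enter the user's password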
Reload the nginx service configuration: service nginx restart
service nginx status
You can then add the server http://example.com/webdav/ in a WebDAV client, or open it directly in a browser.
Nginx errors
If Nginx reports the error: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
or: openresty.service: Failed to parse PID from file /run/openresty.pid: Invalid argument
run the following commands to fix it:
mkdir -p /etc/systemd/system/nginx.service.d
printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" >/etc/systemd/system/nginx.service.d/override.conf
systemctl daemon-reload
systemctl restart nginx.service