RT Cunningham

WebDAV and Nginx - Setting Up a Bulletproof WebDAV Server Isn’t Easy

WebDAV I have a WebDAV server set up. After much testing and minor changes, it’s pretty much bulletproof for my purposes. I’m the only person capable of connecting to it and with only one connection method.

I’ll be adding a WebDAV directory to my current domain as soon as I finish the project I’m working on. It won’t be as strict as the server because it won’t matter if the files are read by others.

The Nginx WebDAV Server Block

I displayed the code when I wrote about the Buttercup Password Manager. I’ll repeat it here, with minor changes:

server {
    listen                            443 ssl http2;
    server_name                       servername.tld;
    root                              /home/servername.tld;
    auth_basic                        "Restricted";
    auth_basic_user_file              /etc/nginx/.passwords;
    dav_methods                       PUT DELETE MKCOL COPY MOVE;
    dav_ext_methods                   PROPFIND OPTIONS;
    dav_access                        user:rw group:rw all:r;
    client_body_temp_path             /home/servername.tld/temp;
    client_max_body_size              0;
    create_full_put_path              on;

I inserted these lines before the “auth_basic” line:

    if ($cookie_NAME  = VALUE) {
        set $loggable 0;
    if ($cookie_NAME != VALUE) {
        return 403;

Since I’m using SSL/TLS for everything, my cookies are encrypted. The files on the server are encrypted. Getting a file from the server would be a feat in itself. Decrypting it without knowing the master password would be another feat. I’m not worried about it. The files are more secure than they would be with any other online password manager.


Before I set up my WebDAV server, I knew very little (next to nothing) about it. I found the foundation reference here.

If you’re new to setting up SSL on Nginx, the example I gave may throw you off. Except for the listen line, the SSL configuration is at the HTTP level instead of the SERVER level. That’s because I use a LetsEncrypt wildcard certificate for all the subdomains.

The basic authorization does almost the same thing as the cookie check. With the cookie check, however, visitors (other than me) will get a 403 forbidden error code and nothing else. Also, no one can connect using a file manager, not even me. [Note: I only add the cookie check when I want to restrict access to a web browser extension.]

WebDAV Security

There are five methods or levels of security (of various effectiveness):

I check my access and error logs frequently (using an automated script). I should never even see the host name appear.

WebDAV Gotchas

While I was setting things up, I found I had to make the group writable on the server. That means file permissions of 775/664 instead of 755/644. I spent a few hours trying to figure it out.

Since “www-data” is the server user name, I added my chosen user name to its group and vice-versa.


RT Cunningham
August 6, 2019 7:00 pm
Web Development