使用 Nginx 搭建 Webdav 服務
一、 自簽名根證書
1. 生成根證書金鑰
openssl genrsa -out ./root.key 2048
2. 生成根證書
openssl req -x509 -new -key ./root.key -out ./root.pem -days 365
互動資訊
Country Name (2 letter code) []:CN
State or Province Name (full name) []:HeNan
Locality Name (eg, city) []:HZG
Organization Name (eg, company) []:www.hzg.com
Organizational Unit Name (eg, section) []:HZG
Common Name (eg, fully qualified host name) []:HZG
Email Address []:123456789@qq.com
二、生成應用證書
1. 生成應用證書金鑰
openssl genrsa -out webdav.key 2048
2. 生成應用證書請求
openssl req -new -key webdav.key -out webdav.csr
3. 建立證書附加用途檔案
基於域名的證書
這裡解決的問題是瀏覽器訪問網頁驗證證書域名的問題,儲存為 webdav.ext 檔案,生成證書的時候使用
基於域名的證書
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
DNS.1=hzgwebdav.com
DNS.2=*.hzgwebdav.com
基於IP的證書
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
IP.1=192.168.0.1
IP.2=192.168.0.2
4. 簽發證書
openssl x509 -req -in webdav.csr -CA root.pem -CAkey root.key -CAcreateserial -out webdav.crt -days 365 -sha256 -extfile webdav.ext
三、Nginx 部署 Webdav 服務
1. 生成 Webdav 使用者密碼檔案
echo hzg:$(openssl passwd -crypt 12345678)>/path/certs/webdav/webdavpasswd
2. Nginx WebDav 配置
注意 Nginx 需要安裝以下模組
nginx-dav-ext-module
ngx_http_headers_module
dav_ext_lock_zone zone=davlock:10m;
# Http 配置
server {
listen 8080;
server_name hzgwebdav.com *.hzgwebdav.com;
location / {
root /path/webdav;
autoindex_localtime on;
set $dest $http_destination;
if (-d $request_filename) { # 對目錄請求、對URI自動新增"/"
rewrite ^(.*[^/])$ $1/;
set $dest $dest/;
}
if ($request_method ~ (MOVE|COPY)) { # 對MOVE|COPY方法強制新增Destination請求頭
more_set_input_headers 'Destination: $dest';
}
if ($request_method ~ MKCOL) {
rewrite ^(.*[^/])$ $1/ break;
}
client_body_temp_path /tmp;
dav_methods PUT DELETE MKCOL COPY MOVE; # DAV支援的請求方法
dav_ext_methods PROPFIND OPTIONS LOCK UNLOCK; # DAV擴充套件支援的請求方法
dav_ext_lock zone=davlock; # DAV擴充套件鎖繫結的記憶體區域
create_full_put_path on; # 啟用建立目錄支援
dav_access user:rw group:r all:r; # 設定建立的檔案及目錄的訪問許可權
auth_basic "Authorized Users WebDAV";
auth_basic_user_file /path/certs/webdav/webdavpasswd;
}
}
# Https 配置
server {
listen 443 ssl;
server_name hzgwebdav.com *.hzgwebdav.com;
autoindex on;
ssl_certificate "/path/certs/webdav/webdav.crt";
ssl_certificate_key "/path/certs/webdav/webdav.key";
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 ;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling off;
location / {
root /path/webdav;
autoindex_localtime on;
set $dest $http_destination;
if (-d $request_filename) { # 對目錄請求、對URI自動新增"/"
rewrite ^(.*[^/])$ $1/;
set $dest $dest/;
}
if ($request_method ~ (MOVE|COPY)) { # 對MOVE|COPY方法強制新增Destination請求頭
more_set_input_headers 'Destination: $dest';
}
if ($request_method ~ MKCOL) {
rewrite ^(.*[^/])$ $1/ break;
}
client_body_temp_path /tmp;
dav_methods PUT DELETE MKCOL COPY MOVE; # DAV支援的請求方法
dav_ext_methods PROPFIND OPTIONS LOCK UNLOCK; # DAV擴充套件支援的請求方法
dav_ext_lock zone=davlock; # DAV擴充套件鎖繫結的記憶體區域
create_full_put_path on; # 啟用建立目錄支援
dav_access user:rw group:r all:r; # 設定建立的檔案及目錄的訪問許可權
auth_basic "Authorized Users WebDAV";
auth_basic_user_file /path/certs/webdav/webdavpasswd;
}
}