loganmarchione / docker-webdav-nginx

Runs a Nginx WebDav server in Docker
MIT License

Improvements... #39

Open madcoda9000 opened 1 week ago

madcoda9000 commented 1 week ago

Hello,

At first I want to thank you for that image. This is by far the best webdav image I've seen for a while!

I just want to suggest two improvements for further versions, maybe...

  1. Make it possible to provide more than one user. It would be nice to have different logins.
  2. Consider implementing CORS for nginx. There are many apps that don't want to connect to your webdav instance, because of a missing CORS policy (can be done by using add_header).

Best Regards Sascha

loganmarchione commented 1 week ago

Hey, thanks for the feedback! A couple questions:

  1. Currently, the user check is just an if/then statement to see if an env var is set. I can implement more than one user, but it would be kind of clunky (like WEBDAV_USER2=user2 and WEBDAV_PASS2=password2). I guess what I'm saying is, I can't arbitrarily add infinite users. What are your thoughts on three users?
  2. What is your use-case for this? I am admittedly only using cadaver to put things into the webdav location. In my case, this container is running behind a Traefik reverse proxy, so maybe I'm not hitting a CORS issue? Looking at a couple examples here and here, what do you suggest for some values like Access-Control-Allow-Origin and Access-Control-Max-Age? I obviously can't hard-code the Access-Control-Allow-Origin hostname, so maybe a * in that case?

madcoda9000 commented 6 days ago

Hello,

thank you for getting back on this.

  1. Yes, three would be fine :-).
  2. In my case the container is running behind an nginx reverse proxy. I was trying to get keeweb working with webdav. Technically it is working but there is the error message that CORS is not enabled.

And yes, Access-Control-Allow-Origin * would do the trick.

loganmarchione commented 5 days ago

I just pushed 1.0.1 with the ability to add multiple users (I suppose infinite users) by passing this variable

WEBDAV_USERS=user1:password1,user2:password2

It's a breaking change, so you'll need to update the variable to use the new syntax.

Still working out how I want to implement the CORS stuff...

madcoda9000 commented 5 days ago

Ahhh, that is awesome!

Regarding your question about CORS.

Simply modify your webdav.conf from this:

server {
  listen 80 default_server;
  server_name _;

  root /var/www/webdav;
  autoindex on;

  client_max_body_size 250M;
  charset UTF-8;

  location /public {
    dav_methods            PUT DELETE MKCOL COPY MOVE;
    dav_ext_methods        PROPFIND OPTIONS;
    dav_access             user:rw group:rw;

    create_full_put_path   on;

    error_log              /dev/stdout;
    access_log             /dev/stdout;
  }

  location /restricted {
    auth_basic             "Restricted";
    auth_basic_user_file   /etc/nginx/webdav_credentials;

    dav_methods            PUT DELETE MKCOL COPY MOVE;
    dav_ext_methods        PROPFIND OPTIONS;
    dav_access             user:rw group:rw;

    create_full_put_path   on;

    error_log              /dev/stdout;
    access_log             /dev/stdout;
  }

}

to this:

server {
  listen 80 default_server;
  server_name _;

  root /var/www/webdav;
  autoindex on;

  client_max_body_size 250M;
  charset UTF-8;

  location /public {
    dav_methods            PUT DELETE MKCOL COPY MOVE;
    dav_ext_methods        PROPFIND OPTIONS;
    dav_access             user:rw group:rw;

    create_full_put_path   on;

    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK' always;
    add_header 'Access-Control-Allow-Headers' 'Authorization,DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,X-Accept-Charset,X-Accept,origin,accept,if-match,destination,overwrite' always;
    add_header 'Access-Control-Expose-Headers' 'ETag' always;
    add_header 'Access-Control-Max-Age' 1728000 always;

    error_log              /dev/stdout;
    access_log             /dev/stdout;
  }

  location /restricted {
    auth_basic             "Restricted";
    auth_basic_user_file   /etc/nginx/webdav_credentials;

    dav_methods            PUT DELETE MKCOL COPY MOVE;
    dav_ext_methods        PROPFIND OPTIONS;
    dav_access             user:rw group:rw;

    create_full_put_path   on;

    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK' always;
    add_header 'Access-Control-Allow-Headers' 'Authorization,DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,X-Accept-Charset,X-Accept,origin,accept,if-match,destination,overwrite' always;
    add_header 'Access-Control-Expose-Headers' 'ETag' always;
    add_header 'Access-Control-Max-Age' 1728000 always;

    error_log              /dev/stdout;
    access_log             /dev/stdout;
  }

}

loganmarchione commented 4 days ago

I considered that, but opening CORS up to * is a security risk. I'm wondering if there is a way that the user can pass an env var in, which gets injected into the Access-Control-Allow-Origin header...
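
One way to do what the last comment asks, as an added example that is not part of the thread or the project's code: a POSIX shell function a container entrypoint could call to turn an origin allowlist into an nginx map, so that the header echoes back only listed origins. The variable WEBDAV_CORS_ORIGINS, the function name and the output path are assumptions.

```shell
#!/bin/sh
# Added example. WEBDAV_CORS_ORIGINS and render_cors_map are hypothetical names,
# not part of the image. The generated map must be included at http level.
#
# In each location, in place of the '*' header:
#   add_header 'Access-Control-Allow-Origin' $cors_origin always;
#   add_header 'Vary' 'Origin' always;
# nginx omits an add_header whose value is empty, so unlisted origins get no
# Access-Control-Allow-Origin header at all.

render_cors_map() {
  list=$1
  # First pass: character allowlist over the whole value. This rejects "*",
  # quotes, semicolons, whitespace and newlines before anything is written
  # into nginx configuration.
  case $list in
    *[!A-Za-z0-9.:/,-]*)
      echo "invalid character in CORS origin list" >&2
      return 1 ;;
  esac
  entries=""
  rest=$list
  while [ -n "$rest" ]; do
    origin=${rest%%,*}                      # text up to the first comma
    case $rest in
      *,*) rest=${rest#*,} ;;               # drop that entry and its comma
      *)   rest="" ;;
    esac
    # Second pass: each entry must be exactly scheme://host[:port], no path.
    if ! printf '%s' "$origin" |
         grep -Eq '^https?://[A-Za-z0-9.-]+(:[0-9]{1,5})?$'; then
      echo "invalid CORS origin: $origin" >&2
      return 1                              # fail closed: write no config
    fi
    entries="${entries}  \"${origin}\" \"${origin}\";
"
  done
  # An empty allowlist yields only the default, i.e. CORS stays off.
  printf 'map $http_origin $cors_origin {\n  default "";\n%s}\n' "$entries"
}

# Entrypoint usage (path is an assumption):
#   render_cors_map "$WEBDAV_CORS_ORIGINS" > /etc/nginx/conf.d/cors_map.conf || exit 1
```
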