webDAV and CORS

Question

I see some strange behavior on my webServer. Trying to get keeWeb to accept a file from a webDAV share on a different server. If I want to add a WebDAV File which is entered in Form of:

https://FQDN:8443/webdav/file.kdbx

I see the following Headers (FF Developer Tools Headers -> Response Headers):

Access-Control-Allow-Origin:"*"
Access-Control-Allow-Methods:"GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK"
Access-Control-Allow-Headers:"origin, content-type, cache-control, accept, authorization, if-match, destination, overwrite"
Access-Control-Allow-Credentials:"true"

BUT, in the Network Tab i can see an 401: Request Method: Options Status Code: 401 Unauthorized

It seems like the CORS headers get added but the rewrite does not work. My Apache Config:

<Directory /var/www/html/webdav>

Header always set Access-Control-Allow-Origin *
Header always set Access-Control-Allow-Headers "origin, content-type, cache-control, accept, authorization, if-match, destination, overwrite"
Header always set Access-Control-Expose-Headers "ETag"
Header always set Access-Control-Allow-Methods "GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK"
Header always set Access-Control-Allow-Credentials "true"

RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

        DAV On
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile /etc/httpd/.htpasswd
        Require valid-user
</Directory>

Did i miss something or could it be that on the Rewrite does not work on Apache/2.4.6 (CentOS). I really have no idea how to debug a rewrite. Is there a way to trace such things?

TommyPeanuts · Accepted Answer · 2018-05-13 15:19:20Z

The OPTIONS method must not be subject to authorisation, so put it outside of the directory requiring authentication, like this:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ blank.html [R=200,L,E=HTTP_ORIGIN:%{HTTP:ORIGIN}]

<Directory "/path/to/your/directory">
  AuthType "Basic"
  AuthName "Password Manager"
  AuthBasicProvider file
  AuthUserFile "/your/htpasswd.file"
  Require user someuser

  DAV On
  Options Indexes
  Header always set Access-Control-Allow-Origin "*"
  Header always set Access-Control-Allow-Headers "origin, content-type, cache-control, accept, authorization, if-match, destination, overwrite"
  Header always set Access-Control-Expose-Headers "ETag"
  Header always set Access-Control-Allow-Methods "GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK"
  Header always set Access-Control-Allow-Credentials "true"
</Directory>

user430077user430077 · Accepted Answer · 2017-08-08 08:24:27Z

I have exactly the same problem and I have been trying to solve this for months, I just gave up. Server version: Apache/2.4.10 (Raspbian) I tried this in addition to the CORS headers from Keeweb (https://github.com/keeweb/keeweb/wiki/WebDAV-Config)

    Alias /KeePass /var/www/KeePass                                                                                                                                                                               


    <Directory /var/www/KeePass>                                                                                                                                                                              
        DAV On                                                                                                                                                                                                
        AuthType Digest                                                                                                                                                                                       
        AuthName "KeePass"                                                                                                                                                                                    
        AuthUserFile /var/www/passwd.dav                                                                                                                                                                      
        <LimitExcept OPTIONS>                                                                                                                                                                                 
        Require valid-user                                                                                                                                                                                    
        </LimitExcept>                                                                                                                                                                                        
   </Directory>

Stack Exchange Network

webDAV and CORS

2 Answers 2

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged
apache-2.4
webdav
cors
.

Hot Network Questions

webDAV and CORS

2 Answers 2

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged apache-2.4webdavcors.

Related

Hot Network Questions

Not the answer you're looking for? Browse other questions tagged
apache-2.4
webdav
cors
.