Thursday, September 13, 2012

How to disable WebDAV in Plone


You can't disable WebDAV in Plone itself; it's tightly integrated into Zope.

Running WebDAV on another port would be okay, but using the webdav-address directive in buildout will only add an additional port on which Zope listens (webdav-source-server part in zope.conf). The existing port will still accept WebDAV traffic.

What you can do: Make your web server filter out the WebDAV commands. For nginx, this is done by adding
            dav_methods off;
to the server block in your nginx.conf.

For Apache, see http://stackoverflow.com/questions/9127269/how-can-i-stop-people-accessing-a-plone-server-via-webdav Also note the "Access WebDAV" permission referenced in a reply to that question.
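
To check that the front end really refuses WebDAV after such a change, here is an added example (not from the original post) that sends read-only OPTIONS and PROPFIND probes and reports any sign that WebDAV is still reachable. The function names, the set of refusal status codes and the local stub server are assumptions constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

REFUSED = {403, 405, 501}  # assumption: statuses a filtering front end answers with

def webdav_exposure(base_url, path="/", timeout=5):
    """Send read-only WebDAV probes; return findings (empty list = filtered)."""
    u = urlsplit(base_url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    findings = []
    for method, headers in (("OPTIONS", {}), ("PROPFIND", {"Depth": "0"})):
        conn = cls(u.hostname, u.port, timeout=timeout)
        try:
            conn.request(method, path, headers=headers)
            resp = conn.getresponse()
            dav = resp.getheader("DAV")  # WebDAV compliance classes, e.g. "1,2"
            if dav:
                findings.append(f"{method}: DAV header {dav!r} advertised")
            if method == "PROPFIND" and resp.status not in REFUSED:
                findings.append(f"PROPFIND answered with {resp.status}")
        finally:
            conn.close()
    return findings

def start_stub(filtering):
    """Constructed local stand-in for a front end (not a real Plone site)."""
    class Handler(BaseHTTPRequestHandler):
        def _reply(self, status, dav=None):
            self.send_response(status)
            if dav:
                self.send_header("DAV", dav)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def do_OPTIONS(self):
            self._reply(200, None if filtering else "1,2")
        def do_PROPFIND(self):
            self._reply(405 if filtering else 207)
        def log_message(self, *args):
            pass  # keep the demo output quiet
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

if __name__ == "__main__":
    for filtering in (False, True):
        server, url = start_stub(filtering)
        print("filtering" if filtering else "unfiltered", webdav_exposure(url))
        server.shutdown()
```

Point `webdav_exposure()` at the public URL of your own site; a 401 on PROPFIND counts as a finding because it means the request reached Zope's WebDAV handling.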

Other links that helped me:
http://opensourcehacker.com/2011/12/28/minimal-nginx-front-end-configuration-for-plone-on-ubuntudebian-linux/
http://wiki.nginx.org/HttpDavModule

(updated 2012-09-14 to replace limit_except with dav_methods, thanks Gil Forcada)
(2012-10-07: Developer manual updated, http://collective-docs.readthedocs.org/en/latest/serving/webdav.html)
