Well, I am an enthusiastic user of Xmarks (or Foxmarks) and played with this again and again. So this weekend, I finally decided to do it properly. I sat down, recreated the whole WebDAV stuff (even if I cheated off this HowtoForge article).

Always redirect traffic to HTTPS: HTTP Basic authentication sends the username and password merely base64-encoded, so over plain HTTP anyone sitting in the path (MITM) can read them.

Okay, so here are the shortened setup instructions:

  1. Enable mod_access, mod_auth, mod_redirect and mod_webdav in /etc/lighttpd/lighttpd.conf
  2. Create the necessary directories
  3. Create the htpasswd-file
  4. Configure the redirections
mkdir -p /var/www/dav/{web,auth,sql}
chown -R lighttpd:lighttpd /var/www/dav/{web,sql}
htpasswd -c /var/www/dav/auth/htpasswd chrischie

Since we just created the necessary directories, as well as an htpasswd file containing a user, we should be able to change the configuration now:

$SERVER["socket"] == ":80" {
    $HTTP["host"] == "dav" {
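        # %1 is a capture from an enclosing regex (=~) condition; this block matches with ==, so name the host.
        url.redirect = ( "^/(.*)" => "https://dav/$1" )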
    }
}

$SERVER["socket"] == ":443" {
    $HTTP["host"] == "dav" {
        webdav.activate = "enable"
        webdav.is-readonly = "disable"
        webdav.sqlite-db-name = "/var/www/dav/sql/sqlite.db"
        auth.backend = "htpasswd"
        # Must point at the file created with htpasswd -c above.
        auth.backend.htpasswd.userfile = "/var/www/dav/auth/htpasswd"
        auth.require = ( "" => ( "method" => "basic",
                                 "realm" => "webdav",
                                 "require" => "valid-user" ) )
    }
}
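
Before restarting, a configuration like this can be linted for the mistakes that matter in this layout: Basic auth accepted on the plain-HTTP socket, a missing redirect, WebDAV served without `auth.require`, and a userfile path that does not exist. This is an added example, not part of the original post or of lighttpd; `socket_blocks`, `lint`, the `existing_files` parameter and the sample configuration are constructed for illustration, and it assumes `:443` is the only TLS socket.

```python
import re

# Constructed sample: the page's two-socket layout with mistakes planted on purpose.
SAMPLE_CONF = '''
$SERVER["socket"] == ":80" {
    $HTTP["host"] == "dav" {
        webdav.activate = "enable"
        auth.require = ( "" => ( "method" => "basic",
                                 "realm" => "webdav",
                                 "require" => "valid-user" ) )
    }
}
$SERVER["socket"] == ":443" {
    $HTTP["host"] == "dav" {
        webdav.activate = "enable"
        auth.backend = "htpasswd"
        auth.backend.htpasswd.userfile = "/var/www/dav/auth/htaccess"
    }
}
'''

def socket_blocks(conf):
    """Return {port: block text} for each $SERVER["socket"] block (brace-depth scan)."""
    blocks = {}
    for m in re.finditer(r'\$SERVER\["socket"\]\s*==\s*":(\d+)"\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks[m.group(1)] = conf[m.end():i - 1]
    return blocks

def lint(conf, existing_files):
    """existing_files: set of paths present on disk (hypothetical stand-in for os.path.exists)."""
    findings = []
    for port, body in socket_blocks(conf).items():
        tls = port == "443"  # assumption: only :443 is the TLS socket, as on this page
        if not tls and "auth.require" in body:
            findings.append(f":{port} accepts Basic credentials over plain HTTP")
        if not tls and "url.redirect" not in body:
            findings.append(f":{port} does not redirect to HTTPS")
        if "webdav.activate" in body and "auth.require" not in body:
            findings.append(f":{port} serves WebDAV without auth.require")
        for path in re.findall(r'auth\.backend\.htpasswd\.userfile\s*=\s*"([^"]+)"', body):
            if path not in existing_files:
                findings.append(f":{port} userfile {path} is missing")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF, {"/var/www/dav/auth/htpasswd"})))
```

The brace scan does not understand braces inside quoted regexes, so a redirect pattern containing `{` or `}` would need a real tokenizer.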

Now, just restart the lighttpd service and watch your WebDAV shine. Seriously, there are a couple of things you should be aware of:

  1. When using a home-grown WebDAV server with HTTPS (meaning, custom certificate), Firefox is gonna be blocking the site at first (and Xmarks is gonna fail with a rather cryptic "Error 8172"). Navigate to the URL manually and add an exception for the certificate.
  2. Before changing the URLs in Xmarks, I made the error and manually created directories named “bookmarks” and “passwords”, which I then entered in the respective dialog boxes in the settings window. That however made Xmarks cry horribly when running the synchronization.
------ Xmarks/3.1.0 (/Places) starting upload with https://dav ------
>>> PUT https://chrischie@dav/xmarks/bookmarks
>>> Body is: {"commands":[{"action":"insert","nid":"ROOT","args":...
>>> Callback ({status:403, errormsg:""})
Got a 403
False alarm? ({status:403, errormsg:"", auth:(void 0)})
Returned error: Forbidden(403)
Will retry at Sun May 03 2009 16:25:41 GMT+0200

After deleting the folders, it works just fine.