https://github.com/emsi76/unifi_rclone.webdav
Simple Webdav Server for Unifi Dream Machine based on RClone
Last synced: 18 days ago
- Host: GitHub
- URL: https://github.com/emsi76/unifi_rclone.webdav
- Owner: emsi76
- License: mit
- Created: 2024-10-20T16:01:51.000Z (2 months ago)
- Default Branch: main
- Last Pushed: 2024-10-21T15:35:17.000Z (2 months ago)
- Last Synced: 2024-10-22T01:08:16.563Z (2 months ago)
- Topics: bash, rclone, udm, unifi, webdav
- Language: Shell
- Homepage:
- Size: 126 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# unifi_rclone.webdav
Transform your Unifi gateway into a NAS with this simple Webdav Server for Unifi Dream Machine (UDM) based on rclone.
- Configurable webdav port and root path, which can also point to your disk (hdd/ssd)
- User/pass management with htpasswd
- Secured with https using the certs of the UDM
- Http(s) basic auth additionally hardened to ban users with more than 10 failed logins in the current hour
- Low consumption of resources (CPU / Mem)
Easy 1-step installation and 2-step configuration should not take more than a few minutes! :-)
This set of scripts installs rclone as a WebDav server (see rclone serve webdav) and sets it up as a service on your UDM, together with a second service that bans users with more than x failed logins in the current hour.
Important Notes
- Applying changes in UnifiOS of your Unifi Dream Machines (UDM) may lead to loss of warranty.
- No liability for damage or malfunctions of your Dream Machine caused by the installation of this utility.
- Operating a WebDav Server on your UDM, and so letting users upload (big) files, can cause the disk storage to run out of space, with corresponding consequences for the stability of the entire system (especially if you are using the internal disk as webdav root).
- The default installation creates a 'webdav' WebDav user with default password 'webdav'. Be sure to change the users/passwords in the htpasswd file, especially before opening ports on your firewall.
- Upgrading your Dream Machine firmware typically requires installing again.
- WebDav data under the root folder is currently persistent after a reboot or even a firmware update. But future upgrades could lead to data loss depending on what Unifi changes in UnifiOS (for critical WebDav data: please back up the root folder before updating).
*** Use it at your own risk! ***
Successfully tested on (only one device so far due to lack of hardware):
Family: UniFi Dream Machine (UDM)
Model: UniFi Dream Machine Pro (UDM-Pro)
- Firmware: 4.0.20 (4.0.20)
- Firmware: 4.0.21 (4.0.21)
Installation
SSH into your UDM and enter:
sudo -v ; curl https://raw.githubusercontent.com/emsi76/unifi_rclone.webdav/refs/heads/main/setup.sh | sudo bash -s -- -i
Configuration
2-Step quick config:
- Environment parameters
There are 4 config items in 'rclone_webdav.env' with the following defaults:
# Defining the Port of the Webdav Server
RCLONE_WEBDAV_PORT=55007
# Defining the root folder of the WebDav Server
RCLONE_WEBDAV_ROOT_PATH=/data/rclone/root
# Defining the path of the log file
RCLONE_WEBDAV_LOG_PATH=/data/rclone/log.txt
# Defining the number of max failed logins per hour for a user before being banned from htpasswd
RCLONE_WEBDAV_FAILED_LIMIT=10
You can set the path to your disk (ssd/hdd) as RCLONE_WEBDAV_ROOT_PATH if you have a corresponding storage.
To make your changes effective, just run the installation command again (see Installation above)!
- User Management
Basic user management can be done via the htpasswd file in the '/data/rclone' folder.
Default WebDav user is 'webdav' with default password 'webdav'.
Please change the default by generating your own user/pass entry to add, e.g. with web2generators htpasswd-generator or htpasswd generator.
Users with more than the configured number of failed logins will be banned. This is achieved by a dedicated service which puts a preceding '#' character before the username in the htpasswd file. To unban a user, remove the preceding '#' character in the htpasswd file manually after investigating the cause.
Don't forget to add a firewall rule (or a port forward rule), if you want to access the webdav server from WAN (and read the Security considerations before).
Update
Same as Installation (existing config, htpasswd and root folder won't be touched; remove them manually if you want a fresh one).
Use (tested WebDav Clients)
Connect with your preferred WebDav Client via https to the url/ip of your UDM using the configured port (default: 55007).
Depending on the ssl certs you are using on your UDM you will have to trust the cert.
Following clients were successfully tested:
| Client Type | Client | App Version(s) |
|---|---|---|
| Browser | Safari | 18.0.1 (MacOS) |
| Browser | Edge | 130.0.2849.52 (MacOS) |
| App | Enpass | 6.11.4 (MacOS / iOS) |
| App | Banking4 | 8.62 (MacOS / iOS) |
| App | PhotoSync | 4.9.1 (iOS) |
Uninstallation
sudo -v ; curl https://raw.githubusercontent.com/emsi76/unifi_rclone.webdav/refs/heads/main/setup.sh | sudo bash -s -- -u
(argument '-u' for uninstallation instead of '-i' for installation)
You will have to remove your config files (htpasswd and rclone_webdav.env) as well as default webdav_root folder by yourself with:
rm -r /data/rclone
If you defined your own WebDav root folder, remove it manually as well.
Security considerations
Rclone uses HTTP basic authentication. Even when additionally secured with https (using the certs of the UDM), the authentication scheme remains poor and is especially unprotected against brute-force attacks, because by default endless login failures are allowed. For this reason, this Webdav server is additionally secured with another service that enforces a maximum number of failed attempts per user and hour. When the limit is exceeded, the user is blocked until manually unblocked in the htpasswd file (by removing the preceding '#' character). The latter makes the server vulnerable to Denial of Service (DoS) for known usernames. This is why you should use non-trivial usernames (not ones like 'admin', 'user', 'guest', ...) and not share usernames with third parties. In addition, it is not recommended to connect to this webdav server from public devices, as the authentication scheme is also poor in its handling of sessions (no logout). Lastly, be aware that all users managed in htpasswd have access to the whole webdav root. In summary, I recommend the following rules to stay secure:
- Do not use standard usernames ('admin', 'user', 'guest', ...).
- Do not connect to this Webdav server from public devices/computers that are not in your ownership or are shared with third parties.
- Do not share usernames with third parties.
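The ban rule described above (more than the configured number of failed logins in one hour puts a '#' in front of the htpasswd entry), as an added illustration that is not the project's own service script. The log line layout, the function names and the sample data are assumptions made for this example; rclone's real log format may differ.

```shell
#!/usr/bin/env bash
# Added illustration of the ban rule; NOT the project's own service script.
# ASSUMPTION (constructed log layout): a failed login is logged as
#   YYYY/MM/DD HH:MM:SS NOTICE: login failed user=<name>

# ban_users LOG HTPASSWD LIMIT HOUR
# HOUR is a timestamp prefix, e.g. "$(date '+%Y/%m/%d %H')" for the current
# hour. Every htpasswd entry whose user has MORE than LIMIT failures in that
# hour gets a leading '#'.
ban_users() {
  local log=$1 htpasswd=$2 limit=$3 hour=$4 tmp
  tmp=$(mktemp) || return 1
  awk -v hour="$hour" -v limit="$limit" '
    FILENAME == ARGV[1] {                      # pass 1: count failures in the log
      if (index($0, hour) == 1 && /login failed/)
        for (i = 1; i <= NF; i++)
          if ($i ~ /^user=/) n[substr($i, 6)]++
      next
    }
    /^#/ { print; next }                       # pass 2: already banned, keep as is
    {
      name = $0; sub(/:.*/, "", name)          # text before the first ":"
      # Names in the log are chosen by whoever tried to log in: compare them
      # as plain strings, never splice them into a sed/grep pattern.
      if ((name in n) && n[name] > limit) print "#" $0; else print
    }' "$log" "$htpasswd" > "$tmp" && cat "$tmp" > "$htpasswd"
  rm -f "$tmp"
}

# banned_users HTPASSWD -> names currently banned (review before unbanning)
banned_users() { sed -n 's/^#\([^:]*\):.*/\1/p' "$1"; }

# Constructed sample data: 3 failures for "alice", 1 for "bob", limit 2.
demo() {
  local d; d=$(mktemp -d)
  printf '2024/10/21 15:0%s:00 NOTICE: login failed user=alice\n' 1 2 3 > "$d/log"
  printf '2024/10/21 15:04:00 NOTICE: login failed user=bob\n' >> "$d/log"
  printf 'alice:CONSTRUCTED_HASH_1\nbob:CONSTRUCTED_HASH_2\n' > "$d/htpasswd"
  ban_users "$d/log" "$d/htpasswd" 2 "2024/10/21 15"
  cat "$d/htpasswd"; rm -rf "$d"
}
demo
```

Because the counter is keyed by username and not by source address, anyone who knows a username can trigger its ban, which is the DoS exposure noted above; `banned_users` lists the entries waiting for manual review.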
Tips
- Find out the path to your added disk (hdd/ssd) with df -h and check the one with the corresponding size:
In this case: /dev/md3 mounted as /volume1 with 1,7 TB available size is the added Disk, so any folder of /volume1 can be configured as RCLONE_WEBDAV_ROOT_PATH
Thanks
- to Unifi for the great hardware/firmware accessible via ssh/bash
- to rclone for the webdav server software which this utility is based on
- to Glenn R. for unifi-lets-encrypt, which makes it possible to run the webdav server with https and the Let's Encrypt certs of the UDM
- to fail2ban for the idea of hardening http basic auth by tailing the log file to ban