After upgrading from Apache 2.2 to 2.4, many developers encounter HTTP 405 errors when trying to list WebDAV directories, particularly when using PROPFIND requests. The working and non-working configurations appear identical at first glance, making this especially frustrating.
Apache 2.4 introduced several authorization changes that affect WebDAV:
# Old 2.2 syntax:
Order allow,deny
Allow from all
# New 2.4 syntax:
Require all granted
The working configuration shows successful 207 responses while the problematic one returns 405. This suggests the
Let's examine the critical sections:
<Directory /home/web/notworking/dev/>
Options Indexes FollowSymLinks
DAV On
AuthType Basic
AuthName "WebDAV Restricted"
AuthUserFile /etc/apache2/htpasswd-webdav
Require valid-user
</Directory>
Three potential solutions:
- Explicitly enable PROPFIND in Directory section
- Add proper Method permissions
- Ensure proper module loading order
# In httpd.conf or apache2.conf
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule authz_core_module modules/mod_authz_core.so
Here's a verified working setup:
<VirtualHost *:80>
ServerName webdav.example.com
DocumentRoot /var/www/webdav
<Directory /var/www/webdav>
DAV On
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
<LimitExcept GET POST OPTIONS>
Require valid-user
</LimitExcept>
<Limit GET POST OPTIONS PROPFIND>
Require all granted
</Limit>
</Directory>
</VirtualHost>
Enable verbose logging:
LogLevel debug
ErrorLog /var/log/apache2/webdav_error.log
CustomLog /var/log/apache2/webdav_access.log combined
Ensure proper filesystem permissions:
chown -R www-data:www-data /home/web/notworking/dev
find /home/web/notworking/dev -type d -exec chmod 775 {} \;
find /home/web/notworking/dev -type f -exec chmod 664 {} \;
If using SELinux:
chcon -R -t httpd_sys_content_t /home/web/notworking/dev
semanage fcontext -a -t httpd_sys_content_t "/home/web/notworking/dev(/.*)?"
restorecon -Rv /home/web/notworking/dev
When upgrading from Apache 2.2 to 2.4, many administrators encounter unexpected 405 errors with WebDAV operations, particularly during directory listing (PROPFIND requests). The core issue often lies in subtle configuration differences between versions.
Apache 2.4 introduced significant security changes in authorization handling. The working configuration shows proper authentication setup:
<Limit GET POST PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Require valid-user
</Limit>
However, the non-working configuration might have hidden permission issues. Let's examine the critical components:
While both directories show identical permissions:
drwxr-xr-x 7 www-data www-data 26 Dec 24 12:07 dev
The actual SELinux context (if enabled) or parent directory permissions might differ. Verify with:
namei -l /home/web/notworking/dev/
ls -laZ /home/web/notworking/
Ensure these modules are loaded in correct order:
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule authz_core_module modules/mod_authz_core.so
Here's a robust virtual host configuration that works in Apache 2.4:
<VirtualHost *:80>
ServerName webdav.example.com
DocumentRoot /var/www/webdav
<Directory /var/www/webdav>
DAV On
Options Indexes FollowSymLinks
AuthType Basic
AuthName "WebDAV Restricted"
AuthUserFile /etc/apache2/webdav.passwd
AuthBasicProvider file
<RequireAny>
Require method GET POST OPTIONS
Require method PROPFIND
Require valid-user
</RequireAny>
DirectorySlash Off
AllowOverride None
</Directory>
ErrorLog ${APACHE_LOG_DIR}/webdav_error.log
CustomLog ${APACHE_LOG_DIR}/webdav_access.log combined
</VirtualHost>
When troubleshooting, enable these logging directives:
LogLevel debug
DavLockDB "/var/lock/apache2/DAVlock"
Some WebDAV clients (like Cyberduck) may need specific settings. Test with different clients or the command line:
curl -X PROPFIND --user username:password \
-H "Depth: 1" \
http://webdav.example.com/
- Verify RequireAll/RequireAny directives
- Check for conflicting .htaccess files
- Test with DirectorySlash On/Off
- Validate authentication provider chain