We aren’t usually operating at peak mental capacity over here. When I do have some brain, I try to spend it on mitigating the low-brain situation. For instance, we want to make sure we keep sharing photos of Taavi. Like this one:

Taavi, chillaxing


  1. Continue to publish baby photos at the URL http://photos.theschleiers.com
  2. Make it safe for us to keep taking photos
    1. Save them to our computers first (where they get backed up), then publish
    2. Limit potential damage from making it easy (below)
  3. Make it easy for us to publish new photos
    1. Manipulate albums as network folders
    2. Sort gallery view by date (not filename — everyone’s are numbered differently)
    3. Use the same URL for uploads, because we’re not trying to have more things to keep track of

Things that didn’t work

Bekki and I both use Macs. The Finder is a WebDAV client. Having refactored all my sites to Lighttpd, I was hoping to use its WebDAV module. But it turns out the Finder is a pretty demanding WebDAV client. nginx’s WebDAV module interoperated poorly too.

I was reminded that the Finder is also an FTP client. I got as far as trying it, only to find out it’s read-only.

I reviewed which network protocols the Finder can read and write, and which servers interoperate. All signs pointed to Apache’s WebDAV implementation. I was reluctant, but accepted the need to allow Apache back into my life.

Under controlled circumstances

My internet-facing reverse proxy is still Pound. Nearly all my sites are still Lighttpd. Now there’s one site that’s Apache. I’m okay with this because:

  • Our originals are elsewhere, and backed up. What you see are copies. If an attacker gains access, they can’t make us lose photos.
  • This Apache instance runs as its own Unix user. If an attacker gains access, they can’t make me lose other stuff.
  • I learned last time around how to make a small, self-contained Apache config. I feel confident in my understanding of what it will and won’t do.

How it works

Last week, when Pound received a request for photos.theschleiers.com, it delegated to my instance of Nathan Arthur’s Gallery app.

This week, Pound delegates to Apache, and Apache delegates typical browser requests to Gallery. For you, no visible change.

When Apache receives a request from a client that looks roughly like the Finder, it requires a login, then speaks full Finder-friendly WebDAV. When Bekki or I have new photos to share, we just copy them over.

Here’s the Apache config that made it safe and easy for us to post photos from Taavi’s third week.
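A sketch of the arrangement described above, added here as an example and not the author's own config. The Unix user, ports, paths and the Finder User-Agent prefix `WebDAVFS/` are assumptions.

```apache
# Added example, not the author's config. Hypothetical values:
#   Unix user "photosdav", Apache on 127.0.0.1:8080 behind Pound,
#   Gallery on 127.0.0.1:8081, album copies in /srv/photos/albums.
# Modules assumed loaded: rewrite, proxy, proxy_http, dav, dav_fs,
# auth_basic, authn_file, authz_user.

# Dedicated account: a compromise of this instance is confined to
# what this user can read and write.
User  photosdav
Group photosdav
Listen 127.0.0.1:8080

# mod_dav_fs needs a lock database writable by the user above.
DavLockDB /var/lib/photosdav/DavLock

<VirtualHost 127.0.0.1:8080>
    ServerName photos.theschleiers.com
    DocumentRoot /srv/photos/albums

    # Requests that do not look like the Finder are proxied to Gallery.
    # User-Agent is client-supplied, so this only routes traffic;
    # it is not an access control.
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} !^WebDAVFS/
    RewriteRule ^/(.*)$ http://127.0.0.1:8081/$1 [P,L]
    ProxyPreserveHost On

    # Everything else falls through to the filesystem as WebDAV.
    # The login is the real gate: a client that spoofs the Finder's
    # User-Agent gets a 401, not write access.
    <Directory /srv/photos/albums>
        Dav On
        # No CGI, no includes, no indexes for uploaded content.
        Options None
        # Ignore any .htaccess file a DAV client uploads.
        AllowOverride None
        # Basic auth sends the password in the clear unless the
        # front proxy terminates TLS.
        AuthType Basic
        AuthName "photos upload"
        AuthUserFile /etc/photosdav/htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```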