Please read and follow the previous Synology setup posts before installing WebDAV.
- Securing Synology NAS
- Synology - Map Domain with DDNS
- Synology - Setup Let's Encrypt SSL Certificates
Go to the Package Center on your Synology NAS device. Install the 'WebDAV Server'.
There are very few options to configure in WebDAV. But there are some security issues and permission issues to consider. Please feel free to change the permissions described below.
WebDAV Settings Tab
Go to the main menu and then open WebDAV Server. Enable HTTPS. Optionally change the default port from 5006 to whatever you desire as long as it isn't in use already. (1025 - 65535) You may choose to enable the WebDAV log as well. Finally you have the option of limiting the speed. Click 'Apply' once you are done.
Create a WebDAV Group and User
By default only the administrators group has access to WebDAV. However, I don't want to allow administrative access from the web. So I will create a new group and a new WebDAV user. This user should also have 2FA enabled for increased security.
Go to: Control Panel > Group
- Group name = webdav (Or whatever you prefer)
- Group description = WebDAV Access Group
Skip the shared folder permissions as of now. We will be creating one or more shared folders for WebDAV.
Allow 'WebDAV Server' application permissions.
Go to: Control Panel > User
- Name = <choose_name> (I used 'webby' for now)
- Description = WebDAV User Access
- Email = optional
- Password = Create a password that meets your password rules requirements.
- Click 'Next'.
Add the user to the 'webdav' group. By default it is already part of the users group. Click 'Next'.
Skip granted shared folder access for now.
Allow the user to access the 'webDAV Server' application.
Create One or More Shared Folders
I don't like the idea of opening every folder in the root directory to WebDAV. I will create one folder for uploads with RW access. And add one or more folders with RO access. This may include some of the existing shared folders.
Go to: Control Panel > Shared Folders
First we will create an upload folder with RW permissions. Click 'Create'.
- Name = upload
- Description = WebDAV Upload Folder
- Click 'Next'
Optionally encrypt this folder. Click 'Next' and then 'Apply'. Now we can setup our basic folder permissions.
- Local users:
- admin - No access
- Your new Admin user - will have RW by default. - No access
- webby (or whatever WebDAV user you created) -
- Local groups:
- administrators - RW
- webdav - RW
- System internal user:
- I need to experiment a bit more. Right now all system IDs have no access. But a few may need RO and possibly RW access.
There are some interesting advanced permissions. I need to experiment a bit more before adding any recommended setup steps for those permissions.
Pick one of your existing shared folders. Edit it. Change the group permissions for the webdav group to RO.
Verify DSM Access with New User
First verify that your new user has DSM access and set the password. Verify you can see your new 'upload' folder and whatever RO folder you chose. Upload a test file to your upload directory.
Add WebDAV SSL Certificate
Go to: Control Panel > Security > Certificate
Select your new SSL certificate. Then select 'Configure'. For the 'WebDAV Server' service change the certificate from the default synology.com certificate to your new SSL certificate. Click 'OK'.
Verify WebDAV Access
First we need to edit our hosts file. When we setup our SSL certificate we updated our hosts file and mapped 'syno.lab.example.com' to our internal private IP address (192.168.x.y). Now we need to disable this temporarily while we test out WebDAV. This is a good reason why you may want to get 2 Let's Encrypt SSL certificates with different subdomains.
- notepad C:\Windows\System32\drivers\etc\hosts
- put a hash tag in front of the 192.168.x.y address for your NAS
- save the file
- NOTE: Re-enable this mapping and test WebDAV access from your internal LAN as well. You may want to eliminate SMB access or other access methods and simply use WebDAV.
In Windows we can now map a network drive to our new WebDAV setup. Open File Explorer and then right click on 'This PC'. Select 'Map network drive'. Then fill out the new window as shown below.
- Drive - choose any free drive letter you desire
- Folder = https://syno.lab.example.com:5006
- Check 'Connect using different credentials
- Click finish and then enter your ID and password
- webby (The ID we created above)
- passw0rd - Enter your password
Again verify that you can upload a file.
You may want to run 'tcpdump' on your NAS to see if any packets are hitting it.
tcpdump -i eth0 -lnpt tcp and port 5006
Limit Administrators Group WebDAV Access
You can access WebDAV with the new administrator ID you previously created. It actually won't have access to the upload folder. But I don't want administrative access available from the web.
Go to: Control Panel > Group
Select the 'administrators' group and then click 'Edit'. Go to the 'Applications' tab. Scroll down to the WebDAV Server line. Change the permissions from 'Allow' to either 'Deny' or 'By IP'. I am setting up 'By IP' and I will whitelist my internal private subnet. Typically home routers use a /24 subnet from the 192.168/16 network. If your home network is 192.168.55.0/24 you would enter the information as shown below. Adjust the subnet as required.
Limit WebDAV Access for the Admin User
We also need to limit WebDAV access by subnet for the newly created admin user. Go to the user panel in the control panel. Edit your administrator ID. And go to the Applications tab and repeat the steps above. Limit WebDAV access by IP to your local subnet.
Now verify your admin ID can access WebDAV locally but not from the internet.
2FA Not Available for WebDAV
Unfortunately 2FA is not available via WebDAV. At least not at this time. This is another reason to select strong passwords and to limit which folders are accessible over the web.
There are numerous WebDAV clients available for IOS and Android. Choose your favorite and have remote access to your files.
This is actually a better place to store your Keepass database. And other files that you may need to access away from home but want to keep away from prying eyes.
Although access via a VPN is probably a bit more secure. But that is debatable.