Lighttpd

There are many idioms in your config that suggest that you have followed external tutorials (which is generally ok), but that you also have not spent much time reading through the official lighttpd documentation on this site: lighttpd wiki

For example, every single Let's Encrypt example on this website recommends a configuration for Let's Encrypt certificates that is different from yours. HowToSimpleSSL
lighttpd TLS docs is a longer page, but discusses the historical misuse of ssl.ca-file

Nesting $SERVER["socket"] inside other lighttpd conditions has always been wrong, and modern lighttpd version issue a warning about these incorrect configurations. Have you checked your lighttpd error log, or systemd journalctl? Have you tried lighttpd -tt -f /etc/lighttpd/lighttpd.conf

HowToRedirectHttpToHttps suggest more efficient redirection from HTTP to HTTPS.

I mention all of this because you are asking questions how to configure lighttpd authentication. You mention https://redmine.lighttpd.net/boards/2/topics/9767, but have you read the official lighttpd documentation for mod_auth? What have you tried in your attempt to authenticate with the Baikal sqlite database?

• https://discourse.pi-hole.net/t/host-website-alongside-pi-hole-interface/31832
• https://tech.borpin.co.uk/2019/03/22/letsencrypt-ssl-certificates-by-dns-challenge-with-lighttpd/

The goal was to reuse the lighttpd comming with PiHole and get some CalDav/CardDav server working in the local LAN. After I discovered, that the Apple Mac CarDav client will not work, unless the CardDav server supports HTTPS I was forced to move my domains DNS to Cloudflare and set up the certbot.

It took me a lot of time and i was totally happy after I get it finally working, but reading the documentation is sure a good idea. If I understand the HowToSimpleSSL right I can use the

ssl.pemfile
ssl.privkey

options and do not need the step with combining them in the web.pem file. That is great, since I won't need the renewal hook.

sudo lighttpd -tt -f /etc/lighttpd/lighttpd.conf does not give me any errors, also /var/log/lighttpd/pim.karlitos.net_error.log is empty.

• beside CalDav and CardDav there will be possibility to access WebDav under the domain pim.karlitos.net
• the WebDav server will be accessible with the username and credentials managed by Baikal

Any help will be very appreciated.

If you have not figured it out by now, I respond rudely to "Do it for me" requests. A request is a "Do it for me" request if you have not shared what you have tried, which gives the impression to others that you have tried nothing.

I never before delt with Web-servers or lighttpd and I am trying to understand where to start,

Start by reading the official documentation. (Ask yourself why you did not consider that the most obvious place to start.)
Examples how to configure lighttpd authentication are in mod_auth documentation.

Any help will be very appreciated.

Read the official lighttpd documentation and show what you tried.

I never before delt with Web-servers or lighttpd and I am trying to understand where to start,

I do not believe that is entirely true because if that were the case, then you should have precisely followed the tutorial you mentioned (https://www.howtoforge.de/anleitung/wie-man-webdav-mit-lighttpd-auf-debian-etch-konfiguriert/) and gotten that working before attempting to make further changes/improvements.

reading the documentation is sure a good idea

Yes. ssl.privkey was added in lighttpd 1.4.53, released Jan 2019 over three years ago and was documented on this site over three years ago.

I will now read the mod_auth documentation, but generally I never before delt with Web-servers or lighttpd and I am trying to understand where to start, so I can achieve following goal:

• beside CalDav and CardDav there will be possibility to access WebDav under the domain pim.karlitos.net
• the WebDav server will be accessible with the username and credentials managed by Baikal

Yes, lighttpd can support multiple applications under different URL-paths.
(Whether or not those applications play nicely together is specific to those applications.)

Yes, lighttpd mod_auth with mod_authn_dbi can be configured to use a sqlite database for authentication, as long as the database is configurable to work with mod_authn_dbi

It looks to me like the lighttpd mod_auth documentation -- which shows some general examples -- can be filled in using Baikal-specific details found in config/baikal.yaml.dist and Core/Resources/Db/SQLite/db.sql in the Baikal source tree.

Hello and sorry for the impression that this is a "Do it for me" request. I tried now to "do the homework" as best I could - read the documentation for mod_authn_dbi and mod_webdav

I changed the "redirection to HTTPS" according to the HowToRedirectHttpToHttps and changed the settings for the SSL. Even thought:

Nesting $SERVER["socket"] inside other lighttpd conditions has always been wrong

I am still scratching my head "what to put where", since lighttpd already complained about:

ssl.engine is valid only in global scope or $SERVER["socket"] condition

when putting all the ssl options directly under the $HTTP["host"] block and do only want HTTPS in this virtual host.

I took also a look in the Baikal sqlite database and in the users table, in the baikal.yaml file and also wen through the baikal source code It looks, like that the hashes stored in the users table in the sqlite database for baikal are identical with the value of MD5 where the realm is the value from the baikal.yaml file. Then I bumped into some errors which I resolved by installing missing Debian packages lighttpd-mod-webdav, lighttpd-modules-dbi, libdbd-sqlite3
After all that, my /etc/lighttpd/external.conf looks now like this:

server.modules += (
    "mod_openssl",
    "mod_alias",
    "mod_webdav",
    "mod_authn_dbi" 
    )

$HTTP["host"] =~ "^(www\.)?pim.karlitos.net$" {

    $SERVER["socket"] == ":443" {
        ssl.engine = "enable" 
        ssl.pemfile = "/etc/letsencrypt/live/pim.karlitos.net/fullchain.pem" # concatenation of cert.pem and chain.pem 
        ssl.privkey = "/etc/letsencrypt/live/pim.karlitos.net/privkey.pem" # Private Key 
    }

    server.name = "pim.karlitos.net" # Domain Name OR Virtual Host Name
    server.document-root = "/var/www/html/baikal/html/" 
    server.errorlog = "/var/log/lighttpd/pim.karlitos.net_error.log" 
    accesslog.filename = "/var/log/lighttpd/pim.karlitos.net_access.log" 

    $HTTP["url"] =~ "/(\.ht|Core|Specific|config)/" {
        url.access-deny = ("")
    }

    $HTTP["scheme"] == "http" {
        # redirect HTTP requests to HTTPS
        url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
        url.redirect-code = 308
    }

    url.redirect = (
        "^/.well-known/caldav"  => "/dav.php",
        "^/.well-known/carddav" => "/dav.php" 
    )

    # webdav settings
    alias.url = ( "/webdav" => "/var/www/dav" )
    $HTTP["url"] =~ "^/webdav($|/)" {
        webdav.activate = "enable" 
        webdav.is-readonly = "disable" 
        webdav.sqlite-db-name = "/var/run/lighttpd/lighttpd.webdav_lock.db" 
        auth.backend = "dbi" 
        auth.backend.dbi += (
            "sql" => "SELECT digesta1 FROM users WHERE username='?'",
            "dbtype" => "sqlite3",
            "dbname" => "db.sqlite",
            "sqlite3_dbdir" => "/var/www/html/baikal/Specific/db/" 
        )
        auth.require = ( "" => ( "method" => "digest",
                                 "realm" => "BaikalDAV",
                                 "require" => "valid-user" ) )
    }
}

Using the cadaver command-line WebDAV client I am able to connect to https://pim.karlitos.net/webdav

cadaver https://pim.karlitos.net/webdav
Authentication required for BaikalDAV on server `pim.karlitos.net':
Username: karlitos
Password: 
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
Coll:   locks                               4096  Mai  1 22:50
Coll:   temp                                4096  Mai  1 22:50

Sadly, the Joplin app gives me still following error, when trying to set the WebDAV for the a synchronization:

Error. Please check that URL, username, password, etc. are correct and that the sync target is accessible. The reported error was:
PROPFIND : Unknown error 2 (401): <?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>401 Unauthorized</title> </head> <body> <h1>401 Unauthorized</h1> </body> </html> (Code 401)

In the /var/log/lighttpd/pim.karlitos.net_access.log I could see following lines:

1651578831|pim.karlitos.net|OPTIONS /webdav/ HTTP/1.1|401|347
1651578838|pim.karlitos.net|OPTIONS /webdav/ HTTP/1.1|200|0
1651578838|pim.karlitos.net|PROPFIND /webdav/ HTTP/1.1|207|662
1651578859|pim.karlitos.net|PROPFIND /webdav/ HTTP/1.1|401|347

There are no errors in the /var/log/lighttpd/pim.karlitos.net_error.log

NEVERMIND, I found the issue with Joplin: it does not support Digest authentication

But since I use HTTPS and plan to use it in my local network and access remotely only via VPN I can live with this.

Glad you figured most of it out.

For other who might find this: lighttpd can use the sqlite backend storing password digests for multiple parts of the site. See mod_auth doc.
lighttpd can use Digest auth as configured above for /webdav
lighttpd can use Basic auth and that can be configured only for /joplin (or appropriate path)

$HTTP["url"] =~ "^/joplin($|/)" {
        auth.require = ( "" => ( "method" => "Basic",
                                 "realm" => "BaikalDAV",
                                 "require" => "valid-user" ) )
}

Regarding $SERVER["socket"], please search for the string $SERVER["socket"] in lighttpd TLS doc and Configuration: File Syntax

$SERVER["socket"] == ":443" {
    ssl.engine = "enable" 
    # !!! Note: must configure default ssl.pemfile and ssl.privkey for connections on this socket !!!
    #     or else connections to this socket for other vhosts will result in voluminous errors in the errorlog
    ssl.pemfile = "/etc/letsencrypt/live/CATCH-ALL.karlitos.net/fullchain.pem" # concatenation of cert.pem and chain.pem 
    ssl.privkey = "/etc/letsencrypt/live/CATCH-ALL.karlitos.net/privkey.pem" # Private Key
    # (could use pim.karlitos.net/fullchain.pem and privkey.pem here, and then do not need to also list them below)
    # !!! Note: if your full lighttpd.conf (not just external.conf) is already configured to listen on port 443,
    #     and already configured to enable TLS, and already configured with a default certificate,
    #     then omit this $SERVER["socket"] == ":443" and leave the certificate configured below for the vhost.
}

$HTTP["host"] =~ "^(www\.)?pim.karlitos.net$" {
    ssl.pemfile = "/etc/letsencrypt/live/pim.karlitos.net/fullchain.pem" # Let's Encrypt fullchain.pem
    ssl.privkey = "/etc/letsencrypt/live/pim.karlitos.net/privkey.pem"   # Let's Encrypt privkey.pem
}

when putting all the ssl options directly under the $HTTP["host"] block and do only want HTTPS in this virtual host.

That is not how TLS works. TLS negotiation, including certificate exchange, occurs at the beginning of the socket connection. The server name is sometimes, but not always, provided in the TLS SNI extension. However, certificates must be configured on the socket for the lighttpd server to send to the client during the TLS negotiation.

My joy lasted not very long, Joplin sync stopped working very soon with:

Unknown error 2 (412) - 412 Precondition Failed

I discovered, that there are already many bug reports mentioning this issue:
Sync with lighttpd webdav PUT 412 #3457
Error “412 Precondition Failed” with lighthttp WebDAV server
In this bugreport on GitHub the author states this as a bug inside lighttpd:

This is a bug in their WebDAV implementation so it needs to be reported either to mailbox.org or OpenXchange.

For various reasons described there, Joplin sends a random "If-None-Match" header with PROPFIND call. A non-buggy implementation like Nextcloud would look at >this header, see that it doesn't correspond to any resource (it's a cache miss), and thus send back what was requested.

However OpenXchange seems to look at this tag, see that there's no such resource and respond with an error. According to RFC-7232, it shouldn't because it's >just a cache miss - it should just send back the requested resource.

referencing this piece of code under "there"

I am wondering what can be done here. I opened the developer tools and commented the line out responsible for sending of the random invalid string as eTag, and the 412 error was gone. Can there be something done on the lighttpd side ?

After getting rid of the 412 error, next one popped in the Joplin app:

16:00:44: Synchronizer: Error: PUT 083a3317d84947f7b04fde04d3ec1dae.md: Unknown error 2 (403): <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>403 Forbidden</title>
 </head>
 <body>
  <h1>403 Forbidden</h1>
 </body>
</html>

    at newError (/Applications/Joplin.app/Contents/Resources/app.asar/node_modules/@joplin/lib/WebDavApi.js:415)
    at WebDavApi.exec (/Applications/Joplin.app/Contents/Resources/app.asar/node_modules/@joplin/lib/WebDavApi.js:445)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:95)
    at async FileApiDriverWebDav.put (/Applications/Joplin.app/Contents/Resources/app.asar/node_modules/@joplin/lib/file-api-driver-webdav.js:201)

This is what appeared in the pim.karlitos.net_error.log

2022-05-04 16:05:33: response.c.158) Response-Header:\nHTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8\r\nAccept-Ranges: bytes\r\nETag: "1997969442"\r\nLast-Modified: Wed, 04 May 2022 13:49:11 GMT\r\nContent-Length: 200\r\nExpires: Wed, 04 May 2022 14:05:33 GMT\r\nCache-Control: max-age=0\r\nDate: Wed, 04 May 2022 14:05:33 GMT\r\nServer: lighttpd/1.4.59\r\n\r\n
2022-05-04 16:05:33: mod_webdav.c.3579) XML-request-body: <?xml version="1.0" encoding="UTF-8"?>\n\t\t\t<d:propfind xmlns:d="DAV:">\n\t\t\t\t<d:prop xmlns:oc="http://owncloud.org/ns">\n\t\t\t\t\t<d:getlastmodified/><d:resourcetype/>\n\t\t\t\t</d:prop>\n\t\t\t</d:propfind>
2022-05-04 16:05:33: mod_webdav.c.4089) XML-response-body: <?xml version="1.0" encoding="utf-8"?>\n<D:multistatus xmlns:D="DAV:" xmlns:ns0="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">\n<D:response>\n<D:href>/webdav/locks/</D:href>\n<D:propstat>\n<D:prop>\n<D:getlastmodified ns0:dt="dateTime.rfc1123">Wed, 04 May 2022 14:00:44 GMT</D:getlastmodified><D:resourcetype><D:collection/></D:resourcetype></D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n</D:multistatus>\n
2022-05-04 16:05:33: response.c.158) Response-Header:\nHTTP/1.1 207 Multi-status\r\nContent-Type: application/xml; charset="utf-8"\r\nContent-Length: 430\r\nDate: Wed, 04 May 2022 14:05:33 GMT\r\nServer: lighttpd/1.4.59\r\n\r\n
2022-05-04 16:05:33: response.c.158) Response-Header:\nHTTP/1.1 201 Created\r\nETag: "3140308572"\r\nContent-Length: 0\r\nDate: Wed, 04 May 2022 14:05:33 GMT\r\nServer: lighttpd/1.4.59\r\n\r\n
2022-05-04 16:05:33: mod_webdav.c.3579) XML-request-body: <?xml version="1.0" encoding="UTF-8"?>\n\t\t\t<d:propfind xmlns:d="DAV:">\n\t\t\t\t<d:prop xmlns:oc="http://owncloud.org/ns">\n\t\t\t\t\t<d:getlastmodified/><d:resourcetype/>\n\t\t\t\t</d:prop>\n\t\t\t</d:propfind>
2022-05-04 16:05:33: mod_webdav.c.4089) XML-response-body: <?xml version="1.0" encoding="utf-8"?>\n<D:multistatus xmlns:D="DAV:" xmlns:ns0="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">\n<D:response>\n<D:href>/webdav/locks/</D:href>\n<D:propstat>\n<D:prop>\n<D:getlastmodified ns0:dt="dateTime.rfc1123">Wed, 04 May 2022 14:05:33 GMT</D:getlastmodified><D:resourcetype><D:collection/></D:resourcetype></D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n<D:response>\n<D:href>/webdav/locks/1_1_058bd161cea54f63a2063c26bb43d608.json</D:href>\n<D:propstat>\n<D:prop>\n<D:getlastmodified ns0:dt="dateTime.rfc1123">Wed, 04 May 2022 14:05:33 GMT</D:getlastmodified><D:resourcetype/></D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n</D:multistatus>\n
2022-05-04 16:05:33: response.c.158) Response-Header:\nHTTP/1.1 207 Multi-status\r\nContent-Type: application/xml; charset="utf-8"\r\nContent-Length: 724\r\nDate: Wed, 04 May 2022 14:05:33 GMT\r\nServer: lighttpd/1.4.59\r\n\r\n
2022-05-04 16:05:33: response.c.158) Response-Header:\nHTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nContent-Length: 341\r\nConnection: close\r\nDate: Wed, 04 May 2022 14:05:33 GMT\r\nServer: lighttpd/1.4.59\r\n\r\n
2022-05-04 16:05:33: mod_webdav.c.3579) XML-request-body: <?xml version="1.0" encoding="UTF-8"?>\n\t\t\t<d:propfind xmlns:d="DAV:">\n\t\t\t\t<d:prop xmlns:oc="http://owncloud.org/ns">\n\t\t\t\t\t<d:getlastmodified/><d:resourcetype/>\n\t\t\t\t</d:prop>\n\t\t\t</d:propfind>
2022-05-04 16:05:33: mod_webdav.c.4089) XML-response-body: <?xml version="1.0" encoding="utf-8"?>\n<D:multistatus xmlns:D="DAV:" xmlns:ns0="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">\n<D:response>\n<D:href>/webdav/locks/</D:href>\n<D:propstat>\n<D:prop>\n<D:getlastmodified ns0:dt="dateTime.rfc1123">Wed, 04 May 2022 14:05:33 GMT</D:getlastmodified><D:resourcetype><D:collection/></D:resourcetype></D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n<D:response>\n<D:href>/webdav/locks/1_1_058bd161cea54f63a2063c26bb43d608.json</D:href>\n<D:propstat>\n<D:prop>\n<D:getlastmodified ns0:dt="dateTime.rfc1123">Wed, 04 May 2022 14:05:33 GMT</D:getlastmodified><D:resourcetype/></D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n</D:multistatus>\n
2022-05-04 16:05:33: response.c.158) Response-Header:\nHTTP/1.1 207 Multi-status\r\nContent-Type: application/xml; charset="utf-8"\r\nContent-Length: 724\r\nDate: Wed, 04 May 2022 14:05:33 GMT\r\nServer: lighttpd/1.4.59\r\n\r\n
2022-05-04 16:05:33: response.c.158) Response-Header:\nHTTP/1.1 204 No Content\r\nDate: Wed, 04 May 2022 14:05:33 GMT\r\nServer: lighttpd/1.4.59\r\n\r\n

Please review How to get support and note the information you have omitted, which includes the lighttpd version you are running. It is clear that you are trying to provide helpful info. However, you are selectively omitting information, which is not helpful.

In 2020, I posted in one of the issues you referenced: https://github.com/laurent22/joplin/issues/3457#issuecomment-665835705
Have you provided the information I requested? (request and response headers) You posted the response without the associated request headers. The 403 response to the PUT is probably a bad request from Joplin.

Can there be something done on the lighttpd side ?

Did you search the lighttpd forums for "Joplin" or "WebDAV"?
Did you find this? https://redmine.lighttpd.net/boards/3/topics/10193

Have you tested using the latest lighttpd release? If you missed the above forum post -- easily findable by searching for "Joplin" in the upper right corner of this page in the Search box -- and you're not running lighttpd 1.4.64, then you do not have the patch from https://redmine.lighttpd.net/boards/3/topics/10193, which is included in lighttpd 1.4.64.

Many thanks, I did not (yet) searched the lighttpd forum, I will do that. And I am sorry for omitting useful information. I do some more reading, I try to install the lastest lighttpd version and if nothing helps, I will continue in the topic https://redmine.lighttpd.net/boards/3/topics/10193 with more details, captured headers/traffic ...

https://redmine.lighttpd.net/boards/2/topics/10081 adjusted lighttpd handing of PROPFIND Depth: 1 on files, and the patch is in lighttpd 1.4.61.

FYI: lighttpd source code and build instructions

karlitos posted that 412 Precondition Failed does not occur with Joplin when using lighttpd 1.4.64
https://github.com/laurent22/joplin/issues/6450#issuecomment-1117938590

karlitos posted a subsequent Joplin error getting 403 Forbidden at
https://redmine.lighttpd.net/boards/3/topics/10193
Follow-ups there.