You Don’t Need Nextcloud: A Simple WebDAV File Server with rclone
As someone who enjoys self-hosting, its only natural that I would have my own cloud server to sync files between different machines and access my documents when I’m on the go. This is where many start their journey into the world of self-hosting with a desire to break free for corporate centralised services like Google and Dropbox.
For many years, the natural frontrunner was Nextcloud. It’s the de facto, go-to solution for file management and syncing capabilities. I have used Nextcloud for many years now, and it has served both myself and family well.
That was when things started to slow down and file syncing began behaving strangely. For some reason, the built‑in updating tool also stopped working, and I couldn’t be bothered to reinstall it, since installing it the first time had already been messy enough. At this point, it was becoming a security risk. Running it through the Nextcloud scanner tool, I’m embarrassed to admit I scored an “F”!
Nextcloud, like many widely used platforms, has had security vulnerabilities reported over time. A few of these include issues such as Server‑Side Request Forgery (SSRF) in the Mail app, information‑disclosure flaws in older server versions, and access‑control weaknesses that could allow unauthorized access.
It was at this point that I wanted something simpler and faster, with minimal setup and configuration. I needed a solution that was easy to fix and troubleshoot, and secure enough that it wouldn’t leave me vulnerable to attack.
I considered other tools like Seafile and SFTPGo. Both looked promising, but Seafile’s setup struck me as overly complex, while SFTPGo has had notable security issues such as XSS vulnerabilities in the WebClient and an authentication‑bypass path‑normalization flaw in earlier releases.
In the spirit of KISS (Keep it simple, stupid), I opted to go with rclone—an open‑source command‑line tool for managing and synchronizing files across various cloud storage services. It also includes a built‑in WebDAV server.
WebDAV has several advantages: it offers a lightweight, standards‑based way to expose files over HTTP(S) without the full web‑UI and extra services that Nextcloud brings, making it feel more like a headless file server. WebDAV is extensible and works with many clients, including the iOS Files app natively.
It does, however, still requires strong authentication, HTTPS, and strict access controls to avoid common WebDAV‑related risks such as misconfigured permissions or directory‑traversal issues.
Below is a convenient table covering the basic pros and cons of using WebDAV to see if it’s right for you:
| Pros | Cons |
|---|---|
| Simple and lightweight | Single‑user only |
Can be used as a mount target or sync remote with rclone |
Requires further configuration |
| Extensible and works with many WebDAV‑supported clients | No “pretty” web UI |
In this blog post, I’m going to cover how you too can create your very own WebDAV server, using rclone. To get your own simple WebDAV server up and running all you need to do is run rclone serve webdav . in your current directory. It’s a simple as that!
Yes, yes I know this is not a realistic setup. If you want a more robust solution where it runs in the background and on boot, check out the tutorial bellow.
For this tutorial, I’m assuming you have Ubuntu 24.04 (or maybe Ubuntu 26.04 LTS by the time you’re reading this) or Debian.
- Firstly, update and upgrade the system.
sudo apt update && sudo apt upgrade -y
- Next, install
rcloneandapache2-utils. The latter includes tools for HTTP Basic Authentication, which store usernames and hashed passwords that Apache (or other compatible servers) can use to restrict access to web resources. Run the following commands:
sudo -v && curl https://rclone.org/install.sh | sudo bash
sudo apt install apache2-utils -y
- Secure access to the server. To make sure only you have access to the server, we use the
htpasswdtool to create and manage password files. Create htaccess password file and follow steps to create a user and conform password. Replacemyuserwith your own username.
touch /etc/rclone/webdav.htpasswd
htpasswd -B /etc/rclone/webdav.htpasswd myuser
- Create an
rcloneuser, so the service runs under a restricted account without root access.
sudo useradd --system --home-dir /var/lib/rclone --create-home --shell /usr/sbin/nologin rclone
- Give the
rcloneuser ownership of the file directory. Gives the rclone user permission to read-write data to the data directory. Replace/path/to/fileswith your own directory.
chown -R rclone:rclone /path/to/files
- Create
systemdfile. A systemd config file ensures that our server starts on boot and runs in the background.
Description=rclone WebDAV backend
After=network.target
[Service]
Type=simple
User=rclone
Group=rclone
ExecStart=/usr/bin/rclone serve webdav /path/to/data \
--addr :8080 \
--htpasswd /etc/rclone/webdav.htpasswd \
--read-only=false \
--log-file /var/log/rclone-webdav.log
WorkingDirectory=/data/webdav
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
A few extra flags have been added to the rclone command. --addr :8080 tells rclone to listen on port 8080, --htpasswd /etc/rclone/webdav.htpasswd gives rclone access to the htpasswd file, --read-only=false ensures that we can both read and write data to our server, and --log-file /var/log/rclone-webdav.log writes all log activity, making it easier to troubleshoot when issues arise.
Optionally, If you want to take this further, you can look at using something like filestash which provides a convenient front-end interface for many file sharing protocols including WebDAV.