[mythtv-users] Friendly Messenger stating that "YOUR MYTHWEB IS INSECURE"

Jacob Steenhagen jacob at steenhagen.us
Mon Feb 11 14:44:15 UTC 2008


On Feb 9, 2008 11:07 PM, Michael T. Dean <mtdean at thirdcontact.com> wrote:
> On 02/09/2008 10:13 PM, Marc wrote:
> > On Feb 9, 2008 2:35 PM, Big Wave Dave <bigwavedave at gmail.com> wrote:
> >> Now if only I could figure out how to run virtual SSL hosts, but I
> >> understand that's pretty much impossible.
> > You should take a look at:
> > http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/
>
> Then you'll have the pleasure of typing in http://mythtv.example.com/
> every time you want to go to MythWeb.
>
> I, personally, prefer an unencrypted name-based virtual host that
> redirects every request to an encrypted named application (i.e.
> https://example.com/mythtv ).  Then, I can just type in
> mythtv.example.com without the https:// cra^H^H^Hprotocol specifier.
>
> Just make sure you also disable the unencrypted version of the app
> (http://example.com/mythtv) to ensure you don't accidentally send your
> password over an unencrypted link.
>
> Mike

I guess I'll throw my couple of pennies into the mix. I use a
combination of Rewrites, Apache Auth, virtual SSL hosts, and ProxyPass
to remotely access my Mythweb install. My mythtv box is not directly
accessible from the outside world and the combination I use allows me
to proxy from my web facing computer to my internal mythweb install.
This works seamlessly (once properly configured on the server) from
any web-connected PC. So, if I'm at my in-laws' house I can access my
mythweb install without having to download PuTTY. It also works from
my mobile phone. For the curious, the following is the relevant section
of my Apache config:

<Location "/mythweb">
    AuthType Basic
    AuthName "MythTV for Jake & Laura"
    AuthUserFile /var/www/mythweb.htpasswd
    Require valid-user
</Location>

<VirtualHost *:80>
    ServerName mythtv.steenhagen.us
    RewriteEngine on
    RewriteRule /(.*) https://mythtv.secure.steenhagen.us/$1 [R]
</VirtualHost>

<VirtualHost *:443>
    ServerName mythtv.secure.steenhagen.us
    ProxyPass / http://mythtv.steenhagen.us/

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    SSLEngine on

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    SSLCertificateFile /etc/pki/tls/certs/secure.steenhagen.us.crt
    SSLCertificateKeyFile /etc/pki/tls/private/private.key
</VirtualHost>


A couple of caveats I seem to remember from when I set it up:
1. All hosts must share the same CertificateFile and KeyFile. This can
be done with either a wildcard certificate or SubjectAltName depending
on what your signing authority accepts (I use CACert
[http://www.cacert.org] which accepts both, but I chose to use the
SubjectAltName). This is because the SSL connection gets set up with
the IP address before the requested hostname is transmitted by the
browser so Apache has no way to know until after the connection is
established.
2. This setup would prompt anytime /mythweb is requested on any
virtual host... but I only use it on the mythtv virtual host, so it's
not a big deal.

-- 
http://jacob.steenhagen.us
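For comparison, below is how the same three-part layout (plain-HTTP redirect, TLS front end with Basic Auth, ProxyPass to an internal box) looks when written for a current Apache 2.4, with the post's cipher line shown beside its replacement. This is an added example, not Jacob's config; the hostnames, file paths, the `192.0.2.10` backend address and the `htpasswd` user are placeholders.

```apache
# Added example: a hardened version of the layout in the post, written
# for Apache 2.4 (needs mod_ssl, mod_proxy, mod_proxy_http, mod_alias,
# mod_headers and mod_authn_file).  Hostnames, paths and the backend
# address are placeholders, not values from the original post.

# Plain HTTP: nothing is served here at all; every request is sent to
# the TLS host.  Because this vhost carries no <Location "/mythweb">
# block, the Basic Auth prompt (and the password) never travels over
# port 80, which is the "disable the unencrypted version" step.
<VirtualHost *:80>
    ServerName mythtv.example.com
    Redirect permanent "/" "https://mythtv.secure.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName mythtv.secure.example.com

    SSLEngine on
    # Post's line: ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    # (still admits SSLv2, export and LOW ciphers).  Replacement:
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on
    # The certificate must cover mythtv.secure.example.com (SAN or wildcard).
    SSLCertificateFile    /etc/pki/tls/certs/mythtv.secure.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mythtv.secure.example.com.key

    # Ask browsers to stop trying http:// for this host (mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"

    # Auth is scoped to this vhost only, so a /mythweb path on any other
    # vhost is not affected (the post's caveat 2).
    <Location "/mythweb">
        AuthType Basic
        AuthName "MythWeb"
        # Keep the password file outside every DocumentRoot and create it
        # with bcrypt:  htpasswd -B -c /etc/httpd/mythweb.htpasswd jake
        AuthUserFile /etc/httpd/mythweb.htpasswd
        Require valid-user
    </Location>

    # Reverse proxy to the internal box, which speaks plain HTTP on the
    # LAN only.  ProxyPassReverse rewrites Location headers in any
    # redirect the backend issues so the browser is not bounced to the
    # internal address.
    ProxyPass        "/" "http://192.0.2.10/"
    ProxyPassReverse "/" "http://192.0.2.10/"
    RequestHeader set X-Forwarded-Proto "https"

    ErrorLog  logs/ssl_error_log
    LogLevel  warn
    CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

Two things to check after dropping this in. First, the ProxyPass target must resolve, on the proxy host, to the internal MythTV box and not back to the proxy's own port 80; if it does, the proxy follows its own redirect and the request loops. Second, caveat 1 from the post only applies to clients and servers without SNI: Apache 2.2.12 and later (with a matching OpenSSL) can hand out a different certificate per name-based TLS vhost, although a client that sends no SNI still receives the first vhost's certificate, so the shared SAN or wildcard certificate remains the safe choice if such clients matter.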