[mythtv-users] MythWeb over HTTPS using mod_rewrite
Joe Nyland
joe at joenyland.co.uk
Fri May 25 15:21:47 UTC 2012
-----Original message-----
> From: Simon Hobson <linux at thehobsons.co.uk>
> Sent: Fri 25-May-2012 15:42
> To: Discussion about MythTV <mythtv-users at mythtv.org>
> Subject: Re: [mythtv-users] MythWeb over HTTPS using mod_rewrite
>
> Can't directly help with the problem, but ...
>
> I assume you've considered the security implications? Is the
> password being requested by the proxy or your MythWeb site behind it?
> If you leave an open proxy then sooner or later you will find someone
> using it to proxy connections to outside sites (to attack them while
> hiding their origin). I see requests probing my servers to see if
> mod_rewrite is active on a regular basis.
>
>
> Ah, just had a thought on your problem.
> I'd have a look at the source and see what is in the function
> "list_update" which is called by the time navigation buttons and
> menus. I'm just thinking that if the "http" is hard coded (rather
> than using the protocol from the page request) then the time
> navigation would be trying to use http instead of https.
>
> You could also try using wireshark or similar to see what traffic is
> actually being sent between your machine and the server.
>
> --
> Simon Hobson
Hi Simon,
Thanks for the input.
Yes, I've considered the security risks of running a reverse proxy and I appreciate your concern. I am however denying normal forward proxy attempts and purely allowing *reverse* proxy attempts - i.e. connections from the internet in to my LAN. I could be wrong, but as this is reverse proxying, this does not mean I am leaving an open proxy for the internet to use.
(Don't get me wrong - if I could afford the option of running multiple IP addresses for the few services I run from my home servers, then I would by all means run a dedicated hardware firewall and separate router to secure this *properly*, but unfortunately I haven't, nor do I see the worth in doing this for my own home use :-).)
I'll have a look at the source later on and see if I can spot anything along the lines that you've suggested.
The Wireshark suggestion is a good one - thanks. Would SSL not get in the way of seeing what was actually requested from the client browser though?
Thanks for your help.
Joe
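
An added example, not part of the original thread: one way to spot the forward-proxy probes Simon mentions in an Apache access log, by flagging `CONNECT` requests and request lines carrying an absolute URI for a host the server does not own. It assumes the common/combined log format; the hostname in `OWN_HOSTS` and the sample log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Hostnames this server legitimately answers for (constructed placeholder).
OWN_HOSTS = {"myth.example.org"}

# Apache common/combined log prefix: ip ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

def classify(request_line, own_hosts=OWN_HOSTS):
    """Return (kind, target_host) for a forward-proxy style request, else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        # CONNECT host:port asks the server to open a tunnel to another host.
        return ("connect", target.rsplit(":", 1)[0].lower())
    if target.lower().startswith(("http://", "https://")):
        host = (urlsplit(target).hostname or "").lower()
        if host and host not in own_hosts:
            return ("absolute-uri", host)
    return None

def find_probes(lines, own_hosts=OWN_HOSTS):
    """Return (client_ip, kind, target_host, status) for each suspicious line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m.group("request"), own_hosts)
        if hit:
            findings.append((m.group("ip"), hit[0], hit[1], int(m.group("status"))))
    return findings

# Constructed sample log lines (documentation IP ranges and example domains).
SAMPLE_LOG = [
    '192.0.2.10 - joe [25/May/2012:15:01:02 +0000] "GET /mythweb/tv/list HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/May/2012:15:03:11 +0000] "GET http://www.example.com/ HTTP/1.1" 403 210',
    '203.0.113.5 - - [25/May/2012:15:04:40 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 405 230',
    '192.0.2.10 - joe [25/May/2012:15:06:09 +0000] "GET https://myth.example.org/mythweb/ HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for finding in find_probes(SAMPLE_LOG):
        print(finding)
```

A flagged request that received a 2xx status is worth checking by hand, since the status code alone does not show whether the response came from the remote host or from local content.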