Talk:Restricting Access to MythWeb: Apache Access Controls

From MythTV Official Wiki

Design Notes

  • Still a work in progress! Let me get the thing finished (72 hours max) and then people can edit it any way they like.
  • I'm not discussing Digest authentication other than to mention its existence for the following reasons:
  1. Folks don't exactly need it.
  2. Just changing Authtype from Basic to Digest will definitely turn it on, but it's not really doing anything especially more secure than Basic authentication that way.
  3. Fully explaining the difference in "security" (since these are mainly and primarily granularity issues that are not needed for a kiosk-type deployment of Apache) between Basic and Digest authentication would easily double the documentation's size and scope. No thanks.
  • To keep the length of the page down and make it clear to people that it's the steps that are important and not the fine details, distribution-specific issues should be handled by simply mentioning the differences in their own sections (at the bottom), like:
  1. Location of the default httpd.conf
  2. Default DocumentRoot location
  3. Location of the httpd configuration file directory (/etc/httpd or /etc/apache2)
  4. The names of the role user and group accounts the httpd runs as
  5. The name of the htpasswd/htdigest binaries, because some distributions like to be rude and rename the things.
  6. Whether or not you have to do anything special to enable mod_basic/mod_basic_auth (I don't know of any distros that don't include at least this)
  • What will be explained (which should take care of better than 90% of the installs):
  1. How to enable a simple username/password auth
  2. How to enable IP-based restrictions
  3. How to combine these two so that local LAN users aren't asked to supply a password
  • ssh tunneling and Apache+SSL are entirely separate issues, being that those are all about encrypting the pipe and do not actually perform any gatekeeper functions. (...and if someone thinks they need browser certs for this, they should probably up their dosage.)
  • Although I'm trying to avoid explaining "Unix 101" things, the sample commands are written the way they are to avoid "problems" from people who will invariably just blindly cut and paste most of it.

-- Dagmar d'Surreal 13:24, 11 March 2008 (UTC)
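
The third item under "What will be explained" (password auth combined with IP restrictions so that local LAN users aren't prompted) looks like this as an Apache configuration. This is an added example, not part of the original notes or the MythTV wiki article; the directory path, password file path, realm name and LAN range are assumptions to adjust per distribution.

```apache
# Added example. Assumed values: MythWeb lives in /var/www/html/mythweb,
# the LAN is 192.168.1.0/24, and the password file was created with
#   htpasswd -c /etc/httpd/conf/mythweb.htpasswd someuser
# Keep the password file outside the DocumentRoot so it cannot be fetched.

# --- Apache 2.4 syntax ---
<Directory "/var/www/html/mythweb">
    AuthType Basic
    AuthName "MythWeb"
    AuthUserFile "/etc/httpd/conf/mythweb.htpasswd"

    # Access is granted when ANY one rule matches:
    # LAN clients pass on address alone, everyone else must log in.
    <RequireAny>
        Require ip 192.168.1.0/24
        Require valid-user
    </RequireAny>
</Directory>

# --- Apache 2.2 syntax (same policy; use one form, not both) ---
# <Directory "/var/www/html/mythweb">
#     AuthType Basic
#     AuthName "MythWeb"
#     AuthUserFile "/etc/httpd/conf/mythweb.htpasswd"
#     Require valid-user
#
#     Order deny,allow
#     Deny from all
#     Allow from 192.168.1.0/24
#
#     # "Satisfy Any" makes the host check OR the password sufficient.
#     # The default, "Satisfy All", would demand both.
#     Satisfy Any
# </Directory>
```

The IP rule matches the address Apache sees on the connection, so if a reverse proxy on the LAN sits in front of MythWeb, every request appears to come from the LAN and skips the password prompt.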