Securing MythWeb
This assumes you have decided to open your web server to the internet and now need to secure it. This guide walks through setting up simple HTTP authentication. See the Apache documentation [1] for more detail or for more secure methods.
There are several ways to secure MythWeb:
- Modify the MythWeb .htaccess file to require password authentication
- Modify the Apache configuration to require password authentication
- Setup an SSH tunnel for remote access to MythWeb (assuming that you do not open your MythWeb server to the internet except for port-forwarding SSH from your router/firewall)
These instructions assume Fedora Core, with MythWeb installed in the default path /var/www/html/mythweb
MythWeb .htaccess
The simplest option is to edit /var/www/html/mythweb/.htaccess and read the comments there about what to uncomment to secure MythWeb. This option does not require Apache to be restarted, but is slightly less efficient than adding the options to the Apache config, because Apache re-reads the .htaccess file on every request. It also only works if the main configuration permits overrides for that directory (AllowOverride AuthConfig for the Auth* and Satisfy directives, AllowOverride Limit for Order/Allow); if your changes appear to have no effect, check the AllowOverride setting first.
You may use either AuthType Basic or AuthType Digest. "Basic" is more compatible; "Digest" is more secure, because the browser sends a hash rather than the password itself. With "Basic" the browser sends the username and password base64-encoded (not encrypted) on every request, so if the server is reachable from the internet, only use it over HTTPS. If you use "Basic", you must use htpasswd to create users. If you use "Digest", you must use htdigest to create users; the two file formats are not interchangeable.
openSUSE 10.2
These steps are for openSUSE 10.2. The instructions are written using "htpasswd2" instead of "htdigest2" because that is what I got to work. I'm sure you could just use "htdigest2"; I'm just not sure how. These steps should work fine though.
1. Create a new password file with htpasswd2
WARNING: the "-c" will wipe out the file if it already exists
/usr/bin/htpasswd2 -c /etc/apache2/conf.d/httpd-passwords userid
You will be prompted to put in a password for the userid
2. create any additional user IDs (no "-c")
/usr/bin/htpasswd2 /etc/apache2/conf.d/httpd-passwords another_userid
3. Find the user:group that apache2 is running as
cat /etc/apache2/uid.conf
Your file will probably look like this:
User wwwrun
Group www
4. Change the ownership of the password file (change "wwwrun:www" to match the "User:Group" from the previous step)
chown wwwrun:www /etc/apache2/conf.d/httpd-passwords
5. If the .htaccess exists, back it up
cd /srv/www/htdocs/mythweb/
cp ./.htaccess ./.htaccess.orig
6. Open .htaccess for modification with nano or vi - whatever floats your boat
nano ./.htaccess
7. The following lines should be present but commented out. Remove the "#" from the start of each line, change the AuthUserFile path to match your setup, and save the file. Changes are immediate.
AuthType Basic
AuthName "MythTV"
AuthUserFile /etc/apache2/conf.d/httpd-passwords
Require valid-user
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
(The BrowserMatch line is only read by mod_auth_digest; it is harmless with Basic.)
Authentication should begin immediately.
8. If you don't want to bother with authentication when you are on the same network, add the following lines and authentication will be bypassed for that network (assuming 192.168.1.0 is your local network):
Order allow,deny
Allow from 192.168.1.
Satisfy any
The "Order allow,deny" line matters. With Apache's default "Order deny,allow", a client that matches no Deny directive is permitted, and "Satisfy any" would then skip authentication for every address, not just your LAN. Make sure nothing lower in the file sets a different Order.
You should not be prompted for authentication now while on the local network. Test from outside (or from an address that does not match the prefix) to confirm the prompt still appears there.
Other Linux
Create a Password File
You will need to create an htdigest password file -- a suggested location is /etc/httpd/conf, but it should be a location that gets backed up regularly.
htdigest -c /etc/httpd/conf/httpd-passwords MythTV MYUSER1
Create additional users as needed:
htdigest /etc/httpd/conf/httpd-passwords MythTV MYUSER2
Please make sure you DO NOT use the -c after the initial user, as this will overwrite the file and start from scratch.
Modify ownership of the file so Apache can read it. Find the user and group Apache is running as with
grep -A 2 ^User /etc/httpd/conf/httpd.conf
then, for example:
chown apache:apache /etc/httpd/conf/httpd-passwords
chmod 640 /etc/httpd/conf/httpd-passwords
Tighter still is to leave the file owned by root with Apache's group (chown root:apache), so that a compromised PHP script running as the web server user can read the file but not rewrite it.
Modify .htaccess
nano /var/www/html/mythweb/.htaccess
The following lines should be present but commented. Remove the "#" from the start of each line, modify them to fit your setup, and save the file. Changes are immediate.
AuthType Digest
AuthName "MythTV"
AuthUserFile /etc/httpd/conf/httpd-passwords
Require valid-user
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
Adding the following optional lines will require authentication only from outside your local network (assuming 192.168.1.0 is your local network):
Order allow,deny
Allow from 192.168.1.
Satisfy any
Do not leave out "Order allow,deny": with the default "Order deny,allow", clients matching no Deny directive are permitted, and "Satisfy any" would then bypass authentication for everyone, not just your LAN.
Authentication should begin working immediately.
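The following shell helper is an added example, not part of MythWeb or of either walkthrough above; it covers the steps the openSUSE and the other-Linux procedures share. It generates the .htaccess authentication block together with the deny-by-default Order that the LAN exemption needs, audits an existing .htaccess for "Satisfy any" used without such a policy, and checks that the password file is not world-readable. The paths, the "MythTV" realm name and the 192.168.1. prefix are assumptions for illustration; the "bad" .htaccess in the demo is constructed to look like the two-line addition on its own.

```shell
#!/bin/sh
# Added example, not MythWeb's own code: helpers for the .htaccess procedures
# above. Paths, the "MythTV" realm and the 192.168.1. prefix are assumptions.

# Print a complete .htaccess authentication block.
#   $1 = password file   $2 = AuthType (Basic|Digest)   $3 = LAN prefix to exempt
write_auth_block() {
    passfile=$1; authtype=$2; lan=$3
    cat <<EOF
AuthType $authtype
AuthName "MythTV"
AuthUserFile $passfile
Require valid-user
EOF
    # Only mod_auth_digest reads this variable; it does nothing with Basic.
    if [ "$authtype" = "Digest" ]; then
        echo 'BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On'
    fi
    cat <<EOF
# Deny by default, then exempt the LAN. With the default "Order deny,allow" a
# client matching no Deny directive is permitted, so "Satisfy any" would let
# the whole internet in without a password.
Order allow,deny
Allow from $lan
Satisfy any
EOF
}

# Audit an .htaccess (or Directory) snippet: 0 = safe, 1 = "Satisfy any" is used
# without a deny-by-default access policy. Comment lines are ignored.
audit_htaccess() {
    f=$1
    if ! grep -qiE '^[[:space:]]*Satisfy[[:space:]]+any' "$f"; then
        echo "$f: no 'Satisfy any'; every client must authenticate"
        return 0
    fi
    if grep -qiE '^[[:space:]]*Order[[:space:]]+allow,deny' "$f" ||
       grep -qiE '^[[:space:]]*Deny[[:space:]]+from[[:space:]]+all' "$f"; then
        echo "$f: OK, 'Satisfy any' is paired with a deny-by-default policy"
        return 0
    fi
    echo "$f: INSECURE, 'Satisfy any' with the default 'Order deny,allow' skips authentication for everyone"
    return 1
}

# Password file check: 0 if not world-readable (0640 or tighter), else 1.
# Ownership is distro-specific (wwwrun:www, apache:apache), so compare that
# against uid.conf or httpd.conf yourself.
check_passfile() {
    f=$1
    if [ -n "$(find "$f" -maxdepth 0 -perm -o+r 2>/dev/null)" ]; then
        echo "$f: world-readable; run: chmod 640 $f"
        return 1
    fi
    echo "$f: OK, not world-readable"
}

demo() {
    d=$(mktemp -d)
    # Constructed "before" file: the auth lines plus only the two LAN-bypass lines.
    printf 'AuthType Basic\nAuthName "MythTV"\nAuthUserFile /etc/httpd/conf/httpd-passwords\nRequire valid-user\nAllow from 192.168.1.\nSatisfy any\n' > "$d/htaccess.bad"
    write_auth_block /etc/httpd/conf/httpd-passwords Digest 192.168.1. > "$d/htaccess.good"
    audit_htaccess "$d/htaccess.bad" || true
    audit_htaccess "$d/htaccess.good"
    : > "$d/httpd-passwords"; chmod 644 "$d/httpd-passwords"
    check_passfile "$d/httpd-passwords" || chmod 640 "$d/httpd-passwords"
    check_passfile "$d/httpd-passwords"
    rm -rf "$d"
}
demo
```

Run it as-is to see the audit flag the two-line version and accept the generated one; point audit_htaccess at your real .htaccess (and check_passfile at your real password file) before exposing the server.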
Apache Configuration
This method is slightly more efficient than the .htaccess method, but is complicated by the fact that you must restart Apache and mis-configuring the Apache configuration file will keep Apache from restarting.
Apache password file
We will start with creating an Apache password file. I put this in /etc/httpd/conf, as I back up this directory every night to one of my other systems.
htpasswd -c /etc/httpd/conf/httpd-passwords MYUSER1
Create additional users as needed:
htpasswd /etc/httpd/conf/httpd-passwords MYUSER2
Please make sure you DO NOT use the -c after the initial user, as this will overwrite the file and start from scratch.
Modify ownership of the file so Apache can read it (use the user and group from your httpd.conf):
chown apache:apache /etc/httpd/conf/httpd-passwords
chmod 640 /etc/httpd/conf/httpd-passwords
Owning the file as root with Apache's group (chown root:apache) is tighter, since the web server user then cannot modify it.
Editing Apache Config
Now edit /etc/httpd/conf/httpd.conf, and add the following section:
<Directory "/var/www/html/mythweb">
    Options Indexes FollowSymLinks
    AuthType Basic
    AuthName "MythTV"
    AuthUserFile /etc/httpd/conf/httpd-passwords
    Require user MYUSER1 MYUSER2 MYUSER3
    Order allow,deny
    Allow from all
</Directory>
Modify the password file location and required users per your needs. "Options Indexes" turns on directory listings, which show every file name in the directory to anyone who can authenticate; leave it out unless you actually want that.
If you have created a link from your music storage area to /var/www/html/mythweb/music, you can add the following to separately secure web access to this:
#MythWeb music configuration
<Directory "/var/www/html/mythweb/music">
    Options Indexes FollowSymLinks
    AuthType Basic
    AuthName "MythTV-Music"
    AuthUserFile /etc/httpd/conf/httpd-passwords
    Require user MYUSER4 MYUSER5
    Order allow,deny
    Allow from all
</Directory>
Again, tailor your password file and users to your needs. You can even use separate password files if you wish!
Restart Apache
Now restart Apache, and you're done:
apachectl configtest
service httpd restart
(The first command, or equivalently httpd -t, checks the configuration for syntax errors before you restart; a broken config is what keeps Apache from coming back up. Both commands may be named differently on your distro.)
Other options
You can do a lot more with these configuration sections, such as restricting access by IP address. Please see the Apache docs [2]. Note that Order, Allow and Satisfy are Apache 2.2 (mod_access) directives; Apache 2.4 only accepts them through mod_access_compat, and the native equivalent is Require ip inside a RequireAny block.
Questions: email me at johanreinalda at yahoo dot com. Preferred is an email to the Myth Users list, however.
Here is the configuration I used to allow users on my LAN to access MythWeb without a password, while requiring outside users to authenticate with a password:
<Directory "/var/www/html/mythweb">
    Options Indexes FollowSymLinks
    AuthType Basic
    AuthName "MythTV"
    AuthUserFile /etc/httpd/conf/httpd-passwords
    Require valid-user
    Order allow,deny
    Allow from 192.168.1.
    Satisfy any
</Directory>
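As an added example (not the page author's configuration and not anything shipped with MythWeb or Apache), the script below renders the <Directory> block from this section for a given path, password file, LAN prefix and user list. It goes a step beyond the page: it emits the Apache 2.2 syntax used throughout this page and also the Apache 2.4 syntax (Require ip inside RequireAny) that replaced Order/Allow/Satisfy, and it wraps the configtest you should run before restarting. Paths, user names and the 192.168.1. prefix are assumptions.

```shell
#!/bin/sh
# Added example, not MythWeb's or Apache's own code: render the <Directory>
# authentication block for MythWeb. Paths, users and the LAN prefix are
# illustrative assumptions.

# $1 = directory, $2 = password file, $3 = LAN prefix exempt from auth ("" for
# none), $4 = Apache version 2.2|2.4, remaining args = allowed users (none, or
# "valid-user", accepts anyone in the password file).
render_mythweb_directory() {
    dir=$1; passfile=$2; lan=$3; ver=$4; shift 4
    users=$*
    [ -z "$users" ] && users="valid-user"
    case "$users" in
        valid-user) req="Require valid-user" ;;
        *)          req="Require user $users" ;;
    esac
    echo "<Directory \"$dir\">"
    # FollowSymLinks is kept for a symlinked music directory; Indexes is left
    # out so directory listings are not exposed to every authenticated client.
    echo "    Options FollowSymLinks"
    echo "    AuthType Basic"
    echo "    AuthName \"MythTV\""
    echo "    AuthUserFile $passfile"
    if [ "$ver" = "2.2" ]; then
        # mod_access (2.2): deny by default, exempt the LAN, then let either
        # the address match or a valid login satisfy the request.
        echo "    $req"
        echo "    Order allow,deny"
        if [ -n "$lan" ]; then
            echo "    Allow from $lan"
            echo "    Satisfy any"
        else
            echo "    Allow from all"
        fi
    else
        # mod_authz_core (2.4): RequireAny passes if any member passes.
        # "Require ip" takes a partial address without the trailing dot.
        if [ -n "$lan" ]; then
            echo "    <RequireAny>"
            echo "        Require ip ${lan%.}"
            echo "        $req"
            echo "    </RequireAny>"
        else
            echo "    $req"
        fi
    fi
    echo "</Directory>"
}

# Syntax-check the live configuration before a restart. Returns Apache's own
# status; prints a note and returns 0 if no Apache binary is installed.
apache_configtest() {
    if command -v apachectl >/dev/null 2>&1; then
        apachectl configtest
    elif command -v httpd >/dev/null 2>&1; then
        httpd -t
    else
        echo "apachectl/httpd not found; skipping configtest"
    fi
}

# Demo: the LAN-bypass block from this page in both syntaxes, and the
# per-user music block without a LAN exemption.
render_mythweb_directory /var/www/html/mythweb /etc/httpd/conf/httpd-passwords 192.168.1. 2.2
echo
render_mythweb_directory /var/www/html/mythweb /etc/httpd/conf/httpd-passwords 192.168.1. 2.4
echo
render_mythweb_directory /var/www/html/mythweb/music /etc/httpd/conf/httpd-passwords "" 2.2 MYUSER4 MYUSER5
```

Paste the rendered block into httpd.conf (or a file under conf.d), run apache_configtest, and only then restart Apache. Pass "" as the LAN prefix for any directory that should always require a login.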