Restricting Access to MythWeb: Apache Access Controls

From MythTV Official Wiki

If you have elected to enable the web interface for MythTV in a manner that would make it accessible from the Internet, or perhaps wish to simply be extra careful about who is allowed to access MythWeb and from where, there are numerous ways Apache's access control mechanisms can keep things under control for you. With just a few minutes' work, one can have Apache restricting access to MythWeb based on IP addresses (where the user is connecting from), usernames and passwords, or some combination of both (for example, requiring passwords only when the user is connecting from outside the local LAN).

Access control file permission caveats

Something one should keep in mind when working with Apache's access control files is that there are three things you should avoid, and one thing you should do.

  • You should not make these files writable by the Apache role user or role group, ever. Doing so might allow an attacker to convince Apache to modify the access controls in order to gain further leverage over your system.
  • You should not store these files (excepting .htaccess) under the DocumentRoot (the "root" directory of the webserver), where Apache might show them to a remote user as if they were "just another web page". This could expose configuration details that might (again) let an attacker gain further leverage on your system.
  • You should not make these files world-readable, ever. Apache runs as a particular user and group id, and configuration files belonging to that user or group should be all that is needed for Apache to be able to read its configuration information. World-readable files may allow users with a local unix account to read configuration data that might let them gain further leverage on your system.
  • You should make these files explicitly readable by Apache by using the chgrp and chmod commands to make the files read-only for the role group your Apache httpd runs as (most distributions name this 'httpd' or 'apache', but occasionally 'nobody' or 'nouser').

For those who have been paying attention, yes there are more directives here than the number of commands actually needed to implement them, but it's important that you know why these things are so, particularly if you are planning on making your MythWeb installation available over the Internet where some really malicious people could get at it.

.htaccess or httpd.conf

There are two ways to convey configuration tokens to Apache, and in general there isn't any significant difference between them for the (very small) scale at which we'll be working. Pick whichever one you are more comfortable with and stick with it. Remember that access control problems happen most often in the wee hours of the morning, so it's simply a matter of self-preservation that access control rules need always be as simple (and as obvious) as possible to reduce the chances one might make a mistake a sleep-addled brain wouldn't notice.

If you like your configurations modular, with all the related files in the same place for ease of backups and/or upgrades, you will probably wish to use an .htaccess file in the MythWeb directory. If you followed the INSTALL documentation that came with MythWeb carefully, you should have implemented an AllowOverride directive that will allow an .htaccess file (if present) to dictate what is needed. If you like to keep all of your configuration data in one and only one place, then you will most likely be interested in putting the access control directives directly into Apache's main configuration file, usually called httpd.conf and usually (depending on your distribution) found in the /etc/httpd directory.

The main difference between them is that when you use .htaccess Apache automatically "knows" that the directives in it apply to that directory and all subdirectories. When you put these directives in httpd.conf, they simply need to be enclosed in a set of <Directory "/path/to/actual/files"></Directory> tags so that Apache knows what directories they apply to. For the remainder of this documentation, you will be expected to understand that any changes to httpd.conf will require that extra step. In general, using .htaccess tends to be less confusing to new users.

Username/passwd protection

The first method of restricting access to MythWeb we'll go over will be simple username/password controls. The passwords and usernames Apache uses are not the same ones that the system uses to allow you to login to the machine. They will be kept in a special file which (again) should not be stored under the DocumentRoot. Usually this file will be named htpasswd or htdigest but for the sake of clarity and because these files can be named pretty much anything you want, we're going to simply name the file passwd. For the purposes of this documentation, we'll also assume you are putting these files in the /etc/httpd directory (particularly since it's outside of the DocumentRoot).

There are two mechanisms for authentication that can be used by most Apache packages "out of the box". The first is called "Basic" authentication, and the second is called "Digest" authentication (which is only more secure when it is set up using a much more involved process than we're going to get into here). There is no difference between these two methods from the user's point of view. With Apache 2.0, enabling Basic authentication requires the mod_auth module; Apache 2.2 changes things slightly, using mod_auth_basic and mod_authn_file. This information is being supplied for the sake of completeness because most Linux distributions will already have both of these modules compiled and included in the default Apache configuration, so one normally won't have to worry about it. The links to the Apache documentation are provided for the people who want to know the gory details about them, and in the interests of keeping this documentation short and to the point, they will not be explained here. Most installers won't even need to care.

Setting up username/password protection is really simple. The configuration tokens one needs for Basic authentication are as follows:

AuthType           Basic
AuthName           "MythWeb"
AuthUserFile       /etc/httpd/passwd
Require            valid-user

You can put these in a file called .htaccess in the top MythWeb directory as-is, or you can put them in your httpd.conf enclosed in <Directory></Directory> tags as discussed earlier. Note that with some less feature-laden browsers (handhelds/PDAs and cell phones for the masochists out there) Digest authentication may not work at all. Again, remember that only the Apache daemon needs to be able to read this file, and it should not be allowed to write to it. The following commands will likely set the permissions on the .htaccess file to what you want:

chown root .htaccess       # Makes root the owner of the file
chgrp apache .htaccess     # Assigns the file to the apache group as well
chmod 640 .htaccess        # Grants read/write access to the file owner...
                           #     ...but only read access to the group
                           #     ...and no access to anyone else

Once these directives are in place, you will need to create the /etc/httpd/passwd file and then store some usernames and passwords in it. Simply using the `touch` command (or any text editor) will be enough to create the new passwd file, but you can also pass the -c argument to htpasswd/htdigest and they will create a new password file, obliterating any existing usernames and passwords in the process. Storing the passwords in a lightly-encrypted form is done with the htpasswd command. If you are using Basic authentication, you can create the new password file and add a username/password pair (replace "mythuser" with the username you prefer) to it with just one command, like so:

htpasswd -c /etc/httpd/passwd mythuser

This command will prompt you for the password you want for that username. You can issue the exact same command later to change the password for a username, or you can use the -D argument to delete the username entirely. Just be careful not to use the -c option after the file has already been created as this will cause htpasswd to destroy the old file (and all the usernames/passwords in it along with it) and create a new one from scratch.

Don't forget to set the correct permissions on /etc/httpd/passwd when you're done creating this file. The default ownership may not be what you want. For example, the following is probably very close to what you would need to set the file permissions correctly.

chown root /etc/httpd/passwd     # Makes root the owner of the file
chgrp apache /etc/httpd/passwd   # Assigns the file to the apache group as well
chmod 640 /etc/httpd/passwd      # Grants read/write access to the file owner...
                                 #     ...but only read access to the group
                                 #     ...and no access to anyone else
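
The four rules from "Access control file permission caveats" can be checked mechanically once .htaccess and /etc/httpd/passwd exist. The script below is an added example, not part of the original wiki page; the function name is hypothetical, and the web user, web group and DocumentRoot you pass in are assumptions about your own installation.

```shell
#!/bin/sh
# Added example (not from the MythTV wiki): audit an access-control file
# against the four rules in "Access control file permission caveats".
# WEB_USER, WEB_GROUP and DOCROOT describe your own installation.

# usage: audit_acl_file FILE WEB_USER WEB_GROUP DOCROOT
# Prints one finding per line; prints nothing when FILE passes every rule.
audit_acl_file() {
    f=$1; web_user=$2; web_group=$3; docroot=$4
    [ -f "$f" ] || { echo "$f: missing"; return 0; }

    # "ls -ld" prints e.g. "-rw-r----- 1 root apache ..."; keep fields 1, 3, 4.
    meta=$(ls -ld -- "$f" | awk '{print $1, $3, $4}')
    mode=${meta%% *}; group=${meta##* }
    owner=${meta#* }; owner=${owner% *}

    # Rule 1: neither the Apache user nor the Apache group may write the file.
    if [ "$owner" = "$web_user" ]; then
        echo "$f: owned by $web_user, who can rewrite it or change its mode"
    fi
    case $mode in ?????w*) echo "$f: writable by group $group" ;; esac
    case $mode in ????????w*) echo "$f: world-writable" ;; esac

    # Rule 2: only .htaccess may live under the DocumentRoot.
    dir=$(cd "$(dirname "$f")" && pwd -P)
    root=$(cd "$docroot" 2>/dev/null && pwd -P) || root=
    if [ -n "$root" ] && [ "$(basename "$f")" != .htaccess ]; then
        case $dir/ in "$root"/*) echo "$f: stored under DocumentRoot" ;; esac
    fi

    # Rule 3: no read access for "other".
    case $mode in ???????r*) echo "$f: world-readable" ;; esac

    # Rule 4: the Apache group must be able to read it via the group bits.
    case $group:$mode in
        "$web_group":????r*) ;;
        *) echo "$f: not readable through group $web_group" ;;
    esac
    return 0
}

# Stand-alone use: sh audit.sh WEB_USER WEB_GROUP DOCROOT FILE...
if [ $# -ge 4 ]; then
    u=$1; g=$2; r=$3; shift 3
    for file in "$@"; do audit_acl_file "$file" "$u" "$g" "$r"; done
fi
```

An empty result for both files means the ownership and mode match the rules; any line printed names the rule that was broken.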

Removing Restrictions Internally

While any outwardly facing web interface should be secured, users may choose to leave access unrestricted from inside their own network. In the same location, in the same file as before, Apache must be told to grant access when any of the requirements are met, rather than requiring that they all be met:

Order           deny,allow
Deny from       all
Satisfy         any

Now you can grant access to machines individually, or to a network as a whole:

Allow from
Allow from      192.168.1 192.168.2
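
Because Satisfy any grants access when either the host rules or the password check passes, leaving out Deny from all removes the password prompt for every client. The lint below is an added example, not part of the original wiki page; the function name is hypothetical, and it assumes all the rules live in the one file it is given, with nothing inherited from httpd.conf or a parent directory.

```shell
#!/bin/sh
# Added example (not from the MythTV wiki): lint one .htaccess, or one
# <Directory> body saved to a file, written with the directives on this page.
# Assumption: no Order/Allow/Deny rules are inherited from anywhere else.

# usage: lint_access_rules FILE
# Prints one finding per line; prints nothing when no problem is found.
lint_access_rules() {
    # Drop comment and blank lines, squeeze whitespace and lower-case the
    # rest (directive names and the keywords tested here ignore case).
    rules=$(awk '/^[ \t]*#/ {next} NF {$1=$1; print tolower($0)}' "$1")
    has() { printf '%s\n' "$rules" | grep -Eq "$1"; }

    # Password protection needs all four directives of the Basic example.
    if has '^require ' &&
       ! { has '^authtype ' && has '^authname ' && has '^authuserfile '; }
    then
        echo "Require present but AuthType, AuthName or AuthUserFile missing"
    fi

    if has '^satisfy any$'; then
        # Satisfy any admits a client that passes EITHER the host rules OR
        # the password check. Hosts are allowed by default, so without
        # "Deny from all" every client passes and nobody is asked to log in.
        has '^deny from all$' ||
            echo "Satisfy any without Deny from all: password check bypassed"
        # Under "Order allow,deny" a Deny match wins over any Allow match.
        has '^order allow,deny$' && has '^deny from all$' &&
            echo "Order allow,deny with Deny from all: Allow lines never apply"
    fi

    # An Allow/Deny line that names no host or network is incomplete.
    has '^(allow|deny) from$' &&
        echo "Allow/Deny from with no host or network"
    return 0
}

# Stand-alone use: sh lint.sh /path/to/.htaccess
if [ $# -eq 1 ]; then lint_access_rules "$1"; fi
```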