Restricting Access to MythWeb: Apache Access Controls

From MythTV Official Wiki
Revision as of 10:58, 11 March 2008 by Dagmar d'Surreal (talk | contribs) (Initial start)


If you have elected to enable the web interface for MythTV in a manner that would make it accessible from the Internet, or perhaps wish to simply be extra careful about who is allowed to access MythWeb and from where, there are numerous ways Apache's access control mechanisms can keep things under control for you. With just a few minutes' work, one can have Apache restricting access to MythWeb based on IP addresses (where the user is connecting from), usernames and passwords, or some combination of both (for example, requiring passwords only when the user is connecting from outside the local LAN).

Access control file permission caveats

Something one should keep in mind when working with Apache's access control files is that there are three things you should avoid, and one thing you should do.

  • You should not make these files writable by the Apache role user or role group, ever. Doing so might allow an attacker to convince Apache to modify the access controls in order to gain further leverage over your system.
  • You should not store these files (excepting .htaccess) under the DocumentRoot of the webserver where Apache might show them to a remote user as if they were just another web page. This could expose configuration details that might (again) let an attacker gain further leverage on your system.
  • You should not make these files world-readable, ever. Apache runs as a particular user and group id, and having the configuration files belong to those should be all that is needed for Apache to be able to read its configuration information. World-readable files may allow users with a local unix account to read configuration data that might let them gain further leverage on your system.
  • You should make these files explicitly readable by Apache by using the chgrp and chmod commands to make the files read-only for the role group your Apache httpd runs as (most distributions name this 'httpd' or 'apache', but occasionally 'nobody' or 'nouser').

For those who have been paying attention, yes, there are more directives here than the number of commands actually needed to implement them, but it's important that you know why these things are so, particularly if you are planning on making your MythWeb installation available over the Internet where some really malicious people could get at it.
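The four rules above as a check you can run against an access control file (a password file, for instance), followed by the chgrp/chmod step. This is an added example, not part of the original wiki page: the function names `audit_acl_file` and `lock_down` and the mode 0640 are assumptions, and it needs a `stat` that supports `-c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes a stat that
# supports -c (GNU coreutils or BusyBox).

# audit_acl_file FILE DOCROOT APACHE_GROUP APACHE_USER
# Group and user may be names or numeric ids. Prints each violated rule;
# the return status is the number of violations (99: not a regular file).
audit_acl_file() {
    file=$1; docroot=$2; grp=$3; usr=$4; bad=0
    [ -f "$file" ] || { echo "not a regular file: $file"; return 99; }
    perm=$((0$(stat -c '%a' "$file")))          # octal mode as an integer
    own=":$(stat -c '%U:%u' "$file"):"          # ":name:uid:"
    gown=":$(stat -c '%G:%g' "$file"):"         # ":name:gid:"
    case $own  in *":$usr:"*) by_user=1 ;; *) by_user=0 ;; esac
    case $gown in *":$grp:"*) by_group=1 ;; *) by_group=0 ;; esac

    # Rule 1: never writable by the Apache role user or role group.
    if [ $((perm & 0002)) -ne 0 ] ||
       { [ $by_group -eq 1 ] && [ $((perm & 0020)) -ne 0 ]; } ||
       { [ $by_user -eq 1 ] && [ $((perm & 0200)) -ne 0 ]; }; then
        echo "writable by Apache: $file"; bad=$((bad + 1))
    fi
    # Rule 2: not under DocumentRoot, except .htaccess itself.
    dir=$(cd "$(dirname "$file")" && pwd -P)
    root=$(cd "$docroot" && pwd -P)
    case "$dir/" in "$root"/*)
        if [ "$(basename "$file")" != .htaccess ]; then
            echo "under DocumentRoot: $file"; bad=$((bad + 1))
        fi ;;
    esac
    # Rule 3: never world-readable.
    if [ $((perm & 0004)) -ne 0 ]; then
        echo "world-readable: $file"; bad=$((bad + 1))
    fi
    # Rule 4: readable by the Apache role group.
    if [ $by_group -eq 0 ] || [ $((perm & 0040)) -eq 0 ]; then
        echo "not readable by group $grp: $file"; bad=$((bad + 1))
    fi
    return $bad
}

# lock_down FILE APACHE_GROUP: the chgrp/chmod step from the last bullet.
# 0640 leaves write access with the owner only, so the owner should be
# root or an admin account, never the Apache role user.
lock_down() {
    chgrp "$2" "$1" && chmod 0640 "$1"
}
```

Run `lock_down` as root, then `audit_acl_file` with your distribution's Apache group and user names; a return status of 0 means all four rules hold.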

.htaccess or httpd.conf

There are two ways to convey configuration tokens to Apache, and in general there isn't any significant difference between them for the (very small) scale at which we'll be working. Pick whichever one you are more comfortable with and stick with it. Remember that access control problems happen most often in the wee hours of the morning, so it's simply a matter of self-preservation that access control rules need always be as simple (and as obvious) as possible to reduce the chances one might make a mistake a sleep-addled brain wouldn't notice.

If you like your configurations modular--with all the related files in the same place for ease of backups and/or upgrades--you will probably wish to use an .htaccess file in the MythWeb directory. If you followed the INSTALL documentation that came with MythWeb carefully, you should have implemented an AllowOverride directive that will allow an .htaccess file (if present) to dictate what is needed. If you like to keep all of your configuration data in one and only one place, then you will most likely be interested in putting the access control directives directly into Apache's main configuration file, usually called httpd.conf and usually (depending on your distribution) found in the /etc/httpd directory.