Difference between revisions of "Securing MythWeb"
(→{{FedoraVersion}}: Added bar of port 80) |
(→Setup Security) |
||
(14 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
{{outdated2|Inconsistent and confusing information}} | {{outdated2|Inconsistent and confusing information}} | ||
− | This assumes you have decided to open your web server to the internet, and now you need to secure it. This guide will take you through setting up simple authentication with an Apache server. Please see the Apache [http://httpd.apache.org/docs | + | This assumes you have decided to open your web server to the internet, and now you need to secure it. This guide will take you through setting up simple authentication with an Apache server. Please see the Apache [http://httpd.apache.org/docs/2.4/howto/auth.html docs] for more specifics or more secure methods. |
There are several ways to secure [[MythWeb]]: | There are several ways to secure [[MythWeb]]: | ||
Line 10: | Line 10: | ||
These instructions assume MythWeb is installed in the default path (/var/www/html/mythweb). | These instructions assume MythWeb is installed in the default path (/var/www/html/mythweb). | ||
− | == MythWeb | + | == MythWeb htdigest == |
− | |||
You may use either ''AuthType Basic'' or ''AuthType digest'' -- "Basic" is more compatible, "Digest" is more secure. If you use "Basic", you must use ''htpasswd'' to create users. If you use "Digest", you must use ''htdigest'' to create users. | You may use either ''AuthType Basic'' or ''AuthType digest'' -- "Basic" is more compatible, "Digest" is more secure. If you use "Basic", you must use ''htpasswd'' to create users. If you use "Digest", you must use ''htdigest'' to create users. | ||
− | + | MythWeb password authentication is configured in the configuration files of the apache2 service and read at runtime rather than with each web-request as with .htaccess; for this reason this is more efficient from a computer resource point of view. For this reason this is the method that is recommended by Apache. | |
− | + | There are at least two methods of configuring password authentication within Apache2 config files; Authentication with either the Basic or Digest modules. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
=== {{FedoraVersion}} === | === {{FedoraVersion}} === | ||
+ | [[Image:FedoraLogo.png|50px]] | ||
When installing the <code>mythtv</code> package, the <code>mythweb</code> package is installed along side it. The default installation handles most of the SELinux contexts and permissions under <code>/usr/share/mythweb/</code>. To turn MythWeb on, simply start up the Apache server and allow to run on boot: | When installing the <code>mythtv</code> package, the <code>mythweb</code> package is installed along side it. The default installation handles most of the SELinux contexts and permissions under <code>/usr/share/mythweb/</code>. To turn MythWeb on, simply start up the Apache server and allow to run on boot: | ||
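Review bot: The paragraph added under the new "MythWeb htdigest" heading says the server configuration is "read at runtime rather than with each web-request" and then uses "for this reason" twice in a row. Suggest saying that the server configuration is read once at startup while .htaccess is re-read per request, and merging the two sentences. The new heading also names only htdigest, while the unchanged line directly below it still covers both AuthType Basic (htpasswd) and Digest (htdigest), so a neutral title would match the content better.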
Line 59: | Line 25: | ||
# systemctl restart httpd.service | # systemctl restart httpd.service | ||
</pre> | </pre> | ||
+ | You may need to enable port 80 / 443 (HTTP / HTTPS respectively) through the firewall. See [[Installing_MythTV_on_Fedora|Installing MythTV on Fedora]] for more information. | ||
At this stage, it's probably wise to turn on <code>https</code> so that you have an extra layer of encryption when viewing from the outside web. Install the <code>mod_ssl</code> package with: | At this stage, it's probably wise to turn on <code>https</code> so that you have an extra layer of encryption when viewing from the outside web. Install the <code>mod_ssl</code> package with: | ||
Line 64: | Line 31: | ||
# yum install mod_ssl | # yum install mod_ssl | ||
</pre> | </pre> | ||
− | This should create a <code>ssl.conf</code> file in <code>/etc/httpd/conf.d/</code>. Create a new certificate using these [http://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/s2-apache-mod_ssl-genkey.html|instructions]. Make the necessary changes to your <code>ssl.conf</code> file to point to the newly generated key and certificate at the following location: | + | This should create a <code>ssl.conf</code> file in <code>/etc/httpd/conf.d/</code>. Create a new certificate using these [http://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/s2-apache-mod_ssl-genkey.html|instructions]. Make the necessary changes to your <code>ssl.conf</code> file to point to the newly generated key and certificate at the following location (replace YOURDOMAIN with your chosen file name): |
{{Code box|ssl.conf|<pre> | {{Code box|ssl.conf|<pre> | ||
... | ... | ||
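Review bot: In the changed sentence the certificate link still has a pipe between the URL and the word "instructions". MediaWiki external links take a space there, which is why the rendered text reads "using these [1]" with the label lost. The link also targets the Fedora 14 Deployment Guide although the section is headed by {{FedoraVersion}}, so the target should be checked against the release the section describes.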
Line 96: | Line 63: | ||
... | ... | ||
</pre>}} | </pre>}} | ||
+ | |||
+ | Navigate to <code>/etc/httpd/conf.d/</code> and open <code>mythweb.conf</code>. In here make the following changes to require a user on authentication: | ||
+ | |||
+ | {{Code box|mythweb.conf| | ||
+ | <pre> | ||
+ | <IfModule mod_authz_core.c> | ||
+ | # Apache 2.4 | ||
+ | <RequireAll> | ||
+ | Require valid-user | ||
+ | </RequireAll> | ||
+ | </IfModule> | ||
+ | </pre>}} | ||
+ | And then to turn on the authentication to uncomment to following code: | ||
+ | {{Code box|mythweb.conf| | ||
+ | <pre> | ||
+ | ############################################################################ | ||
+ | # I *strongly* urge you to turn on authentication for MythWeb. It is disabled | ||
+ | # by default because it requires you to set up your own password file. Please | ||
+ | # see the man page for htdigest and then configure the following four directives | ||
+ | # to suit your authentication needs. | ||
+ | # | ||
+ | AuthType Digest | ||
+ | AuthName "MythTV" | ||
+ | AuthUserFile /etc/httpd/conf.d/mythweb-htdigest | ||
+ | Require valid-user | ||
+ | BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On | ||
+ | Order allow,deny | ||
+ | Satisfy any | ||
+ | # | ||
+ | # * If you're running Apache earlier than 2.2, you will need to use | ||
+ | # the AuthDigestFile command instead of AuthUserFile (3rd line above). | ||
+ | # | ||
+ | ############################################################################ | ||
+ | </pre>}} | ||
+ | Next, create the <code>mythweb-htdigest</code> file under the AuthName/Realm ''MythTV''. Issue the following commands, replacing USERNAME with a desired username. | ||
+ | <pre> | ||
+ | htdigest -c /etc/httpd/conf.d/mythweb-htdigest MythTV USERNAME | ||
+ | </pre> | ||
+ | Once this is complete, restart Apache using the same method as above and check to see that authentication is working correctly. | ||
+ | |||
+ | === openSUSE 10.2 === | ||
+ | |||
+ | {{Note box|Outdated information, please update openSUSE users}} | ||
+ | |||
+ | [[Image:Geeko_head48.png|25px]]These steps are for [[Opensuse_10.2|openSUSE 10.2.]] The instructions are written using "htpasswd2" instead of "htdigest2" because that is what I got to work. I'm sure you could use "htdigest2", I'm just now sure how. These steps should work fine though. | ||
+ | |||
+ | You will need to install Apache2, PHP5.1 (or preferrably PHP5.2), Mythweb | ||
+ | |||
+ | MythTV openSUSE RPMS will install the mythweb files into /srv/www/htdocs/mythweb | ||
+ | |||
+ | |||
+ | '''Configure Apache2''' | ||
+ | |||
+ | |||
+ | In YasT under Network Services->HTTP Server. | ||
+ | |||
+ | Under "Server Modules" make sure you have "env" and "rewrite" modules enabled | ||
+ | |||
+ | Under "Main Hosts" select "Directory /srv/www/htdocs " | ||
+ | |||
+ | Change Options to FollowSymLinks | ||
+ | |||
+ | Change AllowOveride to All | ||
+ | |||
+ | save and exit | ||
+ | |||
+ | |||
+ | '''Start Apache2 Web Server''' | ||
+ | |||
+ | |||
+ | YasT->System->System Services | ||
+ | |||
+ | Select apache2 and enable | ||
+ | |||
+ | save and exit | ||
+ | |||
+ | ==== Setup Security ==== | ||
+ | |||
+ | '''1.''' create a new password file with htpasswd22<br> | ||
+ | '''WARNING:''' the "-c" will wipe out the file if it already exists | ||
+ | /usr/bin/htpasswd2 -c /etc/apache2/conf.d/httpd-passwords ''userid'' | ||
+ | You will be prompted to put in a password for the ''userid''<br> | ||
+ | '''2.''' create any additional user IDs (no "-c") | ||
+ | /usr/bin/htpasswd2 /etc/apache2/conf.d/httpd-passwords ''another_userid'' | ||
+ | '''3.''' Find the user:group that apache2 is running as | ||
+ | cat /etc/apache2/uid.conf | ||
+ | You file will probably look like this | ||
+ | User wwwrun | ||
+ | Group www | ||
+ | '''4.''' Change the ownership of the password file (change "wwwrun:www" to match the "User:Group" from the previous step) | ||
+ | chown wwwrun:www /etc/apache2/conf.d/httpd-passwords | ||
+ | '''5.''' If the .htaccess exists, which it probably does if you have mythweb installed, back it up. This is just in case you mess it up and it need to start over. | ||
+ | cd /srv/www/htdocs/mythweb/ | ||
+ | cp ./.htaccess ./.htaccess.orig | ||
+ | '''6.''' Open .htaccess for modification with vi - or whatever floats your boat | ||
+ | vi ./.htaccess | ||
+ | '''7.''' The following lines should be present but commented. Remove the "#" from the start of each line, modify them to fit your setup, and save the file. Changes are immediate. Pay special attention to the bolded lines | ||
+ | '''AuthType Basic''' | ||
+ | AuthName "MythTV" | ||
+ | '''AuthUserFile /etc/apache2/conf.d/httpd-passwords''' | ||
+ | Require valid-user | ||
+ | BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On | ||
+ | |||
+ | Save the file and authentication should begin immediately. | ||
+ | |||
+ | '''8.''' If you don't want to bother with authentication when you are on the same network, add the following lines and authentication will be bypassed (assuming 192.168.1.0 is your local network). | ||
+ | Allow from 192.168.1. | ||
+ | Satisfy any | ||
+ | If you aren't sure what your network is, if you are using a router purchased from a store, you could probably get away with specifying "Allow from 192.168.". This would also cover you if you move your box from one location to another using a different third octet in the IP. With this in place, though, you should not be prompted now for authentication while on the local network. | ||
+ | |||
+ | '''UPDATE:''' I'm not 100% sure that this last step works. I tested from a remote site and was able to access MythWeb without being prompted for a password. The remote site also used the 192.168.1 network range. After removing the last two entries above, it prompted right away. | ||
+ | |||
+ | '''NOTE:''' I had the same problem with the last step not working, but after a lot of digging it turned out that there were conflicting authentication configurations in the main '''apache''' config file and in the '''sites-enabled/default''' files. These are the settings which worked for me. | ||
+ | <Directory> | ||
+ | AuthType Basic | ||
+ | AuthName "MythTV" | ||
+ | AuthUserFile /etc/apache2/conf.d/httpd-passwords | ||
+ | Require valid-user | ||
+ | Order deny,allow | ||
+ | Deny from all | ||
+ | Allow from 192.168.0 127 | ||
+ | Satisfy Any | ||
+ | </Directory> | ||
=== Ubuntu 9.10 (Karmic) === | === Ubuntu 9.10 (Karmic) === | ||
+ | {{Note box|Most likely undated}} | ||
There are a couple of differences for Karmic (and possibly other Ubuntu flavours) to get this to work. | There are a couple of differences for Karmic (and possibly other Ubuntu flavours) to get this to work. | ||
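Review bot: The added mythweb.conf steps mix two access-control styles. The first box adds the Apache 2.4 form (<RequireAll> with Require valid-user), while the block to uncomment still carries Order allow,deny and Satisfy any, which on 2.4 depend on mod_access_compat. The text should say which of the two the reader is expected to end up with. In the openSUSE part, step 1 names the tool "htpasswd22" where the command on the next line is htpasswd2. Step 8 is followed by an UPDATE and a NOTE that both report the LAN bypass not behaving as written, so the step should be corrected or marked unverified rather than left as a plain instruction.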
Line 234: | Line 325: | ||
Again, tailor your password file and users to your needs. You can even use separate password files if you wish! | Again, tailor your password file and users to your needs. You can even use separate password files if you wish! | ||
+ | === Securing only the "settings" section === | ||
+ | |||
+ | It is also possible to improve security on MythWeb without requiring every user to enter a username and password. Standard users will still be able to do things such as delete recordings, edit video metadata, etc, but you can at least restrict their access to dangerous pages such as the settings section. This is done on Apache by using the "LocationMatch" directive: | ||
+ | |||
+ | <pre><nowiki> | ||
+ | <LocationMatch .*web/settings> | ||
+ | AuthType Digest | ||
+ | AuthName "MythTV" | ||
+ | AuthUserFile /etc/mythtv/mythweb-digest | ||
+ | Require valid-user | ||
+ | BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On | ||
+ | Order Allow,Deny | ||
+ | Satisfy Any | ||
+ | </LocationMatch> | ||
+ | |||
+ | </nowiki></pre> | ||
+ | |||
+ | It should also be possible to restrict any individual action on Mythweb using the right regular expression in the LocationMatch. | ||
+ | |||
+ | Now restart Apache, and you're done: | ||
+ | <pre><nowiki> | ||
+ | service httpd restart | ||
+ | </nowiki></pre> | ||
+ | (this may be different on your distro) - apache like | ||
+ | <pre><nowiki> | ||
+ | apache2ctl restart | ||
+ | </nowiki></pre> | ||
=== Restart Apache === | === Restart Apache === |
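Review bot: The new "Securing only the settings section" text ends with its own "Now restart Apache, and you're done" instructions directly above the existing "=== Restart Apache ===" heading, so the page now carries the restart step twice. Drop the added copy or fold the apache2ctl variant into the existing section. The line "(this may be different on your distro) - apache like" is an unfinished phrase, and the pattern in <LocationMatch .*web/settings> is unanchored, so the text should state which URLs it is meant to cover.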
Revision as of 01:24, 17 December 2014
This assumes you have decided to open your web server to the internet, and now you need to secure it. This guide will take you through setting up simple authentication with an Apache server. Please see the Apache docs for more specifics or more secure methods.
There are several ways to secure MythWeb:
- Modify the MythWeb .htaccess file to require password authentication
- Modify the Apache configuration to require password authentication
- Setup an SSH tunnel for remote access to MythWeb (assuming that you do not open your MythWeb server to the internet except for port-forwarding SSH from your router/firewall)
These instructions assume MythWeb is installed in the default path (/var/www/html/mythweb).
MythWeb htdigest
You may use either AuthType Basic or AuthType digest -- "Basic" is more compatible, "Digest" is more secure. If you use "Basic", you must use htpasswd to create users. If you use "Digest", you must use htdigest to create users.
MythWeb password authentication is configured in the configuration files of the apache2 service, which are read once when the server starts rather than with each web request as with .htaccess, so this is more efficient from a computer resource point of view. For this reason it is the method recommended by Apache. There are at least two methods of configuring password authentication within Apache2 config files: authentication with either the Basic or the Digest module.
Fedora 21
When installing the mythtv package, the mythweb package is installed alongside it. The default installation handles most of the SELinux contexts and permissions under /usr/share/mythweb/. To turn MythWeb on, simply start the Apache server and enable it to run on boot:
# systemctl enable httpd.service
# systemctl restart httpd.service
You may need to enable port 80 / 443 (HTTP / HTTPS respectively) through the firewall. See Installing MythTV on Fedora for more information.
At this stage, it's probably wise to turn on https so that you have an extra layer of encryption when viewing from the outside web. Install the mod_ssl package with:
# yum install mod_ssl
This should create a ssl.conf file in /etc/httpd/conf.d/. Create a new certificate using these instructions [1]. Make the necessary changes to your ssl.conf file to point to the newly generated key and certificate at the following location (replace YOURDOMAIN with your chosen file name):
...
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/YOURDOMAIN.com.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/YOURDOMAIN.com.key
...
Optional - bar access to port 80 by commenting out Listen 80 in /etc/httpd/conf/:
...
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
#Listen 80
#
# Dynamic Shared Object (DSO) Support
...
Navigate to /etc/httpd/conf.d/ and open mythweb.conf. In it, make the following changes to require an authenticated user:
<IfModule mod_authz_core.c>
    # Apache 2.4
    <RequireAll>
        Require valid-user
    </RequireAll>
</IfModule>
Then, to turn on authentication, uncomment the following code:
############################################################################
# I *strongly* urge you to turn on authentication for MythWeb. It is disabled
# by default because it requires you to set up your own password file. Please
# see the man page for htdigest and then configure the following four directives
# to suit your authentication needs.
#
AuthType Digest
AuthName "MythTV"
AuthUserFile /etc/httpd/conf.d/mythweb-htdigest
Require valid-user
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
Order allow,deny
Satisfy any
#
# * If you're running Apache earlier than 2.2, you will need to use
# the AuthDigestFile command instead of AuthUserFile (3rd line above).
#
############################################################################
Next, create the mythweb-htdigest file under the AuthName/Realm MythTV. Issue the following command, replacing USERNAME with a desired username.
htdigest -c /etc/httpd/conf.d/mythweb-htdigest MythTV USERNAME
Once this is complete, restart Apache using the same method as above and check to see that authentication is working correctly.
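An htdigest file holds one user:realm:hash line per account, where the hash is the MD5 of "user:realm:password", so an entry only works when its realm is exactly the AuthName ("MythTV" above). The check below is an added example, not part of the original page or of MythWeb; the function names, accounts and passwords are constructed for illustration.

```python
import hashlib
import hmac

HEX = set("0123456789abcdef")


def ha1(user, realm, password):
    """Hash stored by htdigest: hex MD5 of 'user:realm:password'."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def parse_htdigest(text):
    """Return (entries, problems) for the contents of an htdigest file."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.strip().split(":")
        if len(parts) != 3 or len(parts[2]) != 32 or not set(parts[2]) <= HEX:
            problems.append(f"line {lineno}: not user:realm:md5hex")
            continue
        entries.append(tuple(parts))
    return entries, problems


def audit(text, auth_name):
    """List problems that stop entries from authenticating against auth_name."""
    entries, problems = parse_htdigest(text)
    seen = set()
    for user, realm, _ in entries:
        if realm != auth_name:
            problems.append(
                f"{user}: realm {realm!r} does not match AuthName {auth_name!r}")
        if (user, realm) in seen:
            problems.append(f"{user}: duplicate entry for realm {realm!r}")
        seen.add((user, realm))
    return problems


def check_password(text, user, realm, password):
    """True if the file holds a matching hash for user in realm."""
    entries, _ = parse_htdigest(text)
    expected = ha1(user, realm, password)
    return any(u == user and r == realm and hmac.compare_digest(h, expected)
               for u, r, h in entries)


# Constructed sample file: accounts and passwords are made up for this example.
SAMPLE = "\n".join([
    "alice:MythTV:" + ha1("alice", "MythTV", "constructed-pass-1"),
    "bob:mythtv:" + ha1("bob", "mythtv", "constructed-pass-2"),  # wrong-case realm
    "carol:MythTV:notahash",                                    # damaged line
])

if __name__ == "__main__":
    for problem in audit(SAMPLE, "MythTV"):
        print(problem)
    print(check_password(SAMPLE, "alice", "MythTV", "constructed-pass-1"))
```

To check a real file, pass its contents and the AuthName from mythweb.conf to audit().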
openSUSE 10.2
These steps are for openSUSE 10.2. The instructions are written using "htpasswd2" instead of "htdigest2" because that is what I got to work. I'm sure you could use "htdigest2", I'm just not sure how. These steps should work fine though.
You will need to install Apache2, PHP5.1 (or preferably PHP5.2), Mythweb
MythTV openSUSE RPMS will install the mythweb files into /srv/www/htdocs/mythweb
Configure Apache2
In YaST under Network Services->HTTP Server.
Under "Server Modules" make sure you have "env" and "rewrite" modules enabled
Under "Main Hosts" select "Directory /srv/www/htdocs "
Change Options to FollowSymLinks
Change AllowOverride to All
save and exit
Start Apache2 Web Server
YaST->System->System Services
Select apache2 and enable
save and exit
Setup Security
1. create a new password file with htpasswd2
WARNING: the "-c" will wipe out the file if it already exists
/usr/bin/htpasswd2 -c /etc/apache2/conf.d/httpd-passwords userid
You will be prompted to put in a password for the userid
2. create any additional user IDs (no "-c")
/usr/bin/htpasswd2 /etc/apache2/conf.d/httpd-passwords another_userid
3. Find the user:group that apache2 is running as
cat /etc/apache2/uid.conf
Your file will probably look like this
User wwwrun
Group www
4. Change the ownership of the password file (change "wwwrun:www" to match the "User:Group" from the previous step)
chown wwwrun:www /etc/apache2/conf.d/httpd-passwords
5. If the .htaccess exists, which it probably does if you have mythweb installed, back it up. This is just in case you mess it up and need to start over.
cd /srv/www/htdocs/mythweb/
cp ./.htaccess ./.htaccess.orig
6. Open .htaccess for modification with vi - or whatever floats your boat
vi ./.htaccess
7. The following lines should be present but commented. Remove the "#" from the start of each line, modify them to fit your setup, and save the file. Changes are immediate. Pay special attention to the bolded lines (AuthType and AuthUserFile)
AuthType Basic
AuthName "MythTV"
AuthUserFile /etc/apache2/conf.d/httpd-passwords
Require valid-user
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
Save the file and authentication should begin immediately.
8. If you don't want to bother with authentication when you are on the same network, add the following lines and authentication will be bypassed (assuming 192.168.1.0 is your local network).
Allow from 192.168.1.
Satisfy any
If you aren't sure what your network is, if you are using a router purchased from a store, you could probably get away with specifying "Allow from 192.168.". This would also cover you if you move your box from one location to another using a different third octet in the IP. With this in place, though, you should not be prompted now for authentication while on the local network.
UPDATE: I'm not 100% sure that this last step works. I tested from a remote site and was able to access MythWeb without being prompted for a password. The remote site also used the 192.168.1 network range. After removing the last two entries above, it prompted right away.
NOTE: I had the same problem with the last step not working, but after a lot of digging it turned out that there were conflicting authentication configurations in the main apache config file and in the sites-enabled/default files. These are the settings which worked for me.
<Directory>
    AuthType Basic
    AuthName "MythTV"
    AuthUserFile /etc/apache2/conf.d/httpd-passwords
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from 192.168.0 127
    Satisfy Any
</Directory>
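How the Apache 2.2-style Order, Allow, Deny and Satisfy directives combine for the configurations shown on this page, as an added model (not Apache code and not part of the original page). The client addresses are constructed, OPEN is a hypothetical misconfiguration, and the model covers only "all" and partial-IP host specs in a section that also has Require valid-user.

```python
def host_matches(spec, ip):
    """'Allow/Deny from' match for 'all' or a partial IP, compared per octet."""
    if spec.lower() == "all":
        return True
    wanted = spec.rstrip(".").split(".")
    return ip.split(".")[:len(wanted)] == wanted


def host_allowed(cfg, ip):
    """Host-based result of Order/Allow/Deny for the address Apache sees."""
    allow = any(host_matches(s, ip) for s in cfg.get("allow", []))
    deny = any(host_matches(s, ip) for s in cfg.get("deny", []))
    if cfg["order"] == "allow,deny":
        return allow and not deny      # default deny; Deny wins when both match
    return allow or not deny           # deny,allow: default allow; Allow wins


def access_granted(cfg, ip, valid_login):
    """Final decision for a section that also has 'Require valid-user'."""
    host_ok = host_allowed(cfg, ip)
    if cfg.get("satisfy", "all") == "any":
        return host_ok or valid_login   # Satisfy any: either test is enough
    return host_ok and valid_login      # Satisfy all (the default): both needed


# Configurations taken from this page.
STOCK = {"order": "allow,deny", "satisfy": "any"}            # mythweb.conf block
LAN_BYPASS = {"order": "allow,deny", "allow": ["192.168.1."], "satisfy": "any"}
NOTE_CFG = {"order": "deny,allow", "deny": ["all"],
            "allow": ["192.168.0", "127"], "satisfy": "any"}
ALLOW_ALL = {"order": "allow,deny", "allow": ["all"]}        # no Satisfy line
# Hypothetical mistake: "Allow from all" combined with "Satisfy any".
OPEN = dict(ALLOW_ALL, satisfy="any")

# Constructed client addresses: LAN host, Internet host, look-alike subnet.
LAN, REMOTE, NEAR_MISS = "192.168.1.20", "203.0.113.9", "192.168.10.5"


def no_password_needed(cfg, clients=(LAN, REMOTE, NEAR_MISS)):
    """Clients that get in without presenting a valid login."""
    return [ip for ip in clients if access_granted(cfg, ip, valid_login=False)]


# Apache matches the peer address of the connection it receives. A request
# relayed by a reverse proxy on the LAN arrives from the proxy's own
# 192.168.1.x address, so it is treated as a LAN client by LAN_BYPASS.

if __name__ == "__main__":
    for name, cfg in [("STOCK", STOCK), ("LAN_BYPASS", LAN_BYPASS),
                      ("NOTE_CFG", NOTE_CFG), ("ALLOW_ALL", ALLOW_ALL),
                      ("OPEN", OPEN)]:
        print(name, no_password_needed(cfg))
```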
Ubuntu 9.10 (Karmic)
There are a couple of differences for Karmic (and possibly other Ubuntu flavours) to get this to work.
First problem is that auth_digest module for Apache isn't loaded by default in this distro. Get it to load using:
sudo a2enmod auth_digest
Next problem is that the MythWeb configuration isn't in the .htaccess file, but is in /etc/apache2/sites-enabled/mythweb.conf file. So when the instructions tell you to uncomment the relevant sections in .htaccess, do it in the mythweb.conf file.
Create a Password File
You will need to create an htdigest password file -- a suggested location is /etc/httpd/conf, but it should be a location that gets backed up regularly.
htdigest -c /etc/httpd/conf/httpd-passwords MythTV MYUSER1
Create additional users as needed:
htdigest /etc/httpd/conf/httpd-passwords MythTV MYUSER2
Please make sure you DO NOT use the -c after the initial user, as this will overwrite the file and start from scratch.
Modify ownership of the file to match the user and group Apache is running as -- try
grep -A 2 ^User /etc/httpd/conf/httpd.conf
chown apache:apache /etc/httpd/conf/httpd-passwords
chmod 640 /etc/httpd/conf/httpd-passwords
Modify .htaccess
(added 4/3/08. using .htaccess isn't supported by MythTV .21. see below.)
nano /var/www/html/mythweb/.htaccess
The following lines should be present but commented. Remove the "#" from the start of each line, modify them to fit your setup, and save the file. Changes are immediate.
AuthType Digest
AuthName "MythTV"
AuthUserFile /etc/httpd/conf/httpd-passwords
Require valid-user
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
Adding the following optional lines will enforce authentication from anywhere outside your local network (assuming 192.168.1.0 is your local network):
Order deny,allow
Allow from 192.168.1. 127.
Deny from all
Satisfy any
Authentication should begin working immediately.
The following is what I got from the Mailing List for securing Mythweb in MythTV .21.
Get rid of your .htaccess files. Edit /etc/httpd/conf.d/mythweb.conf like this: Uncomment the htdigest section:
AuthType Digest
AuthName "MythTV"
AuthUserFile /var/www/htdigest
Require valid-user
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
Order allow,deny
Satisfy any
Then use htdigest (need to be root to do this or sudo the command) to create your digest file:
htdigest -c /var/www/htdigest MythTV username
Then it will ask for your password.
Restart apache and it should work.
Apache Configuration
This method is slightly more efficient than the .htaccess method, but is complicated by the fact that you must restart Apache and mis-configuring the Apache configuration file will keep Apache from restarting.
Apache password file
We will start with creating an Apache password file. I put this in /etc/httpd/conf, as I back up this directory every night to one of my other systems.
htpasswd -c /etc/httpd/conf/httpd-passwords MYUSER1
Create additional users as needed:
htpasswd /etc/httpd/conf/httpd-passwords MYUSER2
Please make sure you DO NOT use the -c after the initial user, as this will overwrite the file and start from scratch.
Modify ownership of the file as follows:
chown apache:apache /etc/httpd/conf/httpd-passwords
chmod 640 /etc/httpd/conf/httpd-passwords
Editing Apache Config
Now edit /etc/httpd/conf/httpd.conf, and add the following section:
<Directory "/var/www/html/mythweb">
    Options Indexes FollowSymLinks
    AuthType Basic
    AuthName "MythTV"
    AuthUserFile /etc/httpd/conf/httpd-passwords
    require user MYUSER1 MYUSER2 MYUSER3
    Order allow,deny
    Allow from all
</Directory>
Modify the password file location and required users per your needs.
If you have created a link from your music storage area to /var/www/html/mythweb/music, you can add the following to separately secure web access to this:
#MythWeb music configuration
<Directory "/var/www/html/mythweb/music">
    Options Indexes FollowSymLinks
    AuthType Basic
    AuthName "MythTV-Music"
    AuthUserFile /etc/httpd/conf/httpd-passwords
    Require user MYUSER4 MYUSER5
    Order allow,deny
    Allow from all
</Directory>
Again, tailor your password file and users to your needs. You can even use separate password files if you wish!
Securing only the "settings" section
It is also possible to improve security on MythWeb without requiring every user to enter a username and password. Standard users will still be able to do things such as delete recordings, edit video metadata, etc, but you can at least restrict their access to dangerous pages such as the settings section. This is done on Apache by using the "LocationMatch" directive:
<LocationMatch .*web/settings>
    AuthType Digest
    AuthName "MythTV"
    AuthUserFile /etc/mythtv/mythweb-digest
    Require valid-user
    BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
    Order Allow,Deny
    Satisfy Any
</LocationMatch>
It should also be possible to restrict any individual action on Mythweb using the right regular expression in the LocationMatch.
Now restart Apache, and you're done:
service httpd restart
(this may be different on your distro), for example:
apache2ctl restart
Restart Apache
Now restart Apache, and you're done:
service httpd restart
(this may be different on your distro)
Other options
You can do a lot more with these configuration sections, such as secure by ip address, and more. Please see the Apache docs[2].
Questions: email me at johanreinalda at yahoo dot com. Preferred is an email to Myth Users list, however.
Here's the configuration I used to allow users on my LAN to access MythWeb without a password, and require outside users to authenticate via pw:
<Directory "/var/www/html/mythweb">
    Options Indexes FollowSymLinks
    AuthType Basic
    AuthName "MythTV"
    AuthUserFile /etc/httpd/conf/httpd-passwords
    Require valid-user
    Order allow,deny
    Allow from 192.168.1.
    Satisfy any
</Directory>