When you install the MythWeb module, the default security settings in Mythbuntu allow password-less access from anywhere. If you wish to be able to schedule (or watch) recordings when you are away from home then you may want to allow users on your local network to access the screens without a password, while requiring a password for connections from outside your network.
Tell Apache to require authentication for MythWeb
Open /etc/apache2/sites-enabled/mythweb.conf (remembering to gain root access) and find the commented out section that looks like this:
############################################################################ # I *strongly* urge you to turn on authentication for MythWeb. It is disabled # by default because it requires you to set up your own password file. Please # see the man page for htdigest and then configure the following four directives # to suit your authentication needs. # # AuthType Digest # AuthName "MythTV" # AuthUserFile /var/www/htdigest # Require valid-user # BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On # Order allow,deny
I am not convinced /var/www is a safe place to keep your htdigest file, so I changed that line to store it in /etc/mythtv/htdigest. I added an "Allow from 192.168.0." line to allow users with an ip address starting 192.168.0 to connect without a password, then a "Satisfy any" line to state that the page can only be served to an authenticated valid-user (from the Require line), or on the local network (from the Allow from line). This is what my final section looked like.
AuthType Digest AuthName "MythTV" # AuthUserFile /var/www/htdigest AuthUserFile /etc/mythtv/htdigest Require valid-user BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On Order allow,deny Allow from 192.168.0. Satisfy any
Enable the Apache module which implements the Digest authentication method
You now must enable apache's auth_digest module using the a2enmod command.
sudo a2enmod auth_digest
If you forget to do this you will see errors like this in your apache error log when you attempt to connect from a non-local address:
[Mon Jul 09 23:27:21 2012] [crit] [client 69.163.149.163] configuration error: couldn't check user. Check your authn provider!: /mythweb
Choose a username and password for remote access
Assuming you used the same values for AuthUserFile and AuthName as I did) then you can add the first user to the password file:
sudo htdigest -c /etc/mythtv/htdigest MythTV username_to_add
The -c parameter creates a blank file so don't use it for any additional users you add. If you don't have htdigest installed, you may need to install the apache2-utils package (sudo apt-get install apache2-utils).
Ensure that only the apache server can read the password file:
sudo chown www-data /etc/mythtv/htdigest sudo chmod 640 /etc/mythtv/htdigest
Tell Apache about the configuration changes
sudo service apache2 reload
It should now be safe to expose MythWeb to the outside world!
12 replies on “Secure MythWeb with Mythbuntu 12.04”
Good stuff dude!
just a small suggestion to detail the enable digest part with the actual command.
Thanks for the help!
done!
Thanks for the terrific instructions. There are so many out of date and mostly unhelpful pages for configuring mythweb's authentication, but yours is perfect.
You might want to add that if htdigest doesn't run as a command, people might have to install it via sudo apt-get install apache2-utils
Done! Thanks for the suggestion.
I have been struggling with this until I stumbled upon this page. Thanks for the instructions and also thanks “Michael Cleland” for pointing out the sudo apt-get install apache2-utils command.
Glad to be of help!
Thank you for the excellent instructions. I appreciate you taking the time to help the rest of us.
Can you please confirm that these instructions will work with MythBuntu 16.04?
I got impatient and gave these instructions a try on MythBuntu 16.04 and I am happy to report that it seems to work fine.
good to know 🙂
This is great, thank you.
Shame the MythTv wiki is so out of date.
Followed this, and I got an Apache "configuration" error, which, reflected in the apache logs gives:
"Could not open password file: /etc/mythtv/mythweb-digest"
Not sure why it was htdigest in the above, but I renamed it to mythweb-digest:
/etc/apache2/sites-available# mv htdigest mythweb-digest
All fixed now (ubuntu 16.04)