Secure MythWeb with Mythbuntu 12.04

When you install the MythWeb module, the default security settings in Mythbuntu allow password-less access from anywhere. If you wish to be able to schedule (or watch) recordings when you are away from home then you may want to allow users on your local network to access the screens without a password, while requiring a password for connections from outside your network.

Tell Apache to require authentication for MythWeb

Open /etc/apache2/sites-enabled/mythweb.conf (remembering to gain root access) and find the commented-out section that looks like this:

    ############################################################################
    # I *strongly* urge you to turn on authentication for MythWeb.  It is disabled
    # by default because it requires you to set up your own password file.  Please
    # see the man page for htdigest and then configure the following four directives
    # to suit your authentication needs.
    #
    #    AuthType           Digest
    #    AuthName           "MythTV"
    #    AuthUserFile       /var/www/htdigest
    #    Require            valid-user
    #    BrowserMatch       "MSIE"      AuthDigestEnableQueryStringHack=On
    #    Order              allow,deny

I am not convinced /var/www is a safe place to keep your htdigest file, so I changed that line to store it in /etc/mythtv/htdigest. I added an "Allow from 192.168.0." line to allow users with an IP address starting 192.168.0 to connect without a password, then a "Satisfy any" line to state that the page can only be served to an authenticated valid-user (from the Require line), or on the local network (from the Allow from line). This is what my final section looked like:

        AuthType           Digest
        AuthName           "MythTV"
    #    AuthUserFile       /var/www/htdigest
        AuthUserFile       /etc/mythtv/htdigest
        Require            valid-user
        BrowserMatch       "MSIE"      AuthDigestEnableQueryStringHack=On
        Order              allow,deny
        Allow from 192.168.0.
        Satisfy            any

Enable the Apache module which implements the Digest authentication method

You now must enable Apache's auth_digest module using the a2enmod command.

    sudo a2enmod auth_digest

If you forget to do this you will see errors like this in your Apache error log when you attempt to connect from a non-local address:

    [Mon Jul 09 23:27:21 2012] [crit] [client 69.163.149.163] configuration error:  couldn't check user.  Check your authn provider!: /mythweb

Choose a username and password for remote access

Assuming you used the same values for AuthUserFile and AuthName as I did, you can add the first user to the password file:

    sudo htdigest -c /etc/mythtv/htdigest MythTV username_to_add

The -c parameter creates a new file (replacing any existing one), so don't use it for any additional users you add. If you don't have htdigest installed, you may need to install the apache2-utils package (sudo apt-get install apache2-utils).

Ensure that only the Apache server can read the password file:

    sudo chown www-data /etc/mythtv/htdigest
    sudo chmod 640 /etc/mythtv/htdigest

Tell Apache about the configuration changes

    sudo service apache2 reload

It should now be safe to expose MythWeb to the outside world!
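
Before opening the port, the steps above can be checked with the following script, which is an added example and not part of the original post. The function names and arguments are this example's own; the defaults are the paths used in this post, and /etc/apache2/mods-enabled is assumed to be where a2enmod links enabled modules, as on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example: sanity-check the MythWeb digest-auth setup from this post.

# Print the value of the first uncommented directive $1 in config file $2.
directive() {
    awk -v d="$1" '$1 == d { $1 = ""; gsub(/^[ \t]+|[ \t]+$|"/, ""); print; exit }' "$2"
}

# check_mythweb_auth [CONF] [MODS_ENABLED_DIR]
# Prints one line per problem and returns the number of problems found.
check_mythweb_auth() {
    conf=${1:-/etc/apache2/sites-enabled/mythweb.conf}
    mods=${2:-/etc/apache2/mods-enabled}
    problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    [ "$(directive AuthType "$conf")" = "Digest" ] \
        || fail "AuthType Digest is not active in $conf"
    # Without this module Apache logs "Check your authn provider!".
    [ -e "$mods/auth_digest.load" ] \
        || fail "auth_digest is not enabled (sudo a2enmod auth_digest)"

    realm=$(directive AuthName "$conf")
    file=$(directive AuthUserFile "$conf")
    if [ -z "$file" ] || [ ! -f "$file" ]; then
        # Apache logs "Could not open password file" in this case.
        fail "AuthUserFile '$file' does not exist"
    else
        # htdigest lines are user:realm:hash; the realm must equal AuthName.
        awk -F: -v r="$realm" '$2 == r { n++ } END { exit !n }' "$file" \
            || fail "no user in $file for realm '$realm'"
        # Characters 8-10 of the ls mode string are the "other" permissions.
        other=$(ls -ld "$file" | cut -c8-10)
        [ "$other" = "---" ] || fail "$file is accessible to other users ($other)"
        case $file in
            /var/www/*) fail "$file is under /var/www, which this post avoids" ;;
        esac
    fi
    return "$problems"
}
```

Run it as root with no arguments, for example `sudo sh -c '. ./check_mythweb.sh; check_mythweb_auth'` (the file name is hypothetical); no output and a zero exit status mean every check passed.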

 


12 Responses to Secure MythWeb with Mythbuntu 12.04

  1. Paulo Natel says:

    Good stuff dude!
    just a small suggestion to detail the enable digest part with the actual command.
    Thanks for the help!

  2. Michael Cleland says:

    Thanks for the terrific instructions. There are so many out of date and mostly unhelpful pages for configuring mythweb's authentication, but yours is perfect.

    You might want to add that if htdigest doesn't run as a command, people might have to install it via sudo apt-get install apache2-utils

  3. Ron says:

    I have been struggling with this until I stumbled upon this page. Thanks for the instructions and also thanks “Michael Cleland” for pointing out the sudo apt-get install apache2-utils command.

  4. Charlie says:

    Thank you for the excellent instructions. I appreciate you taking the time to help the rest of us.

  5. Rob Fisher says:

    Can you please confirm that these instructions will work with MythBuntu 16.04?

  6. Leo Maxwell says:

    This is great, thank you.
    Shame the MythTv wiki is so out of date.

  7. Michael says:

    Followed this, and I got an Apache "configuration" error, which, reflected in the apache logs gives:

    "Could not open password file: /etc/mythtv/mythweb-digest"

    Not sure why it was htdigest in the above, but I renamed it to mythweb-digest:

    /etc/apache2/sites-available# mv htdigest mythweb-digest

    All fixed now (ubuntu 16.04)
