{"id":140,"date":"2012-07-09T23:09:40","date_gmt":"2012-07-09T23:09:40","guid":{"rendered":"http:\/\/francisfisher.me.uk\/problem\/?p=140"},"modified":"2016-03-15T19:46:35","modified_gmt":"2016-03-15T19:46:35","slug":"secure-mythweb-with-mythbuntu-12-04","status":"publish","type":"post","link":"https:\/\/francisfisher.me.uk\/problem\/2012\/secure-mythweb-with-mythbuntu-12-04\/","title":{"rendered":"Secure MythWeb with Mythbuntu 12.04"},"content":{"rendered":"<p>When you install the MythWeb module, the default security settings in Mythbuntu allow password-less access from anywhere. If you wish to be able to schedule (or watch) recordings when you are away from home then you may want to allow users on your local network to access the screens without a password, while requiring a password for connections from outside your network.<\/p>\n<h2>Tell Apache to require authentication for MythWeb<\/h2>\n<p>Open \/etc\/apache2\/sites-enabled\/mythweb.conf (remembering to gain root access) and find the commented out section that looks like this:<\/p>\n<pre>\u00a0\u00a0\u00a0 ############################################################################\r\n\u00a0\u00a0\u00a0 # I *strongly* urge you to turn on authentication for MythWeb.\u00a0 It is disabled\r\n\u00a0\u00a0\u00a0 # by default because it requires you to set up your own password file.\u00a0 Please\r\n\u00a0\u00a0\u00a0 # see the man page for htdigest and then configure the following four directives\r\n\u00a0\u00a0\u00a0 # to suit your authentication needs.\r\n\u00a0\u00a0\u00a0 #\r\n\u00a0\u00a0\u00a0 # \u00a0\u00a0 AuthType\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Digest\r\n\u00a0\u00a0\u00a0 # \u00a0\u00a0 AuthName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \"MythTV\"\r\n\u00a0\u00a0\u00a0 #\u00a0\u00a0\u00a0 AuthUserFile\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/var\/www\/htdigest\r\n\u00a0\u00a0\u00a0 # \u00a0\u00a0 
Require\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 valid-user\r\n\u00a0\u00a0\u00a0 # \u00a0\u00a0 BrowserMatch\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \"MSIE\"\u00a0\u00a0\u00a0\u00a0\u00a0 AuthDigestEnableQueryStringHack=On\r\n\u00a0\u00a0\u00a0 #  \u00a0 Order\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 allow,deny<\/pre>\n<p>I am not convinced \/var\/www is a safe place to keep your htdigest file, so I changed that line to store it in \/etc\/mythtv\/htdigest. I added an \"Allow from 192.168.0.\" line to allow users with an IP address starting 192.168.0 to connect without a password, then a \"Satisfy any\" line to state that the page can only be served to an authenticated valid-user (from the Require line), or to a client on the local network (from the Allow from line). This is what my final section looked like.<\/p>\n<pre>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AuthType\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Digest\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AuthName\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \"MythTV\"\r\n\u00a0\u00a0\u00a0 #\u00a0\u00a0\u00a0 AuthUserFile\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/var\/www\/htdigest\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AuthUserFile\u00a0\u00a0 \u00a0\u00a0\u00a0 \/etc\/mythtv\/htdigest\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Require\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 valid-user\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 BrowserMatch\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \"MSIE\"\u00a0\u00a0\u00a0\u00a0\u00a0 AuthDigestEnableQueryStringHack=On\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Order\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 allow,deny\r\n\u00a0\u00a0 \u00a0    Allow from 192.168.0.\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Satisfy\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 any<\/pre>\n<h2>Enable the Apache module 
which implements the Digest authentication method<\/h2>\n<p>You now must enable Apache's auth_digest module using the a2enmod command.<\/p>\n<pre>sudo a2enmod auth_digest<\/pre>\n<p>If you forget to do this you will see errors like this in your Apache error log when you attempt to connect from a non-local address:<\/p>\n<pre>[Mon Jul 09 23:27:21 2012] [crit] [client 69.163.149.163] configuration error:\u00a0 couldn't check user.\u00a0 Check your authn provider!: \/mythweb<\/pre>\n<h2>Choose a username and password for remote access<\/h2>\n<p>Assuming you used the same values for AuthUserFile and AuthName as I did, you can add the first user to the password file:<\/p>\n<pre>sudo htdigest -c \/etc\/mythtv\/htdigest MythTV username_to_add<\/pre>\n<p>The -c parameter creates a blank file, so don't use it for any additional users you add. If you don't have htdigest installed,\u00a0you may need to install the apache2-utils package (sudo apt-get install apache2-utils).<\/p>\n<p>Ensure that only the Apache server can read the password file:<\/p>\n<pre>sudo chown www-data \/etc\/mythtv\/htdigest\r\nsudo chmod 640 \/etc\/mythtv\/htdigest<\/pre>\n<h2>Tell Apache about the configuration changes<\/h2>\n<pre>sudo service apache2 reload<\/pre>\n<p>It should now be safe to expose MythWeb to the outside world!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When you install the MythWeb module, the default security settings in Mythbuntu allow password-less access from anywhere. 
If you wish to be able to schedule (or watch) recordings when you are away from home then you may want to allow users on your local network to access the screens without a password, while requiring a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false},"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/francisfisher.me.uk\/problem\/wp-json\/wp\/v2\/posts\/140"}],"collection":[{"href":"https:\/\/francisfisher.me.uk\/problem\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/francisfisher.me.uk\/problem\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/francisfisher.me.uk\/problem\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/francisfisher.me.uk\/problem\/wp-json\/wp\/v2\/comments?post=140"}],"version-history":[{"count":11,"href":"https:\/\/francisfisher.me.uk\/problem\/wp-json\/wp\/v2\/posts\/140\/revisions"}],"predecessor-version":[{"id":380,"href":"https:\/\/francisfisher.me.uk\/problem\/wp-json\/wp\/v2\/posts\/140\/revisions\/380"}],"wp:attachment":[{"href":"https:\/\/francisfisher.me.uk\/problem\/wp-json\/wp\/v2\/media?parent=140"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/francisfisher.me.uk\/problem\/wp-json\/wp\/v2\/categories?post=140"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/francisfisher.me.uk\/problem\/wp-json\/wp\/v2\/tags?post=140"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}