[mythtv-users] ssh attack

Jonathan Tidmore jtidmore at gmail.com
Mon Jan 2 22:47:48 UTC 2006


On 1/2/06, Lee <mythtv at varga.co.uk> wrote:

> What did you do in the external Apache config to get this to work?
> I've been playing with reverse proxies but can't get it to work...
>


I do a similar thing.  I have a hardened server that proxies mythweb
connections with basic username/password authentication and it only allows
connections from a few ip addresses.  I also added output compression since
my uplink speed is slow and this allows for a faster loading of mythweb from
outside my network.  I usually have port 80 closed and just use ssh
forwarding to get in, but I sometimes open port 80 from my router and I feel
safe this setup keeps people away.

I created /etc/httpd/conf.d/mythweb.conf:

<IfModule mod_proxy.c>
# Forward proxying stays off; the ProxyPass lines below provide the
# reverse proxy on their own.
ProxyRequests Off

ProxyPass /mythweb http://mythtv.backend.server/mythweb
ProxyPassReverse /mythweb http://mythtv.backend.server/mythweb

# Default-deny access list for everything that is proxied
<Proxy *>
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1
  Allow from 192.168.1.201 192.168.1.202 192.168.1.203
  Allow from 192.168.1.2 192.168.1.3
</Proxy>

# Basic authentication plus output compression for the proxied path
<Location /mythweb>
  AuthType Basic
  AuthName "MythTV"
  AuthUserFile "/etc/httpd/passwd"
  Require user mythtv
  SetOutputFilter DEFLATE
  AddOutputFilterByType DEFLATE text/html text/plain text/xml text/php
  BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
  # Images are already compressed, so they are left alone
  SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
  Header append Vary User-Agent env=!dont-vary
</Location>

</IfModule>

Obviously change 'Allow from' to fit your needs and mythtv.backend.server
to your MythTV IP or hostname.  The Location section says to authenticate
using the user 'mythtv' with the password stored in /etc/httpd/passwd.  See
'man htpasswd' about creating a proper Apache password file.  The rest of
the Location section says to gzip all html, plaintext, xml, php pages sent
out (but leave gifs, jpgs, pngs alone) to any non-IE browser.  Firefox and
Safari can deflate these files properly.

After dropping this conf file in /etc/httpd/conf.d, restart Apache.

--
-J
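
The three controls this configuration relies on (no forward proxying, a
default-deny <Proxy *> list, and authentication on each proxied path) can be
checked mechanically before Apache is restarted.  The following is an added
example, not part of the original message; the sample configuration, the
/other path and the function names parse and audit are constructed for
illustration.

```python
import re
# Constructed sample in the layout of the post's file (not the poster's own).
SAMPLE_CONF = """\
ProxyRequests On
ProxyPass /mythweb http://mythtv.backend.server/mythweb
ProxyPass /other http://mythtv.backend.server/other
<Proxy *>
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1
</Proxy>
<Location /mythweb>
  AuthType Basic
  Require user mythtv
</Location>
"""

def parse(conf):
    """Split a conf into top-level directives and <Proxy>/<Location> bodies."""
    top, sections, current = [], {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<(/?)(\w+)\s*([^>]*)>", line)
        if m:  # other containers such as <IfModule> are treated as transparent
            closing, name, arg = m.groups()
            if name.lower() in ("proxy", "location"):
                current = None if closing else (name.lower(), arg.strip())
                if current: sections[current] = []
            continue
        (sections[current] if current else top).append(line.split())
    return top, sections

def audit(conf):
    """Return findings for the post's controls (exact <Location> match only)."""
    top, sections = parse(conf)
    findings = []
    if any([t.lower() for t in d[:2]] == ["proxyrequests", "on"] for d in top):
        findings.append("ProxyRequests On: forward proxy enabled, ProxyPass does not need it")
    acl = [" ".join(d).lower() for d in sections.get(("proxy", "*"), [])]
    if "order deny,allow" not in acl or "deny from all" not in acl:
        findings.append("<Proxy *> is not default-deny")
    for d in top:
        if d[0].lower() == "proxypass" and len(d) > 2:
            loc = [x[0].lower() for x in sections.get(("location", d[1]), [])]
            if "authtype" not in loc or "require" not in loc:
                findings.append(d[1] + ": proxied without AuthType/Require")
    return findings
```

Calling audit() on the text of a conf.d file returns an empty list when all
three controls are present.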