[mythtv-users] ssh attack
Jonathan Tidmore
jtidmore at gmail.com
Mon Jan 2 22:47:48 UTC 2006
On 1/2/06, Lee <mythtv at varga.co.uk> wrote:
> What did you do in the external Apache config to get this to work?
> I've been playing with reverse proxies but can't get it to work...
>
I do a similar thing. I have a hardened server that proxies mythweb
connections with basic username/password authentication and it only allows
connections from a few ip addresses. I also added output compression since
my uplink speed is slow and this allows for a faster loading of mythweb from
outside my network. I usually have port 80 closed and just use ssh
forwarding to get in, but I sometimes open port 80 from my router and I feel
safe this setup keeps people away.
I created /etc/httpd/conf.d/mythweb.conf:

<IfModule mod_proxy.c>
    # Reverse proxy only: ProxyPass works with ProxyRequests Off.
    # On would also turn this server into a forward proxy.
    ProxyRequests Off
    ProxyPass /mythweb http://mythtv.backend.server/mythweb
    ProxyPassReverse /mythweb http://mythtv.backend.server/mythweb

    # Only these client addresses may use the proxy at all
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from 192.168.1.201 192.168.1.202 192.168.1.203
        Allow from 192.168.1.2 192.168.1.3
    </Proxy>

    <Location /mythweb>
        # Basic username/password authentication
        AuthType Basic
        AuthName "MythTV"
        AuthUserFile "/etc/httpd/passwd"
        Require user mythtv

        # Output compression (mod_deflate)
        SetOutputFilter DEFLATE
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/php
        BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
        Header append Vary User-Agent env=!dont-vary
    </Location>
</IfModule>

Obviously change 'Allow from' to fit your needs and mythtv.backend.server
to your MythTV IP or hostname. The Location section says to authenticate
using the user 'mythtv' with the password stored in /etc/httpd/passwd. See
'man htpasswd' about creating a proper Apache password file. The rest of
the Location section says to gzip all html, plaintext, xml, php pages sent
out (but leave gifs, jpgs, pngs, alone) to any non-IE browser. Firefox and
Safari can deflate these files properly.
After dropping this conf file in /etc/httpd/conf.d, restart Apache.
--
-J
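
Added example, not part of the original post and not MythTV or Apache project code: a small Python audit for a mod_proxy reverse-proxy config of the kind posted above. It flags forward proxying left on, a ProxyPass path with no authenticated <Location>, and Basic auth with no SSLRequireSSL; the SAMPLE config, its /other path and the finding names are constructed for illustration.

```python
import re

# Constructed sample in the style of the post's mythweb.conf, with
# deliberately weak settings; the /other path is hypothetical.
SAMPLE = """\
ProxyRequests On
ProxyPass /mythweb http://mythtv.backend.server/mythweb
ProxyPass /other http://mythtv.backend.server/other
<Proxy *>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Proxy>
<Location /mythweb>
AuthType Basic
Require user mythtv
</Location>
"""

def parse(text):
    """Yield (enclosing_sections, directive, args) for every directive line."""
    stack = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            del stack[-1:]  # close the innermost section; safe if none is open
        elif line.startswith("<"):
            m = re.match(r"<(\w+)\s*(.*?)>$", line)
            stack.append((m.group(1).lower(), m.group(2)))
        else:
            name, _, args = line.partition(" ")
            yield tuple(stack), name.lower(), args.strip()

def audit(text):
    """Return sorted finding codes for a mod_proxy reverse-proxy config."""
    rows, findings, locations = list(parse(text)), set(), {}
    for sections, name, args in rows:
        for kind, arg in sections:
            if kind == "location":  # directives seen inside each <Location path>
                locations.setdefault(arg, {})[name] = args.lower()
    for _, name, args in rows:
        if name == "proxyrequests" and args.lower() == "on":
            findings.add("forward-proxy-enabled")  # ProxyPass does not need it
        if name == "proxypass" and "require" not in locations.get(args.split()[0], {}):
            findings.add("proxypass-without-auth:" + args.split()[0])
    for path, d in locations.items():  # heuristic: TLS may be enforced elsewhere
        if d.get("authtype") == "basic" and "sslrequiressl" not in d:
            findings.add("basic-auth-without-sslrequiressl:" + path)
    return sorted(findings)
```

ProxyPass paths are matched to <Location> blocks by exact string, which is a simplification of how Apache merges sections.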