[mythtv-users] ssh attack

Michael Heironimus mkh01 at earthlink.net
Tue Jan 3 05:16:56 UTC 2006


On Mon, Jan 02, 2006 at 02:47:48PM -0800, Jonathan Tidmore wrote:
> On 1/2/06, Lee <mythtv at varga.co.uk> wrote:
> 
> > What did you do in the external Apache config to get this to work?
> > I've been playing with reverse proxies but can't get it to work...
> >
> 
> 
> I do a similar thing.  I have a hardened server that proxies mythweb
> connections with basic username/password authentication and it only allows
> connections from a few ip addresses.  I also added output compression since
> my uplink speed is slow and this allows for a faster loading of mythweb from
> outside my network.  I usually have port 80 closed and just use ssh
> forwarding to get in, but I sometimes open port 80 from my router and I feel
> safe this setup keeps people away.
> 
> I created /etc/http/conf.d/mythweb.conf:
> 
> <IfModule mod_proxy.c>
> ProxyRequests On
> 
> ProxyPass /mythweb http://mythtv.backend.server/mythweb
> ProxyPassReverse /mythweb http://mythtv.backend.server/mythweb
> 
> <Proxy *>
>   Order deny,allow
>   Deny from all
>   Allow from 127.0.0.1
>   Allow from 192.168.1.201 192.168.1.202 192.168.1.203
>   Allow from 192.168.1.2 192.168.1.3
> </Proxy>
> 
> <Location /mythweb>
>   AuthType Basic
>   AuthName "MythTV"
>   AuthUserFile "/etc/httpd/passwd"
>   Require user mythtv
>   SetOutputFilter DEFLATE
>   AddOutputFilterByType DEFLATE text/html text/plain text/xml text/php
>   BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
>   SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
>   Header append Vary User-Agent env=!dont-vary
> </Location>
> 
> </IfModule>
> 
> Obviously change 'Allow from' to fit your needs and
> mythtv.backend.server to your MythTV ip or hostname.  The Location
> section says to authenticate using the user 'mythtv' with the password
> stored in /etc/httpd/passwd.  See 'man htpasswd' about creating a proper
> Apache password file.  The rest of the Location section says to gzip all
> html, plaintext, xml, php pages sent out (but leave gifs, jpgs, pngs,
> alone) to any non-IE browser.  Firefox and Safari can deflate these files
> properly.

In general you don't want to use "ProxyRequests on" or the "<Proxy ...>"
directives for a reverse proxy. Those allow operation as an outbound
proxy. The configuration above allows connections to /mythweb from
anywhere. Access to a reverse proxy just uses a Location block with the
same access control directives used for local content.

It's probably worthwhile to run the proxy with SSL on the external side
to protect your authentication. Since you'd only be using it for
encryption rather than server authentication a self-signed certificate
would be fine.

The directives above explicitly enable deflate compression if the
User-Agent is IE, as well as enabling it by default. Reasonably modern
versions of IE can handle deflate compression for everything except
PDFs.

-- 
Michael Heironimus
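The reverse-proxy-only setup Michael describes (no ProxyRequests, no <Proxy *>, access control on the Location block, SSL on the external side), written out as an added example; this is not configuration from either poster, it uses the Apache 2.2 directive style of the thread, and the host names, IP ranges and certificate paths are placeholders to be replaced with your own:

```apache
# Added example (not from the thread). Assumes mod_proxy, mod_ssl,
# mod_deflate and mod_alias are loaded; all names and paths are placeholders.

# Plain HTTP only redirects, so Basic auth credentials never travel unencrypted.
<VirtualHost *:80>
    ServerName proxy.example.com            # placeholder
    Redirect permanent /mythweb https://proxy.example.com/mythweb
</VirtualHost>

<VirtualHost *:443>
    ServerName proxy.example.com            # placeholder
    SSLEngine on
    # A self-signed certificate is enough here: the goal is encryption of
    # the login, not third-party verification of the server's identity.
    SSLCertificateFile    /etc/httpd/ssl/proxy.crt   # placeholder
    SSLCertificateKeyFile /etc/httpd/ssl/proxy.key   # placeholder

    <IfModule mod_proxy.c>
        # Off is the reverse-proxy mode: Apache never forwards arbitrary
        # client requests to other hosts, so no <Proxy *> block is needed.
        ProxyRequests Off
        ProxyPass        /mythweb http://mythtv.backend.server/mythweb
        ProxyPassReverse /mythweb http://mythtv.backend.server/mythweb
    </IfModule>

    # Access control and authentication sit on the Location, exactly as
    # they would for content served from the local filesystem.
    <Location /mythweb>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from 192.168.1.0/24           # placeholder: your trusted clients

        AuthType Basic
        AuthName "MythTV"
        AuthUserFile "/etc/httpd/passwd"    # created with htpasswd
        Require user mythtv
        # Require BOTH a permitted source address AND a valid password.
        # The default for Order/Allow plus Require is also All, but stating
        # it avoids a later "Satisfy Any" elsewhere silently weakening it.
        Satisfy All

        # Compression, unchanged in intent from the original post.
        SetOutputFilter DEFLATE
        AddOutputFilterByType DEFLATE text/html text/plain text/xml
        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
        Header append Vary User-Agent env=!dont-vary
    </Location>
</VirtualHost>
```

Everything outside /mythweb on port 443 still falls through to the default document root, so keep that root empty or locked down as well. On Apache 2.4 the `Order`/`Deny`/`Allow` and `Satisfy` lines are replaced by a `<RequireAll>` block containing `Require ip 127.0.0.1 192.168.1.0/24` and `Require user mythtv`.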

