[mythtv-users] MythWeb over HTTPS using mod_rewrite

Ronald Frazier ron at ronfrazier.net
Sat May 26 19:58:55 UTC 2012


On Sat, May 26, 2012 at 2:30 PM, Jan Ceuleers <jan.ceuleers at gmail.com> wrote:
> On 05/26/2012 07:09 PM, Ronald Frazier wrote:
>> On Fri, May 25, 2012 at 5:01 PM, Joe Nyland <joe at joenyland.co.uk> wrote:
>>> Are you using mod_rewrite to force HTTPS, or is MythWeb actually running on
>>> HTTPS?
>>
>> No, I'm not using mod_rewrite, but I think that's really irrelevant.
>> mod_rewrite can't "force" HTTPS. HTTPS is an end to end encryption,
>> which means it can't just be switched into HTTPS mode. You have to
>> start the request all over, with the client initiating the HTTPS
>> session. So all mod_rewrite can really do is tell the browser "hey,
>> start again, but use HTTPS this time". From then on, it should behave
>> exactly the same as if HTTPS was explicitly requested.
>
> Errr, no. My mythweb server serves http, and my
> firewall-cum-reverse-proxy translates an https session on its internet
> side into an http session on the home network side.

Well, I think there's your problem. If you do HTTPS from the browser
to the proxy and then have the proxy do HTTP from the proxy to
mythweb, then mythweb is only going to see an HTTP session, so it's
most likely going to generate links that contain http:// at the
beginning. Those connections will then have to go through the
mod_rewrite process again, and I bet the POSTed forms don't survive
the rewrite.

Why don't you just run HTTPS on mythweb too? That's what I do and it's
very simple (at least with apache). Does your proxy not support HTTPS
on the LAN side? I can't imagine it would only support it on one side.

> Also, the reverse
> proxy enforces authentication, whereas the internal mythweb server does
> not. So I only need to authenticate when I connect from the internet,
> but not locally.

That's fine. You can have the proxy do basic authentication over
HTTPS, then have your internal mythweb server also do HTTPS but
without the authentication. The important part is that the whole thing
stays HTTPS so that the links mythweb generates are still valid from
the other side of your proxy.


> I attach the apache reverse proxy config file that accomplishes this.
> Sanitised in that I've removed the actual public DNS name of my reverse
> proxy, but everything else is untouched (.xperim.be is a non-existent
> domain that I use as my home network domain).
>
> Note the quite intricate ProxyPass and ProxyPassReverse rules, with and
> without slashes. These are tricky to get right.

Like I said, I've never worked with a proxy before, so please forgive
any mistakes. However, looking at this, I see:

ProxyHTMLURLMap	http://www.xperim.be/mythweb https://public.dns.name/mythweb

So what this says (I think) is that anything coming in to
https://public.dns.name/mythweb from the WAN gets directed to
http://www.xperim.be/mythweb on the LAN. Correct? So I would just make
sure mythweb supports SSL and change that line to

ProxyHTMLURLMap	https://www.xperim.be/mythweb https://public.dns.name/mythweb


-- 
Ron Frazier
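
Added example, not part of the original message and not the attached config: a reverse-proxy layout that keeps both legs on HTTPS as the message suggests, next to the port-80 redirect it describes. It assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_html and mod_rewrite loaded, and a MythWeb certificate for www.xperim.be issued by a private LAN CA; all /path/to/... values are placeholders.

```apache
# Added example (constructed): hostnames are the ones quoted in the thread,
# every /path/to/... value is a placeholder.

<VirtualHost *:80>
    ServerName public.dns.name
    # A redirect only asks the browser to start over on HTTPS. The first
    # request has already crossed the network in cleartext, and browsers
    # commonly replay a redirected POST as a GET without its form body.
    RewriteEngine On
    RewriteRule ^ https://public.dns.name%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName public.dns.name

    # Browser-to-proxy leg.
    SSLEngine on
    SSLCertificateFile    /path/to/proxy-cert.pem
    SSLCertificateKeyFile /path/to/proxy-key.pem

    # Proxy-to-MythWeb leg. The plain-HTTP arrangement from the thread would be:
    #   ProxyPass /mythweb http://www.xperim.be/mythweb
    # With HTTPS here as well, MythWeb sees an HTTPS request.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /path/to/lan-ca.pem
    ProxyPass        /mythweb https://www.xperim.be/mythweb
    ProxyPassReverse /mythweb https://www.xperim.be/mythweb

    # Rewrite any absolute internal links left in the returned HTML.
    ProxyHTMLEnable On
    ProxyHTMLURLMap https://www.xperim.be/mythweb https://public.dns.name/mythweb

    # Basic authentication only on the internet-facing side.
    <Location /mythweb>
        AuthType Basic
        AuthName "MythWeb"
        AuthUserFile /path/to/htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```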

