This guide is part of the MythTV Community Documentation
Candidate for Deletion
Installation and Setup
Installing mythweb is quite easy. One command will install the plugin and all of its dependencies (ie: apache2):
sudo apt-get install mythweb
You can now access mythweb with your browser by entering this address:
You can access mythweb from other computers on your network by using the backend ip address. For example:
Security (This is important)
If you plan to use mythweb over the internet, or if you do not have a hardware firewall on your network, it is imperative that you setup proper security for mythweb. Failure to configure security properly will leave mythweb open to anyone who stumbles on your ip address, including search engines. It is best not to allow these security holes to remain open.
Note: Mythbuntu 9.04 uses the more secure digest method in: A Little More Secure
- First, set up a password file:
$ sudo htpasswd -c /etc/apache2/httpd-passwords MYUSER1
Once the password files has been created, Do Not Use the "-c" Flag again or you will overwrite the file you just created. If you wish to add additional users run the same command without that flag:
$ sudo htpasswd /etc/apache2/httpd-passwords MYUSER2
- Now that you have create that file, modify the permissions and ownership to protect the password information:
$ sudo chown www-data.www-data /etc/apache2/httpd-passwords $ sudo chmod 640 /etc/apache2/httpd-passwords
- To associate the password file with the mythweb directory you need to edit the apache configuration file:
$ gksudo gedit /etc/apache2/httpd.conf
- Cut and paste the following code to the file you have just opened, then save and close that file:
<Directory "/var/www/mythweb"> Options Indexes FollowSymLinks AuthType Basic AuthName "MythTV" AuthUserFile /etc/apache2/httpd-passwords require user MYUSER1 MYUSER2 MYUSER3 Order allow,deny Allow from all </Directory>
- Restart apache:
$ sudo /etc/init.d/apache2 restart
You will now be prompted for a username and password when first connecting to mythweb. This should give added protection from unauthorized access to your mythtv system.
A Little More Secure
This is assuming you are running Ubuntu 8.04, Apache2 have MythTV and MythWeb installed and working correctly. Instead of using htpasswd to generate the passwords we are going to use htdigest. We will also make it so that when accessing MythWeb from your local network you won't need to authenticate.
Note: Mythbuntu 9.04 stores the <Directory> directive in /etc/apache2/sites-enabled/mythweb.conf and stores the apache password file associated with mythweb at /etc/mythtv/mythweb-digest. Modify the directions below with these in mind.
Enable htdigest authentication in Apache
- Enter this at the command line:
sudo a2enmodWhen prompted for what module you want to enable enter:
The reason we use auth_digest is that it provides a little more security than basic (auth_basic).
Create your password directory
We are going to store the password file in the /etc/apache2/passwd directory. The passwd directory will not exist so we will need to make it. We are storing the passwords in this directory because this is not a directory that apache will serve out to the web. This is in case your web server becomes compromised the passwords file won't be easily accessible.
sudo mkdir /etc/apache2/passwd
Create your password FILE
- We need to generate a password file.
sudo htdigest -c /etc/apache2/passwd/passwords MythTV MYTHUSERIt will then ask you to enter a password and then to confirm that password by entering the same password again. This will create a file called "passwords" in the /etc/apache2/passwd/ directory. The "-c" option "creates" the file. It will add the user "MYTHUSER" to the realm (more on that later) "MythTV". All you need to do is change "MYTHUSER" to a username you want to use.
DO NOT use the same password that you use for your login username or the root user.
Add users to password file
If you want to add another user then run the same command above except DO NOT use the "-c" option. As explained above the "-c" option "creates" the file and will overwrite any existing files. Say you want to add "MYTHUSER2"... you would enter
sudo htdigest /etc/apache2/passwd/passwords MythTV MYTHUSER2
Grant Permissions to the new passwords file
sudo chown www-data /etc/apache2/passwd/passwords sudo chgrp www-data /etc/apache2/passwd/passwords sudo chmod 640 /etc/apache2/passwd/passwordsThe first command changes the owner to "www-data". This is the user that apache runs on in Ubuntu. The second command changes the group of the passwords file to "www-data". This is the group that Apache runs on in Ubuntu. The third command limits access to the file. It gives read and write access to the user www-data and it gives read access to the group www-data. The world (or everyone else) will not have read, write or execute permissions to that file.
Edit Apache Config
sudo nano /etc/apache2/apache2.confAdd the following to the bottom of that file.
<Directory "/var/www/mythweb"> Options Indexes FollowSymLinks AuthType Digest AuthName "MythTV" AuthUserFile /etc/apache2/passwd/passwords Require valid-user Order allow,deny Allow from 192.168.1. Satisfy any </Directory>
NOTE: You can substitute nano with gedit. If you are running Ubuntu with a desktop use gedit. If you want to use nano a few hints. Ctrl+o will save the file and Ctrl+x will close the file.
I believe the default Directory for mythweb is /var/www/mythweb. If mythweb is stored somewhere else on your machine you will have to update the first line. As you can see the AuthType is set to Digest which tells Apache that we used htdigest to generate the passwords. AuthName is the realm. Remember we had MythTV in our htdigest command. That was the specify the realm which is the AuthName. AuthUserFile points to our passwords file that we generated using htdigest. Allow from 192.168.1. will allow anyone to connect that has a IP address matching to 192.168.1. This would be anything from 192.168.1.1 through 192.168.1.255. So, if your internal network is different, say, 172.20.1.9 you would change it to Allow from 172.20. This would allow anyone with a IP address between 172.20.0.1 through 172.20.255.255 to connect without authenticating.
Tips and Tricks
- Access from the Internet
- Some internet service providers block incoming requests to port 80 for residential connections. This is a security/bandwidth limiting feature that will prevent you from accessing mythweb from the internet. You can get around this by configuring your router to forward a different port number to port 80 on your mythtv machine. A setup as described is different for each router and cannot be outlined in this wiki.