MythWeb is one of the most popular add-ons to the MythTV core system. MythWeb is a web based application that lets you browse listings, schedule recording, manage recordings, and more from the convenience of a web browser. It is much easier to perform many MythTV functions through MythWeb as opposed to using the on-screen functions on a TV.
MythWeb has one critical problem. It's not secure. I've seen it argued that it's not really a problem, but let's not split hairs here...it's something that you need to deal with.
Why do you need to secure it? The most important reason in my mind has to do with keeping your recordings. If for any reason a web-crawler happens to go through MythWeb, it is very likely that the web crawler will "click" all the delete links. As some people on the MythTV Mailing list have unfortunate enough to learn the hard way, all your recordings will be gone.
The most common way to secure your MythWeb installation is through the use of Apache's built-in user authentication.
The first step is to create a new password file with your first user. This file can really be store just about anywhere, but the same location as your apache configuration files would be a good choice. You don't want this to be in any public web directory. I am choosing /etc/httpd/mythweb-passwords for this, so if you chose somewhere else, substitute your path as appropriate. I am naming my first user "mythtv". As with the file path, you can put in a different username if you desire.
At a shell command line, run:
htpasswd -c /etc/httpd/mythweb-passwords mythtv htpasswd /etc/httpd/mythweb-passwords user2
You will be prompted to provide and verify a password for the user.
If you plan to add more users, run the same command again, but remove the "-c". The "-c" creates a new file. If you are adding additional users, the file will already exist. I also added "user2" so the example will show how to add additional users.
Now you want to secure that file. The first step is to find out what user your webserver runs as. We are going to change the ownership of the file to that user, then restrict the permissions.
I found which user my apache server runs as by running "ps aux | grep httpd". Most of my httpd instances are running as "apache". I say most, because the first process (the core service itself) is running as root, but it's followed by a handful running as the "apache" user. So in my case "apache" is the real user. This is also specified in your httpd.conf file.
To change the ownership and permissions, run the following from the command line:
chown apache:apache /etc/httpd/mythweb-passwords chmod 640 /etc/httpd/mythweb-passwords
Now we need to tell Apache where and how to use the authentication. Locate your httpd.conf file and open it in your favorite text editor.
You need to add the following to http.conf:
<Directory "/var/www/html/mythweb">
Options Indexes FollowSymLinks
AuthType Basic
AuthName "MythWeb"
AuthUserFile /etc/httpd/mythweb-passwords
require user mythtv user2
Order allow,deny
Allow from all
</Directory>
Directory is the filesystem directory you want to secure, in my case it is "/var/www/html/mythweb", but yours may be different.
Now restart apache, on my system I do it with "/etc/rc.d/init.d/httpd restart".
Now, when you try to access MythWeb, you should be prompted for a username and password. More importantly other users (and spiders) will as well. They won't know your password. When a spider (or malicious user) comes around now, it won't be able to get in, and you won't risk losing your recordings.
why not just secure apache
Well it is securing apache,
PfQKkwZebPgj
PtjzldYItedFEy
QflbqXXZiw