Mythweb issue after Apache upgrade

[jamtat]

Hope this is the right forum for my questions, which relate mainly to Apache and mythweb.

So I read the news item about Apache 2.4 finally being marked stable and was aware that, on my next system upgrade, I might well run into problems after 2.2 would get removed and would be replaced by 2.4. I'm sorting out those issues and have things operating somewhere close to where I need them. The main issue I'm having is that, whereas users on my local LAN used to not get prompted for credentials while users from outside the LAN would, when attempting to access mythweb, now no user is getting prompted for log-in credentials: neither users accessing mythweb from the LAN, nor those from outside the LAN, are being prompted for credentials. So I need to fix that. This box is a dedicated MythTV FE/BE, by the way, and serves no other web pages beside mythweb.

I'm not any kind of Apache aficianado by any means. In fact, I wanted from the start to go with the simplest possible solution for serving mythweb from this machine. I initially considered lighttp but, on someone else's recommendation, tried nginx. I could not get nginx to work so I next tried apache, which did work. I don't recall a whole lot about how I managed to configure the system such that it would allow non-credentialed access from the LAN but would require credentials when accessed from outside the LAN, but I'm pretty sure I relied mostly on information I found at https://www.mythtv.org/wiki/Securing_MythWeb

Specifically, I think it was introduction of a stanza like the following (appropriately revised to accord with my system) into httpd.conf that got things working as I'd wanted:

[jamtat]

After some further reading I came up with a couple of things to try. First, I changed the line

[SiliconFiend]

Hi James,

The snippet I posted on the MythTV mailing list was out of my /etc/apache2/modules.d/apache-mythweb.conf file. Check that directory; If not that file it might be called mythweb.conf (not sure if I renamed it). Go through and update the paths to the default Gentoo install (/var/www/localhost/htdocs/mythweb...), and uncomment and modify the appropriate lines to be compatible with Apache 2.4 (see my mailing list email). What you have is probably fine as far as authentication, but you may want to switch to AuthType Digest instead of Basic (you'll have to regenerate your AuthUserFile using htdigest instead of htpasswd. If you do switch to mythweb.conf then you should take out that section from httpd.conf.

Karl

[Hu]

For the benefit of future readers, SiliconFiend is likely referring to Re: MythWeb: ASX stream or direct download (over ADSL)? (newmank1), which is a response to Re: MythWeb: ASX stream or direct download (over ADSL)? (gajs-f0el). The latter of which could have also benefited from the Apache 2.2 -> 2.4 upgrade guide referenced in Gentoo news item Upgrading Apache from 2.2 to 2.4 (2016-01-27-upgrading-to-apache-2_4).

[jamtat]

[Hu]

The primary point of my post was to link future readers to the off-forum assistance you received. However, the linked document also notes the availability of the compatibility module mod_access_compat from the hyperlinked Satisfy verb, which you commented out.

I first read your post when it had no answers, then days later noticed the comment from SiliconFiend. I did not reread your entire first post before posting the cross-reference to the mailing list. There have been several other posts lately where people failed to adequately apply the Apache upgrade guide. I confused your post with one of those, and so included a standard reminder that the guide is useful because in each of those other posts, I believed that the poster would benefit from a reminder.

[jamtat]

As I indicated in my opening post, I'd looked over the Upgrading to 2.4 from 2.2 document. I saw the reference "for compatibility with old configurations, the new module mod_access_compat is provided" but was uncertain exactly what was meant. Did it mean I'd need to load some module in order to use my existing configuration file? Would I need to recompile Apache with some new flag set? Coming up with more questions than answers in that regard, I decided I'd go with what seemed the other possible option--revising existing configuration files, something with which I'd previously had at least limited experience.

I'd earlier looked at material under the Satisfy link you provide here as well. So far as I can understand that material, that argument applies to version 2.2. I was expecting, under the Upgrading to 2.4 from 2.2 document, to see something relating to that argument that would either offer the 2.4 equivalent (as the document does for Order allow,deny), or that would say something like "this argument has been deprecated under 2.4 and should be removed from configuration files." Not finding either, and being confronted with an Apache that would not start due to the presence of that argument, I decided to just comment it out. I'm not entirely certain I've taken the proper course of action in regard to that argument, but I do now have an operational Mythweb.

As to the discussion on the MythTV list, that is a thread I started almost one year ago. It concerns problems I was having, once I'd implemented authentication in Mythweb, getting streaming of asx links to work. Also in that case, I had at the time found something that would work; vlc was able to handle additional entry of log-in credentials, while other players would not. It was only while troubleshooting this Apache upgrade issue almost one year later that I ran across, in mythweb.conf, another resolution to the issue of getting asx streams to work, once authentication had been implemented in Mythweb. So that thread was only tangentially related to the upgrade issue I was trying to resolve in this thread.

Once I'd posted on the mythtv list--after an almost yearlong interlude--that alternate resolution, I came to realize that the resolution seemed geared toward Apache 2.2, and would likely not work under Apache 2.4. Being uncertain, due to inexperience and general lack of web-serving competence, whether I was correct in discerning that changes would need to be made to certain lines of the mythweb.conf file in order for this resolution to work under 2.4, I made inquiry on that list about how I thought that file might need to be revised in order for it to be compatible with 2.4. Siliconfiend responded there, posting portions of his mythweb.conf file, relevant lines from which confirmed that I had, indeed, been correct in my supposition.

Other portions of Siliconfiend's mythweb.conf file that did not seem to bear directly on the asx streaming issue, appeared relevant to my query at the beginning of this current thread: lines from that file matched fairly closely lines that I had some time ago introduced into httpd.conf and that I posted in the OP. Knowing he was a gentoo user who also ran MythTV on his gentoo machine, I asked privately whether Siliconfiend might offer some input in this thread--which he generously did. So the two threads, while overlapping in some concerns and circumstances, are not very directly related. Respectfuly, I don't see any good reason for even connecting them.

I remain uncertain what is the relation of the httpd.conf and mythweb.conf files. As it seems to me now, lines such as those included in the OP of this thread might be placed in either configuration file and the outcome would be the same: namely, implementation of authentication in MythWeb. I believe I placed the stanza to which I've referred above in httpd.conf based on reading I'd done at the MythTV wiki link I provided. And it "works"--in the sense that authentication is required for any host outside my LAN, prior to accessing mythweb. Whether I could--or should--remove that stanza from that configuration file and place it in my mythweb.conf, thereby getting the same effect, seems possible but is untested. I was hoping I might get here some further input on that issue, but am so far left guessing.

[SiliconFiend]

Hi James,

Sorry for the delay in replying--I forgot to tick the "Notify me when a reply is posted" box. I haven't had a lot of time to really look into this for you, either, sorry. I'll just address one of your questions, which was the difference between httpd.conf and mythweb.conf. They are just different files but the syntax rules for their content are the same. I like to have webapp-specific settings separated into its own file and for the most part avoid modifying the stock httpd.conf, and mythweb provides the mythweb.conf file for that purpose. You just need to put it in a location where it will be loaded. The end of httpd.conf has this: