Categories: Internet

Secure DNS

I use various Comodo tools to protect my Windows-based computers. One service offering I noticed recently is their Secure DNS, a filtering resolver that provides an alternative to the DNS provided by my ISP. Making the change is straightforward in DHCP or resolver configuration. If you need instructions, they can be found here. One caveat: these are ordinary unencrypted resolvers. They can refuse to answer for known-bad domains, but the queries themselves still travel in the clear over UDP port 53, so you are trusting the provider and the network path between you and it.

The IP addresses for Comodo’s Secure DNS are:-

156.154.70.22
156.154.71.22

Other secure DNS providers include

Google Public DNS

8.8.8.8
8.8.4.4

OpenDNS

208.67.222.222
208.67.220.220

Categories: Linux, MythTV

MythWeb in the DMZ

These instructions have been written specifically for installing MythWeb on an Ubuntu 9.10 host.

Preparation

Build an Apache2 web host in the DMZ and set up password login using .htaccess in the web server's document root (the document root's Directory block needs AllowOverride AuthConfig, or the .htaccess file is silently ignored).

Use individual user IDs and a group called 'authorised-users' to control access to the server, so that one person's access can be revoked without changing a shared password. See htpasswd.

Configure port forwarding on your firewall to forward port 8090 on the public interface to port 80 on the DMZ web server's interface. To access the web page, point the browser at http://mythweb.dyndns.local:8090/ Bear in mind that nothing here is encrypted: Basic authentication sends the password in the clear on every request, and even with the Digest authentication configured later, the pages and recordings cross the internet as plain HTTP.

Test that the security works from outside your own network, for example from a friend's computer with internet access: the site should demand a login, and a wrong password should be refused.

Installation

The default installation for MythWeb is directly on the MythTV backend host. There is no easy installation option for installing MythWeb on another host. However, it is possible to check out MythWeb individually from SVN and install it manually, which is the approach I am taking.

Install Subversion if not already installed.

sudo apt-get install subversion

From the web document root, check out MythWeb from SVN:-

cd /var/www
sudo svn co http://svn.mythtv.org/svn/branches/release-0-22-fixes/mythplugins/mythweb

This will create a subdirectory /var/www/mythweb containing the MythWeb software.

File System Permissions

Determine which user Apache runs as, since that is the user that needs access to the MythWeb data.

ps aux | grep -i apache | awk '{ print $1 }'

This should display a list of the user IDs running Apache processes.


root
www-data
www-data
www-data
www-data
www-data
www-data
www-data
www-data
www-data
vince

The most frequently occurring ID is the one to use. root is the parent process that binds port 80; the www-data entries are the worker processes that actually handle requests and read files, so www-data is the user running Apache on my system. (The final entry, vince, is the grep command itself matching its own command line.)

Give that group read and write access to the data directory, and only to the data directory; the rest of the MythWeb tree should stay read-only to the web server:-

sudo chgrp -R www-data /var/www/mythweb/data
sudo chmod g+rw /var/www/mythweb/data

Create a subdirectory to hold TV channel icons instead of storing them in users' home directories.

sudo mkdir /var/www/mythweb/data/tv_icons
sudo chown www-data:www-data /var/www/mythweb/data/tv_icons
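A check that the permissions above achieve what they should, as an added example that is not part of the original post or of MythWeb: only data/ should be writable by the web server, because anything else that www-data can write is PHP that the next visitor executes. The default path is the post's /var/www/mythweb; pass another directory to check a different install.

```shell
# Added example, not from the original post: confirm that, after the chgrp/chmod
# above, the web server can write only under data/. Anything else in the tree
# that is group- or world-writable lets a compromised www-data process rewrite
# the PHP that serves every later request. Default path is the post's
# /var/www/mythweb; pass another directory to check a different install.

writable_outside_data() {  # [mythweb dir] -> prints offenders; returns 1 if any
    local root=${1:-/var/www/mythweb} found
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    # Group-writable is flagged whatever the group: a file writable by some
    # other group is still wider than this install needs.
    found=$(find "$root" -not -path "$root/data" -not -path "$root/data/*" \
                 \( -perm -g+w -o -perm -o+w \) -print | sort)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

target=${1:-/var/www/mythweb}
if [ -d "$target" ]; then
    writable_outside_data "$target"
else
    echo "skipping: $target not present on this host" >&2
fi
```

An empty result and exit status 0 means the tree is as tight as the steps above intend; any path it prints should be chmod'ed back to g-w,o-w.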

Required Apache Modules

Ensure the required Apache modules are enabled by executing the following (mod_env, which the setenv lines in the MythWeb configuration rely on, is enabled by default on Ubuntu):-

sudo a2enmod rewrite
sudo a2enmod deflate
sudo a2enmod headers
sudo a2enmod auth_digest
sudo /etc/init.d/apache2 restart

Configuring Apache for MythWeb

Copy the sample Apache configuration file to the additional configuration directory ‘sites-available’.

sudo cp /var/www/mythweb/mythweb.conf.apache /etc/apache2/sites-available/mythweb.conf

Edit the file using your favourite text editor and make the following changes. First, uncomment the two LocationMatch rules shown below so that the stream URLs are served without authentication; media players generally cannot log in. Be clear about what that means on an internet-facing server: anyone who can reach port 8090 and guess the numeric IDs in a /pl/stream/ URL can download that recording without a password.


# If you intend to use authentication for MythWeb (see below), you will
# probably also want to uncomment the following rules, which disable
# authentication for MythWeb's download URLs so you can properly stream
# to media players that don't work with authenticated servers.
#
<LocationMatch .*/pl/stream/[0-9]+/[0-9]+>
Allow from all
</LocationMatch>
#
<LocationMatch .*/music/stream.php>
Allow from all
</LocationMatch>

Change the paths for the MythWeb directories in the following section:-

#
# CHANGE THESE PATHS TO MATCH YOUR MYTHWEB INSTALLATION DIRECTORY!  e.g.
#
#    /var/www
#    /home/www/htdocs
#    /var/www/html/mythweb
#    /srv/www/htdocs/mythweb
#
<Directory "/var/www/mythweb/data">
Options -All +FollowSymLinks +IncludesNoExec
</Directory>
<Directory "/var/www/mythweb" >

Configure authentication using htdigest. The AuthUserFile path in the sample, /var/www/htdigest, sits inside the default Ubuntu document root, so make sure it cannot be downloaded: keep it somewhere the web server does not serve, such as under /etc/apache2, and point AuthUserFile there. The file holds MD5(user:realm:password) for every account, which is all a client needs to produce valid Digest responses. Still to check: how this interacts with the .htaccess method used in the preparation stage; update that stage accordingly.

############################################################################
# I *strongly* urge you to turn on authentication for MythWeb.  It is disabled
# by default because it requires you to set up your own password file.  Please
# see the man page for htdigest and then configure the following four directives
# to suit your authentication needs.
#
AuthType           Digest
AuthName           "MythTV"
AuthUserFile       /var/www/htdigest
Require            valid-user
BrowserMatch       "MSIE"      AuthDigestEnableQueryStringHack=On
Order              allow,deny
Satisfy            any
#
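What the htdigest file actually contains, and why it must not be reachable over the web, as an added example that is not part of the original post or of MythWeb. The functions reproduce the Digest computation from RFC 2617 (MD5, qop=auth); the realm MythTV matches the AuthName above, the user vince and password are hypothetical, and the known-answer values are the worked example from RFC 2617 section 3.5, not anything from this setup.

```shell
# Added example: not from the original post or from MythWeb. Shows what an
# htdigest entry stores and that the stored hash alone is enough to answer a
# Digest challenge, i.e. a downloadable /var/www/htdigest is as bad as a
# downloadable password list. Needs md5sum (coreutils).

md5_hex() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# htdigest writes user:realm:MD5(user:realm:password). The hash is HA1 in
# RFC 2617 terms; htdigest never stores the password itself.
htdigest_line() {  # user realm password
    printf '%s:%s:%s\n' "$1" "$2" "$(md5_hex "$1:$2:$3")"
}

# Response the client sends for a challenge (qop=auth), computed from HA1 only.
# Apache does the same computation from the file to verify the client, so
# anyone holding the file can impersonate every user in that realm without
# cracking anything.
digest_response() {  # ha1 method uri nonce nc cnonce
    local ha1=$1 method=$2 uri=$3 nonce=$4 nc=$5 cnonce=$6 ha2
    ha2=$(md5_hex "$method:$uri")
    md5_hex "$ha1:$nonce:$nc:$cnonce:auth:$ha2"
}

# The line `htdigest -c /var/www/htdigest MythTV vince` would add for a
# hypothetical password (realm taken from the AuthName above, user assumed):
htdigest_line vince MythTV 'not-a-real-password'

# Known-answer check with the worked example from RFC 2617 section 3.5:
line=$(htdigest_line Mufasa testrealm@host.com 'Circle Of Life')
ha1=${line##*:}
digest_response "$ha1" GET /dir/index.html \
    dcd98b7102dd2f0e8b11d0f600bfb0c093 00000001 0a4f113b
# -> 6629fae49393a05397450978507c4ef1
```

After creating the real file, request the URL that corresponds to its path (for the sample path, http://mythweb.dyndns.local:8090/htdigest) from outside the network and make sure the answer is a 403 or 404 rather than the file.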

Change the value of db_server from 'localhost' to the hostname of the MythTV backend that holds the MySQL database. Ensure that the MythWeb host can resolve that hostname; edit /etc/hosts to add an entry for the backend if it can't. The db_login and db_password values shown are MythTV's defaults, and the MythWeb host will now be using them across the DMZ boundary, so change the password on the backend (in MySQL and in the backend's mysql.txt) and put the new value here rather than leaving the default.

#
# Use the following environment settings to tell MythWeb where you want it to
# look to connect to the database, the name of the database to connect to, and
# the authentication info to use to connect.  The defaults will usually work
# fine unless you've changed mythtv's mysql.txt file, or are running MythWeb on
# a different server from your main backend.  Make sure you have mod_env enabled.
#
setenv db_server        "pc204"
setenv db_name          "mythconverg"
setenv db_login         "mythtv"
setenv db_password      "mythtv"

Uncomment the error_email line and change the address to one that you currently read.

# If you want MythWeb to email php/database errors (and a backtrace) to you,
# uncomment and set the email address below.
#
#   setenv error_email       "alerts@vlara.co.uk"
#

Enable mod_deflate by uncommenting the following section (mod_deflate and mod_headers were enabled in the previous step):-

# Enable mod_deflate.  This works MUCH more reliably than PHP's built-in
# gzip/Zlib compressors.  It is disabled here because many distros seem not
# to enable mod_deflate by default, but I strongly recommend that you
# enable this section.
#
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
#
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/x-javascript
#
# This is helpful for mod_deflate -- it prevents proxies from changing
# the user agent to/from this server, which can prevent compression from
# being enabled.  It is disabled here because many distros seem not to
# enable mod_headers by default, but I recommend that you enable it.
#
Header append Vary User-Agent env=!dont-vary

Activate the configuration changes by executing the following commands:-

sudo a2ensite mythweb.conf
sudo /etc/init.d/apache2 reload

Network Access To MySQL from the DMZ

The MythWeb host in the DMZ will not have direct access to MySQL on the MythTV backend, because the firewall blocks communication from the DMZ to the inside network. You need to open 'pin holes' in the firewall to permit access from MythWeb to MythTV on ports 3306, 6543 and 6544. I created rules for TCP and UDP until I can test which are required. I suspect only TCP is required; MySQL, the MythTV backend protocol and the backend's HTTP status port are all TCP services, so the UDP rules can be dropped once the TCP ones are confirmed to work.

MySQL on the MythTV backend also needs to be reconfigured to allow access from remote hosts. Edit /etc/mysql/my.cnf and change bind-address from 127.0.0.1 to the IP address of the MythTV host. MySQL will then accept connections from any host that can reach that address, not just the DMZ, so rely on the firewall rules above and on the host restriction of the mythtv account in MySQL to limit who can actually connect.

Testing MythWeb

Playing Flash videos from 'Recorded Programs' results in the error 'Netstream not found'. This is most likely the firewall blocking traffic between the browser and the server. Fortunately, Adobe have a very handy web page that tests connection capability to their Flash Media Server, which can be used to help diagnose the problem.

Create a firewall rule to allow port 1935 (macromedia-fcs) Real Time Messaging Protocol (RTMP) between MythWeb and MythTV.
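A connectivity check for the pin holes in the "Network Access To MySQL from the DMZ" section and for the RTMP rule just added, as an added example that is not part of the original post: run it on the MythWeb host in the DMZ. The backend name pc204 is the db_server value from the configuration above; /dev/tcp is a bash feature, so run it with bash. All four services are TCP, so once the TCP rules pass this check the UDP rules opened "just in case" can be removed.

```shell
# Added example, not from the original post: verify from the DMZ host that the
# firewall pin holes to the MythTV backend pass TCP. Run with bash (uses
# /dev/tcp). Backend host defaults to pc204, the db_server value above.

tcp_open() {  # host port -> succeeds if a TCP connection is accepted within 3 s
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Every port MythWeb needs on the backend is a TCP service:
#   3306  MySQL (mythconverg)
#   6543  MythTV backend protocol
#   6544  backend HTTP status port
#   1935  RTMP, used by the Flash player (see the Testing section)
check_backend() {  # host port... -> one line per port; returns number of blocked ports
    local host=$1 failed=0 port
    shift
    for port in "$@"; do
        if tcp_open "$host" "$port"; then
            echo "ok       $host:$port/tcp"
        else
            echo "BLOCKED  $host:$port/tcp"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

case "${1:-}" in
    "") echo "usage: $0 backend-host [port ...]   e.g. $0 pc204" >&2 ;;
    *)  host=$1; shift
        [ $# -gt 0 ] || set -- 3306 6543 6544 1935
        check_backend "$host" "$@" ;;
esac
```

A BLOCKED line for a port the firewall is supposed to pass means the rule is wrong (or the service is not listening on the backend's LAN address; for 3306 that is the bind-address change above). Run it again with a port you did not open to confirm the firewall is still blocking everything else.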

A work in progress…