# Mythweb issue after Apache upgrade

## jamtat

Hope this is the right forum for my questions, which relate mainly to Apache and mythweb.

So I read the news item about Apache 2.4 finally being marked stable and was aware that, on my next system upgrade, I might well run into problems after 2.2 would get removed and would be replaced by 2.4. I'm sorting out those issues and have things operating somewhere close to where I need them. The main issue I'm having is that, whereas users on my local LAN used to not get prompted for credentials while users from outside the LAN would, when attempting to access mythweb, now no user is getting prompted for log-in credentials: neither users accessing mythweb from the LAN, nor those from outside the LAN, are being prompted for credentials. So I need to fix that. This box is a dedicated MythTV FE/BE, by the way, and serves no other web pages beside mythweb.

I'm not any kind of Apache aficianado by any means. In fact, I wanted from the start to go with the simplest possible solution for serving mythweb from this machine. I initially considered lighttp but, on someone else's recommendation, tried nginx. I could not get nginx to work so I next tried apache, which did work. I don't recall a whole lot about how I managed to configure the system such that it would allow non-credentialed access from the LAN but would require credentials when accessed from outside the LAN, but I'm pretty sure I relied mostly on information I found at https://www.mythtv.org/wiki/Securing_MythWeb

Specifically, I think it was introduction of a stanza like the following (appropriately revised to accord with my system) into httpd.conf that got things working as I'd wanted: 

```
<Directory "/var/www/html/mythweb">

  Options Indexes FollowSymLinks

  AuthType Basic

  AuthName "MythTV"

  AuthUserFile /etc/httpd/conf/httpd-passwords

  Require valid-user

  Order allow,deny

  Allow from 192.168.1.

  Satisfy any

</Directory>
```

I'm pretty sure the preliminary step of creating a user and accompanying password using the htpasswd command was involved as well (something along the lines of htpasswd -c /usr/local/apache/passwd/passwords rbowen as indicated at http://httpd.apache.org/docs/2.0/howto/auth.html).

Once I'd upgraded, Apache 2.4 had problems with certain lines from that stanza and would not start. More specifically, it didn't like Order allow,deny or Satisfy any. So I had to either revise or comment out those lines: Order allow,deny was changed to Require all granted--as documentation at https://httpd.apache.org/docs/2.4/upgrading.html, linked to from the news item seemed to indicate as the appropriate revision. I did not find documentation at that page regarding the Satisfy any line, so I just commented it out. After those revisions, Apache started. But, as noted, credentials are no longer being required from outside the LAN--the situation I'm now trying to rectify.

So, can anyone help me to determine what further revision I'll need to make in order to get Apache/mythweb working as it was previously? I.e., not challenging for credentials when accessed from the LAN, but prompting for credentials when accessed from a non-LAN address? ThanksLast edited by jamtat on Fri Mar 11, 2016 4:48 pm; edited 1 time in total

----------

## jamtat

After some further reading I came up with a couple of things to try. First, I changed the line 

```
Allow from 192.168.1.
```

 to 

```
Require ip 192.168.1
```

 Then, I commented out the line I'd revised to 

```
Require all granted
```

 On restarting Apache, the system seems to be back to working as it had been--not requiring credentials when accessed from the LAN, but requiring credentials when accessed from all other addresses. So I think this is solved. I'll do another day or two of testing and, if it continues to work as expected and/or there is no further input in this thread, I'll mark this discussion as solved.

For fuller reference, the stanza from httpd.conf now looks something like the following: 

```
<Directory "/var/www/html/mythweb">

  Options Indexes FollowSymLinks

  AuthType Basic

  AuthName "MythTV"

  AuthUserFile /etc/httpd/conf/httpd-passwords

  Require valid-user

  Require ip 192.168.1.

</Directory>
```

Last edited by jamtat on Fri Mar 11, 2016 5:17 pm; edited 1 time in total

----------

## SiliconFiend

Hi James,

The snippet I posted on the MythTV mailing list was out of my /etc/apache2/modules.d/apache-mythweb.conf file. Check that directory; If not that file it might be called mythweb.conf (not sure if I renamed it). Go through and update the paths to the default Gentoo install (/var/www/localhost/htdocs/mythweb...), and uncomment and modify the appropriate lines to be compatible with Apache 2.4 (see my mailing list email). What you have is probably fine as far as authentication, but you may want to switch to AuthType Digest instead of Basic (you'll have to regenerate your AuthUserFile using htdigest instead of htpasswd. If you do switch to mythweb.conf then you should take out that section from httpd.conf.

Karl

----------

## Hu

For the benefit of future readers, SiliconFiend is likely referring to Re: MythWeb: ASX stream or direct download (over ADSL)? (newmank1), which is a response to Re: MythWeb: ASX stream or direct download (over ADSL)? (gajs-f0el).  The latter of which could have also benefited from the Apache 2.2 -> 2.4 upgrade guide referenced in Gentoo news item Upgrading Apache from 2.2 to 2.4 (2016-01-27-upgrading-to-apache-2_4).

----------

## jamtat

 *Hu wrote:*   

> The latter of which could have also benefited from the Apache 2.2 -> 2.4 upgrade guide referenced in Gentoo news item Upgrading Apache from 2.2 to 2.4 (2016-01-27-upgrading-to-apache-2_4).

 

In response to which I will simply reference my opening post in this thread:

 *jamtat wrote:*   

> So I read the news item about Apache 2.4 finally being marked stable . . .

 and, later in that same post,

 *jamtat wrote:*   

>  I had to either revise or comment out those lines: Order allow,deny was changed to Require all granted--as documentation at https://httpd.apache.org/docs/2.4/upgrading.html, linked to from the news item seemed to indicate as the appropriate revision . . .

 

If I missed something in that documentation that answers to the specific questions I raised in this thread, I would appreciate knowing what that is; I don't claim any degree of infallibility when it comes to parsing technical documentation about software whose workings I understand rather poorly. If such is not being pointed out, I don't see the need for posting the link to that documentation a second time.

----------

## Hu

The primary point of my post was to link future readers to the off-forum assistance you received.  However, the linked document also notes the availability of the compatibility module mod_access_compat from the hyperlinked Satisfy verb, which you commented out.

I first read your post when it had no answers, then days later noticed the comment from SiliconFiend.  I did not reread your entire first post before posting the cross-reference to the mailing list.  There have been several other posts lately where people failed to adequately apply the Apache upgrade guide.  I confused your post with one of those, and so included a standard reminder that the guide is useful because in each of those other posts, I believed that the poster would benefit from a reminder.

----------

## jamtat

As I indicated in my opening post, I'd looked over the Upgrading to 2.4 from 2.2 document. I saw the reference "for compatibility with old configurations, the new module mod_access_compat is provided" but was uncertain exactly what was meant. Did it mean I'd need to load some module in order to use my existing configuration file? Would I need to recompile Apache with some new flag set? Coming up with more questions than answers in that regard, I decided I'd go with what seemed the other possible option--revising existing configuration files, something with which I'd previously had at least limited experience.

I'd earlier looked at material under the Satisfy link you provide here as well. So far as I can understand that material, that argument applies to version 2.2. I was expecting, under the Upgrading to 2.4 from 2.2 document, to see something relating to that argument that would either offer the 2.4 equivalent (as the document does for Order allow,deny), or that would say something like "this argument has been deprecated under 2.4 and should be removed from configuration files." Not finding either, and being confronted with an Apache that would not start due to the presence of that argument, I decided to just comment it out. I'm not entirely certain I've taken the proper course of action in regard to that argument, but I do now have an operational Mythweb.

As to the discussion on the MythTV list, that is a thread I started almost one year ago. It concerns problems I was having, once I'd implemented authentication in Mythweb, getting streaming of asx links to work. Also in that case, I had at the time found something that would work; vlc was able to handle additional entry of log-in credentials, while other players would not. It was only while troubleshooting this Apache upgrade issue almost one year later that I ran across, in mythweb.conf, another resolution to the issue of getting asx streams to work, once authentication had been implemented in Mythweb. So that thread was only tangentially related to the upgrade issue I was trying to resolve in this thread.

Once I'd posted on the mythtv list--after an almost yearlong interlude--that alternate resolution, I came to realize that the resolution seemed geared toward Apache 2.2, and would likely not work under Apache 2.4. Being uncertain, due to inexperience and general lack of web-serving competence, whether I was correct in discerning that changes would need to be made to certain lines of the mythweb.conf file in order for this resolution to work under 2.4, I made inquiry on that list about how I thought that file might need to be revised in order for it to be compatible with 2.4. Siliconfiend responded there, posting portions of his mythweb.conf file, relevant lines from which confirmed that I had, indeed, been correct in my supposition.

Other portions of Siliconfiend's mythweb.conf file that did not seem to bear directly on the asx streaming issue, appeared relevant to my query at the beginning of this current thread: lines from that file matched fairly closely lines that I had some time ago introduced into httpd.conf and that I posted in the OP. Knowing he was a gentoo user who also ran MythTV on his gentoo machine, I asked privately whether Siliconfiend might offer some input in this thread--which he generously did. So the two threads, while overlapping in some concerns and circumstances, are not very directly related. Respectfuly, I don't see any good reason for even connecting them.

I remain uncertain what is the relation of the httpd.conf and mythweb.conf files. As it seems to me now, lines such as those included in the OP of this thread might be placed in either configuration file and the outcome would be the same: namely, implementation of authentication in MythWeb. I believe I placed the stanza to which I've referred above in httpd.conf based on reading I'd done at the MythTV wiki link I provided. And it "works"--in the sense that authentication is required for any host outside my LAN, prior to accessing mythweb. Whether I could--or should--remove that stanza from that configuration file and place it in my mythweb.conf, thereby getting the same effect, seems possible but is untested. I was hoping I might get here some further input on that issue, but am so far left guessing.

----------

## SiliconFiend

Hi James,

Sorry for the delay in replying--I forgot to tick the "Notify me when a reply is posted" box. I haven't had a lot of time to really look into this for you, either, sorry. I'll just address one of your questions, which was the difference between httpd.conf and mythweb.conf. They are just different files but the syntax rules for their content are the same. I like to have webapp-specific settings separated into its own file and for the most part avoid modifying the stock httpd.conf, and mythweb provides the mythweb.conf file for that purpose. You just need to put it in a location where it will be loaded. The end of httpd.conf has this:

```
# Supplemental configuration

#

# Most of the configuration files in the /etc/apache2/modules.d/ directory can

# be turned on using APACHE2_OPTS in /etc/conf.d/apache2 to add extra features

# or to modify the default configuration of the server.

#

# To know which flag to add to APACHE2_OPTS, look at the first line of the

# the file, which will usually be an <IfDefine OPTION> where OPTION is the

# flag to use.

Include /etc/apache2/modules.d/*.conf

```

I've chosen to put my mythweb.conf in this directory. If you want to do the same, you just need to put mythweb.conf into /etc/apache2/modules.d/ and modify the paths appropriately. I didn't use the compat module; I didn't have an extensive legacy configuration and I figured why fight the future.  :Smile: 

----------

