MythWeb from behind the firewall - Jason Lindquist
Idle ramblings of an idle mind
jlindquist
MythWeb from behind the firewall
Backstory: I've been using a dedicated Linux box as my personal DVR for several years now, running MythTV. It's been an adventure, for like my TiVo, MythTV (using Hauppauge PVR cards with tuners and hardware MPEG-2 encoders) will record in the same format used on DVDs. Unlike the TiVo, the act of extracting video and building a DVD is fairly painless. Also, since MythTV has much more available in terms of RAM and disk resources, not to mention a totally open architecture, it has a very nice web front-end so I can manage recordings and schedules from somewhere beyond my living room.

Around the 0.18 or 0.19 release, the MythWeb module was heavily rewritten. It became a lot more powerful, but the side effect was that it broke compatibility with the reverse-proxy module in Apache 1.3. It would still work, but you had to mirror the MythTV box's web server directory tree structure in the firewall. The 1.3 proxy modules could only rewrite HTTP protocol headers. An Apache module, mod_proxy_html, exists to rewrite links inside the body of an HTML document, but it was only compatible with Apache 2.0 and later. I didn't get around to upgrading from 1.3 until I was forced to rebuild the services/firewall host this spring when the original box began to die. The solution works very nicely, but I had a couple of speed bumps worth documenting...
MythWeb lives at http://isn2.figure1.net/mythweb/. Of course you can't see that, it's on a 192.168.0.0/16 network. So I can't see it from work, or from school, or from... anywhere beyond my living room. Which was the point. So I have Apache on my server host doing reverse-proxy work to let me at it as http://web.figure1.net/isn2/mythweb/. (This way, I can also reach any other services that live on that box.) This is the Apache 2.2 configuration to pull it off:
# libxml2 required for proxy_html
LoadFile /usr/lib/libxml2.so
LoadModule proxy_html_module    /usr/local/libexec/mod_proxy_html.so

# mod_proxy_html requirements
Include /web/conf/extra/proxy_html.conf

<IfModule proxy_module>
<IfModule proxy_http_module>

<VirtualHost *:80>

    ProxyRequests off

# Proxy through to isn2
# Let me reach the internal net MythTV box from the outside world

    ProxyPass /isn2/ http://isn2.figure1.net/
    ProxyHTMLURLMap http://isn2.figure1.net /isn2
    <Location /isn2/>
        Order Deny,Allow
        Deny from all
        Allow from 192.168.0
        Allow from 127.0.0.1
        ProxyPassReverse /
        ProxyHTMLLogVerbose On
        SetOutputFilter proxy-html
        ProxyHTMLExtended On
        ProxyHTMLURLMap / /isn2/
        ProxyHTMLURLMap /isn2 /isn2
        RequestHeader unset Accept-Encoding
    </Location>

</VirtualHost>

</IfModule>
</IfModule>


I've deleted some extra Allow from ... lines that enable the high school and my office, but with that setup, it's reachable from, say, an ssh-tunneled port or protected proxy server. It's important to include the proxy_html.conf file that comes with the mod_proxy_html distribution. Without it, links contained in stylesheets and JavaScript will not be properly rewritten--breaking MythWeb entirely! Also, libxml2.so might live somewhere else on your system, so check its location. And for God's sake, turn on authentication in mythweb/.htaccess on the MythTV box. No sense letting everybody at work tweak your recording settings. (And remember, the realm component of htdigest authentication is case-sensitive. It MUST match the AuthName setting in .htaccess!)
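The realm caveat above can be checked mechanically before locking yourself out. This is an added example, not code from the original post: it assumes the standard htdigest line format user:realm:MD5(user:realm:password), and the sample .htaccess, file path, users and password are constructed.

```python
import hashlib
import re

def ha1(user, realm, password):
    """Hash stored in an htdigest file: MD5(user:realm:password)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def auth_name(htaccess):
    """Return the realm from an AuthName directive, or None if absent."""
    m = re.search(r'^\s*AuthName\s+(?:"([^"]*)"|(\S+))', htaccess, re.M | re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def audit(htaccess, htdigest):
    """Classify each htdigest entry against the realm Apache will look up."""
    realm = auth_name(htaccess)
    report = {}
    for line in htdigest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, entry_realm, _stored_hash = line.split(":", 2)
        if entry_realm == realm:
            status = "ok"
        elif entry_realm.lower() == (realm or "").lower():
            status = "case-mismatch"  # lookup fails: realm comparison is exact
        else:
            status = "other-realm"
        report[(user, entry_realm)] = status
    return report

# Constructed sample data (users, password and file path are made up).
HTACCESS = ('AuthType Digest\nAuthName "MythTV"\n'
            'AuthUserFile /etc/mythweb.htdigest\nRequire valid-user\n')
HTDIGEST = "\n".join([
    f"jason:MythTV:{ha1('jason', 'MythTV', 'example-pw')}",
    f"guest:mythtv:{ha1('guest', 'mythtv', 'example-pw')}",
])

if __name__ == "__main__":
    for (user, realm), status in audit(HTACCESS, HTDIGEST).items():
        print(f"{user:8} realm={realm!r:10} {status}")
```

Because the realm is part of the hashed string, a case-mismatched entry cannot be fixed by editing the realm field in place; the user has to be re-added with htdigest under the exact AuthName.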