On Mon, Jan 02, 2006 at 02:47:48PM -0800, Jonathan Tidmore wrote:
> On 1/2/06, Lee <[EMAIL PROTECTED]> wrote:
> >
> > What did you do in the external Apache config to get this to work?
> > I've been playing with reverse proxies but can't get it to work...
> >
>
> I do a similar thing. I have a hardened server that proxies mythweb
> connections with basic username/password authentication and it only allows
> connections from a few ip addresses. I also added output compression since
> my uplink speed is slow and this allows for a faster loading of mythweb from
> outside my network. I usually have port 80 closed and just use ssh
> forwarding to get in, but I sometimes open port 80 from my router and I feel
> safe this setup keeps people away.
>
> I created /etc/http/conf.d/mythweb.conf:
>
> <IfModule mod_proxy.c>
>   ProxyRequests On
>
>   ProxyPass /mythweb http://mythtv.backend.server/mythweb
>   ProxyPassReverse /mythweb http://mythtv.backend.server/mythweb
>
>   <Proxy *>
>     Order deny,allow
>     Deny from all
>     Allow from 127.0.0.1
>     Allow from 192.168.1.201 192.168.1.202 192.168.1.203
>     Allow from 192.168.1.2 192.168.1.3
>   </Proxy>
>
>   <Location /mythweb>
>     AuthType Basic
>     AuthName "MythTV"
>     AuthUserFile "/etc/httpd/passwd"
>     Require user mythtv
>     SetOutputFilter DEFLATE
>     AddOutputFilterByType DEFLATE text/html text/plain text/xml text/php
>     BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
>     SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
>     Header append Vary User-Agent env=!dont-vary
>   </Location>
>
> </IfModule>
>
> Obviously change 'Allow from' to fit your needs and
> mythtv.backend.server to your MythTV ip or hostname. The Location
> section says to authenticate
> using the user 'mythtv' with the password stored in /etc/httpd/passwd. See
> 'man htpasswd' about creating a proper Apache password file. The rest of
> the Location section says to gzip all html, plaintext, xml, php pages sent
> out (but leave gifs, jpgs, pngs, alone) to any non-IE browser. Firefox and
> Safari can deflate these files properly.

In general you don't want to use "ProxyRequests on" or the "<Proxy ...>"
directives for a reverse proxy. Those allow operation as an outbound proxy.
The configuration above allows connections to /mythweb from anywhere; access
to a reverse proxy just uses a Location block with the same access control
directives used for local content.

It's probably worthwhile to run the proxy with SSL on the external side to
protect your authentication. Since you'd only be using it for encryption
rather than server authentication, a self-signed certificate would be fine.

The directives above explicitly enable deflate compression if the User-Agent
is IE, as well as enabling it by default. Reasonably modern versions of IE
can handle deflate compression for everything except PDFs.

-- 
Michael Heironimus
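
The reverse-proxy layout described in the reply above, as an added example that is not part of either message: forward proxying off, address and password checks on the Location block, and SSL on the external side. It keeps the Apache 2.0/2.2 access-control syntax and the hostnames, addresses and password file of the quoted config; the certificate paths are placeholders, and mod_ssl with a "Listen 443" elsewhere in the server config is assumed.

```apache
# Added example, not from the thread. Certificate paths are placeholders.
#
# Weak settings in the quoted config:
#   ProxyRequests On        -> enables outbound (forward) proxying
#   <Proxy *> Allow from .. -> address list is not on the /mythweb Location
#   plain HTTP              -> Basic auth credentials cross the wire in clear

<IfModule mod_proxy.c>
<VirtualHost _default_:443>
    # Encrypt the external side; a self-signed certificate is enough when
    # the goal is confidentiality of the Basic auth credentials.
    SSLEngine on
    SSLCertificateFile    /path/to/selfsigned.crt
    SSLCertificateKeyFile /path/to/selfsigned.key

    # Reverse proxy only: never relay arbitrary outbound requests.
    ProxyRequests Off

    ProxyPass        /mythweb http://mythtv.backend.server/mythweb
    ProxyPassReverse /mythweb http://mythtv.backend.server/mythweb

    <Location /mythweb>
        # Same access control directives used for local content.
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from 192.168.1.201 192.168.1.202 192.168.1.203
        Allow from 192.168.1.2 192.168.1.3

        AuthType Basic
        AuthName "MythTV"
        AuthUserFile "/etc/httpd/passwd"
        Require user mythtv

        # Require both the address match and the login (the default).
        Satisfy All

        # Refuse this path outright if it is ever reached without SSL,
        # for instance after the block is copied into a port 80 vhost.
        SSLRequireSSL
    </Location>
</VirtualHost>
</IfModule>
```

Running "apachectl configtest" after the change checks the syntax before a restart.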
