Running MythWeb on a separate machine from mythbackend

So, here's something about MythTV that people may actually find useful!

MythTV has, as I mentioned, a neat web frontend called MythWeb. Obviously, since I have a webserver, I wanted to run MythWeb on that; it doesn't make any sense to have two of my local machines exposed to the internet. To my surprise, however, this seems to be an obscure configuration in the Myth world; I could find only two references to it, one from 2004 and one from 2005, both mentioning in passing that it was possible, but giving no details. So here's a quick highlight reel about how to do it.

First, stick MythWeb on your webserver. It is a very good idea at this point to secure access to it, especially (of course) if this is a public-facing server; there are some example directives in the default config file for an htdigest setup. There's nothing specific to MythWeb about restricting access, so just look it up in the Apache docs if you aren't sure. I found I also had to adjust AllowOverride to None to enforce the access restrictions, since I have a .htaccess at a lower level which would otherwise have granted access to the MythWeb directory, so keep that in mind.

Now you're going to need to tweak MythWeb's config a bit. In its config file, look for the setenv db_server parameter and change it to the hostname or IP address of the backend machine that hosts the MySQL database. Also make sure the password is correct, of course.

Finally, the trickiest bit: you need to adjust your MySQL database configuration to allow access from the webserver machine...without stopping access from the local machine. This is surprisingly non-trivial. MySQL has a very strict permissions model.

On the backend machine, edit the MySQL config file - probably /etc/my.cnf. Comment out the line 'skip-networking' and add a line:

bind-address=0.0.0.0

Unfortunately it doesn't seem possible to bind to two specific IP addresses with MySQL; you can only do one specific address, or a wildcard. If your machine only has the loopback interface and a single network interface, this line will be fine, as it will bind to just those two, which is what you need. If it has more than that, you only want to allow access on the loopback interface and one of the real interfaces, and you can't do it with a more restricted wildcard, you'll have to use firewalling to block off the ones you don't want to have access. Which sucks. If anyone knows different, let me know, I'm no MySQL expert.

The trickiest bit is the MySQL privileges. It's not actually that hard, but there are guides on the Google which hate you and want to eat your configuration. Do not follow things like this, which you can find all over the Google results, which tell you to use things like 'update user set Host blahblah...' commands. These will sort of work to allow remote access, but they will also stop access from localhost, which is a pain, and I'm damned if I can figure out how to reverse them properly. Nightmare. No. What you want to do is this:

grant all privileges on mythconverg.* to 'mythtv'@'192.168.1.26' IDENTIFIED by 'your_password_here';
grant all privileges on mythconverg.* to 'mythtv'@'localhost' IDENTIFIED by 'your_password_here';

where 192.168.1.26 is the IP of your webserver and your_password_here is, obviously, the password you want to use. Even if you've already created the user, these will do the right thing. You'll be able to access the database from the webserver and the backend machine, but nowhere else, with the appropriate password - and that's what we want. Yay.

Obviously, if the backend machine has a firewall, you'll need to adjust it as appropriate. Now you should be able to visit http://www.yourwebserver.com/mythweb, enter the username and password if you set up restricted access, and access a working MythWeb interface. Success!
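The firewalling mentioned above, for a backend that listens on bind-address=0.0.0.0, as an added example that is not part of the original post: a small shell helper that prints iptables rules allowing port 3306 only from loopback and the webserver. The function names are hypothetical, and it assumes the backend filters inbound traffic with iptables on the INPUT chain.

```shell
#!/bin/sh
# Added example (not from the original post): print iptables rules that
# limit MySQL (TCP 3306) on the backend to loopback plus one webserver IP.
# Function names are hypothetical; 192.168.1.26 is the post's webserver IP.

MYSQL_PORT=3306

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# iptables uses the first matching rule, so both ACCEPT rules must come
# before the final DROP. -A appends: an earlier ACCEPT already in the
# INPUT chain that covers port 3306 would still win.
mysql_fw_rules() {
    web_ip=$1
    is_ipv4 "$web_ip" || { echo "invalid webserver IP: $web_ip" >&2; return 1; }
    echo "iptables -A INPUT -i lo -p tcp --dport $MYSQL_PORT -j ACCEPT"
    echo "iptables -A INPUT -p tcp -s $web_ip --dport $MYSQL_PORT -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $MYSQL_PORT -j DROP"
}

# Review the output, then apply as root: mysql_fw_rules 192.168.1.26 | sh
```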

For me, this is enough to make it all work. If you stumble across this page via Google, do let me know if it helps or if I messed it up somewhere.

Comments

palintech wrote on 2010-01-29 19:03:
Hi Adam, a bit of a hack for the mysql bind problem is to use the interface IP, and use it for the apps at localhost instead of 127.0.0.1 which does not support using a mysql socket. E.g. bind-address=172.16.1.2 mysql will listen on 172.16.1.2 only, but on the 172.16.1.2 host you can point to 172.16.1.2 instead of 127.0.0.1 (you must adjust grants for users too). Note that you can log in using localhost with the mysql command line if you use sockets (the mysql client does that by default): this way you don't lose root access on localhost.
adamw wrote on 2010-01-29 19:43:
Right. The only issue with that is that mythtv's own database access seems a bit finicky; mythbackend always seems to connect to 'mythtv'@'localhost' for me even if I tell it something different via mythtv-setup. Not quite sure what's going on there. So I thought it best to make sure access through that channel definitely works :) Thanks for the pointer, though.