Back Midas Rome Roody Rootana
  Midas DAQ System  Not logged in ELOG logo
Entry  11 Jul 2019, Konstantin Olchanski, Bug Report, problems with the default mhttpd configuration 
    Reply  11 Jul 2019, Konstantin Olchanski, Bug Report, problems with the default mhttpd configuration, also elogd 
    Reply  11 Jul 2019, Konstantin Olchanski, Bug Report, rework of mhttpd configuration 
       Reply  11 Jul 2019, Stefan Ritt, Bug Report, rework of mhttpd configuration 
          Reply  12 Jul 2019, Konstantin Olchanski, Bug Report, rework of mhttpd configuration 
Message ID: 1618     Entry time: 11 Jul 2019     In reply to: 1616     Reply to this: 1619
Author: Konstantin Olchanski 
Topic: Bug Report 
Subject: rework of mhttpd configuration 
> Ubuntu LTS 18.04 does not run a restrictive firewall and access to mhttpd ports 8080 and 8443 is not 
blocked.

Clearly, the present defaults settings of mhttpd are out of date.

The best I remember our internal discussions, we have converged on the following new default settings:

- mhttpd only listens on the localhost interface
- only accepts http (not https)
- password protection is off

These settings allow one to easily test midas on a laptop or on a single-user computer.

They also happen to be the correct settings when using an https proxy (i.e. apache httpd).

If the https proxy cannot be on the same computer, (i.e. ALPHA at CERN):

- one would enable mhttpd to listen on the external network interface
- this will enable the mhttpd access controls (ODB /expt/security/mhttpd hosts/allowed hosts)
- one would allow the https proxy machine access to mhttpd by adding it's hostname to "allowed hosts".

In the case where a separate https proxy cannot be used:

- one would enable https on the external network interface
- one would have to obtain an https certificate (there is possibility of adding certbot integration to mhttpd, 
if there is demand for this)
- this will activate the mhttpd password protection, so one would have to define a username and password 
in the .htdigest file (this is done by the mongoose web server library).

I was planning to implement these changes when I update the mongoose web server library to the latest 
version (fixes a memory leak and improves/simplifies multithreading).

But maybe I should implement them sooner.

I am also thinking of adding a proxy function to mhttps (same as "ProxyPass" in apache httpd), set ODB 
/Proxy/webcam to "http://webcam_on_private_network/magic_webcam_url", and access to 
https://midas/webcam will return the data from the webcam without having to set this up in apache httpd 
(requires root access, etc).

K.O.
ELOG V3.1.4-2e1708b5