Securing the Transmission Web GUI behind an HTTPS server

The transmission web interface makes it possible to control the bittorrent client remotely with a web browser. When ones run a seedox, this is typically the only way to access it.

While is is convenient, I never fancied having this in place for three reasons :

  • even if this is password-protected, this uses the HTTP protocol, hence the login/password is transferred in plain text over the Internet
  • I don’t fully trust the security of a HTTP server embedded in an application which real purpose is another business, I guess the developpers have other things to worry about
  • this requires yet-another port to open in the firewall

As I already have apache running on this machine with HTTPS, I have decided to run the transmission web interface behind it using mod_ssl and mod_proxy.

Here is how this is done in the apache *.conf file:

SSLProxyEngine on
ProxyPass /seedbox/ http://localhost:9091/transmission/
ProxyPassReverse http://localhost:9091/transmission/ /seedbox

To enable the two modules in apache, type the following in a shell:

sudo a2enmod mod_proxy
sudo a2enmod mod_ssl

An voila! You can then access the transmission web interface by accessing the following URL :

https://myhost/seedbox/web/

You see that you need to specify the /web/ piece at the end. Accessing https://myhost/seedbox/ only will lead to an error. I played with this further, see the end of the article.

Don’t forget then to block the regular transmission web port on your firewall:

iptables -t filter -A INPUT -p tcp --dport 9091 -j DROP

If you want to add a second layer of security (Transmission will ask you for a password as well), you can ask apache to restrict the access to the URL by adding this in the apache site configuration file:

<Location /seedbox/web/>
  AuthType Basic
  AuthName "Password Required"
  AuthUserFile <full path to password file>
  Require valid-user
</Location>

Configuring for an easier URL
You notice that the URL required to access the interface needs to be the whole https://myhost/seedbox/web/. It is possible to allow access through https://myhost/seedbox/ but this requires a bit of « hacking » for the RPC calls and is not a very clean solution. It does the trick, though. The key is in the apache *.conf file :

ProxyPass /rpc http://localhost:9091/seedbox/rpc
ProxyPass /seedbox http://localhost:9091/seedbox/web
ProxyPassReverse http://localhost:9091/seedbox/rpc /rpc
ProxyPassReverse http://localhost:9091/seedbox/web /seedbox
· · Posted in · Tagged , , ,

2 Responses

  1. developej
    developej · at · · Reply

    and don’t forget the trailing / after web, or you will get an error

  2. trans-user
    trans-user · at · · Reply

    Great article, thanks. Works wonders.

Leave a Reply