Securing the Transmission Web GUI behind an HTTPS server
The transmission web interface makes it possible to control the bittorrent client remotely with a web browser. When one runs a seedbox, this is typically the only way to access it.
While it is convenient, I never fancied having this in place, for three reasons:
- even if it is password-protected, it uses plain HTTP, so the login and password are transferred in clear text over the Internet
- I don't fully trust the security of an HTTP server embedded in an application whose real purpose is something else; I guess the developers have other things to worry about
- it requires yet another port to be opened in the firewall
As I already have apache running on this machine with HTTPS, I have decided to run the transmission web interface behind it using mod_ssl and mod_proxy.
Here is how this is done in the apache *.conf file:
# SSLProxyEngine only matters when the backend itself speaks TLS; it is harmless here
SSLProxyEngine on
# Both directives take the public path first, then the backend URL
ProxyPass        /seedbox/ http://localhost:9091/transmission/
ProxyPassReverse /seedbox/ http://localhost:9091/transmission/
To enable the modules in apache, type the following in a shell (a2enmod takes module names without the mod_ prefix, and proxy_http is needed on top of proxy for http:// backends):
sudo a2enmod proxy proxy_http ssl
And voilà! You can then access the transmission web interface at the following URL:
https://myhost/seedbox/web/
You can see that you need to specify the /web/ piece at the end. Accessing https://myhost/seedbox/ alone will lead to an error. I played with this further; see the end of the article.
Don't forget then to block the regular transmission web port on your firewall. The "! -i lo" keeps the loopback interface open, which apache needs to reach the daemon on localhost; if your ruleset already accepts everything on lo before this rule, it can be left out:
iptables -t filter -A INPUT -p tcp --dport 9091 ! -i lo -j DROP
If you want to add a second layer of security (Transmission will still ask you for its own password as well), you can have apache restrict access to the URL by adding this to the apache site configuration file. The Location covers /seedbox/ rather than only /seedbox/web/, so that the RPC endpoint at /seedbox/rpc, which is what actually drives the client, sits behind apache's authentication too:
<Location /seedbox/>
    AuthType Basic
    AuthName "Password Required"
    AuthUserFile <full path to password file>
    Require valid-user
</Location>
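As an added illustration, not from the original article, of two points made above (the clear-text login that is the first objection to the plain-HTTP interface, and the AuthUserFile this block refers to), here is a small standard-library Python script. It decodes the Authorization header a browser sends for Basic auth, builds an AuthUserFile entry in Apache's {SHA} format, and checks a header against it the way Require valid-user does. The user name, password and header are constructed samples; {SHA} is used only because the standard library can compute it, and htpasswd -B (bcrypt) is what you would use for the real file.

```python
import base64
import hashlib
import hmac
from typing import Iterable, Optional, Tuple


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


# Constructed sample of what crosses the wire. Base64 is an encoding, not
# encryption: without TLS, anyone on the path reads the credentials straight
# back out of it, which is the article's first objection to the plain-HTTP UI.
SAMPLE_HEADER = basic_header("alice", "s3cret")


def decode_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a Basic header; None if it is malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def htpasswd_sha_line(user: str, password: str) -> str:
    """One AuthUserFile line in Apache's {SHA} format, which is what
    `htpasswd -s` writes. Chosen here only because it needs nothing beyond
    the standard library; `htpasswd -B` (bcrypt) is the stronger choice."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def check_against_file(header: str, lines: Iterable[str]) -> bool:
    """What `Require valid-user` amounts to: the presented user must exist in
    the file and the hash of the presented password must match its entry."""
    creds = decode_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    presented = htpasswd_sha_line(user, password).encode("ascii")
    ok = False
    for line in lines:
        stored = line.strip().encode("ascii", "replace")
        # constant-time compare, so timing does not reveal how much matched
        if hmac.compare_digest(stored, presented):
            ok = True
    return ok


if __name__ == "__main__":
    print("on the wire:", SAMPLE_HEADER)
    print("recovered  :", decode_basic_header(SAMPLE_HEADER))
    entry = htpasswd_sha_line("alice", "s3cret")
    print("htpasswd   :", entry)
    print("valid user :", check_against_file(SAMPLE_HEADER, [entry]))
    print("wrong pass :", check_against_file(basic_header("alice", "nope"), [entry]))
```

The first two printed lines are the whole argument for putting the interface behind TLS: the header is reversible by anyone who sees it. The htpasswd line is what you would paste into the file named by AuthUserFile.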
Configuring for an easier URL
Notice that the URL needed to reach the interface has to be the full https://myhost/seedbox/web/. It is possible to allow access through https://myhost/seedbox/, but this requires a bit of "hacking" for the RPC calls and is not a very clean solution. It does the trick, though. The key is in the apache *.conf file:
# Backend paths assume Transmission's default rpc-url (/transmission/), as in the first configuration above
ProxyPass        /rpc      http://localhost:9091/transmission/rpc
ProxyPass        /seedbox/ http://localhost:9091/transmission/web/
ProxyPassReverse /rpc      http://localhost:9091/transmission/rpc
ProxyPassReverse /seedbox/ http://localhost:9091/transmission/web/
Don't forget the trailing / after web, or you will get an error. Note also that in this layout the RPC endpoint lives at /rpc, outside a <Location /seedbox/> authentication block, so it needs its own Location block if you want apache's password to cover it.
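To make the two proxy layouts concrete, here is an added Python model (not from the article, and not Apache's own code) of what ProxyPass and ProxyPassReverse do with them: forward a public path to the backend by longest matching prefix, rewrite a backend redirect back onto the public prefix, and work out where a page served under /seedbox/ sends its RPC calls. It assumes Transmission's default rpc-url of /transmission/ and that the web UI reaches its RPC endpoint as ../rpc relative to the page it was loaded from (which is what the /rpc rule is there for); myhost is the placeholder host from the article.

```python
from typing import List, Optional, Tuple
from urllib.parse import urljoin

# Constructed model of the mod_proxy directives used in this article.
# A rule is (public path prefix, backend URL prefix): the argument order
# that both ProxyPass and ProxyPassReverse take.
Rule = Tuple[str, str]

FIRST_CONFIG: List[Rule] = [
    ("/seedbox/", "http://localhost:9091/transmission/"),
]

# The "easier URL" layout. Assumes Transmission's default rpc-url
# (/transmission/) on the backend.
EASIER_CONFIG: List[Rule] = [
    ("/rpc", "http://localhost:9091/transmission/rpc"),
    ("/seedbox/", "http://localhost:9091/transmission/web/"),
]


def _prefix_matches(path: str, public: str) -> bool:
    """Match whole path segments, as mod_proxy does: "/rpc" covers "/rpc"
    and "/rpc/...", but not "/rpcx"."""
    if not path.startswith(public):
        return False
    return public.endswith("/") or len(path) == len(public) or path[len(public)] == "/"


def map_request(path: str, rules: List[Rule]) -> Optional[str]:
    """ProxyPass: the longest matching public prefix wins; return the backend
    URL the request is forwarded to, or None if no rule matches."""
    best: Optional[Rule] = None
    for public, backend in rules:
        if _prefix_matches(path, public) and (best is None or len(public) > len(best[0])):
            best = (public, backend)
    if best is None:
        return None
    public, backend = best
    return backend + path[len(public):]


def rewrite_location(location: str, rules: List[Rule], public_origin: str = "https://myhost") -> str:
    """ProxyPassReverse: when the backend answers with a redirect whose
    Location points at one of its own URL prefixes, rewrite it so the browser
    follows it back through the proxy. Only absolute backend URLs are
    modelled; anything else passes through unchanged."""
    for public, backend in rules:
        if location.startswith(backend):
            return public_origin + public + location[len(backend):]
    return location


def rpc_url_for_page(page_url: str, rpc_relative: str = "../rpc") -> str:
    """Where the browser sends RPC calls if the web UI addresses its RPC
    endpoint relative to the page it was loaded from (assumed to be ../rpc).
    Served at /seedbox/web/ that resolves to /seedbox/rpc, which the first
    layout already proxies; served at /seedbox/ it resolves to /rpc, which
    is why the easier layout needs a rule for /rpc at the root."""
    return urljoin(page_url, rpc_relative)


if __name__ == "__main__":
    for path in ("/seedbox/web/", "/seedbox/rpc", "/other/"):
        print("first  ", path, "->", map_request(path, FIRST_CONFIG))
    print("reverse", rewrite_location("http://localhost:9091/transmission/web/", FIRST_CONFIG))
    for page in ("https://myhost/seedbox/web/", "https://myhost/seedbox/"):
        print("page   ", page, "calls RPC at", rpc_url_for_page(page))
    for path in ("/seedbox/", "/rpc", "/rpcx"):
        print("easier ", path, "->", map_request(path, EASIER_CONFIG))
```

The rpc_url_for_page output is the whole reason the second layout is a hack: moving the UI up one path level moves its RPC calls up one level as well, out from under the /seedbox/ prefix that the Basic-auth Location would otherwise protect.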
Great article, thanks. Works wonders.