Publishes a new post about Transmission and Apache as TLS reverse proxy

_posts/2018-11-03-how-to-secure-transmission-behind-apache-as-tls-reverse-proxy.md

@@ -0,0 +1,124 @@
+---
+title: "How to secure Transmission behind Apache as TLS reverse proxy ?"
+date: 2018-11-03
+url: how-to-secure-transmission-behind-apache-as-tls-reverse-proxy
+layout: post
+category: Security
+image: /img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_1.png
+description: "Three years later, a working configuration for Apache and Transmission"
+---
+
+[![A missing blog post image](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_1.png)](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_1.png)
+
+:warning: This post should be set within the [Tutorials](/blog/tutorials/) category,  but as "secure" is present within the title... :sunglasses:
+
+### Introduction
+
+Almost three years ago, I wanted to improve a pretty basic [Transmission](https://transmissionbt.com) installation made by my father, for what we call a _seedbox_.
+
+Basically, the expected setup was :
+
+* **Apache** (_httpd_) as reverse proxy (not **NGINX** or anything else) ;
+
+* Transmission RPC service password-protected (we live in the 21st century, it's difficult to "hide" a service...) ;
+
+* A connection over TLS (we are in 2018 now, communications are not really secure by design) ;
+
+* Transmission RPC service socket not directly listening on Internet (why the hell would you want that ?).
+
+Back in the past, I couldn't manage to get it working for various reasons, but anyway, now it's done, and here is a short but complete post to guide you.
+
+**Note before going down** : Apache has been chosen to handle the authentication process here (with `htpasswd`). This way, we don't have to forward any HTTP header to the Transmission back-end through Apache. #keepItSimple
+
+### Transmission configuration
+
+Let's start with the easy part !
+
+So the idea is about making Transmission listening on `localhost` only, and discharge him from handling the authentication part.
+
+Simply edit `/etc/transmission-daemon/settings.json`, and modify the lines related to RPC configuration, according to :
+
+{% highlight json %}
+	"rpc-enabled": true,
+	"rpc-bind-address": "127.0.0.1",
+	"rpc-port": 9091,
+	"rpc-url": "/transmission/",
+	"rpc-whitelist": "",
+	"rpc-whitelist-enabled": false,
+	"rpc-host-whitelist": "",
+	"rpc-host-whitelist-enabled": false,
+	"rpc-authentication-required": false,
+	"rpc-username": "NOT_RELEVANT",
+	"rpc-password": "NOT_RELEVANT",
+{% endhighlight %}
+
+Now, you only have to take care of reloading the Transmission daemon, **NOT RESTARTING IT** (your changes would be overridden, as noted within the README file in the same directory) :
+
+`# systemctl reload transmission-daemon`
+
+### Apache configuration
+
+Now the tricky part !
+
+I've run many many many tests to come up with a short, straightforward and comprehensive piece of configuration. You should be able to adapt it for your case pretty easily.
+
+For a first step, we have to create credentials for the future basic authentication :
+
+`# mkdir /etc/apache2/htpasswd/ && htpasswd -c /etc/apache2/htpasswd/transmission transmission`
+
+Choose a strong password, and store it somewhere safe (as always, isn't it ? :smirk:).
+
+Now, let's add a new VHOST for our reverse proxy :
+
+{% highlight apache %}
+<VirtualHost _default_:443>
+        ServerName your.domain.name
+
+        <Location "/transmission/">
+                AuthType Basic
+                AuthName "Credentials for Transmission"
+                AuthUserFile "/etc/apache2/htpasswd/transmission"
+                Require valid-user
+
+                ProxyPass "http://localhost:9091/transmission/"
+                ProxyPassReverse "http://localhost:9091/transmission/"
+
+                # Fix for "SSL input filter read failed"
+                SetEnv nokeepalive
+        </Location>
+
+        LogLevel Warn
+        ErrorLog ${APACHE_LOG_DIR}/transmission_error.log
+        CustomLog ${APACHE_LOG_DIR}/transmission_access.log combined
+
+        SSLEngine On
+        SSLCertificateFile /path/to/your/fullchain.pem
+        SSLCertificateKeyFile /path/to/your/privkey.pem
+</VirtualHost>
+{% endhighlight %}
+
+The "fix" you surely notice is a mostly a workaround for [this issue](https://serverfault.com/questions/928533/connection-reset-by-peer-while-using-apache-as-reverse-proxy/938430#938430).
+
+> For the given configuration above, you'll need some Apache modules :
+> `# a2enmod auth_basic env proxy_http ssl`  
+> `# systemctl restart apache2`
+
+Now reload your Apache configuration, and everything is supposed to work... From anywhere !
+
+`# systemctl reload apache2`
+
+So basically again, you should be able to access the Transmission WEB interface with : <https://your.domain.name/transmission/web/>.
+
+[![A missing blog post image](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_2.png)](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_2.png)
+
+But also with a Transmission remote client that supports TLS (for instance, [transgui](https://github.com/transmission-remote-gui/transgui)) :
+
+[![A missing blog post image](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_3.png)](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_3.png)
+
+And at last (but not at least !), an Android remote client, like [Transdroid](https://github.com/erickok/transdroid) :
+
+[![A missing blog post image](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_4.png)](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_4.png)
+
+> Pro tip : You'll have to tweak the remote port value under **Advanced settings** > **Port number**, and set **443** to make the default **9091** disappear !
+
+PS : In this guide, I have not spoken about getting a TLS certificate, nor setting up Transmission or Apache from scratch. If you need any help, or have any question, feel free to open a discussion with comments below !