diff --git a/_posts/2018-11-03-how-to-secure-transmission-behind-apache-as-tls-reverse-proxy.md b/_posts/2018-11-03-how-to-secure-transmission-behind-apache-as-tls-reverse-proxy.md new file mode 100644 index 0000000..06f3030 --- /dev/null +++ b/_posts/2018-11-03-how-to-secure-transmission-behind-apache-as-tls-reverse-proxy.md 
@@ -0,0 +1,124 @@ +--- +title: "How to secure Transmission behind Apache as TLS reverse proxy ?" +date: 2018-11-03 +url: how-to-secure-transmission-behind-apache-as-tls-reverse-proxy +layout: post +category: Security +image: /img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_1.png +description: "Three years later, a working configuration for Apache and Transmission" +--- + +[](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_1.png) + +:warning: This post should be set within the [Tutorials](/blog/tutorials/) category, but as "secure" is present within the title... :sunglasses: + +### Introduction + +Almost three years ago, I wanted to improve a pretty basic [Transmission](https://transmissionbt.com) installation made by my father, for what we call a _seedbox_. + +Basically, the expected setup was : + +* **Apache** (_httpd_) as reverse proxy (not **NGINX** or anything else) ; + +* Transmission RPC service password-protected (we live in the 21st century, it's difficult to "hide" a service...) ; + +* A connection over TLS (we are in 2018 now, communications are not really secure by design) ; + +* Transmission RPC service socket not directly listening on Internet (why the hell would you want that ?). + +Back in the past, I couldn't manage to get it working for various reasons, but anyway, now it's done, and here is a short but complete post to guide you. + +**Note before going down** : Apache has been chosen to handle the authentication process here (with `htpasswd`). This way, we don't have to forward any HTTP header to the Transmission back-end through Apache. #keepItSimple + +### Transmission configuration + +Let's start with the easy part ! + +So the idea is about making Transmission listening on `localhost` only, and discharge him from handling the authentication part. 
+ +Simply edit `/etc/transmission-daemon/settings.json`, and modify the lines related to RPC configuration, according to : + +{% highlight json %} + "rpc-enabled": true, + "rpc-bind-address": "127.0.0.1", + "rpc-port": 9091, + "rpc-url": "/transmission/", + "rpc-whitelist": "", + "rpc-whitelist-enabled": false, + "rpc-host-whitelist": "", + "rpc-host-whitelist-enabled": false, + "rpc-authentication-required": false, + "rpc-username": "NOT_RELEVANT", + "rpc-password": "NOT_RELEVANT", +{% endhighlight %} + +Now, you only have to take care of reloading the Transmission daemon, **NOT RESTARTING IT** (your changes would be overridden, as noted within the README file in the same directory) : + +`# systemctl reload transmission-daemon` + +### Apache configuration + +Now the tricky part ! + +I've run many many many tests to come up with a short, straightforward and comprehensive piece of configuration. You should be able to adapt it for your case pretty easily. + +For a first step, we have to create credentials for the future basic authentication : + +`# mkdir /etc/apache2/htpasswd/ && htpasswd -c /etc/apache2/htpasswd/transmission transmission` + +Choose a strong password, and store it somewhere safe (as always, isn't it ? :smirk:). 
+ +Now, let's add a new VHOST for our reverse proxy : + +{% highlight apache %} +<VirtualHost _default_:443> + ServerName your.domain.name + + <Location "/transmission/"> + AuthType Basic + AuthName "Credentials for Transmission" + AuthUserFile "/etc/apache2/htpasswd/transmission" + Require valid-user + + ProxyPass "http://localhost:9091/transmission/" + ProxyPassReverse "http://localhost:9091/transmission/" + + # Fix for "SSL input filter read failed" + SetEnv nokeepalive + </Location> + + LogLevel Warn + ErrorLog ${APACHE_LOG_DIR}/transmission_error.log + CustomLog ${APACHE_LOG_DIR}/transmission_access.log combined + + SSLEngine On + SSLCertificateFile /path/to/your/fullchain.pem + SSLCertificateKeyFile /path/to/your/privkey.pem +</VirtualHost> +{% endhighlight %} + +The "fix" you surely notice is a mostly a workaround for [this issue](https://serverfault.com/questions/928533/connection-reset-by-peer-while-using-apache-as-reverse-proxy/938430#938430). + +> For the given configuration above, you'll need some Apache modules : +> `# a2enmod auth_basic env proxy_http ssl` +> `# systemctl restart apache2` + +Now reload your Apache configuration, and everything is supposed to work... From anywhere ! + +`# systemctl reload apache2` + +So basically again, you should be able to access the Transmission WEB interface with : <https://your.domain.name/transmission/web/>. 
+ +[](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_2.png) + +But also with a Transmission remote client that supports TLS (for instance, [transgui](https://github.com/transmission-remote-gui/transgui)) : + +[](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_3.png) + +And at last (but not at least !), an Android remote client, like [Transdroid](https://github.com/erickok/transdroid) : + +[](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_4.png) + +> Pro tip : You'll have to tweak the remote port value under **Advanced settings** > **Port number**, and set **443** to make the default **9091** disappear ! + +PS : In this guide, I have not spoken about getting a TLS certificate, nor setting up Transmission or Apache from scratch. If you need any help, or have any question, feel free to open a discussion with comments below ! diff --git a/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_1.png b/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_1.png new file mode 100644 index 0000000..ae02440 --- /dev/null +++ b/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_1.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8a83af497e3bd690a11f9483c2f9c08aae148df715a505b88ee2074bc19e95bb +size 32454 diff --git a/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_2.png b/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_2.png new file mode 100644 index 0000000..22522df --- /dev/null +++ b/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_2.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fc9bc0eeac021ba66e2f0c9cabcfb624c258cbc1d094e5cf9f3f4427fd1d72e0 +size 33407 
diff --git a/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_3.png b/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_3.png new file mode 100644 index 0000000..beb0777 --- /dev/null +++ b/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_3.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bc0e906b7b48ec6e98b7cd66ca3e8d00aa3a0b82e97b8a2a0b93ad3ed7679732 +size 20688 diff --git a/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_4.png b/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_4.png new file mode 100644 index 0000000..98a2e73 --- /dev/null +++ b/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_4.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9fd6dc98f853da47e531fa1b8ccc7512e0efeffe4483b3fea2322d194b5dae36 +size 66078
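Review bot: In the Apache configuration section of the post, the `htpasswd -c /etc/apache2/htpasswd/transmission transmission` command creates the credentials file with htpasswd's default (MD5-based) hash; since this file is the only thing standing between the Internet and the RPC endpoint, the command should use `htpasswd -cB ...` so the password is stored with bcrypt. A second, smaller point in the `settings.json` block: `"rpc-whitelist-enabled": false` is unnecessary for this setup, because every request reaching the daemon comes from Apache on 127.0.0.1, so `"rpc-whitelist": "127.0.0.1"` with `"rpc-whitelist-enabled": true` would work unchanged and keep a defence-in-depth check if the bind address is ever widened; the post should at least say why the whitelist is switched off. Finally, the sentence `The "fix" you surely notice is a mostly a workaround for` has a doubled article ("is mostly a workaround").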