135 lines
6.1 KiB
Markdown
135 lines
6.1 KiB
Markdown
---
|
|
title: "How to secure Transmission behind Apache as TLS reverse proxy ?"
|
|
date: 2018-11-03
|
|
url: how-to-secure-transmission-behind-apache-as-tls-reverse-proxy
|
|
layout: post
|
|
category: Security
|
|
image: /img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_1.png
|
|
description: "Three years later, a working configuration for Apache and Transmission"
|
|
---
|
|
|
|
[![A missing blog post image](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_1.png)](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_1.png)
|
|
|
|
:warning: This post should be set within the [Tutorials](/blog/tutorials/) category, but as "secure" is present within the title... :sunglasses:
|
|
|
|
### Introduction
|
|
|
|
Almost three years ago, I wanted to improve a pretty basic [Transmission](https://transmissionbt.com) installation made by my father, for what we call a _seedbox_.
|
|
|
|
Basically, the expected setup was :
|
|
|
|
* **Apache** (_httpd_) as reverse proxy (not **NGINX** or anything else) ;
|
|
|
|
* Transmission RPC service password-protected (we live in the 21st century, it's difficult to "hide" a service...) ;
|
|
|
|
* A connection over TLS (we are in 2018 now, communications are not really secure by design) ;
|
|
|
|
* Transmission RPC service socket not directly listening on Internet (why the hell would you want that ?).
|
|
|
|
Back in the past, I couldn't manage to get it working for various reasons, but anyway, now it's done, and here is a short but complete post to guide you.
|
|
|
|
**Note before going down** : Apache has been chosen to handle the authentication process here (with `htpasswd`). This way, we don't have to forward any HTTP header to the Transmission back-end through Apache. #keepItSimple
|
|
|
|
### Transmission configuration
|
|
|
|
Let's start with the easy part !
|
|
|
|
So the idea is about making Transmission listening on `localhost` only, and discharge him from handling the authentication part.
|
|
|
|
Simply edit `/etc/transmission-daemon/settings.json`, and modify the keys related to RPC configuration, according to :
|
|
|
|
{% highlight json %}
|
|
{
|
|
"rpc-enabled": true,
|
|
"rpc-bind-address": "127.0.0.1",
|
|
"rpc-port": 9091,
|
|
"rpc-url": "/transmission/",
|
|
"rpc-whitelist": "",
|
|
"rpc-whitelist-enabled": false,
|
|
"rpc-host-whitelist": "127.0.0.1",
|
|
"rpc-host-whitelist-enabled": true,
|
|
"rpc-authentication-required": false,
|
|
"rpc-username": "NOT_RELEVANT",
|
|
"rpc-password": "NOT_RELEVANT"
|
|
}
|
|
{% endhighlight %}
|
|
|
|
Now, you only have to take care of reloading the Transmission daemon, **NOT RESTARTING IT** (your changes would be overridden, as noted within the README file in the same directory) :
|
|
|
|
`# systemctl reload transmission-daemon`
|
|
|
|
### Apache configuration
|
|
|
|
Now the tricky part !
|
|
|
|
I've run many many many tests to come up with a short, straightforward and comprehensive piece of configuration. You should be able to adapt it for your case pretty easily.
|
|
|
|
For a first step, we have to create credentials for the future basic authentication :
|
|
|
|
`# mkdir /etc/apache2/htpasswd/ && htpasswd -c /etc/apache2/htpasswd/transmission transmission`
|
|
|
|
Choose a strong password, and store it somewhere safe (as always, isn't it ? :smirk:).
|
|
|
|
Now, let's add a new VHOST (`/etc/apache2/sites-available/transmission.conf`) for our reverse proxy :
|
|
|
|
{% highlight apache %}
|
|
<VirtualHost _default_:443>
|
|
ServerName your.domain.name
|
|
|
|
<Location "/transmission/">
|
|
AuthType Basic
|
|
AuthName "Credentials for Transmission"
|
|
AuthUserFile "/etc/apache2/htpasswd/transmission"
|
|
Require valid-user
|
|
|
|
ProxyPass "http://localhost:9091/transmission/"
|
|
ProxyPassReverse "http://localhost:9091/transmission/"
|
|
|
|
# Fix for "SSL input filter read failed"
|
|
SetEnv nokeepalive
|
|
</Location>
|
|
|
|
LogLevel Warn
|
|
ErrorLog ${APACHE_LOG_DIR}/transmission_error.log
|
|
CustomLog ${APACHE_LOG_DIR}/transmission_access.log combined
|
|
|
|
SSLEngine On
|
|
SSLCertificateFile /path/to/your/fullchain.pem
|
|
SSLCertificateKeyFile /path/to/your/privkey.pem
|
|
|
|
Header always set Strict-Transport-Security: "max-age=63072000"
|
|
</VirtualHost>
|
|
{% endhighlight %}
|
|
|
|
> The "fix" you surely notice is mostly a workaround for [this issue](https://serverfault.com/questions/928533/connection-reset-by-peer-while-using-apache-as-reverse-proxy/938430#938430).
|
|
|
|
Don't forget to enable the new VHOST :
|
|
|
|
`# a2ensite transmission`
|
|
|
|
> For the given configuration above, you'll have to enable some new Apache modules, if they are not already loaded :
|
|
> `# a2enmod auth_basic env headers proxy_http ssl`
|
|
> `# systemctl restart apache2`
|
|
|
|
Now reload your Apache configuration, and everything is supposed to work... From anywhere (see below) !
|
|
|
|
`# systemctl reload apache2`
|
|
|
|
So, now you should be able to access your Transmission WEB interface from : <https://your.domain.name/transmission/web/>.
|
|
|
|
[![A missing blog post image](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_2.png)](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_2.png)
|
|
|
|
But also from a Transmission remote client that supports TLS (for instance, [transgui](https://github.com/transmission-remote-gui/transgui)) :
|
|
|
|
[![A missing blog post image](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_3.png)](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_3.png)
|
|
|
|
And at last (but not at least !), from an Android remote client, like [Transdroid](https://github.com/erickok/transdroid) :
|
|
|
|
[![A missing blog post image](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_4.png)](/img/blog/how-to-secure-transmission-behind-apache-as-tls-reverse-proxy_4.png)
|
|
|
|
> Pro tip 1 : You'll have to enable the HTTPS scheme under server's **Advanced settings** by checking **Use SSL**.
|
|
> Pro tip 2 : You'll also have to tweak the remote port value under server's **Advanced settings** > **Port number**, by setting it to **443** to make the default **9091** disappear !
|
|
> Pro tip 3 : And finally, you'll have to tweak the remote folder path under server's **Advanced settings** > **Folder**, by setting it to **/transmission/** to match the expected VHOST location.
|
|
|
|
PS : In this guide, I have not spoken about getting a TLS certificate, nor setting up Transmission or Apache from scratch. If you need any help, or have any question, feel free to open a discussion with comments below !
|