HTTPS secure WebUI Login?
Hey there guys,
Is there any chance of making the WebUI use (or have an option to use) HTTPS to login? I love Transmission, but I don't like the idea of my login details being sent in cleartext across the internet.
Re: HTTPS secure WebUI Login?
I use lighttpd to proxy the webui connection with SSL. This is the important part of my lighttpd.conf.
Code:
server.modules += ( "mod_proxy" )
$HTTP["url"] =~ "^/transmission/web/" {
    # Serve the static web UI files directly from disk
    server.document-root = "/usr/local/share/"
    expire.url = ( "" => "access 1 hours" )
} else $HTTP["url"] =~ "^/transmission/(rpc|upload)" {
    # Forward RPC and upload requests to the Transmission daemon
    proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => 10000 ) ) )
}
Re: HTTPS secure WebUI Login?
The same here with Nginx (assuming transmission is on the same server and listening on port 9091):
And of course, you have to configure Transmission to listen on localhost only ("rpc-bind-address": "127.0.0.1" in settings.json)!
Code:
server {
    listen 80;
    server_name bittorrent.domain.com;
    # Send every plain-HTTP request to the HTTPS server
    rewrite ^(.*) https://bittorrent.domain.com$1 permanent;
}
server {
    # TLS is enabled with the ssl parameter of listen
    listen 443 ssl;
    server_name bittorrent.domain.com;
    ssl_certificate /etc/ssl/certs/mycert.crt;
    ssl_certificate_key /etc/ssl/private/mycert.key;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        # Pass Location headers from Transmission through unchanged
        proxy_redirect off;
        proxy_pass http://127.0.0.1:9091;
    }
}
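The localhost-only requirement in the post above can be checked mechanically. This is an added shell example, not part of the original post: it audits a settings.json for the two settings that decide whether the TLS proxy can be bypassed. The function names and the sample file are constructed, and it assumes the one-pair-per-line layout Transmission writes.

```shell
#!/bin/sh
# Added example (not from the thread): audit settings.json behind a TLS proxy.

# Print the value of a top-level key. Relies on settings.json holding one
# "key": value pair per line (assumption about the file layout).
json_value() {  # $1 = file, $2 = key
    sed -n 's/^[[:space:]]*"'"$2"'"[[:space:]]*:[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*,\{0,1\}[[:space:]]*$//; s/^"//; s/"$//' | head -n 1
}

# Exit status = number of findings (0 means the proxy cannot be bypassed).
audit_rpc() {  # $1 = path to settings.json
    findings=0
    if [ "$(json_value "$1" rpc-enabled)" = "false" ]; then
        echo "OK   RPC is disabled, nothing to protect"; return 0
    fi
    addr=$(json_value "$1" rpc-bind-address)
    case "$addr" in
        127.0.0.1|::1) echo "OK   rpc-bind-address is loopback ($addr)" ;;
        *) echo "FAIL rpc-bind-address is '${addr:-unset, default 0.0.0.0}':" \
                "the plain-HTTP port is reachable around the proxy"
           findings=$((findings + 1)) ;;
    esac
    # Behind a same-host proxy every request arrives from 127.0.0.1, so the
    # RPC whitelist no longer tells clients apart; the password has to.
    if [ "$(json_value "$1" rpc-authentication-required)" = "true" ]; then
        echo "OK   rpc-authentication-required is true"
    else
        echo "FAIL rpc-authentication-required is not true"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: TLS proxy in front, but the daemon still listens everywhere.
sample=$(mktemp)
cat > "$sample" <<'EOF'
{
    "rpc-authentication-required": true,
    "rpc-bind-address": "0.0.0.0",
    "rpc-enabled": true,
    "rpc-port": 9091,
    "rpc-whitelist-enabled": true
}
EOF
audit_rpc "$sample" || echo "findings: $?"
rm -f "$sample"
```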
Re: HTTPS secure WebUI Login?
sounds cool -- however, it really would be way cooler if no additional software (here: a proxy) and complex & error-prone configuration were necessary.
So, is there any hope that Transmission will one fine day support https in the web interface (at least for the login)?
For the time being a question to gornack: that mycert.crt file comes from where? How can I create it?
And a question for softwareelves: why don't you need a certificate file for your proxy solution (using lighttpd) but gornack (using Nginx) needs one?
Or would it be possible (on OS X) to use the running Apache httpd for https access to the Transmission web interface? How would one configure that?
thx,
Alcuin.
Re: HTTPS secure WebUI Login?
Depending on your platform, STunnel may be the easiest way to go.
http://www.stunnel.org/
Simply set up a proxy on port 443 (or other) on your outward-facing interface, and the local side to 127.0.0.1:transmissionweb, though you'll have to have a self-signed (dummy) cert in place (though I think if you install stunnel from source it will actually build one as part of its make install).
If you want to make your own dummy cert, they also provide instructions on how to do that with the openssl tool (which would be a prerequisite for stunnel anyway, for its openssl libraries):
http://www.stunnel.org/faq/certs.html#ToC5
(Actually, I just downloaded the source file and built it on my Snow Leopard laptop, it built without error and the 'make install' prompted me for dummy info for the dummy cert. For 'Common Name', use the hostname of your system that others would use for it to access it remotely, or '*.domain.com' substituting your domain. Either way, users will have to accept the dummy cert as valid when they first use it anyway.
This page has a pretty simple layout of the stunnel configuration format:
http://www.freebsddiary.org/stunnel-v3-to-v4.php
)
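The earlier question about where mycert.crt comes from, and the Common Name advice in the post above, as an added shell example that is not part of the thread: it creates a self-signed pair with the openssl tool and checks it before a proxy is pointed at it. Function names and the temporary directory are constructed; it assumes OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes OpenSSL 1.1.1+ on PATH.

# make_selfsigned HOST DIR: write DIR/HOST.key and DIR/HOST.crt (valid 365 days).
# HOST goes into Common Name, as the post says, and also into subjectAltName,
# which is the field current browsers match the hostname against.
make_selfsigned() {
    (
        umask 077   # keep the private key readable by its owner only
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
            -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
    )
}

# cert_matches_key CRT KEY: status 0 when both files hold the same public key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_covers_host CRT HOST: status 0 when the certificate is valid for HOST.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match'
}

# Demo in a throwaway directory; the hostname is the one used in the
# Nginx example earlier in the thread.
dir=$(mktemp -d)
host=bittorrent.domain.com
if make_selfsigned "$host" "$dir"; then
    cert_matches_key "$dir/$host.crt" "$dir/$host.key" && echo "key pair: ok"
    cert_covers_host "$dir/$host.crt" "$host" && echo "hostname: ok"
fi
rm -rf "$dir"
```

Nginx takes the two files separately (ssl_certificate and ssl_certificate_key); for a single-file setting such as lighttpd's ssl.pemfile, concatenate the key and the certificate into one file.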
Re: HTTPS secure WebUI Login?
alcuin wrote: Or would it be possible (on OS X) to use the running Apache httpd for https access to the Transmission web interface? How would one configure that?
Yes, Apache can do it, it's called reverse-proxy.
The general idea was shown here http://forum.transmissionbt.com/viewtop ... 133#p29731, just change the place, instead of adding the 3rd part (Apache config file) with the regular server, put it in the SSL server (I don't know how Mac OS X names the files, in Solaris it's httpd.conf and extra/httpd-ssl.conf, in Gentoo Linux it's in vhosts.d/00_default_vhost.conf and 00_default_ssl_vhost.conf (and it could be in any other virtual host, or in httpd.conf if a flat configuration is used)).
Re: HTTPS secure WebUI Login?
Hi everyone... I can see some pretty old posts here, but after several days of trying to access the transmission webui on my VPS over https, I was wondering if anybody might be able to point out what I might be doing wrong?..
I am running lighttpd and have ssl set up so that, when logged onto my VPN (which I do to test these settings without having to change any iptables) I can access my static file root securely over https. The problem I have is that when I try to access the transmission webui over https I get a 500 Internal Server Error. Tailing the lighttpd error log shows that this is happening:
Code:
2011-06-28 19:53:38: (mod_proxy.c.403) connect failed: 9 Permission denied 13
2011-06-28 19:53:38: (mod_proxy.c.939) proxy-server disabled: 127.0.0.1 9091 9
2011-06-28 19:53:38: (mod_proxy.c.1316) no proxy-handler found for: /velocimax/web
My config for this is:
Code:
url.rewrite-once += ( "^/velocimax[/]?$" => "/velocimax/web" )
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"
    $HTTP["url"] =~ "^/velocimax/" {
        proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => 9091 ) ) )
    }
}
I have tried to fix the error by disabling the rpc-whitelist, messing around with rpc-bind-address and changing permissions to 777 for any folders that contain the word 'transmission', but it won't budge. The same error every time. I am running out of steam trying to get this to work!
It's probably obvious, but I'm pretty new to this kind of thing, and I would enormously appreciate any kind of assistance or any ideas at all about how I can access the webui via a https lighttpd proxy. (I have a hunch the problem is on the lighttpd side rather than the transmission side, but who knows, it could be both).
Please and thank you very much in advance!
Tod
Re: HTTPS secure WebUI Login?
One mistake is the first line of your code, rewrite to .../transmission/web not just /web.
That should explain the "Permission denied" error, since /web doesn't exist as a path. Or I could be wrong, I don't use lighttpd.
Re: HTTPS secure WebUI Login?
Why don't you just use ssh and tunnel in. This is the technique I use.
For example:
ssh -L 9999:127.0.0.1:16080 me@distant.machine.edu
would open a tunnel from the client where I sit on port 9999 to port 16080 to the machine where transmission runs, in this case the machine is called: distant.machine.edu. This assumes that transmission listens to port 16080.
Then, on the client, just go in safari to
http://127.0.0.1:9999
Re: HTTPS secure WebUI Login?
nice one .. I got around to trying this a few times and it works quite well
simonpie wrote: Why don't you just use ssh and tunnel in. This is the technique I use.
For example:
ssh -L 9999:127.0.0.1:16080 me@distant.machine.edu
would open a tunnel from the client where I sit on port 9999 to port 16080 to the machine where transmission runs, in this case the machine is called: distant.machine.edu. This assumes that transmission listens to port 16080.
Then, on the client, just go in safari to
http://127.0.0.1:9999
Re: HTTPS secure WebUI Login?
You can try the following configuration for apache : http://jc.coynel.net/2013/08/securing-t ... ps-server/
Hope this helps.
Re: HTTPS secure WebUI Login?
Was searching for a solution to this, and this works perfectly if you don't want to set up a web server. I was able to automate this using Coccinellida, and connect the tunnel with a few clicks when necessary. Thanks for the great solution.
http://coccinellida.sourceforge.net/
http://projects.tynsoe.org/en/stm/ (alternative)
simonpie wrote: Why don't you just use ssh and tunnel in. This is the technique I use.
For example:
ssh -L 9999:127.0.0.1:16080 me@distant.machine.edu
would open a tunnel from the client where I sit on port 9999 to port 16080 to the machine where transmission runs, in this case the machine is called: distant.machine.edu. This assumes that transmission listens to port 16080.
Then, on the client, just go in safari to
http://127.0.0.1:9999