HTTPS secure WebUI Login?

timefalls
Posts: 1
Joined: Sat Jul 18, 2009 9:17 pm

HTTPS secure WebUI Login?

Post by timefalls »

Hey there guys,

Is there any chance of making the WebUI use (or have an option to use) HTTPS to login? I love Transmission, but I don't like the idea of my login details being sent in cleartext across the internet.
softwareelves
Web Interface Developer
Posts: 351
Joined: Thu Mar 23, 2006 10:32 pm

Re: HTTPS secure WebUI Login?

Post by softwareelves »

I use lighttpd to proxy the webui connection with SSL. This is the important part of my lighttpd.conf.


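server.modules += ( "mod_proxy" )

# Serve the static web UI files directly from disk
# (expire.url also needs mod_expire to be loaded)
$HTTP["url"] =~ "^/transmission/web/" {
    server.document-root = "/usr/local/share/"
    expire.url = ( "" => "access 1 hours" )
# Forward RPC and upload requests to Transmission on localhost
} else $HTTP["url"] =~ "^/transmission/(rpc|upload)" {
    proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => 10000 ) ) )
}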
gornack
Posts: 1
Joined: Thu Aug 06, 2009 12:43 pm

Re: HTTPS secure WebUI Login?

Post by gornack »

The same here with Nginx (assuming transmission is on the same server and listening on port 9091) :


# Redirect all plain-HTTP requests to HTTPS
server {
  listen   80;
  server_name bittorrent.domain.com;
  rewrite ^(.*) https://bittorrent.domain.com$1 permanent;
}

# Terminate TLS here and proxy to Transmission on localhost
server {
  listen   443 ssl;
  server_name bittorrent.domain.com;

  ssl_certificate /etc/ssl/certs/mycert.crt;
  ssl_certificate_key    /etc/ssl/private/mycert.key;

  location / {
    proxy_set_header    X-Real-IP  $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    Host $http_host;
    proxy_redirect      off;
    proxy_pass          http://127.0.0.1:9091;
  }
}
And of course, you have to configure Transmission to listen on localhost only ("rpc-bind-address": "127.0.0.1" in settings.json) !
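
An added example, not part of the original posts or of Transmission's own code: a check of settings.json for the conditions under which the TLS proxy configurations above actually protect the login. The key names are Transmission's; the sample files are constructed, and the defaults used for missing keys are assumptions.

```python
import fnmatch
import ipaddress
import json

# Constructed sample: an RPC section that still exposes the port directly.
SAMPLE_EXPOSED = """{
  "rpc-bind-address": "0.0.0.0",
  "rpc-port": 9091,
  "rpc-authentication-required": false,
  "rpc-whitelist-enabled": true,
  "rpc-whitelist": "192.168.1.*"
}"""

# Constructed sample: RPC reachable only through the local TLS proxy.
SAMPLE_PROXIED = """{
  "rpc-bind-address": "127.0.0.1",
  "rpc-port": 9091,
  "rpc-authentication-required": true,
  "rpc-whitelist-enabled": true,
  "rpc-whitelist": "127.0.0.*"
}"""

def audit_rpc_settings(settings_text, proxy_backend_port=9091):
    """Return (key, problem) findings for an RPC port fronted by a TLS proxy."""
    s = json.loads(settings_text)
    findings = []
    # Defaults for missing keys are assumptions of this example.
    bind = s.get("rpc-bind-address", "0.0.0.0")
    try:
        loopback = ipaddress.ip_address(bind).is_loopback
    except ValueError:
        loopback = False
    if not loopback:
        findings.append(("rpc-bind-address", "RPC reachable without TLS, bypassing the proxy"))
    if s.get("rpc-port", 9091) != proxy_backend_port:
        findings.append(("rpc-port", "proxy_pass points at a different port"))
    if not s.get("rpc-authentication-required", False):
        findings.append(("rpc-authentication-required", "no login is required at all"))
    if s.get("rpc-whitelist-enabled", True):
        # Proxied requests always arrive from the proxy's loopback address.
        allowed = [p.strip() for p in s.get("rpc-whitelist", "127.0.0.1").split(",")]
        if not any(fnmatch.fnmatchcase("127.0.0.1", p) for p in allowed):
            findings.append(("rpc-whitelist", "whitelist rejects the proxy at 127.0.0.1"))
    return findings
```
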
alcuin
Posts: 3
Joined: Mon Jul 27, 2009 9:40 am

Re: HTTPS secure WebUI Login?

Post by alcuin »

sounds cool -- however, it really would be way cooler if no additional software (here: a proxy) and complex & error-prone configuration were necessary.

So, is there any hope that Transmission will one fine day support https in the web interface (at least for the login)?

For the time being a question to gornack: that mycert.crt file comes from where? How can I create it?
And a question for softwareelves: why don't you need a certificate file for your proxy solution (using lighttpd) but gornack (using Nginx) needs one?

Or would it be possible (on OS X) to use the running Apache httpd for https access to the Transmission web interface? How would one configure that?

thx,
Alcuin.
OtisWild
Posts: 2
Joined: Sun Dec 06, 2009 8:09 pm

Re: HTTPS secure WebUI Login?

Post by OtisWild »

Depending on your platform, STunnel may be the easiest way to go.

http://www.stunnel.org/

Simply set up a proxy on port 443 (or other) on your outward-facing interface, and the local side to 127.0.0.1:transmissionweb, though you'll have to have a self-signed (dummy) cert in place (though I think if you install stunnel from source it will actually build one as part of its make install).

If you want to make your own dummy cert, they also provide instructions on how to do that with the openssl tool (which would be a prerequisite for stunnel anyway, for its openssl libraries):

http://www.stunnel.org/faq/certs.html#ToC5

(Actually, I just downloaded the source file and built it on my Snow Leopard laptop; it built without error and the 'make install' prompted me for dummy info for the dummy cert. For 'Common Name', use the hostname of your system that others would use to access it remotely, or '*.domain.com' substituting your domain. Either way, users will have to accept the dummy cert as valid when they first use it anyway.

This page has a pretty simple layout of the stunnel configuration format:
http://www.freebsddiary.org/stunnel-v3-to-v4.php)
rb07
Posts: 1400
Joined: Sun Aug 24, 2008 3:14 am

Re: HTTPS secure WebUI Login?

Post by rb07 »

alcuin wrote: Or would it be possible (on OS X) to use the running Apache httpd for https access to the Transmission web interface? How would one configure that?
Yes, Apache can do it; it's called a reverse proxy.

The general idea was shown here http://forum.transmissionbt.com/viewtop ... 133#p29731, just change the place: instead of adding the 3rd part (Apache config file) with the regular server, put it in the SSL server (I don't know how Mac OS X names the files; in Solaris it's httpd.conf and extra/httpd-ssl.conf, in Gentoo Linux it's in vhosts.d/00_default_vhost.conf and 00_default_ssl_vhost.conf, and it could be in any other virtual host, or in httpd.conf if a flat configuration is used).
DruZod
Posts: 1
Joined: Tue Jun 28, 2011 5:49 pm

Re: HTTPS secure WebUI Login?

Post by DruZod »

Hi everyone... I can see some pretty old posts here, but after several days of trying to access the transmission webui on my VPS over https, I was wondering if anybody might be able to point out what I might be doing wrong?..

I am running lighttpd and have ssl set up so that, when logged onto my VPN (which I do to test these settings without having to change any iptables) I can access my static file root securely over https. The problem I have is that when I try to access the transmission webui over https I get a 500 Internal Server Error. Tailing the lighttpd error log shows that this is happening:


2011-06-28 19:53:38: (mod_proxy.c.403) connect failed: 9 Permission denied 13
2011-06-28 19:53:38: (mod_proxy.c.939) proxy-server disabled: 127.0.0.1 9091 9
2011-06-28 19:53:38: (mod_proxy.c.1316) no proxy-handler found for: /velocimax/web
My config for this is:


url.rewrite-once += ( "^/velocimax[/]?$" => "/velocimax/web" )

$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"

$HTTP["url"] =~ "^/velocimax/"  {
    proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => 9091 ) ) )
}
}
I have tried to fix the error by disabling the rpc-whitelist, messing around with rpc-bind-address and changing permissions to 777 for any folders that contain the word 'transmission', but it won't budge. The same error every time. I am running out of steam trying to get this to work!

It's probably obvious, but I'm pretty new to this kind of thing, and I would enormously appreciate any kind of assistance or any ideas at all about how I can access the webui via a https lighttpd proxy. (I have a hunch the problem is on the lighttpd side rather than the transmission side, but who knows, it could be both).

Please and thank you very much in advance!

Tod
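
An added example, not part of the original post or of lighttpd: a small parser that reads the fields of the mod_proxy lines quoted above and pairs the failed connect with the backend it was aimed at. It assumes the field layout is socket descriptor, message, errno on the "connect failed" line and host, port, socket descriptor on the "proxy-server disabled" line; the hint texts are this example's own wording.

```python
import errno
import re

# Log lines quoted from the post above (lighttpd error log).
LOG = """\
2011-06-28 19:53:38: (mod_proxy.c.403) connect failed: 9 Permission denied 13
2011-06-28 19:53:38: (mod_proxy.c.939) proxy-server disabled: 127.0.0.1 9091 9
2011-06-28 19:53:38: (mod_proxy.c.1316) no proxy-handler found for: /velocimax/web
"""

CONNECT = re.compile(r"\(mod_proxy\.c\.\d+\) connect failed: (\d+) (.+) (\d+)$")
DISABLED = re.compile(r"\(mod_proxy\.c\.\d+\) proxy-server disabled: (\S+) (\d+) (\d+)$")

DENIED = "the OS denied the outbound connect(): local firewall rule or access control policy"
# Where to look for each connect() errno (assumed layout: fd, message, errno).
HINTS = {
    errno.EACCES: DENIED,
    errno.EPERM: DENIED,
    errno.ECONNREFUSED: "nothing is listening on the backend address and port",
    errno.ETIMEDOUT: "packets to the backend are being dropped",
}

def triage(log_text):
    """Pair each failed connect with the backend disabled on the same socket."""
    by_fd, results = {}, []
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if m:
            fd, code = int(m.group(1)), int(m.group(3))
            entry = {"errno": errno.errorcode.get(code, str(code)),
                     "hint": HINTS.get(code, "see errno(3)"),
                     "backend": None}
            by_fd[fd] = entry
            results.append(entry)
            continue
        m = DISABLED.search(line)
        if m and int(m.group(3)) in by_fd:
            by_fd[int(m.group(3))]["backend"] = (m.group(1), int(m.group(2)))
    return results
```
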
rb07
Posts: 1400
Joined: Sun Aug 24, 2008 3:14 am

Re: HTTPS secure WebUI Login?

Post by rb07 »

One mistake is the first line of your code, rewrite to .../transmission/web not just /web.

That should explain the "Permission denied" error, since /web doesn't exist as a path. Or I could be wrong, I don't use lighttpd.
simonpie
Posts: 8
Joined: Tue Feb 24, 2009 4:50 pm

Re: HTTPS secure WebUI Login?

Post by simonpie »

Why don't you just use ssh and tunnel in? This is the technique I use.

For example :
ssh -L 9999:127.0.0.1:16080 me@distant.machine.edu

would open a tunnel from the client where I sit on port 9999 to port 16080 on the machine where Transmission runs; in this case the machine is called distant.machine.edu. This assumes that Transmission listens on port 16080.

Then, on the client, just go in Safari to
http://127.0.0.1:9999
gunzip
Posts: 272
Joined: Wed May 05, 2010 2:12 am

Re: HTTPS secure WebUI Login?

Post by gunzip »

simonpie wrote: Why don't you just use ssh and tunnel in? This is the technique I use.

For example :
ssh -L 9999:127.0.0.1:16080 me@distant.machine.edu

would open a tunnel from the client where I sit on port 9999 to port 16080 on the machine where Transmission runs; in this case the machine is called distant.machine.edu. This assumes that Transmission listens on port 16080.

Then, on the client, just go in Safari to
http://127.0.0.1:9999
Nice one... I got around to trying this a few times and it works quite well.
JC.Coynel
Posts: 1
Joined: Sun Sep 01, 2013 9:21 pm

Re: HTTPS secure WebUI Login?

Post by JC.Coynel »

You can try the following configuration for apache : http://jc.coynel.net/2013/08/securing-t ... ps-server/

Hope this helps.
frankw
Posts: 1
Joined: Fri Nov 29, 2013 5:58 pm

Re: HTTPS secure WebUI Login?

Post by frankw »

simonpie wrote: Why don't you just use ssh and tunnel in? This is the technique I use.

For example :
ssh -L 9999:127.0.0.1:16080 me@distant.machine.edu

would open a tunnel from the client where I sit on port 9999 to port 16080 on the machine where Transmission runs; in this case the machine is called distant.machine.edu. This assumes that Transmission listens on port 16080.

Then, on the client, just go in Safari to
http://127.0.0.1:9999
Was searching for a solution to this, and this works perfectly if you don't want to set up a web server. I was able to automate this using Coccinellida, and connect the tunnel with a few clicks when necessary. Thanks for the great solution.

http://coccinellida.sourceforge.net/
http://projects.tynsoe.org/en/stm/ (alternative)