Setup the Transmission Web Interface Behind an Apache Reverse Proxy and SSL

Sunday, September 29, 2013

By default, the transmission-daemon service uses its own web server and runs on port 9091. Assuming the service is running and the proper firewall holes have been made, the Transmission web interface can be accessed by going to http://transmission.example.com:9091. While remembering to append port 9091 is not difficult, it would be much cleaner to just go to http://transmission.example.com.

To accomplish this, one option would be to change the rpc-port parameter in /var/lib/transmission/.config/transmission/settings.json to port 80 instead of port 9091. By default, making this change will not work. Port 80 is a restricted port and as such requires the service to be running as root or to have the appropriate CAP_NET_BIND_SERVICE capability.

A second option is to put the transmission-daemon service behind an Apache Reverse Proxy. Why would you want to put the transmission-daemon service behind an Apache Reverse Proxy?

First, it will allow you to navigate to a simpler URL such as http://torrents.example.com instead of http://transmission.example.com:9091. Why did I use torrents.example.com instead of transmission.example.com? If the transmission-daemon service and the Apache service are running on different servers you will have to use different hostnames. However, if the transmission-daemon service and the Apache service are running on the same server you can continue to use transmission.example.com.

Second, with transmission-daemon service behind Apache you can easily setup SSL to encrypt all of the traffic between you and the Transmission web interface (this is not encrypting actual bittorrent traffic). This is even more useful if you have the transmission-daemon service setup for authentication; usernames and passwords should never be sent in plain text.

So how can you set this up?

The following steps are specific to Fedora and Enterprise Linux based distributions but they can be easily adapted to work on other Linux distributions.

First and foremost, if you are using SELinux, and you should be, be sure to turn on the following SELinux boolean, otherwise nothing will work:

setsebool httpd_can_network_connect on

Install the Apache web server:

yum install -y httpd

Remember to change torrents.example.com and transmission.example.com in the examples below to match whatever domain names you are using.

If you don’t care about encrypting the traffic between you and the Transmission web interface, create /etc/httpd/conf.d/torrents.conf with the following contents:

NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin admin@example.com
    ServerName torrents.example.com
    ErrorLog logs/torrents.example.com-error_log
    CustomLog logs/torrents.example.com-access_log common

    ProxyPass / http://transmission.example.com:9091/
    ProxyPassReverse / http://transmission.example.com:9091/
</VirtualHost>

If you do care about encrypting the traffic between you and the Transmission web interface, install the mod_ssl package:

yum install -y mod_ssl

Then, create /etc/httpd/conf.d/torrents.conf with the following contents:

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    ServerAdmin admin@example.com
    ServerName torrents.example.com
    ErrorLog logs/torrents.example.com-error_log
    CustomLog logs/torrents.example.com-access_log common

    RewriteEngine On

    RewriteCond %{SERVER_PORT} =80
    RewriteRule ^/(.*)$ https://%{SERVER_NAME}:443/$1 [R,L]
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin admin@example.com
    ServerName torrents.example.com
    ErrorLog logs/torrents.example.com-ssl_error_log
    CustomLog logs/torrents.example.com-ssl_access_log common

    SSLEngine On
    SSLCertificateFile "/etc/pki/tls/certs/localhost.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/localhost.key"

    ProxyPass / http://transmission.example.com:9091/
    ProxyPassReverse / http://transmission.example.com:9091/
</VirtualHost>

In either case, restart the httpd service:

service httpd restart

If you are running iptables, firewalld, or ufw be sure to open port 80 and port 443 if you are using SSL on the server where Apache is running.

You should now be able to navigate to http://torrents.example.com (this will always redirect to HTTPS if you are using the SSL config above) or https://torrents.example.com to access the Transmission web interface.



comments powered by Disqus