SSL and Transmission

Tags: LetsEncrypt, Transmission, Nginx, SSL

Transmission is a bittorrent client that just works and is piss easy to set up for remote management, either through the web interface or over RPC. By default, though, that remote interface is plain HTTP, so it is just as easy for anyone on the path to sniff your credentials. That is where nginx and Let's Encrypt come in.

First we'll need transmission-daemon installed and running (on Fedora and Ubuntu the package is transmission-daemon).

Stop the daemon, then in Transmission's settings.json set a username, a password and the IP addresses allowed to talk to RPC. The daemon rewrites settings.json when it exits, so edits made while it is running are lost; it also replaces the plaintext rpc-password with a salted hash (a value beginning with "{") the next time it saves, which is expected.

"rpc-password": "thisismypassword",
"rpc-username": "transmission",
"rpc-whitelist": "127.0.0.1,192.168.*.*",

If you're feeling really brave you can turn off whitelisting altogether, but with nginx in front there is no reason to: the proxy connects to the daemon from 127.0.0.1, so the whitelist can stay at 127.0.0.1 alone. The more useful change goes the other way, adding "rpc-bind-address": "127.0.0.1" so that port 9091 only listens on loopback; if it stays on the default 0.0.0.0, anyone on the network can skip the TLS proxy and talk to the daemon in the clear on :9091. The setting for turning whitelisting off, should you want it, is

"rpc-whitelist-enabled": false,
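As an added example (my own, not code from the original post or from Transmission), here is a small script that audits an existing settings.json for the settings that would let a client bypass the proxy and writes back a hardened copy. It assumes the documented settings.json keys (rpc-bind-address, rpc-whitelist, rpc-whitelist-enabled, rpc-authentication-required, rpc-username, rpc-password); the file path is passed on the command line because it differs by distro (on Debian and Ubuntu it is typically /etc/transmission-daemon/settings.json).

```python
"""Audit and harden transmission-daemon RPC settings in settings.json.

Added example; not code from the original post or from Transmission.
Assumes the documented settings.json keys. The daemon must be stopped while
this runs, since it rewrites settings.json on exit and would overwrite the
result.
"""
import getpass
import json
import sys
from pathlib import Path

LOOPBACK = ("127.0.0.1", "::1", "localhost")
# Values an audit should flag as placeholders rather than real secrets.
PLACEHOLDER_PASSWORDS = ("", "transmission", "password")


def audit_rpc_settings(settings: dict) -> list:
    """Return one finding per setting that lets a client skip the nginx proxy.

    Absent keys are evaluated at Transmission's defaults: RPC bound to
    0.0.0.0, no authentication, whitelist enabled and limited to 127.0.0.1.
    """
    findings = []
    bind = settings.get("rpc-bind-address", "0.0.0.0")
    if bind not in LOOPBACK:
        findings.append(f"rpc-bind-address is {bind!r}: port 9091 answers in the clear "
                        "to the whole network, bypassing TLS")
    if not settings.get("rpc-authentication-required", False):
        findings.append("rpc-authentication-required is false: anyone who reaches "
                        "RPC controls the client")
    if not settings.get("rpc-whitelist-enabled", True):
        findings.append("rpc-whitelist-enabled is false: any source address is accepted")
    else:
        entries = [e.strip() for e in settings.get("rpc-whitelist", "127.0.0.1").split(",")]
        wild = [e for e in entries if "*" in e]
        if wild:
            findings.append(f"rpc-whitelist has wildcard entries {wild}: whole subnets "
                            "may talk to the daemon directly instead of via nginx")
    if settings.get("rpc-password", "") in PLACEHOLDER_PASSWORDS:
        findings.append("rpc-password is empty or a placeholder")
    return findings


def harden_rpc_settings(settings: dict, username: str, password: str) -> dict:
    """Return a copy of settings where only the local nginx proxy can reach RPC."""
    hardened = dict(settings)
    hardened.update({
        "rpc-enabled": True,
        # Loopback only: nginx connects from 127.0.0.1, nothing else should.
        "rpc-bind-address": "127.0.0.1",
        "rpc-port": 9091,
        "rpc-authentication-required": True,
        "rpc-username": username,
        # Stored in plaintext here; Transmission replaces it with a salted
        # hash (a value starting with "{") the next time it saves settings.
        "rpc-password": password,
        "rpc-whitelist-enabled": True,
        "rpc-whitelist": "127.0.0.1",
    })
    return hardened


def main(argv: list) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} SETTINGS_JSON USERNAME", file=sys.stderr)
        return 2
    path = Path(argv[1])
    settings = json.loads(path.read_text())
    for finding in audit_rpc_settings(settings):
        print("before:", finding)
    # Prompt rather than take the password as an argument, so it does not
    # end up in shell history or the process list.
    password = getpass.getpass("RPC password: ")
    hardened = harden_rpc_settings(settings, argv[2], password)
    # Write to a temporary file and rename, so a crash cannot truncate settings.json.
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(json.dumps(hardened, indent=4, sort_keys=True) + "\n")
    tmp.replace(path)
    leftovers = audit_rpc_settings(hardened)
    print("after:", "; ".join(leftovers) if leftovers else "no findings")
    return 0 if not leftovers else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the daemon stopped (systemctl stop transmission-daemon), as the user that owns settings.json, then start the daemon again. On the post's own settings it reports three findings before hardening: RPC bound to 0.0.0.0, authentication not required, and the 192.168.*.* wildcard in the whitelist.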

Next we'll want some certificates. You could always mess about with self-signed certs, but those occasionally caused issues with certain Transmission clients; now that Let's Encrypt exists we can use fully verified ones for free.

Once you've got the Let's Encrypt client up and running (it has since been renamed certbot, with the same certonly subcommand and flags) the command you need is

letsencrypt-auto certonly --webroot -w /usr/share/nginx/html -d foo.bar

Change foo.bar to whatever domain you have pointed at your server. The webroot method only works if nginx is already serving that domain over plain HTTP on port 80 with /usr/share/nginx/html as its root, because the validation server fetches a token from http://foo.bar/.well-known/acme-challenge/.

This should write your certificate chain and private key to /etc/letsencrypt/live/foo.bar/ (fullchain.pem and privkey.pem).

To make use of them we now need nginx listening on port 443, so throw the block below into nginx.conf

server {
  listen       443 ssl;
  listen       [::]:443 ssl;
  server_name  _;
  root         /usr/share/nginx/html;

  ssl_certificate "/etc/letsencrypt/live/foo.bar/fullchain.pem";
  ssl_certificate_key "/etc/letsencrypt/live/foo.bar/privkey.pem";
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
  # TLS 1.0 and 1.1 are deprecated; add TLSv1.3 here if nginx >= 1.13.0 is built against OpenSSL 1.1.1
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off; # Requires nginx >= 1.5.9
  ssl_stapling on; # Requires nginx >= 1.3.7
  ssl_stapling_verify on; # Requires nginx >= 1.3.7
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 5s;
  # Load configuration files for the default server block.
  include /etc/nginx/default.d/*.conf;

  location / {
  }

  location /transmission {
    proxy_set_header    X-Real-IP  $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    Host $http_host;
    proxy_redirect      off;
    # 127.0.0.1 rather than localhost: the daemon binds an IPv4 address, and
    # "localhost" can resolve to ::1 first on a dual-stack host
    proxy_pass  http://127.0.0.1:9091/transmission;
  }

  error_page 404 /404.html;
  location = /404.html {
  }

  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
  }
}
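As an added example, not part of the original post: the plain-HTTP server block that the webroot challenge above depends on. It reuses the post's own placeholders (foo.bar and /usr/share/nginx/html) and sends everything except the challenge directory to HTTPS, so no client ever ends up posting RPC credentials over port 80.

```nginx
# Added example, not from the original post. The webroot challenge needs
# nginx answering plain HTTP for foo.bar, and nothing else should be served
# over port 80, so the rest is redirected to TLS.
server {
  listen       80;
  listen       [::]:80;
  server_name  foo.bar;

  # certonly --webroot -w /usr/share/nginx/html writes the validation token
  # under this path; the Let's Encrypt validation server fetches it over HTTP.
  location ^~ /.well-known/acme-challenge/ {
    root         /usr/share/nginx/html;
    default_type "text/plain";
  }

  # Everything else goes to HTTPS so credentials never travel in the clear.
  location / {
    return 301 https://$host$request_uri;
  }
}
```

Two directives are also worth adding inside the 443 block: `ssl_trusted_certificate "/etc/letsencrypt/live/foo.bar/chain.pem";`, the issuer chain that ssl_stapling_verify checks OCSP responses against (the client writes chain.pem next to fullchain.pem), and `add_header Strict-Transport-Security "max-age=63072000" always;` so browsers refuse plain HTTP to the host from then on (the two-year max-age is my choice; the always flag needs nginx >= 1.7.5). Run nginx -t before reloading, since a typo in either block takes the whole server down.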

Again, change foo.bar to the domain you used.

Once you restart nginx you should be able to hit https://foo.bar/transmission and log in with the credentials set above (the daemon redirects to /transmission/web/). Two checks are worth a minute: from another machine, http://foo.bar:9091/ should be refused rather than answer, otherwise the TLS proxy can simply be skipped; and a request to https://foo.bar/transmission/web/ without credentials should come back as 401, which is the daemon enforcing the password rather than nginx serving the UI unauthenticated.
