Securing Transmission-Daemon

So you have some large files you'd like to distribute. Maybe you're the author (or compiler) of a custom distribution of Linux. Or maybe you make videos, and you'd like to allow people to download MP4 files to watch offline. What better way than using BitTorrent for this? It's distributed, it's fast, it's easy to manage.

And what better system to use than Transmission, the default BitTorrent client that comes with most versions of Linux?

Transmission even comes with transmission-daemon, a handy daemon with a useful built-in web front-end that is ideal for running on your own server.

What could be more perfect?

Except - transmission-daemon comes with a major flaw: out of the box, it's very insecure.

  • It doesn't do HTTPS encryption.
  • It uses "Basic" authentication.

Together these mean that the username and password are sent in plain text (Basic authentication only base64-encodes them) with every request, so anyone who can see the traffic can read the password to any transmission-daemon website.

Thankfully, though, it's not too hard to mitigate all that, if you know what you are doing.

For this you will need:

  1. A Linux server (virtual or real, it matters not, as long as it's on the internet)
  2. A configured web server with HTTPS encryption
  3. Transmission-Daemon installed

First off you want to configure transmission-daemon in the right way. Begin by making sure that transmission-daemon isn't running (it rewrites settings.json when it shuts down, so any edits made while it is running get lost):

$ sudo systemctl stop transmission-daemon

Now you want to edit /etc/transmission/settings.json using your favourite text editor (I use vi, of course - but nano is a common alternative):

$ sudo nano /etc/transmission/settings.json

There are a few entries in there you need to change or confirm. First off, change the default username and password to something sensible. Those settings are:

"rpc-password": "{f023465h7dy5j28rt79h530498h508afheyrt578dyj94t43",
"rpc-username": "transmission",

For the password you just need to enter your plain text password (make it something secure!) between the quotes. Make sure it doesn't start with { (a leading { marks a value Transmission has already processed); the next time it starts, Transmission will automatically encrypt the password for you and replace the plain text version in the file with the encrypted one.

Next make sure that RPC whitelisting is turned on and that only the local computer can communicate with it:

"rpc-whitelist": "127.0.0.1",
"rpc-whitelist-enabled": true,
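As an added example (not from the original post), here are the RPC-related entries of settings.json as they should look after this step, gathered in one place. Two keys the post does not mention are included because Transmission supports them and they close real gaps: "rpc-authentication-required", without which the username and password in the file are never actually checked, and "rpc-bind-address", which makes the daemon listen on the loopback interface only, so port 9091 is not reachable from the network even if the whitelist were misconfigured. The password value is a placeholder (it does not start with {, so the daemon will process it on start-up). The real settings.json contains many other keys; leave those as they are.

```json
{
    "rpc-enabled": true,
    "rpc-bind-address": "127.0.0.1",
    "rpc-port": 9091,
    "rpc-url": "/transmission/",
    "rpc-username": "transmission",
    "rpc-password": "REPLACE-WITH-A-LONG-RANDOM-PASSWORD",
    "rpc-authentication-required": true,
    "rpc-whitelist": "127.0.0.1",
    "rpc-whitelist-enabled": true
}
```

"rpc-url" is shown at its default of "/transmission/" because that prefix is what the reverse proxy later in the post forwards; if you change it, change the proxy rules to match.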

Everything else you can probably leave at the defaults. Now save those changes and start Transmission-Daemon again:

$ sudo systemctl start transmission-daemon

Now if you try to get to the web front-end you should get a "permission denied" message, unless you're browsing from the same computer that transmission-daemon is running on. Great. You're secure. Too secure, though, really, since you can't get to the web front-end to use it.

Now comes the magic: setting up an Apache reverse proxy.

At this point I will assume that you already have a website running on the same server with HTTPS encryption enabled. If not, I can recommend Let's Encrypt as a good source of free certificates that is incredibly easy to set up. It has a handy script that does it all for you.

There are a few extra modules you will need to enable in your default Apache configuration:

proxy.conf
proxy_html.conf
proxy_html.load
proxy_http.load
proxy.load
xml2enc.load

To enable them, go to your /etc/apache2/mods-enabled directory and make a symbolic link for each of the files listed above. For instance:

$ cd /etc/apache2/mods-enabled
$ sudo ln -s ../mods-available/proxy.conf .

Now there are two special lines you need to add to your website's HTTPS virtual host configuration file:

ProxyPass "/transmission" "http://localhost:9091/transmission"
ProxyPassReverse "/transmission" "http://localhost:9091/transmission"

That's saying "Any URL requests you get that start with /transmission, pass them through to this other server. And rewrite anything coming back so that the right URLs are in it."
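Here, as an added example rather than configuration taken from the original post, are those two lines in the context of a complete HTTPS virtual host, plus a plain-HTTP virtual host that redirects everything to HTTPS so the Basic-auth credentials can never be sent unencrypted by mistake. The host name and the certificate paths (the usual certbot layout) are assumptions; adjust them to your own site.

```apache
<VirtualHost *:443>
    ServerName your.website.url

    SSLEngine on
    # Assumed certbot paths; use wherever your certificate actually lives.
    SSLCertificateFile    /etc/letsencrypt/live/your.website.url/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your.website.url/privkey.pem

    # ProxyPass does not need forward proxying; say so explicitly so Apache
    # can never be used as an open proxy by accident.
    ProxyRequests Off

    # Only requests under /transmission are forwarded. Port 9091 itself stays
    # reachable from localhost only, as configured in settings.json.
    ProxyPass        "/transmission" "http://localhost:9091/transmission"
    ProxyPassReverse "/transmission" "http://localhost:9091/transmission"

    <Location "/transmission">
        # The optional extra access control mentioned later in the post:
        # uncomment to allow only a known network. 192.0.2.0/24 is a
        # documentation range used here as a placeholder.
        # Require ip 192.0.2.0/24
        Require all granted
    </Location>
</VirtualHost>

# Anything arriving over plain HTTP is redirected to the HTTPS site.
<VirtualHost *:80>
    ServerName your.website.url
    Redirect permanent "/" "https://your.website.url/"
</VirtualHost>
```

Leave ProxyPreserveHost at its default of Off: recent Transmission versions check the Host header of each RPC request against their rpc-host-whitelist, and the "localhost" that Apache sends upstream by default passes that check, whereas your public host name would be rejected unless you added it to that whitelist. On Debian-based systems "sudo a2enmod proxy proxy_http proxy_html xml2enc" creates the same module links as the manual ln -s steps above, and "sudo apachectl configtest" is worth running before the reload so a typo does not take the whole site down.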

Reload your Apache configuration:

$ sudo apachectl graceful

And you should be good to go! Browse to https://your.website.url/transmission and you should be presented with the Transmission login! And it's all encrypted and secure!

If you like, you can add some extra access controls within the Apache configuration to limit who can get to /transmission on your website, but in these days of dynamic IP addresses everywhere it gets a little tricky to craft something that won't lock you out randomly. And as long as your password is secure enough (I don't know what mine is. I generate my passwords with PasswordsGenerator.net and use a password manager to store them), no one will be able to get in anyway.

Now you can sleep easy knowing that no one will be able to p0wn your transmission server!