Adding SSL to transmission’s web interface…

If you’re using transmission’s web interface to manage your torrent downloads, and you are doing this remotely (from outside your LAN), you might want to add some privacy.

As previously posted, there are ways to use magnet links with transmission’s web interface. This web interface works well when you are on your local network (LAN) and don’t have to fear prying eyes.
The moment you use the transdroid android app, or your laptop in a coffee shop, the commands and responses of your transmission daemon at home travel unencrypted and can be read by anyone.

Luckily the transdroid android app offers an SSL option. All you have to do is configure a proxy on your transmission daemon machine.

Here is how:
Install nginx (a lightweight http/https server):

apt-get install nginx

Edit the file ‘/etc/nginx/sites-enabled/transmission’ so that it contains:

server {
    # TLS listener; clients connect here instead of directly to port 9091
    listen 8080 default_server ssl;
    ssl_certificate     /etc/nginx/trans.crt;
    ssl_certificate_key /etc/nginx/trans.key;
    server_name  transmission;

    access_log  /var/log/nginx/transmission.access.log;

    location / {
        # forward the decrypted requests to the local transmission daemon
        proxy_pass        http://localhost:9091;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /var/www/nginx-default;
    }
}

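Run openssl to generate a self-signed certificate (‘-nodes’ leaves the private key unencrypted, so keep the key file readable only by root):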

openssl req -x509 -nodes -new -keyout /etc/nginx/trans.key -out /etc/nginx/trans.crt

Restart the nginx server:

service nginx restart

This takes all requests arriving on port 8080 and forwards them to 9091 (transmission’s default port). The nginx server applies SSL to any connection that is made to port 8080. Change the ports to fit your setup.

To configure your transdroid app, change the port in the settings: Settings -> click on your server (‘http://user@host:port’) -> advanced settings -> port number. Enter the port number of your nginx (8080 in the configuration here). Further down, check ‘Use SSL’. Finally, you should provide a SHA1 thumbprint, which you get by running:

openssl x509 -sha1 -in /etc/nginx/trans.crt -noout -fingerprint | sed 's/://g' | cut -d = -f 2

Or, to scan it as a QR code and paste it on your phone:

openssl x509 -sha1 -in /etc/nginx/trans.crt -noout -fingerprint | sed 's/://g' | cut -d = -f 2 | qrencode -t ANSIUTF8

Or remotely:

openssl s_client -connect HOSTNAME:8080 < /dev/null 2>/dev/null | openssl x509 -sha1 -fingerprint -noout -in /dev/stdin | sed 's/://g' | cut -d = -f 2

Adding a custom thumbprint helps to prevent man-in-the-middle attacks, which would expose you to prying eyes just the same. If someone intercepts the connection, the app stops connecting because the certificate presented is not the same as the one you set up.

The quick and dirty fix for the magnet link script is to change the paths from ‘http’ to ‘https’ and add the ‘-k’ flag to the cURL commands. Be aware that this will not check whether the server certificate has changed, so a man-in-the-middle attack would still be possible there: anyone who can create an SSL certificate could pretend to be the server you want to talk to. You can of course set up a CA-certified certificate and add that to your cURL commands with ‘--cacert ./CA.pem’.
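
The thumbprint check described above, applied to a script instead of the app, as an added example that is not part of the original post or of the magnet link script: it verifies the SHA1 thumbprint on the same TLS connection that will carry the request, so the certificate is not accepted blindly the way it is with ‘-k’. The function names, SAMPLE_DER and SAMPLE_PIN are hypothetical, and the sample bytes are constructed, not a real certificate.

```python
import hashlib
import hmac
import http.client
import ssl


def normalize_thumbprint(text):
    """Reduce 'SHA1 Fingerprint=AA:BB:..' or 'aa bb ..' to bare uppercase hex."""
    value = text.split("=", 1)[-1]
    return "".join(ch for ch in value if ch not in ": \t\r\n").upper()


def der_thumbprint(der_bytes):
    """SHA-1 over the DER certificate, as `openssl x509 -sha1 -fingerprint` prints it."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def pin_matches(der_bytes, pinned):
    """True only if the pin is a full 40-hex-digit thumbprint equal to the certificate's."""
    want = normalize_thumbprint(pinned)
    if len(want) != 40 or any(c not in "0123456789ABCDEF" for c in want):
        return False  # fail closed on empty, truncated or malformed pins
    return hmac.compare_digest(der_thumbprint(der_bytes), want)


def pinned_connection(host, port, pinned, timeout=10):
    """Open TLS to the nginx proxy and verify the pin before any request is sent."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # self-signed certificate: there is no CA chain,
    ctx.verify_mode = ssl.CERT_NONE  # so trust rests entirely on the thumbprint check
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    conn.auto_open = 0               # never reconnect silently without re-checking the pin
    conn.connect()
    der = conn.sock.getpeercert(binary_form=True)
    if not der or not pin_matches(der, pinned):
        conn.close()
        raise ssl.SSLError("certificate thumbprint does not match the pinned value")
    return conn  # requests sent on this object use the connection that was checked


# Constructed sample bytes standing in for a DER certificate (not a real certificate).
SAMPLE_DER = b"constructed-sample-der-bytes"
SAMPLE_PIN = ":".join(der_thumbprint(SAMPLE_DER)[i:i + 2] for i in range(0, 40, 2))
```

Pass the thumbprint printed by the openssl commands above as the pinned value; if the server closes the connection, call pinned_connection again so the new connection is checked as well.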


2 thoughts on “Adding SSL to transmission’s web interface…”

  1. Hi, thanks for the detailed instructions. I should add that I had to add the following lines to nginx.conf so it recognizes the transmission site:
    include sites-enabled/*;
