Accessing WebUI through Apache reverse proxy

[nxmehta]

Has anyone managed to setup Apache so that you can access the web UI through a reverse proxy? Everything I've tried just redirects me to /gui and I can't get it to work.

This would be very useful to have because I would like to access the web UI through SSL via my own webserver. Thanks for any help.

[nxmehta]

Well, tried a little harder and it sorta works. This was the magic incantation that worked for me:

	 RewriteRule ^/btsync$ /gui/ [R]
	 RewriteRule ^/btsync/ /gui/ [R]
	 RewriteRule ^/gui$ /gui/ [R]
	 ProxyPass /gui/ http://localhost:8888/gui/
	 <Location /gui/>
		 ProxyPassReverse http://localhost:8888/gui/
		 Order Allow,Deny
		 Allow from All
	 </Location>

It redirects /btsync to /gui but at least it works. Hope that helps someone out there.

[Disappointed Cat]

The webUI supports SSL. Am I the only one who tried it without hacking around first?

Although to change the certificate to your own you have to edit the settings.dat file manually,

and it doesn't log failed login attempts so it can't be hooked up with fail2ban.

[stallemanden]

The webUI supports SSL. Am I the only one who tried it without hacking around first?

Although to change the certificate to your own you have to edit the settings.dat file manually,

and it doesn't log failed login attempts so it can't be hooked up with fail2ban.

And you don't consider that a hack ?

Might just be me, but I've nothing but failed to create a new settings.dat that actually works.

[Disappointed Cat]

I don't. It's just inconvenient configuration.

Things to look out for:

- Using (BEGIN|END) RSA PRIVATE KEY instead of just (BEGIN|END) PRIVATE KEY

- Windows EOL conversion and so the length of the block

You could also use a bencode editor.

[stallemanden]

Things to look out for:

- Using (BEGIN|END) RSA PRIVATE KEY instead of just (BEGIN|END) PRIVATE KEY

- Windows EOL conversion and so the length of the block

Meaning ?

I've been trying for like 10 times now, using BEncode Editor

Every time with no luck

[Disappointed Cat]

I used Notepad++.

* Insert the certificate text after selfcertLEN: - after removing the original of course.

* Apply unix EOL conversion.

* Then select the inserted text (including the last new line) and write the length after 'selfcert' and before the ':'.

(The status bar will show how many characters you selected.)

Like this - first the public, then the private key:

selfcert1880:-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

As for the RSA part: It didn't work for me if I only wrote BEGIN and END PRIVATE KEY as it is in the original file.

Edit: You did try to access it via https://host:8888/ right?

If you want to ommit the port you'd need to change the webUI's listening port to 443,

assuming it wouldn't collide with your webserver.

[nxmehta]

There are many other reasons to want to access the Web UI through a reverse proxy other than just enabling SSL. You could enable many other types of authentication, for example.

Editing a binary file to embed a cert is... not a great configuration methodology.

[Disappointed Cat]

Indeed. Thanks for bringing it up.

I just switched to it so I can use my global base auth configuration with fail2ban.

If anyone is interested in this, here's how:

* Configure base auth like you'd normally do in a location or directory block.

* Send btsync a static auth header: STRING=BASE64(user:pass)

AuthUserFile /etc/apache2/htpasswd
AuthGroupFile /etc/apache2/htgroup
AuthName "asdfs"
AuthType Basic
Require group admin
RequestHeader set Authorization "Basic STRING"

This also sort of eliminates the problem of btsync stroring passwords in clear text. Listening on localhost only..

You can set it to any dumb thing and just authenticate over the proxy.

[Disappointed Cat]

I also tried to rewrite /btsync to /gui without luck.

All I could come up with is simplifying your code:

Redirect /btsync /gui
<Location /gui>
    ProxyPass http://127.0.0.1:8888/gui
    ProxyPassReverse http://127.0.0.1:8888/gui
    ...

[Shot2]

No luck either with Cherokee's HTTP reverse proxy, all I ever get is HTTP 400 Bad Request...

[dale2507]

I think I've come up with the best solution for this. The WebUI automatically configures itself for the url you are using provided it is still at someurl/gui/

So here is my solution:

ProxyPass /btsync/gui/ http://127.0.0.1:8888/gui/
ProxyPassReverse /btsync/gui/ http://127.0.0.1:8888/gui/
Redirect permanent /btsync /btsync/gui/

And for those interested here is the code in the WebUI where I discovered this:

var urlBase = window.location.pathname.split("/gui", 1)[0].replace(/\/+$/, "");
var guiBase = urlBase + "/gui/";
var proxyBase = urlBase + "/proxy";

Tested with v1.1.48

[Disappointed Cat]

But that only forwards /gui/ to BTSync's webserver. There probably will be other pages like /proxy, /api, etc.

The problem when you try to pass-through everything is that Apache loads the proxy directive before the redirect directive.

I tried ProxyPassMatch, RewriteRule [P], and who knows what else. The final solution was this:

<Location /btsync>
ProxyPass http://127.0.0.1:5030
ProxyPassReverse http://127.0.0.1:5030
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/btsync(/|/gui)?$
RewriteRule ^ /btsync/gui/ [L,R=301]
# Auth, etc, ....
</Location>

This way /btsync, /btsync/, /btsync/gui, /btsync/gui/ all work while forwarding everything.

Can you make it nicer?

[Shot2]

Months go by and still no luck. Still stuck with this dumb "/gui/" (talk of a non-informative url...)

 

At least, please consider providing a configuration option for that base directory (e.g. in the .conf file, under the webui section), something along these lines:

"webui" :        {                "listen" : "127.0.0.1:8888",                "login" : "username",                "password" : "userpassword",                "basedir" : "btsyncGUI"        }

so that the webui becomes accessible (and reverse-proxyable) at "http://127.0.0.1:8888/btsyncGUI/"

 

Shouldn't be rocket science...

[nxmehta]

Months go by and still no luck. Still stuck with this dumb "/gui/" (talk of a non-informative url...)

 

At least, please consider providing a configuration option for that base directory (e.g. in the .conf file, under the webui section), something along these lines:

"webui" :        {                "listen" : "127.0.0.1:8888",                "login" : "username",                "password" : "userpassword",                "basedir" : "btsyncGUI"        }

so that the webui becomes accessible (and reverse-proxyable) at "http://127.0.0.1:8888/btsyncGUI/"

 

Shouldn't be rocket science...

 

I posted instructions for making this work using nginx here: http://forum.bittorrent.com/topic/20710-nginx-as-reverse-proxy-for-the-config-page/#entry66870

 

It's been working great for me.

[Shot2]

Good for you... Still, can't make it work with Cherokee (cf. my previous posts).

[Disappointed Cat]

Just change the RewriteRule line to RewriteRule ^ /btsync/gui/en/index.html [L,R=301] in my last example.

It does an ugly JS redirection which is hard to handle without overriding and redirecting /gui as well.

Other than that, everything should work fine.

P.S: The new rewrite rule does not apply to all versions.