nxmehta

Accessing WebUI through Apache reverse proxy

Has anyone managed to set up Apache so that you can access the web UI through a reverse proxy? Everything I've tried just redirects me to /gui and I can't get it to work.

This would be very useful to have because I would like to access the web UI through SSL via my own webserver. Thanks for any help.


Well, tried a little harder and it sorta works. This was the magic incantation that worked for me:


RewriteRule ^/btsync$ /gui/ [R]
RewriteRule ^/btsync/ /gui/ [R]
RewriteRule ^/gui$ /gui/ [R]
ProxyPass /gui/ http://localhost:8888/gui/
<Location /gui/>
ProxyPassReverse http://localhost:8888/gui/
Order Allow,Deny
Allow from All
</Location>

It redirects /btsync to /gui but at least it works. Hope that helps someone out there.


The webUI supports SSL. Am I the only one who tried it without hacking around first? :)

Although to change the certificate to your own you have to edit the settings.dat file manually,

and it doesn't log failed login attempts so it can't be hooked up with fail2ban.


> The webUI supports SSL. Am I the only one who tried it without hacking around first? :)
>
> Although to change the certificate to your own you have to edit the settings.dat file manually,
>
> and it doesn't log failed login attempts so it can't be hooked up with fail2ban.

And you don't consider that a hack ?

Might just be me, but I've nothing but failed to create a new settings.dat that actually works.


I don't. It's just inconvenient configuration.

Things to look out for:

- Using (BEGIN|END) RSA PRIVATE KEY instead of just (BEGIN|END) PRIVATE KEY

- Windows EOL conversion and so the length of the block

You could also use a bencode editor.


> Things to look out for:
>
> - Using (BEGIN|END) RSA PRIVATE KEY instead of just (BEGIN|END) PRIVATE KEY
>
> - Windows EOL conversion and so the length of the block

Meaning ?

I've been trying for like 10 times now, using BEncode Editor

Every time with no luck


I used Notepad++.

* Insert the certificate text after selfcertLEN: - after removing the original of course.

* Apply unix EOL conversion.

* Then select the inserted text (including the last new line) and write the length after 'selfcert' and before the ':'.

(The status bar will show how many characters you selected.)

Like this - first the public, then the private key:


selfcert1880:-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

As for the RSA part: It didn't work for me if I only wrote BEGIN and END PRIVATE KEY as it is in the original file.

Edit: You did try to access it via https://host:8888/ right?

If you want to omit the port you'd need to change the webUI's listening port to 443,

assuming it wouldn't collide with your webserver.

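The manual steps in the post above (convert to Unix line endings, then write the selected length before the colon) can be scripted. This is an added example, not part of the original posts or of BitTorrent Sync; it assumes the entry is an ordinary bencode byte string under the key `selfcert`, as the excerpt suggests, and the sample PEM bodies are constructed placeholders.

```python
# Added example: build the bencoded "selfcert" entry from a PEM certificate and key.
# Assumption: the entry is a plain bencode pair, key "8:selfcert" followed by
# "<byte length>:<certificate PEM><private key PEM>", as in the excerpt above.
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----\n", re.S)

# Constructed sample input with Windows line endings (placeholder bodies, not real keys).
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\r\nQUJD\r\n-----END CERTIFICATE-----\r\n"
SAMPLE_KEY = b"-----BEGIN RSA PRIVATE KEY-----\r\nREVG\r\n-----END RSA PRIVATE KEY-----\r\n"


def normalize_pem(text: bytes) -> bytes:
    """Convert CRLF/CR line endings to LF and end with exactly one newline."""
    text = text.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return text.strip(b"\n") + b"\n"


def build_selfcert_entry(cert_pem: bytes, key_pem: bytes) -> bytes:
    """Return the key/value pair with the length counted after EOL conversion."""
    value = normalize_pem(cert_pem) + normalize_pem(key_pem)
    labels = [m.group(1) for m in PEM_BLOCK.finditer(value)]
    if len(labels) != 2 or labels[0] != b"CERTIFICATE":
        raise ValueError("expected one certificate followed by one private key")
    if labels[1] != b"RSA PRIVATE KEY":
        # The posts above report that only this key header worked for them.
        raise ValueError("key header is %r, expected RSA PRIVATE KEY" % labels[1])
    return b"8:selfcert" + str(len(value)).encode() + b":" + value


def declared_length_matches(entry: bytes) -> bool:
    """True if the declared length equals the number of bytes that follow it."""
    m = re.match(rb"8:selfcert(\d+):", entry)
    return bool(m) and int(m.group(1)) == len(entry) - m.end()


if __name__ == "__main__":
    entry = build_selfcert_entry(SAMPLE_CERT, SAMPLE_KEY)
    print(entry.decode())
    # Same declared length, but with CRLF left in place: the count is now wrong.
    stale = b"8:selfcert126:" + SAMPLE_CERT + SAMPLE_KEY
    print(declared_length_matches(entry), declared_length_matches(stale))
```

The second check shows the failure mode from the thread: a length counted on LF text no longer matches once the pasted block carries CRLF line endings.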

There are many other reasons to want to access the Web UI through a reverse proxy other than just enabling SSL. You could enable many other types of authentication, for example.

Editing a binary file to embed a cert is... not a great configuration methodology.


Indeed. Thanks for bringing it up.

I just switched to it so I can use my global base auth configuration with fail2ban.

If anyone is interested in this, here's how:

* Configure base auth like you'd normally do in a location or directory block.

* Send btsync a static auth header: STRING=BASE64(user:pass)


AuthUserFile /etc/apache2/htpasswd
AuthGroupFile /etc/apache2/htgroup
AuthName "asdfs"
AuthType Basic
Require group admin
RequestHeader set Authorization "Basic STRING"

This also sort of eliminates the problem of btsync storing passwords in clear text. Listening on localhost only..

You can set it to any dumb thing and just authenticate over the proxy.


I also tried to rewrite /btsync to /gui without luck.

All I could come up with is simplifying your code:


Redirect /btsync /gui
<Location /gui>
ProxyPass http://127.0.0.1:8888/gui
ProxyPassReverse http://127.0.0.1:8888/gui
...


I think I've come up with the best solution for this. The WebUI automatically configures itself for the url you are using provided it is still at someurl/gui/

So here is my solution:


ProxyPass /btsync/gui/ http://127.0.0.1:8888/gui/
ProxyPassReverse /btsync/gui/ http://127.0.0.1:8888/gui/
Redirect permanent /btsync /btsync/gui/

And for those interested here is the code in the WebUI where I discovered this:


var urlBase = window.location.pathname.split("/gui", 1)[0].replace(/\/+$/, "");
var guiBase = urlBase + "/gui/";
var proxyBase = urlBase + "/proxy";

Tested with v1.1.48


But that only forwards /gui/ to BTSync's webserver. There probably will be other pages like /proxy, /api, etc.

The problem when you try to pass-through everything is that Apache loads the proxy directive before the redirect directive.

I tried ProxyPassMatch, RewriteRule [P], and who knows what else. The final solution was this:


<Location /btsync>
ProxyPass http://127.0.0.1:5030
ProxyPassReverse http://127.0.0.1:5030
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/btsync(/|/gui)?$
RewriteRule ^ /btsync/gui/ [L,R=301]
# Auth, etc, ....
</Location>

This way /btsync, /btsync/, /btsync/gui, /btsync/gui/ all work while forwarding everything.

Can you make it nicer? :)


Months go by and still no luck. Still stuck with this dumb "/gui/" (talk of a non-informative url...)

At least, please consider providing a configuration option for that base directory (e.g. in the .conf file, under the webui section), something along these lines:

"webui" : {
        "listen" : "127.0.0.1:8888",
        "login" : "username",
        "password" : "userpassword",
        "basedir" : "btsyncGUI"
}

so that the webui becomes accessible (and reverse-proxyable) at "http://127.0.0.1:8888/btsyncGUI/"

Shouldn't be rocket science...


> Months go by and still no luck. Still stuck with this dumb "/gui/" (talk of a non-informative url...)
>
> At least, please consider providing a configuration option for that base directory (e.g. in the .conf file, under the webui section), something along these lines:
>
> "webui" : {
>         "listen" : "127.0.0.1:8888",
>         "login" : "username",
>         "password" : "userpassword",
>         "basedir" : "btsyncGUI"
> }
>
> so that the webui becomes accessible (and reverse-proxyable) at "http://127.0.0.1:8888/btsyncGUI/"
>
> Shouldn't be rocket science...

I posted instructions for making this work using nginx here: http://forum.bittorrent.com/topic/20710-nginx-as-reverse-proxy-for-the-config-page/#entry66870

 

It's been working great for me.


Just change the RewriteRule line to RewriteRule ^ /btsync/gui/en/index.html [L,R=301] in my last example.

It does an ugly JS redirection which is hard to handle without overriding and redirecting /gui as well.

Other than that, everything should work fine.

P.S: The new rewrite rule does not apply to all versions. 
