Skip to content

Instantly share code, notes, and snippets.

@GAS85
Created February 12, 2020 11:45
Show Gist options
  • Save GAS85/d5ff9443a3b2fdb39b7b67fac2f7eff4 to your computer and use it in GitHub Desktop.
Save GAS85/d5ff9443a3b2fdb39b7b67fac2f7eff4 to your computer and use it in GitHub Desktop.
Aria2 + Ubuntu 18.04 + Apache2 + Reverse Proxy + Web UI
OS: Ubuntu 18.04 Apache/2.4.18+
Aim: to ensure Aria2 access via reverse proxy
IP Addr of your Aria2 server is 192.168.0.111
Your local IP network is 192.168.0.0/24
Your domain is YourDomain.com
Aria2 installed as descibed https://gist.github.com/GAS85/79849bfd09613067a2ac0c1a711120a6

1. Ensure Reverse Proxy

a. Using Apache as a reverse proxy

If you want Apache to serve your Aria2 instance, you can add the following to your Apache configuration (usually located at /etc/apache2/sites-available/100-yourdomain.conf in Ubuntu):

<VirtualHost *:443>
    ...
    ProxyPreserveHost On
    ProxyRequests off
    AllowEncodedSlashes NoDecode
    ProxyPass /jsonrpc http://localhost:6800/jsonrpc nocanon
    ProxyPassReverse /jsonrpc http://localhost:3000/jsonrpc
</VirtualHost>

Note: The following Apache mods must be enabled: proxy, proxy_http

If you wish to use Let’s Encrypt with webroot validation, add the line ProxyPass /.well-known ! before ProxyPass to disable proxying these requests to aria2.

b. Using Apache with a sub-path as a reverse proxy

In case you already have a site, and you want aria2 to share the domain name, you can setup Apache to serve aria2 under a sub-path by adding the following to you Apache configuration (usually located at /etc/apache2/sites-available/100-yourdomain.conf in Ubuntu):

<VirtualHost *:443>
    ...
    <Proxy *>
         Order allow,deny
         Allow from all
    </Proxy>
    ProxyRequests Off
    AllowEncodedSlashes NoDecode
    # Note: no trailing slash after either /jsonrpc or port
	ProxyPass /jsonrpc http://localhost:6800/jsonrpc nocanon
	ProxyPassReverse /jsonrpc http://localhost:6800/jsonrpc
</VirtualHost>

Note: The following Apache mods must be enabled: proxy, proxy_http

2. Enable needed modules

Now we will enable modules proxy, proxy_http: sudo a2enmod proxy proxy_http Please test Apache2 configuration before to restart the server

sudo apachectl configtest
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK

Now we can reload our server by command: sudo service apache2 reload

3. Setup Aria2

Then disable encrypthion in your configuration aria2 configuration (e.g. under /etc/aria2.conf as per https://gist.github.com/GAS85/79849bfd09613067a2ac0c1a711120a6):

rpc-secure=false
#rpc-certificate=/usr/local/etc/aria2/aria2.pfx
#rpc-certificate=/usr/local/etc/aria2/fullchain.pem
#rpc-private-key=/usr/local/etc/aria2/privkey.pem

Test that aria2 works: http(s)://yourDomain.com/jsonrpc you should see message "File not found".

4. Setup Aria2-webui

If you did everything per https://gist.github.com/GAS85/79849bfd09613067a2ac0c1a711120a6 then, please open webui configuration file: sudo nano /var/www/webui-aria2-master/configuration.js and do following changes, I comment changed lines by // to show difference:

  //host: location.protocol.startsWith('https') ? location.hostname : '192.168.0.111',
  host: location.protocol.startsWith('https') ? location.hostname : 'yourDomain.com',
  path: '/jsonrpc',
  //port: 6800,
  port: 443,
  encrypt: true,
  auth: {                          // either add the token field or the user and pass field, not both.
  // token: '$YOUR TOKEN FROM ABOVE$'

5. Harden Aria2 - limit access to local network only

To disable access from the internet added following config to your apache2 site before ProxyPass /jsonrpc http://localhost:6800/jsonrpc nocanon:

	#Aria2 Part
	<Location "/jsonrpc">
		Require ip 192.168.0.0/24 127.0.0.1
	</Location>

Please test Apache2 configuration before to restart the server

sudo apachectl configtest
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK

Now we can reload our server by command: sudo service apache2 reload or sudo service apache2 restart

Now you should be able to call your Aria2-webui via http(s)://192.168.0.111/webui-aria2 or http(s)://yourDomain.com/webui-aria2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment