Open Aqualie opened 10 years ago
I am not sure what's going wrong there ... anything that comes up on the aria2 logs?
If you have a self-signed certificate you have to tell your browser to accept it. Go to https://your-server:6800 and confirm the security exception. You will only see a blank page, but that's it. Then the web UI should be able to connect to aria2.
I'm using StartSSL to set up the HTTPS connection. There is no problem with the HTTP connection. For HTTPS, I get the error below: "Web sockets not working due to Failed to construct 'WebSocket': An insecure WebSocket connection may not be initiated from a page loaded over HTTPS."
Anyone with successful https setup?
I have got the same issue. How to fix it?
OK, I found the problem. The following parameters must be added during aria2c startup: aria2c --enable-rpc --rpc-certificate=/path/to/server.pem --rpc-private-key=/path/to/server.key --rpc-secure
awesome. thanks wsian! I will add this in the readme for others who want to connect it over https
On 29 December 2014 at 17:37, wsian notifications@github.com wrote:
OK, I found the problem. The following parameters must be added during aria2c startup: aria2c --enable-rpc --rpc-certificate=/path/to/server.pem --rpc-private-key=/path/to/server.key --rpc-secure
Those parameters work for me only if I manually allow mixed content and only on Chromium.
On Firefox allowing mixed content (there referred to as "insecure content") still results in the generic "Could not connect to the aria2 RPC server" error.
Also, neither browser will read the configuration.js (which would set SSL/TLS encryption to true and contain the secret token), but dunno if that might be a consequence of the connection failing before said manual override.
Using the most recent Linux nightly/git of Firefox, Chromium and webui. aria2 is 1.18.10, running on openwrt with self-signed cert.
aria2c --enable-rpc --rpc-certificate=/path/to/server.pem --rpc-private-key=/path/to/server.key --rpc-secure above doesn't work for me (Debian 8 Jessie, aria2c 1.18.8). I got "Web sockets not working due to The operation is insecure." Self-signed cert, tested with Firefox and Chrome.
The best solution I came up with is an Apache configuration. Add the following lines at the end of your vhost section (edited):
ProxyRequests Off
ProxyPreserveHost Off
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
<Location /jsonrpc>
<IfVersion >= 2.4>
ProxyPass ws://127.0.0.1:6800/jsonrpc retry=0
ProxyPassReverse ws://127.0.0.1:6800/jsonrpc
</IfVersion>
<IfVersion < 2.4>
ProxyPass http://127.0.0.1:6800/jsonrpc retry=0
ProxyPassReverse http://127.0.0.1:6800/jsonrpc
</IfVersion>
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</Location>
Then just configure webui-aria2 to connect to the same host, on secured port 443.
Obviously, you need to activate proxy module for apache.
You should not add certificate options when launching aria2c (--rpc-certificate=/path/to/server.pem --rpc-private-key=/path/to/server.key).
The advantage is you don't need to accept the certificate even if it's self-signed, because you have already accepted it when getting the webui page. Browsers don't complain about an insecure connection either.
I hope this could help.
@csdt How did you manage connection to wss://?
SSLEngine on
ProxyPass /aria/ http://localhost:80/aria/
ProxyPassReverse /aria/ http://localhost:80/aria/
ProxyPass /jsonrpc ws://localhost:6800/jsonrpc
ProxyPassReverse /jsonrpc ws://localhost:6800/jsonrpc
is not enough
webui-aria2 try to connect to ws://, here comes the notice from browser, that you are trying to connect to mixed content...
Thanks
EDIT: Found it in sockcall.js, so why doesn't it work? :(
sockRPC.scheme = sockRPC.conf.encrypt ? 'wss' : 'ws';
...
var authUrl = sockRPC.scheme + '://' + conf.host + ':' + conf.port + '/jsonrpc';
@muhahacz You need to configure webui-aria2 to connect using SSL.
Here is a screenshot of my connection configuration:
With this configuration, the browser should try to connect using wss://
Tell me if you have any trouble configuring it.
Do you know, where exactly is this configuration stored?
Normally, the configuration is in the file configuration.js.
But webui-aria2 seems to be buggy about connecting with these parameters.
To "fix" the bug, I needed to edit the file js/services/rpc/rpc.js like this:
angular
  .module('webui.services.rpc', [
    'webui.services.rpc.syscall', 'webui.services.configuration', 'webui.services.alerts',
    'webui.services.utils'
  ])
  .factory('$rpc', [
    '$syscall', '$globalTimeout', '$alerts', '$utils',
    '$rootScope', '$location', '$authconf',
    function(syscall, time, alerts, utils, rootScope, uri, authconf) {
      var subscriptions = []
        , configurations = [authconf]
        , currentConf = {}
        , currentToken
        , timeout = null
        , forceNextUpdate = false;
      var cookieConf = utils.getCookie('aria2conf');
      // try at the start, so that it is persistent even when default authconf works
      if (cookieConf) configurations.push(cookieConf);
      if (['http', 'https'].indexOf(uri.protocol()) != -1 && uri.host() != 'localhost') {
        console.log(uri.host());
        configurations.push({
          host: uri.host(), // <===================== Modifications // default: "localhost"
          port: uri.port(), // <===================== are // default: 6800
          encrypt: uri.protocol() == 'https', // <=== here // default: false
        });
        console.log(configurations);
      }
Otherwise, it is stored in cookies and you can modify it directly from the web page:
Well, I can connect from the non-SSL site to the proxied wss://, but from the SSL site I cannot connect to wss://. It seems the configuration does not work on SSL; I do not get any cookie... even on refresh = blank page. Can you please send me your whole virtualhost file? Maybe I have something wrong with my Apache configuration. Thanks
Here is my apache virtual host file:
<VirtualHost *:80>
ServerName webui-aria2.example.com
DocumentRoot /var/www/webui-aria2/
CustomLog /var/logs/apache/webui-aria2-access.log combined
ErrorLog /var/logs/apache/webui-aria2-errors.log
# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:443>
ServerName webui-aria2.example.com
DocumentRoot /var/www/webui-aria2/
CustomLog /var/logs/apache/webui-aria2-access.log combined
ErrorLog /var/logs/apache/webui-aria2-errors.log
# certificates
SSLEngine on
SSLCertificateFile /etc/ssl/apache2/certs/public.crt
SSLCertificateKeyFile /etc/ssl/apache2/private/private.key
# Authenticate users
<Location />
AuthType Basic
AuthName "webui-aria2"
AuthUserFile users.auth
AuthGroupFile groups.auth
# allow only users from the webui-aria2 group
Require group webui-aria2
</Location>
# The magic happens with all the following lines
# Not sure if these lines are important
ProxyRequests Off
ProxyPreserveHost Off
# Accept Proxying user
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
# Proxying the rpc requests
<Location /jsonrpc>
ProxyPass ws://127.0.0.1:6800/jsonrpc
ProxyPassReverse ws://127.0.0.1:6800/jsonrpc
</Location>
</VirtualHost>
I start aria2 with the following command line: /usr/bin/aria2c --enable-rpc
(using systemd for curious people)
It seems webui-aria2 does not load the SSL cookie with the connection settings properly, so it's using the default configuration every time I reload the browser. If I set up the correct settings, after a while it connects to the tunneled RPC, but after a reload I lose these settings again.... Also I think that the non-SSL and SSL cookies are basically the same, so they override each other on every reload. Your fix is working! But after CTRL+R a blank page appears, don't know why... but after some time it starts working again.... weird....
I have the same problem, but a full refresh (clearing cache) avoids this problem. On Firefox, you can do it with CTRL+F5. I don't know for other browsers, maybe the same.
Chrome doesn't work at all, but Firefox is OK (except CTRL+R)
Fixed with these settings
<Location /jsonrpc>
ProxyPass ws://127.0.0.1:6800/jsonrpc retry=0
ProxyPassReverse ws://127.0.0.1:6800/jsonrpc
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</Location>
and this commit https://github.com/buffovich/webui-aria2/commit/b5624e279c224eaf099839d7637503eec8163bae
Still, it takes some time to connect to wss from SSL (approx. 10 secs), don't know why.
Thanks for the tip
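The outcomes reported so far in this thread (the mixed-content block, a direct wss:// connection to aria2, and proxying /jsonrpc on the page's own origin) can be told apart from the page URL and the connection settings alone. This is an added example, not code from webui-aria2 or from any commenter; `confFromPage` and `preflight` are hypothetical helpers, the page URLs are constructed, and browser exceptions for loopback addresses are not modelled.

```javascript
'use strict';
// Added example (not webui-aria2 code). All page URLs and hosts are constructed.

// URL.port is '' when the page uses its scheme's default port.
const DEFAULT_PORT = { 'http:': 80, 'https:': 443 };

// Same URL shape as the sockcall.js lines quoted earlier in the thread.
function rpcUrl(conf) {
  const scheme = conf.encrypt ? 'wss' : 'ws';
  return scheme + '://' + conf.host + ':' + conf.port + '/jsonrpc';
}

// The idea behind the rpc.js change posted above: take host, port and
// encryption from the page itself, so that a reverse proxy on the same
// origin can forward /jsonrpc to aria2 on 127.0.0.1:6800.
function confFromPage(pageHref) {
  const page = new URL(pageHref);
  if (!(page.protocol in DEFAULT_PORT)) {
    // e.g. index.html opened from disk: fall back to the stated defaults.
    return { host: 'localhost', port: 6800, encrypt: false };
  }
  return {
    host: page.hostname,
    port: Number(page.port) || DEFAULT_PORT[page.protocol],
    encrypt: page.protocol === 'https:',
  };
}

// Classify a page/settings pair into the situations described in the thread.
function preflight(pageHref, conf) {
  const page = new URL(pageHref);
  const pagePort = Number(page.port) || DEFAULT_PORT[page.protocol];
  const url = rpcUrl(conf);

  if (page.protocol === 'https:' && !conf.encrypt) {
    return {
      url,
      verdict: 'blocked-mixed-content',
      detail: 'an HTTPS page may not open ws://; enable encryption in the ' +
              'connection settings and serve /jsonrpc over TLS',
    };
  }
  if (!conf.encrypt) {
    return {
      url,
      verdict: 'plaintext',
      detail: 'RPC traffic, including the secret token, is sent unencrypted',
    };
  }
  if (conf.host === page.hostname && conf.port === pagePort) {
    return {
      url,
      verdict: 'same-origin-tls',
      detail: 'the certificate already accepted for the page covers the ' +
              'socket; the web server must proxy /jsonrpc to aria2',
    };
  }
  return {
    url,
    verdict: 'separate-tls-endpoint',
    detail: 'the listener at ' + conf.host + ':' + conf.port + ' must present ' +
            'a certificate the browser trusts for that host',
  };
}

// Constructed sample inputs covering the cases above.
const SAMPLES = [
  ['https://webui-aria2.example.com/',
   { host: 'webui-aria2.example.com', port: 6800, encrypt: false }],
  ['https://webui-aria2.example.com/',
   { host: 'webui-aria2.example.com', port: 6800, encrypt: true }],
  ['https://webui-aria2.example.com/',
   confFromPage('https://webui-aria2.example.com/')],
  ['http://webui-aria2.example.com/',
   { host: 'webui-aria2.example.com', port: 6800, encrypt: false }],
];

for (const [pageHref, conf] of SAMPLES) {
  const r = preflight(pageHref, conf);
  console.log(pageHref + ' -> ' + r.url + ': ' + r.verdict + ' (' + r.detail + ')');
}
```
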
I know this issue is a bit old but it has a good Pagerank on Google and I kept landing here. It took me a while to solve, so I'm going to share my experience and understanding of the matter.
Most probably, there's something wrong with your certificate setup. If you press F12 on the index page and keep seeing net::ERR_INSECURE_RESPONSE on the console, then there's definitely something wrong with your certificates.
First, some analogies:
- Root certificate => Signature
- Certificate signing request => Paper
- Certificate => Signed paper
When you want to prove a 3rd party that a piece of paper is valid, you need to get it signed by an authority.
In this setup, the 3rd party is the OS. When the OS gets handed a piece of signed paper, it checks if the said paper is signed by someone it deems an authority.
The list of signatures that the OS recognizes is called the root certificate storage. OSs come pre-installed with well established root certificates. Take GoDaddy, for example. Their root certificates are present on pretty much all OSs.
When you pay for an SSL certificate from GoDaddy, you're basically handing them a piece of paper for them to sign it, so that you can show it to other OSs and get recognized.
Since we don't care about the rest of the world, what we can also do is to introduce our OS our own signature, and it will gladly accept any piece of paper signed with it.
Start by creating a new directory and moving into it.
Create your own root certificate
openssl genrsa -out ca.key
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Introduce the resulting ca.crt to your OS as a trusted root certificate.
Note: openssl will ask you some information for certificate details. They are not really important, fill them as you wish them to appear in the root certificate storage. I only see Organization Name within the storage, so I just change that to my liking and leave the rest as default.
Create a certificate signing request
For this step, create a copy of the openssl config file:
cp /etc/ssl/openssl.cnf req.cnf
Within req.cnf:
- Uncomment req_extensions = v3_req
- Add subjectAltName = @alt_names to the bottom of [v3_req] section
- Create a new section called [alt_names] and specify hosts where your aria2 will be running as such:
DNS.1 = example.duckdns.org
IP.1 = 192.168.2.143
Now create a signing request with the configuration we just prepared:
openssl genrsa -out ia.key
openssl req -new -key ia.key -out ia.csr -config req.cnf
Again, fill the additional information requested by openssl as you wish, but leave Common Name and Challenge Password as is.
Sign the request with your root certificate
openssl x509 -req -days 3650 -in ia.csr -CA ca.crt -CAkey ca.key -out ia.crt -CAcreateserial -extensions v3_req -extfile req.cnf
You can now use ia.crt with an external service, and your OS, and your OS only, will recognize it as legit.
Since it's more convenient and more widely supported by aria2's supported TLS libraries (see here: https://aria2.github.io/manual/en/html/aria2c.html#cmdoption--rpc-certificate), I like packing the certificate and its key into a PKCS12 file with the following:
openssl pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt
Leave Export Password as is.
You can now fire up aria2 with:
aria2c --enable-rpc --rpc-listen-all --rpc-certificate=/path/to/your/ia.p12 --rpc-secure --rpc-secret=yoursecret
Whew! You should now be able to fire up index.html from your computer at any time and have a fully encrypted and secret protected connection, assuming your ports are forwarded on the network of the machine that's running aria2. Shall we put this in the README section?
You did a really good job at explaining, c3mb0!! We can make another file called setup_https.md and link it (maybe called setup https) from the readme.md ... Adding directly to readme.md would be fine to me for now.
Send over a pull request and I would love to merge it in :)
On Sat, Jan 30, 2016, 5:30 AM c3mb0 notifications@github.com wrote:
I know this issue is a bit old but it has a good Pagerank on Google and I kept landing here. It took me a while to solve, so I'm going to share my experience and understanding of the matter.
Most probably, there's something wrong with your certificate setup. If you press F12 on the index page and keep seeing net::ERR_INSECURE_RESPONSE on the console, then there's definitely something wrong with your certificates.
First, some analogies:
- Root certificate => Signature
- Certificate signing request => Paper
- Certificate => Signed paper
When you want to prove a 3rd party that a piece of paper is valid, you need to get it signed by an authority.
In this setup, the 3rd party is the OS. When the OS gets handed a piece of signed paper, it checks if the said paper is signed by someone it deems an authority.
The list of signatures that the OS recognizes is called the root certificate storage. OSs come pre-installed with well established root certificates. Take GoDaddy, for example. Their root certificates are present on pretty much all OSs.
When you pay for an SSL certificate from GoDaddy, you're basically handing them a piece of paper for them to sign it, so that you can show it to other OSs and get recognized.
Since we don't care about the rest of the world, what we can also do is to introduce our OS our own signature, and it will gladly accept any piece of paper signed with it.
Start by creating a new directory and moving into it.
Create your own root certificate
openssl genrsa -out ca.key
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Introduce the resulting ca.crt to your OS as a trusted root certificate.
Note: openssl will ask you some information for certificate details. They are not really important, fill them as you wish them to appear in the root certificate storage. I only see Organization Name within the storage, so I just change that to my liking and leave the rest as default.
Create a certificate signing request
For this step, create a copy of the openssl config file:
cp /etc/ssl/openssl.cnf req.cnf
Within req.cnf:
- Uncomment req_extensions = v3_req
- Add subjectAltName = @alt_names to the bottom of [v3_req] section
- Create a new section called [alt_names] and specify hosts where your aria2 will be running as such:
DNS.1 = example.duckdns.org
IP.1 = 192.168.2.143
Now create a signing request with the configuration we just prepared:
openssl genrsa -out ia.key
openssl req -new -key ia.key -out ia.csr -config req.cnf
Again, fill the additional information requested by openssl as you wish, but leave Common Name and Challenge Password as is.
Sign the request with your root certificate
openssl x509 -req -days 3650 -in ia.csr -CA ca.crt -CAkey ca.key -out ia.crt -CAcreateserial -extensions v3_req -extfile req.cnf
You can now use ia.crt with an external service, and your OS, and your OS only, will recognize it as legit.
Since it's more convenient and more widely supported by aria2's supported TLS libraries (see here https://aria2.github.io/manual/en/html/aria2c.html#cmdoption--rpc-certificate), I like packing the certificate and its key into a PKCS12 file with the following:
openssl pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt
Leave Export Password as is.
You can now fire up aria2 with:
aria2c --enable-rpc --rpc-listen-all --rpc-certificate=/path/to/your/ia.p12 --rpc-secure --rpc-secret=yoursecret
Whew! You should now be able to fire up index.html from your computer at any time and have a fully encrypted and secret protected connection, assuming your ports are forwarded on the network of the machine that's running aria2. Shall we put this in the README section?
Hello, my dear friends. Could you help me? I'm facing an issue concerning a trusted connection. I have 2 PCs in my LAN: the first one is an HTPC (192.168.0.5), the second one is my working machine (192.168.0.3). The OS on both of them is Windows 8.1 Home. On the HTPC I installed Aria2c, to which I'm trying to connect from my working PC through Aria2cWebUI. Every time I try to connect to Aria2c I get the following log. On the HTPC:
C:\Program Files\Aria2c>aria2c.exe --conf-path=aria2c.conf
10/23 19:43:46 [WARN] Unknown option: ;quiet=true
10/23 19:43:46 [WARN] --rpc-user option will be deprecated in the future release. Migrate to --rpc-secret option as soon as possible.
10/23 19:43:46 [WARN] --rpc-passwd option will be deprecated in the future release.
10/23 19:43:46 [NOTICE] RPC transport will be encrypted.
10/23 19:43:46 [NOTICE] IPv4 RPC: listening on TCP port 6800
10/23 19:44:55 [ERROR] WinTLS: Failed to decrypt a message! Error: The certificate chain was issued by an authority that is not trusted. (80090325)
10/23 19:44:56 [ERROR] WinTLS: Failed to decrypt a message! Error: The certificate chain was issued by an authority that is not trusted. (80090325)
On my working PC in Aria2cWebUI:
Oh Snap! Could not connect to the aria2 RPC server. Will retry in 10 secs. You might want to check the connection settings by going to Settings > Connection Settings
Here is the config file of Aria2c (192.168.0.5):
daemon=true
;quiet=true
file-allocation=falloc
continue
summary-interval=120
allow-overwrite=false
check-certificate=false
auto-file-renaming=false
dir=D:\
dht-file-path=dht.dat
dht-file-path6=dht6.dat
enable-rpc=true
rpc-listen-port=6800
rpc-listen-all=true
rpc-secure=true
rpc-certificate=ia.p12
rpc-user=XXXXXXXX
rpc-passwd=********
file-allocation=none
enable-dht=true
disable-ipv6=true
timeout=600
retry-wait=30
max-tries=50
seed-ratio=2.0
max-download-limit=0
max-overall-download-limit=0
max-concurrent-downloads=5
max-connection-per-server=10
min-split-size=5M
no-file-allocation-limit=10M
piece-length=1M
disk-cache=25M
log=aria2.log
log-level=warn
auto-save-interval=30
save-session=aria2.sav
user-agent=Mozilla/5.0 (Windows NT 6.3; rv:47.0) Gecko/20100101 Firefox/47.0
http-accept-gzip=true
Connection settings in Aria2cWebUI (192.168.0.3):
ia.p12 certificate file I've got with the help of c3mb0's instructions (many thanks to him). openssl_cert.cnf:
[ req ]
# comment out the next line to protect the private key with a passphrase
encrypt_key = no
# the default key length is secure and quite fast - do not change it
default_bits = 2048
default_md = sha1
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
#req_extensions = v3_req
[ v3_ca ]
# The extentions to add to a self-signed cert
subjectKeyIdentifier = hash
nsCertType = server
basicConstraints = CA:TRUE,pathlen:0
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
extendedKeyUsage = serverAuth
nsComment = "iG0R self-signed certificate"
#[ v3_req ]
# Extensions to add to a certificate request
#basicConstraints = CA:FALSE
#keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
#nsCertType = emailCA,sslCA,objCA,objsign
#subjectAltName = @alt_names
#
#[ alt_names ]
#DNS.1 = example.duckdns.org
#IP.1 = 192.168.0.5
#IP.2 = xxx.xxx.xxx.xxx
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = UA
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = xxx
localityName = Locality Name (eg, city)
localityName_default = xxx
organizationName = Organization Name (eg, company)
organizationName_default = iG0R home
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = iG0R CA
0.commonName = Common Name (FQDN of your server)
0.commonName_default = xxx.xxx.xxx.xxx (my external IP)
# To create a certificate for more than one name uncomment:
# 1.commonName = DNS alias of your server
# 2.commonName = DNS alias of your server
# ...
# See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
# to see how Netscape understands commonName.
openssl_req.cnf:
[ req ]
# comment out the next line to protect the private key with a passphrase
encrypt_key = no
# the default key length is secure and quite fast - do not change it
default_bits = 2048
default_md = sha1
distinguished_name = req_distinguished_name
#x509_extensions = v3_ca
req_extensions = v3_req
#[ v3_ca ]
# The extentions to add to a self-signed cert
#subjectKeyIdentifier = hash
#nsCertType = server
#basicConstraints = CA:TRUE,pathlen:0
#keyUsage = digitalSignature, nonRepudiation, keyEncipherment, #dataEncipherment, keyAgreement, keyCertSign
#extendedKeyUsage = serverAuth
#nsComment = "iG0R self-signed certificate"
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
nsCertType = emailCA,sslCA,objCA,objsign
subjectAltName = @alt_names
[ alt_names ]
#DNS.1 = example.duckdns.org
IP.1 = 192.168.0.5
IP.2 = xxx.xxx.xxx.xxx
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = UA
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = xxx
localityName = Locality Name (eg, city)
localityName_default = xxx
organizationName = Organization Name (eg, company)
organizationName_default = iG0R home
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = iG0R CA
0.commonName = Common Name (FQDN of your server)
0.commonName_default = xxx.xxx.xxx.xxx (my external IP)
# To create a certificate for more than one name uncomment:
# 1.commonName = DNS alias of your server
# 2.commonName = DNS alias of your server
# ...
# See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
# to see how Netscape understands commonName.
create_certificates.bat:
rem #Create your own root certificate
rem #Introduce the resulting cert.crt to your OS as a trusted root certificate.
rem #Note: openssl will ask you some information for certificate details. They are not really important, fill them as you wish them to appear in the root certificate storage. I only see Organization Name within the storage, so I just change that to my liking and leave the rest as default.
set OPENSSL_CONF=openssl_cert.cnf
openssl.exe genrsa -out ca.key
openssl.exe req -new -x509 -days 3650 -key ca.key -out ca.crt
rem #Create a certificate signing request
rem #Again, fill the additional information requested by openssl as you wish, but leave Common Name and Challenge Password as is.
set OPENSSL_CONF=openssl_req.cnf
openssl.exe genrsa -out ia.key
openssl.exe req -new -key ia.key -out ia.csr
rem #Sign the request with your root certificate
openssl.exe x509 -req -days 3650 -in ia.csr -CA ca.crt -CAkey ca.key -out ia.crt -CAcreateserial -extensions v3_req -extfile openssl_req.cnf
rem #You can now use ia.crt with an external service, and your OS, and your OS only, will recognize it as legit.
rem #Since it's more convenient and more widely supported by aria2's supported TLS libraries (see here), I like packing the certificate and its key into a PKCS12 file with the following:
set OPENSSL_CONF=openssl_cert.cnf
openssl.exe pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt
Also I've introduced the resulting ca.crt to Windows in 192.168.0.5 (where Aria2c is installed) as a trusted root certificate.
OK, I resolved the issue only with Firefox (on my working PC - 192.168.0.3) access to Aria2 (on the HTPC - 192.168.0.5). I needed to introduce my ca.crt to Firefox through
Settings-> Advanced-> Certificates-> View Certificates (Certificates Manager)-> Authorities-> Import...-> Browse ca.crt
But this approach is not suitable for Google Chrome. Whatever I did - added ca.crt to Windows certificates storage
certmgr-> Certificates-> Current user-> Trusted Root Certification Authorities-> Certificates
also added ca.crt to GoogleChrome
Settings-> Show advanced settings...-> HTTPS/SSL Manage certificates...-> Trusted Root Certification Authorities-> Import...
but Google Chrome can't connect to Aria2 via SSL.
I also tried Opera, with the same result as with Google Chrome.
Could somebody tell me what I am doing wrong?
Also I'd like to know why no browser warns me about the self-signed certificate or offers to let me trust it at my own risk.
Hi there, this seems to be the only thread on the whole internet discussing this very annoying problem! I did everything mentioned here to get a connection between aria2 and webui-aria2....without success. I'm running aria2 and webui-aria2 on a LEDE router. I created a CA certificate and a signed certificate and imported everything into Firefox. I added a security exception for my router's address in Firefox. I configured aria2 with all the necessary switches and options mentioned before (I use a secret token). I also changed the file js/services/rpc/rpc.js in the way mentioned before. I also found out that aria2 doesn't seem to work with the p12 file. The daemon only starts with a crt or pem certificate. What I get now is a secure HTTPS connection to webui-aria2 WITHOUT a mixed-content warning. However, the webui just doesn't connect to aria2. The Firefox log (on the console, shown with the F12 key) just reports:
"calling json rpc" syscall.js:48 "jsonrpc disconnect!!!" jsoncall.js:46 "calling json rpc" syscall.js:48 "jsonrpc disconnect!!!" jsoncall.js:46 "calling json rpc" syscall.js:48 "jsonrpc disconnect!!!" jsoncall.js:46 "calling json rpc" syscall.js:48 "jsonrpc disconnect!!!
That's it! No reasons in the aria2-logfile, no answer when I ping 192.168.0.111:8600, no connection when I type the same address in the browser. It seems like aria2 was just not answering on that address. The problem that webui-aria2 is forgetting its settings every time I reload the page seems like an additional (second) problem to me. Right now I don't want to focus on that.
Somebody please help.
I finally got it! I could connect to aria2 with µget and downloaded files with aria2 for the first time! So the problem must have been related to webui-aria2. Finally I found out that the TLS option in webui-aria2 needs to be DISABLED: In aria2-webui: Settings > Connection Settings REMOVE the checkmark at "Enable SSL/TLS encryption". Nevertheless I had to fill in the field "Enter the secret token (optional)". Also, the port needs to be changed from 443 to 6800.
Afterwards, firefox blocked the connection because of "mixed content". I disabled the blocking of mixed content in firefox and...voila...The webui finally did connect to aria2 for the first time.
This means aria2 doesn't accept TLS-connections at all. The webui is transferred over ssl but the communication between webui-aria2 and aria is unencrypted. I'm surprised the webui doesn't control aria2 with a "localhost"-address internally anyway.
Also, it's a little bit annoying that I have to change the settings every time I enter the webui. These two things might be a good idea for the developers to look into.
I forgot to mention: I also disabled rpc-secure=true in the aria2-config-file, since this feature doesn't seem to work.
You can also use a web page for the redirection. The advantage is that it is possible to do something with the request from the webui before it reaches aria2! It bypasses the proxy and you don't have to change the apache2 settings.
For example, I want to automatically pass the download link to an external service to "debrid" the link! (1fichier, uptobox, etc.) (it is necessary to adapt rpc.php)
Start aria2 :
aria2c --enable-rpc --rpc-listen-all --rpc-listen-port=6800 --rpc-allow-origin-all=true
The PHP code for the redirection web page "rpc.php", placed in the root directory "www" (it expects the POST method). It uses localhost because aria2 is on the same machine.
<?php
$url = "http://localhost:6800/jsonrpc";
$content =file_get_contents('php://input');
$curl = curl_init($url);
curl_setopt($curl, CURLOPT_HEADER, false);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_HTTPHEADER,array("Content-type: application/json"));
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $content);
$json_response = curl_exec($curl);
//$status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close($curl);
$response = json_decode($json_response, true);
echo $json_response;
?>
Check the link in your browser : http://domain_addr:80/rpc.php
You get an error because no request is sent (that's normal):
{"id":null,"jsonrpc":"2.0","error":{"code":-32700,"message":"Parse error."}}
Configure the webui, and change the RPC address from http://domain_addr:6800/jsonrpc to http://domain_addr:80/rpc.php
So my apache setting is light !
<Directory /home/www>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<VirtualHost *:80>
DocumentRoot "/home/www"
ServerName ADD_DOMAIN_HERE
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /home/www>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
Web sockets not working due to Failed to construct 'WebSocket': An insecure WebSocket connection may not be initiated from a page loaded over HTTPS.
Eh... fixed this by just changing encrypt: false to true in configuration.js, no reverse proxy.
I guess the problem is that I have https set up before configuring webui.
Nvm, not working again after reboot...
Forgot to add --rpc-listen-all when accessing through the URL; it seems to be necessary even though aria2 and the webui are on the same server.
I fixed the problem by changing encrypt: true in the configuration.js file, also providing server SSL keys when running aria2c! --rpc-certificate, --rpc-private-key and --rpc-secure
Here is my way of doing it. I'm using nginx as a web server to serve webui-aria2. In the config you just need to add:
location /jsonrpc {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://127.0.0.1:6800/jsonrpc;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 86400;
}
In configuration.js change host: location.protocol.startsWith('http') to host: location.protocol.startsWith('https'), port: 6800, to port: 443, and encrypt: false, to encrypt: true. It will look like this:
host: location.protocol.startsWith('https') ? location.hostname : 'localhost',
path: '/jsonrpc',
port: 443,
encrypt: true,
Create a config file for aria2 at /etc/aria2.conf (for example) and add:
continue=true
dir=/path/to/your/download/directory
file-allocation=trunc
max-connection-per-server=4
max-concurrent-downloads=2
max-overall-download-limit=0
min-split-size=25M
# you can generate a secret by running: openssl rand -base64 32
rpc-secret=your-rpc-secret
rpc-allow-origin-all=true
console-log-level=warn
enable-rpc=true
rpc-listen-all=true
daemon=true
bt-enable-lpd=true
save-session=/path/to/your/download/.aria2.session
Then start aria2 with aria2c --conf-path=/etc/aria2.conf. You can add it to /etc/rc.local so it starts itself on system boot.
Hi, I am also having a similar issue. I am running Aria2-ui with the aria-ng user interface. I am using Nginx Proxy Manager. How do I secure the access to http://port/jsonrpc; so that it can't be accessed publicly from outside, but only through the proxy manager?
Thanks
Here's what I did (I'm using Traefik, but that's not really relevant).
first entry - for the webapp:
https://aria2.mydomain/
=> http://aria2.lan:6880/
second entry - for server:
https://aria2s.mydomain/
=> http://aria2.lan:6800/
Then in aria2 web app settings => RPC I put: https://aria2s.mydomain and port 443.
Connection works without SSL enabled, when enabled connection cannot be made and nothing is listed in the server logs. This is with OpenSSL enabled and AppleTLS, GnuTLS and WinTLS disabled. No issues/warnings when server is started with the correct certificate and private key.