Tristan Sweeney


TLS at Home (and my Plex/Deluge setup!)

Published on 2018-6-14 by Tristan Sweeney


Last Friday / weekend I installed the TLS cert I generated for my router on my desktop, for services I run off of it: FOSWiki via Apache and a Deluge (a torrenting client) web interface. I also set up Deluge to use an HTTPS proxy and full stream encryption, to ensure anonymity and that my ISP isn’t throttling traffic (a lot of legitimate stuff, such as the Arch Linux ISO, is quite large).

This was as easy as copying the private key and full certificate chain onto my desktop, then pointing the applications to the key files. The main thing I was concerned with was keeping the permissions as strict as possible with these files, so that only applications which absolutely need access to them can read them, and only root could write to them. One would think that I’d just have to set the directory and files as rw-r-----, but for some reason my TLS applications just weren’t jiving with that.

After a while, I had the ‘duh!’ moment. I’d forgotten that r gives you permission to list the contents of the directory, but you need the x permission to read files within it (or list their owner/permissions). That fixed up the problem and the systemd services stopped crashing on start with permission denied errors. It may have taken me doing a sudo su deluge ; ls /usr/local/etc/... to finally diagnose my mistake, but that’s a secret I’ll be taking to my grave.

To elaborate on my setup, I added a group certs that has rx permission and added deluge and apache to that group (or I intended to, deluge is a run-as program but apache is run by root). I also created a media group, and gave it rw permission, adding deluge and plex to it to allow them both to modify that partition but no one else (I add content through the deluge web app remotely, which is both amazingly convenient and eliminates having to add my own user account to media). Remember though, piracy hurts the companies that produce what you love and you should only torrent content that’s been intentionally distributed through that medium (I’ve got some funky indie films on there).
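One way to check a key directory for the mistake described above, as an added example that is not from the original post: it reads the symbolic mode of the directory and its files and flags a directory whose group has r but not x. The function names, the temp-dir sample tree and the expected modes (rwxr-x--- on the directory, rw-r----- on files) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a key directory against
# the layout described above: directory group r-x, files group r--, other ---.

# Print the 10-character symbolic mode of a path, e.g. "drwxr-x---".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Print one line per problem found; succeed only when there are none.
audit_cert_dir() {
    dir=$1; problems=0
    mode=$(mode_of "$dir")
    case $(printf '%s' "$mode" | cut -c5-7) in      # group bits
        r-x|r-s) ;;
        r--) echo "$dir: group can list names but not open files (no x)"
             problems=$((problems + 1)) ;;
        *)   echo "$dir: group bits in $mode should be r-x"
             problems=$((problems + 1)) ;;
    esac
    if [ "$(printf '%s' "$mode" | cut -c8-10)" != "---" ]; then   # other bits
        echo "$dir: other bits in $mode should be ---"
        problems=$((problems + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fmode=$(mode_of "$f")
        if [ "$(printf '%s' "$fmode" | cut -c5-10)" != "r-----" ]; then
            echo "$f: mode $fmode should end in r----- (group read only)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample tree in a temp dir; prints the path of the key directory.
make_sample() {
    base=$(mktemp -d)
    mkdir "$base/certs"
    : > "$base/certs/privkey.pem"      # empty stand-in for a private key
    chmod 640 "$base/certs/privkey.pem"
    chmod 640 "$base/certs"            # the first attempt: rw-r----- on the dir
    echo "$base/certs"
}

sample=$(make_sample)
audit_cert_dir "$sample" || echo "-> first attempt rejected"
chmod 750 "$sample"                    # the fix: rwxr-x--- on the directory
audit_cert_dir "$sample" && echo "-> fixed layout accepted"
chmod -R u+rwx "$sample"; rm -rf "$(dirname "$sample")"
```

The audit reads mode bits only, so it gives the same verdict when run as root, who would otherwise bypass the permission check and hide the problem.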
