How to Configure aria2 RPC with WSS?

This article provides a step-by-step guide on how to secure the aria2 Remote Procedure Call (RPC) interface using a secure WebSocket (WSS) connection. By enabling WSS, you ensure that the communication between your web frontend (such as AriaNg) and your aria2 backend daemon is encrypted, protecting your RPC secret and download data from eavesdropping. We will cover modifying the configuration file, implementing SSL/TLS certificates, and validating the secure connection.

Step 1: Obtain SSL/TLS Certificates

To establish a secure WSS connection, aria2 requires a valid SSL/TLS certificate. You can use a free certificate from Let’s Encrypt or generate a self-signed certificate for local network use.

If you are using a self-signed certificate, you can generate it using OpenSSL with the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout aria2.key -out aria2.crt

Note: If you use a self-signed certificate, you must manually visit the RPC URL (e.g., https://localhost:6800) in your browser once and accept the security warning; otherwise the WSS connection will be blocked.

Step 2: Edit the aria2 Configuration File

Locate your aria2 configuration file (typically named aria2.conf). You need to enable the RPC interface and point aria2 to your certificate and private key files. Add or modify the following lines:

# Enable the RPC server
enable-rpc=true

# Listen on all network interfaces (set to false to accept connections on the loopback interface only)
rpc-listen-all=true

# Set the RPC port (default is 6800)
rpc-listen-port=6800

# Require an RPC secret token for authorization
rpc-secret=YOUR_SECURE_TOKEN_HERE

# Enable SSL/TLS for RPC (This turns WS into WSS)
rpc-secure=true

# Path to your certificate file
rpc-certificate=/path/to/aria2.crt

# Path to your private key file
rpc-private-key=/path/to/aria2.key

Step 3: Restart the aria2 Daemon

For the changes to take effect, restart your aria2 process. If you run aria2 from the command line, stop the current instance and restart it using your configuration file:

aria2c --conf-path=/path/to/aria2.conf
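
Before the restart, the Step 2 settings can be checked mechanically. The shell function below is an added example, not part of aria2 or of the original article; the names conf_get and check_aria2_wss_conf are made up for illustration, and the file-permission checks are an added assumption about how the private key and the config file (which holds rpc-secret in clear text) should be protected.

```shell
# Added example (not from aria2): lint aria2.conf for the Step 2 WSS settings.
# conf_get and check_aria2_wss_conf are illustrative names.

# Print the value of the last "key=value" line for key $2 in file $1.
# Commented-out lines ("# rpc-secure=true") do not match.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one line per finding; return 1 if any FAIL was found, else 0.
check_aria2_wss_conf() {
    conf=$1
    fail=0
    [ -r "$conf" ] || { echo "FAIL cannot read $conf"; return 1; }

    # Without rpc-secure=true the RPC port speaks plain WS/HTTP.
    for opt in enable-rpc rpc-secure; do
        [ "$(conf_get "$conf" "$opt")" = "true" ] ||
            { echo "FAIL $opt is not true"; fail=1; }
    done

    secret=$(conf_get "$conf" rpc-secret)
    case $secret in
        ''|YOUR_SECURE_TOKEN_HERE)
            echo "FAIL rpc-secret is empty or still the placeholder"; fail=1 ;;
    esac

    cert=$(conf_get "$conf" rpc-certificate)
    key=$(conf_get "$conf" rpc-private-key)
    for f in "$cert" "$key"; do
        [ -n "$f" ] && [ -r "$f" ] ||
            { echo "FAIL certificate or key file missing or unreadable: '$f'"; fail=1; }
    done

    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL $key is accessible to group/others; chmod 600 it"; fail=1
    fi
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "WARN $conf is accessible to group/others and contains rpc-secret"
    fi
    [ "$(conf_get "$conf" rpc-listen-all)" = "true" ] &&
        echo "WARN rpc-listen-all=true exposes the RPC port on every interface"
    return $fail
}
```

Source the file and run check_aria2_wss_conf /path/to/aria2.conf; a non-zero exit status means at least one FAIL line was printed.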

Step 4: Configure Your Frontend Client

Once the backend is running with WSS enabled, you must update the connection settings in your chosen aria2 web frontend (such as AriaNg).