From 8e9220b37a749e7aff98aa1e3ff46a8628204642 Mon Sep 17 00:00:00 2001
From: Mike Tzou
Date: Fri, 24 Jan 2020 12:29:25 +0800
Subject: [PATCH] Use the proper variable `$http_host` for X-Forwarded-Host header and remove unnecessary setting for Host header
---
 NGINX-Reverse-Proxy-for-Web-UI.md | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/NGINX-Reverse-Proxy-for-Web-UI.md b/NGINX-Reverse-Proxy-for-Web-UI.md
index d1bc34f..d493e23 100644
--- a/NGINX-Reverse-Proxy-for-Web-UI.md
+++ b/NGINX-Reverse-Proxy-for-Web-UI.md
@@ -1,15 +1,22 @@
-If you're using NGINX as a reverse proxy for Web UI, as of version 4.0.3, assuming your reverse proxy is local, your `location /qbt/` should have the following settings:
+If you're using NGINX as a reverse proxy for Web UI, assuming your reverse proxy is local, your `location /qbt/` should have the following settings:

 ```nginx
 location /qbt/ {
 proxy_pass http://127.0.0.1:8080/;
 proxy_http_version 1.1;
- proxy_set_header X-Forwarded-Host $server_name:$server_port;
+ proxy_set_header X-Forwarded-Host $http_host;
+
+ # The following directives effectively nullify Cross-site request forgery (CSRF)
+ # protection mechanism in qBittorrent, only use them when you encountered connection problems.
+ # You should consider disable "Enable Cross-site request forgery (CSRF) protection"
+ # setting in qBittorrent instead of using these directives to tamper the headers.
+ # The setting is located under "Options -> WebUI tab" in qBittorrent since v4.1.2.
 proxy_hide_header Referer;
 proxy_hide_header Origin;
 proxy_set_header Referer '';
 proxy_set_header Origin '';
- # proxy_set_header Host 127.0.0.1:8080; # if you use the "enable host header validation" setting with 127.0.0.1 in the "server domains" text box
- # add_header X-Frame-Options "SAMEORIGIN"; # not needed since 4.1.0
+
+ # Not needed since qBittorrent v4.1.0
+ #add_header X-Frame-Options "SAMEORIGIN";
 }
 ```