From 9b7c1748004c4bf6a9cee3ebd35c7c46319de39c Mon Sep 17 00:00:00 2001 From: Francisco Pombal <17580742+FranciscoPombal@users.noreply.github.com> Date: Tue, 27 Apr 2021 18:57:14 +0100 Subject: [PATCH] clean up and simplify reference configuration --- NGINX-Reverse-Proxy-for-Web-UI.md | 53 +++++++++++++++++++++++-------- 1 file changed, 40 insertions(+), 13 deletions(-) diff --git a/NGINX-Reverse-Proxy-for-Web-UI.md b/NGINX-Reverse-Proxy-for-Web-UI.md index dfe4baa..03b3f49 100644 --- a/NGINX-Reverse-Proxy-for-Web-UI.md +++ b/NGINX-Reverse-Proxy-for-Web-UI.md @@ -1,25 +1,52 @@ -If you're using NGINX as a reverse proxy for Web UI, assuming your reverse proxy is local, your `location /qbt/` should have the following settings: +This configuration allows you to use NGINX as a reverse proxy for the WebUI listening on a local address to expose it outside of your LAN, on the Web. It is assumed that your WebUI is configured to be accessible at `http://127.0.0.1:30000/`, and you wish to be able to access it outside of your LAN at `mywebsite.com/qbt`. Then, in the NGINX configuration used to serve `mywebsite.com`, your `location /qbt/` stanza should have the following settings: ```nginx location /qbt/ { - proxy_pass http://127.0.0.1:8080/; - proxy_http_version 1.1; - proxy_set_header X-Forwarded-Host $http_host; + proxy_pass http://127.0.0.1:30000/; + proxy_http_version 1.1; http2_push_preload on; # Enable http2 push + proxy_set_header Host 127.0.0.1:30000; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + + # optionally, you can adjust the POST request size limit, to allow adding a lot of torrents at once: + #client_max_body_size 100M; + + # since v4.2.2, is possible to configure qBittorrent + # to set the "Secure" flag for the session cookie automatically. + # However, that option does nothing unless using qBittorrent's built-in HTTPS functionality. + # For this use case, where qBittorrent itself is using plain HTTP + # (and regardless of whether or not the external website uses HTTPS), + # the flag must be set here, in the proxy configuration itself: + proxy_cookie_path / "/; Secure"; +} +``` + +Note: qBittorrent currently doesn't read the `X-Forwarded-For` header, so if you find yourself seeing `WebAPI login failure. Reason: IP has been banned, IP: 127.0.0.1` and needing to restart qBittorrent, you may want to set the ban after failure count to `0`. + +--- + +Obsolete directives, no longer needed when using recent qBittorrent versions + +- No longer required/discouraged since v4.1.2: + + ```nginx # The following directives effectively nullify Cross-site request forgery (CSRF) # protection mechanism in qBittorrent, only use them when you encountered connection problems. # You should consider disable "Enable Cross-site request forgery (CSRF) protection" # setting in qBittorrent instead of using these directives to tamper the headers. # The setting is located under "Options -> WebUI tab" in qBittorrent since v4.1.2. - #proxy_hide_header Referer; - #proxy_hide_header Origin; - #proxy_set_header Referer ''; - #proxy_set_header Origin ''; + proxy_hide_header Referer; + proxy_hide_header Origin; + proxy_set_header Referer ''; + proxy_set_header Origin ''; + ``` - # Not needed since qBittorrent v4.1.0 - add_header X-Frame-Options "SAMEORIGIN"; -} -``` +- No longer required since v4.1.0: -Note: qBittorrent currently doesn't read the `X-Forwarded-For` header, so if you find yourself seeing `WebAPI login failure. Reason: IP has been banned, IP: 127.0.0.1` and needing to restart qBittorrent, you may want to set the ban after failure count to `0`. \ No newline at end of file + ```nginx + add_header X-Frame-Options "SAMEORIGIN"; + ``` \ No newline at end of file