HOWTO: qBittorrent WebUI + Apache (with notes on utorrent)

[onemyndseye]

I spent days beating my head against the desk trying to make this work so I thought i would share These steps are relative to Ubuntu Lucid but should point users of other distro's in the right direction

My need was to block everything but localhost access to qbitt's WebUI and make it available as /torrent/ on my local apache web server. I used mod_proxy to make this work.

First off we will need both mod_proxy and mod_xml2enc...


For mod_proxy:

Code: Select all

sudo apt-get install libapache2-mod-proxy-html

For mod_xml2enc

Code: Select all

sudo apt-get install apache2-prefork-dev
mkdir ~/modbuild/ && cd ~/modbuild/
wget http://apache.webthing.com/svn/apache/filters/mod_xml2enc.c
wget http://apache.webthing.com/svn/apache/filters/mod_xml2enc.h
apxs2 -aic -I/usr/include/libxml2 ./mod_xml2enc.c
cd ~
rm -rfd ~/modbuild/
sudo service apache2 restart

Now for the apache configs. There are many many ways to do this and keep in mind this is deployed on a small intranet with only small needs for security. I would enjoy hearing tips from others about access control to the /torrent/ location. The following must be added to an existing vhost (my use case) or to a newly created one as it will not work outside of VirtualHost directives...

The basic config for qbitt's WebUI commented for clarity.

Code: Select all

  ProxyRequests off
  <Proxy *>
      allow from all
  </Proxy>

  ## We need to transpose requests to WebUI's command scripts 
  ## to the new location /torrent/command and feed it through 
  ## the proxy denoted by [P]
  RewriteEngine On
  RewriteRule ^/command/?(.*)$ /torrent/command/$1 [P]

  ## The new location for WebUI. 127.0.0.1:9000 is where my 
  ## WebUI resides.  Change these details to match your own needs
  <Location /torrent/>
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
  </Location>

The same will work for Utorrent with some slight mods:

Code: Select all

  ProxyRequests off
  <Proxy *>
      allow from all
  </Proxy>

  RewriteEngine On
  RewriteRule ^/gui/?(.*)$ /torrent/gui/$1 [P]
  <Location /torrent/>
        ProxyPass http://127.0.0.1:9000/gui/
        ProxyPassReverse http://127.0.0.1:9000/gui/
  </Location>

Restart apache and you should be able to access WebUI through http://yourlocalwebserver/torrent/


** Additional notes:

I use a small self written portal to control access to my intranets webserver and I have been experimenting with some access control methods.


This is what I have so far... Requests to /torrent/ are only allowed if referred from the portal home page and if the Request is successful I add the correct Authorization header so that entering user/pass is not needed.

Again commented for clarity

Code: Select all

 
ProxyRequests off
<Proxy *>
    allow from all
</Proxy>

###  Rewrite all requests not being referred from /portal/home.php
### back to the portal login page. I admit this is all abit hackish
RewriteEngine On
RewriteCond %{THE_REQUEST} "GET /torrent/ HTTP/1.1"  [NC]
RewriteCond %{HTTP_REFERER} !^(.*)/portal/home.php [NC]
RewriteRule ^.*$ /index.php [R=301,L]

RewriteRule ^/command/?(.*)$ /torrent/command/$1 [P]
<Location /torrent/>
  ##  Add the Auth header.  My details have been scrambled.  To get a
  ## header thats correct for your setup use the following:
  ## curl -v --digest -u youruser http://127.0.0.1:9000/ |grep Auth
  ##
  ## uri=%{REQUEST_URI}e to supply the header with the correct Request URL
  ## every time a document is requested.
  RequestHeader add Authorization "Digest username="user", realm="Web UI Access", nonce="XXXX", uri=%{REQUEST_URI}e cnonce="XXX", nc=XXX, qop="auth", response="XXX", opaque="XXX", algorithm="MD5""
  ProxyPass http://127.0.0.1:9000/
  ProxyPassReverse http://127.0.0.1:9000/
</Location>

That should get you pointed in a working direction Hope this helps
-onemyndseye

[Peter]

Stickied. I'll create a HOWTO section if we'll have some more later.

Thank you.

[onemyndseye]

very welcome


Further investigation of adding the Auth record to the header automatically is NOT reliable. Either I am not doing something right (quite possible) or this method will not work. Either way the rest of the method works nicely.

[onemyndseye]

Just an update on this:


I ended up recompiling qBT and removed web auth from it completely. That way my users, who are auth'ed under SSL already, can go straight in.

[qwertymanna]

thanks for this post
I've set up my apache in this way, everything works exept upload .torrent files.
apache error.log tell me:

Code: Select all

[error] (103)Software caused connection abort: proxy: pass request body failed to 127.0.0.1:9000 (127.0.0.1)
[error] proxy: pass request body failed to 127.0.0.1:9000 (127.0.0.1) from 127.0.0.1 ()

It happens only when I use "Download Local Torrent"

[travisjayclark]

Sorry If this sounds uninformed- But,

What is the benefit of running the webUI through an Apache webserver rather than just using the built in webUI functionality?  Is it some sort or security thing?  Can't see why you'd want to actually serve your torrent webUI to the external internet for large amounts of people to use.  I just sounds really cool and I want to know the reasoning behind it- what this solves for, because I probably have the same issue and just don't know it.

[KitKat]

[quote="travisjayclark"]
Sorry If this sounds uninformed- But,

What is the benefit of running the webUI through an Apache webserver rather than just using the built in webUI functionality?  Is it some sort or security thing?  Can't see why you'd want to actually serve your torrent webUI to the external internet for large amounts of people to use.  I just sounds really cool and I want to know the reasoning behind it- what this solves for, because I probably have the same issue and just don't know it.
[/quote]

As i understand it
Hes removed standard webui authentication and is using SSL authentication.
People authenticate with his webserver gain access to the /torrent/ directory and can use the webui.
Without the SSL authentication his webserver will serve people a forbidden error.

This is a far more secure implementation than the password/cookie system qbittorent uses because of how its implemented.
Btw standard webui also serves your UI to the internet if you port forward it, that is its purpose in life after all..

He's probably providing a seedbox service or something similar.

/e: It also allows him to host it on an actual website as a service in addition to other things.
Eg he could very well be hosting a linux/free movies/something not illegal related forums site and VIP members get access to the /torrents/ page.

[egandt]

I've spent the last 2 days fighting with qbittorrent 3.3.4 and Apache 2 on Ubuntu 16.04, I have qbitttorent running great on port 4545 so I can access it using:
http://localhost:4545/

Now I need to access it through Apache, as this is localhost only and I need remote access only accessible via SSL and Apache.

I've followed the instruction, and enable mod_rewrite and mod_xml2enc as well as mod_proxy and created a rule for qbittorrent:

                RewriteEngine On
                LogLevel alert rewrite:trace3
                RewriteRule ^/command/?(.*)$ /torrent/command/$1 [P]
                <Location /torrent>
                        Require all granted
                        ProxyPass http://127.0.01:4545/
                        ProxyPassReverse http://127.0.01:4545/
                </Location>

Now if I access it as using https://10.120.25.62/torrent/ I get a blank screen.  Now I've spent two days off and on playing with getting it to work, and simply put I can not get it to work at all.  Can someone post a functional apache2 configuration that works with qbittorrent 3.3.X as, I've exhausted all options I have to getting it to work.

Thanks,
ERIC