qbittorrent-nox + Nginx (config from wiki) + 5 failed logins = ban of 127.0.0.1 #11908
Comments
|
Hmm, seems like qbittorrent could look at the @glassez @Piccirello thoughts? Is there any security consideration I am missing? |
|
Good suggestion, I tried adding the X-Forwarded-For header (again I'm by no means an Nginx expert) : Not working : Then tried this: Same result. |
|
Your nginx config is correct, the problem is that qbittorrent itself doesn't know about |
|
Thanks for checking ! The fact that nobody is getting those headers on the qbittorrent side explains my headache :) Is that feature already on the dev's list of things to do, or should a suggestion/ticket be made somewhere to get it into their pipeline ? |
Nope, this is it. I already tagged the main WebAPI contributors so we just have to wait. I have other things on my plate right now so unfortunately I cannot get this started now. If you want and have the ability to do so, you can get the PR started yourself. |
|
Is #9176 related? |
Yes, I would say the problem has the same roots. As a test (from a remote IP) I enabled the " |
|
I think we've rejected this idea in the past, under the belief that we shouldn't build reverse proxy-specific features. I no longer agree with this reasoning. We should support the header. |
|
I think the real problem is the unwanted banning of the reverse proxy IP and thus we should expose the ban counter and make it configurable from 1 to infinity instead of mingling with proxy-specific headers. If users want to ban clients connecting to their proxy, they should hook the ban functionality on the proxy (such as fail2ban reading the proxy log) and not on qbt. |
|
I'd agree with you if banning ips was a feature request. But IP banning is a long-standing feature, so supporting this additional use case seems reasonable. And it seems that enough users are impacted by this. |
It is, looking from the first post, or you mean something else?
I assume you already included proxy's client IPs in that statement. Well I suppose qbt needn't (and shouldn't) differentiated its clients whether it is a WebUI user, WebAPI client or a reverse proxy, unless it is something very necessary.
As said before, having a configurable ban counter in qbt would solve half of the problem. |
|
Anyway I will try to add that tuning knob (configurable ban counter) when I have some free time. At least it will solve half of OP problem. |
Banning the client's IP is an existing feature. (There's a properly standardized
The tuning knob is a good feature. It only solves this PR's problem by accident though. I'm happy to implement the solution that I proposed.
@FranciscoPombal there is one: we should only trust the header when the user indicates they're using a reverse proxy. Otherwise the |
Faulty or not, really depends on whether we differentiate the clients and currently qbt does not, which means it isn't deemed to be a problem.
I would say the hardcoded ban count is actually the limitation of OP is facing directly so adding the tuning knob would be the proper solution.
There is more than that, even if the user explicitly indicates they're using a reverse proxy, it is real easy for an attacker to trigger ban for any IP he wants by filling out any value to the |
If the user is using a reverse proxy, it'll set the |
What if the attacker can connect to WebUI directly? You can't assume users who setup reverse proxy to properly limit connectivity to WebUI, also users might want both reverse proxy and usual client to be able to connect to WebUI. |
If you also assume the fact that the mostly widely adopted way to install and run qbittorrent is via docker containers, I don't think attacker would be able to access the WebUI directly because Traefik/Nginx are primarily setup as reverse proxy. |
Honestly, that is out-of-scope. The program should provide sane options, sane defaults for those options, and a sane mode of operation. We could even put a warning beside the option. The rest is the user's responsibility. It's also not qBittorrent's fault if the user misconfigures their wifi connection and then complains about downloads not working...
Seems unlikely. Once you have a reverse proxy correctly set up (which I assume most of the times is done for easier HTTPS setup), what is the purpose/advantage of connecting any other way?
Is this done by default, at least in nginx for example? If not, we must warn the user in both the options and the wiki to set this header in their config. Slightly off-topic: For my use case, and a lot of other users, qBittorrent's native HTTPS functionality is a bit lacking, thus the need for an SSL-terminated reverse proxy config. The problem is that most users nowadays are using Let's Encrypt certs, and qBittorrent does not have the capability of automatically reloading the certs every x hours/days. This is relevant because LE certs expire in 90 days. With an nginx reverse proxy config, there is no need to worry, since certbot and nginx auto-reload the certs on their own and there is no need to configure anything on qBittorrent's side. |
Unfortunately it's not; we'll need to warn users about this. Maybe we even make reverse proxy support an Advanced option? Wiki documentation w/ options for Apache and nginx won't be difficult- @Kahana82's already included a great nginx example. I'm happy to write the doc for it too.
It's worth noting that I have this exact same use case. In my time using qBittorrent I've almost exclusively used qbittorrent-nox, and I've never used it without a reverse proxy. If I were completely unable to use a reverse proxy with qBittorrent, I'd use a different client. |
Apache 2.4+
$ sudo a2enmod remoteip headers
$ sudo service apache2 restart
RemoteIPHeader X-Forwarded-For |
FranciscoPombal
added
Confirmed bug
|
Curious, is this pull bb80b37 a solution for this? |
|
I think it's time to revisit #9176, as most of the features have been implemented in that patch. |
|
Hey! I am also doing a reverse proxy from This luckily didn't open up the possibility of logging in as everyone since logins are cookie based instead of IP based. But this does make it possible to perform a DOS to the qbittorrent web-ui when reverse proxies are used, even transparent ones that provide X-Forwarded-For etc headers. qix67's patch looks good, i hope you guys can implement this change as it makes things a lot safer. My reasons for wanting the change:
|
|
Hi This feature is working on #15047 . |
|
Fixed by #15047 |
ghost
mentioned this issue
Please provide the following information
qBittorrent version and Operating System
qBittorrent v4.1.7 Web UI (qbittorrent-nox/now 4.1.7-1 arm64)
OMV5 (openmediavault/usul,usul,now 5.2.3-2)
Debian Buster (ARM64)
If on linux, libtorrent-rasterbar and Qt version
libtorrent-rasterbar9/now 1.1.13-1+b1 arm64 [installed,local]
Qt N/A
What is the problem
I'm using the Nginx /qbt/ location configuration from the official wiki page inserted in OpenmediaVault's generated server config for nginx. (I'm aware this is probably not the best practice)
It seems that qbittorrent only sees 127.0.0.1 as ip address connecting to it when using /qbt/
When connecting using https://server:port then qbittorrent sees the correct ip address.
This came to my attention when making 5 wrong login attempts through the WebUI (was planning on setting a jail up for Fail2Ban) and got banned on localhost (127.0.0.1)
What is the expected behavior
qbittorrent should log/see the correct ip address (not localhost) when using the /qbt/ nginx location, so that a ban of localhost would not occur.
Steps to reproduce
Make 5 wrong login attempts through the WebUI to get banned.
Check qbittorrent.log (/home/qbittorrent/.local/share/data/qBittorrent/logs/qbittorrent.log) to verify which ip was banned.
Extra info(if any)
Log output:
--- with nginx /qbt/
--- with server:port
The text was updated successfully, but these errors were encountered: