
WebUI - host domain validation doesn't work for IPs

Open tomfun opened this issue 4 years ago • 3 comments

Please provide the following information

qBittorrent version and Operating System

qbittorrent-nox -v qBittorrent v4.2.5 Linux --- 5.4.0-59-generic #65-Ubuntu SMP Thu Dec 10 12:01:51 UTC 2020 x86_64 GNU/Linux

What is the problem

I have IPv6, a wired connection, VPNs, docker subnets. I want to allow my qBittorrent web UI on VPN, locally for testing, and use nginx as a reverse proxy with a pretty domain. I have a working setup with nginx and docker. But to work well I have to give qBittorrent docker network_mode: "host" (https://docs.docker.com/compose/compose-file/compose-file-v3/#network_mode). So to deny web UI access from the local network or from IPv6 I tried to set domain validation to allow 2 addresses (qbit.example.com, 10.15.0.3 - for example).

Some links: documentation for web_ui_domain_list

Comma-separated list of domains to accept when performing Host header validation

The code seems to work OK.

What is the expected behavior

When I go through VPN to access 10.15.0.3 it should work ok. And it actually does. When I go through nginx to access qbit.example.com it should work ok. And it actually does. When I go locally direct via IP 192.168.0.13 it shouldn't work. And it actually works, but shouldn't. When I go from the local net (mobile phone with wifi) direct via IP 192.168.0.13 it shouldn't work. And it actually works, but shouldn't. When I go from the local net via alias domain (mobile phone with wifi) mylocal-server.example.com it shouldn't work. And it actually doesn't work.

Steps to reproduce

Set some Server domains in the web configuration (screenshot). Go to the web UI.

Extra info(if any)

Also I've tried to understand the syntax, and it looks undocumented. As I understand from the code, the field accepts a string with ; as separator, but the documentation says to use ,. Also I don't understand whether it is regular expressions or not: should .*\.example\.com or *.example.com be a wildcard for any subdomains?

tomfun avatar Jan 07 '21 03:01 tomfun

This is old but worth mentioning for those coming from google, the separator is actually a semicolon ;

edit: It does actually seem to work fine for me with an IP too, so maybe that's all this issue was

kimboslice99 avatar Dec 31 '23 07:12 kimboslice99

Seems that's it: in my reverse proxy I use the name flypi and it works with this configuration (screenshot); no port needed.

[Preferences]
WebUI\HostHeaderValidation=true
WebUI\ServerDomains="flypi;p1qbit.whatever.else.example.com"

Good to update the docs with such details.

tomfun avatar Jan 04 '24 20:01 tomfun
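The semicolon-separated ServerDomains list from the configuration above, applied to incoming Host headers as an added example (this is not qBittorrent's own validation code; the list value and the Host headers are constructed from the addresses discussed in this issue, and exact matching is assumed because the thread settles no wildcard syntax):

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed from the addresses in this issue: a hostname served via the
# reverse proxy and a VPN-side IP, separated by ';' as the thread confirms.
SERVER_DOMAINS = "qbit.example.com;10.15.0.3"


def parse_server_domains(setting: str) -> set[str]:
    """Split the ServerDomains value on ';', trimming whitespace and
    lowercasing; empty entries (e.g. a trailing ';') are dropped."""
    return {d.strip().lower() for d in setting.split(";") if d.strip()}


def host_without_port(host_header: str) -> str:
    """Return the host part of a Host header with any :port removed.
    urlsplit handles bracketed IPv6 literals such as [fe80::1]:8080;
    malformed values yield '' so they can never match an entry."""
    try:
        hostname = urlsplit(f"//{host_header.strip()}").hostname
    except ValueError:
        return ""
    return (hostname or "").lower()


def host_allowed(host_header: str, server_domains: str = SERVER_DOMAINS) -> bool:
    """Accept the request only if the Host header names a configured entry.
    IP literals are compared as parsed addresses, so IPv6 spelling differences
    (upper case, zero compression) cannot cause a mismatch; names are compared
    exactly and case-insensitively (no wildcard support is assumed here)."""
    hostname = host_without_port(host_header)
    if not hostname:
        return False
    allowed = parse_server_domains(server_domains)
    try:
        requested_ip = ip_address(hostname)
    except ValueError:
        return hostname in allowed          # plain DNS name: exact match
    for entry in allowed:
        try:
            if ip_address(entry) == requested_ip:
                return True
        except ValueError:
            continue                        # entry is a name, not an address
    return False


if __name__ == "__main__":
    for hdr in ("qbit.example.com:8080", "10.15.0.3", "192.168.0.13",
                "mylocal-server.example.com", "[fe80::1]:8080"):
        print(f"{hdr:30} -> {'allowed' if host_allowed(hdr) else 'rejected'}")
```

With the list above, the direct LAN address 192.168.0.13 and the alias mylocal-server.example.com from the issue are rejected, while the two configured entries pass with or without a port.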

I'm trying to embed qbit in nextcloud as an 'external site' and it's being blocked. I have qbit.example.com working with nginx reverse proxy manager. I read that we can disable "Enable clickjacking protection" but is there a way to ONLY allow https://nextcloud.example.com to access qbit.example.com without allowing all clickjacking? Or even allow https://*.example.com?

EnduringGuerila avatar Sep 29 '24 06:09 EnduringGuerila

@EnduringGuerila clickjacking here adds

X-Frame-Options: SAMEORIGIN

and

Content-Security-Policy: ... frame-ancestors 'self';

So attempting to embed in an iframe will obviously not work.

In nginx you can add

Content-Security-Policy: ... frame-ancestors 'self' *.domain.com;

But do not add X-Frame-Options (or set it to crossorigin).

kimboslice99 avatar Feb 14 '25 19:02 kimboslice99