ArchLinux - Install qbittorrent-nox and setup the WebUI

For this tutorial we will heavily rely on a previous tutorial: ArchLinux - Install rTorrent, Flood and SFTP.

qBittorrent has a feature-rich Web UI allowing users to control qBittorrent remotely. This is ideal for headless servers without the X window system.

Install qbittorrent

# pacman -Syu qbittorrent-nox

qbittorrent-nox (nox means no X server) is the headless version of qbittorrent.

Creating a dedicated user

Similar to Add an user.

  • Create a user:
    # useradd --shell /bin/zsh --create-home sdbox
    # passwd sdbox
  • Give user permissions:
    # chown --recursive sdbox:sdbox /home/sdbox
    # chown root:root /home/sdbox
    # chmod 755 /home/sdbox

Create a service file (for systemd)

  • Create the file /etc/systemd/system/qbittorrent.service
    [Unit]
    Description=qBittorrent Daemon Service
    After=network.target
    
    [Service]
    User=sdbox
    Group=sdbox
    ExecStart=/usr/bin/qbittorrent-nox
    ExecStop=/usr/bin/killall -w qbittorrent-nox
    
    [Install]
    WantedBy=multi-user.target
  • Take the change into account
    $ sudo systemctl daemon-reload

Initializing configuration

  • Run qbittorrent so that it can ask us to accept the disclaimer, then create and save the config file under /home/sdbox/.config/qBittorrent/. For example, run it in a tmux session so you will be able to detach it (send it to the background) later.
    $ sudo su sdbox
    $ qbittorrent-nox
  • The qbittorrent WebUI should be exposed at http://127.0.0.1:8080 (on the remote server).
  • You can quickly try a local port forwarding from your personal machine to check if it is working.
    $ ssh sshuser@X.X.X.X -L 127.0.0.1:8080:127.0.0.1:8080 -N
  • You just mapped the remote 127.0.0.1:8080 to 127.0.0.1:8080 on your machine through an SSH tunnel, so enter http://127.0.0.1:8080 in your web browser.
  • The default credentials are admin / adminadmin; you should see an authentication form.
  • Back at the server's command line, exit the qbittorrent-nox instance with Ctrl-c.
  • Now, stop impersonating the sdbox user to return to our account with sudo access:
    $ exit

Note: Newer versions of qbittorrent may default to listening on all interfaces, exposing your port 8080 to the internet. The option to listen on localhost only is in the advanced options menu and will help secure your server.
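
To verify the binding described in the note, the following added example (not part of the original tutorial) filters `ss -Htln` output for listeners on the WebUI port that are not bound to a loopback address. The function and sample names are hypothetical, the sample lines are constructed, and the column layout of `ss -Htln` is assumed to be State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port.

```sh
#!/bin/sh
# Added example, not from the original tutorial.
# Reads `ss -Htln` output on stdin (assumed columns: State Recv-Q Send-Q
# Local-Address:Port Peer-Address:Port) and prints every listener on the
# given port that is not bound to a loopback address.
# Exit status: 0 = loopback only (or not listening), 1 = exposed.
webui_exposed() {
    awk -v port="${1:-8080}" '
        {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next              # different port
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            gsub(/\[|\]/, "", host)                 # [::1] becomes ::1
            sub(/%.*/, "", host)                    # drop scope id such as %lo
            if (host ~ /^127\./ || host == "::1" || host ~ /^::ffff:127\./) next
            print addr
            exposed = 1
        }
        END { exit exposed ? 1 : 0 }
    '
}

# Constructed sample: qbittorrent-nox listening on all interfaces.
sample_all_interfaces() {
    printf '%s\n' \
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' \
        'LISTEN 0 50 *:8080 *:*' \
        'LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'
}

# Constructed sample: WebUI restricted to localhost, as the note recommends.
sample_localhost_only() {
    printf '%s\n' \
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' \
        'LISTEN 0 50 127.0.0.1:8080 0.0.0.0:*' \
        'LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'
}

# Demo on the constructed samples; on the server use: ss -Htln | webui_exposed 8080
for sample in sample_all_interfaces sample_localhost_only; do
    if "$sample" | webui_exposed 8080 >/dev/null; then
        echo "$sample: WebUI bound to loopback only"
    else
        echo "$sample: WebUI reachable on a non-loopback address"
    fi
done
```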

Start the service

  • Start the service.
    $ sudo systemctl start qbittorrent
  • Enable it so it will automatically start at boot-time.
    $ sudo systemctl enable qbittorrent
  • Verify the status of the service.
    $ sudo systemctl status qbittorrent
  • We have a working qbittorrent + WebUI now.

Hardening

A small thing we can do is to disable the shell of the sdbox user, making it a true service account that won't give a shell to an attacker if the service gets compromised.

$ sudo usermod -s /usr/sbin/nologin sdbox

WebUI access

We can either use SSH local port forwarding each time we want to access the WebUI, which suits occasional use and avoids exposing any web interface on the internet (good for security), or configure an HTTPS reverse proxy to access the WebUI from the internet.

The command for SSH local port forwarding is:

$ ssh sshuser@X.X.X.X -L 127.0.0.1:8080:127.0.0.1:8080 -N

Otherwise, configure an HTTPS reverse proxy.

Set up an HTTPS reverse proxy

See Configure Nginx but:

  • Change /etc/nginx/servers-available/flood.conf into /etc/nginx/servers-available/qbittorrent-webui.conf
  • Change add_header X-Frame-Options DENY; into add_header X-Frame-Options "SAMEORIGIN";
  • Remove the # Transdroid / Transdrone block
  • Remove the # flood block
  • Add the following # qbittorrent block
location / {
    proxy_pass              http://127.0.0.1:8080/;
    proxy_set_header        X-Forwarded-Host            $server_name:$server_port;
    proxy_hide_header       Referer;
    proxy_hide_header       Origin;
    proxy_set_header        Referer                     '';
    proxy_set_header        Origin                      '';
    add_header              X-Frame-Options             "SAMEORIGIN";
}

Please don't forget to change the default credentials of the WebUI or you'll get hacked pretty quickly.

Configure SFTP

See Configure SFTP.
