For this tutorial we will heavily rely on a previous tutorial: ArchLinux - Install rTorrent, Flood and SFTP.
qBittorrent has a feature-rich Web UI allowing users to control qBittorrent remotely. This is ideal for headless servers without the X window system.
Install qbittorrent#
qbittorrent-nox
(nox means no X server) is the headless version of qbittorrent.
Creating a dedicated user#
Similar to Add an user.
- Create an user:
- Give user permissions:
Create a service file (for systemd)#
- Create the file
/etc/systemd/system/qbittorrent.service
- Take the change into account
Initializing configuration#
- Run qbittorrent so that it can ask us to accept the disclaimer, and save and create the config file under
/home/sdbox/.config/qBittorrent/
. For example run it atmux
session so you will be able to detach it (send to the background) later. - The qbittorrent WebUI should be exposed at http://127.0.0.1:8080 (on the remote server).
- You can quickly try a local port forwarding from your personal machine to check if it is working.
- You just mapped the remote
127.0.0.1:8080
with127.0.0.1:8080
on your machine through a SSH tunnel, so enter http://127.0.0.1:8080 on your web browser. - The default credentials are
admin
/adminadmin
, you should see an authentication form like that. - Back at the server's command line, exit out of qbittorrent-nox instance with
Ctrl-c
. - Now, stop impersonating the qbittorrent user to return to our account with sudo access:
Note: On newer version of qbittorrent, it may defaults to listen on all interfaces, exposing your port 8080 to the internet. The option to listen on on localhost only is in the advanced options menu and will help secure your server.
Start the service#
- Start the service.
- Enable it so it will automatically start at boot-time.
- Verify the status of the service.
- We have a working qbittorrent + WebUI now.
Hardening#
A little thing we can do it to disable the shell of the sdbox user to get a true service account that won't give a shell to the attacker if the service get compromised.
WebUI access#
Either we can do a SSH local port forwarding each time we want to access the WebUI if we don't use it very often, so we won't expose any web interface on internet (good for security) or we can configure a HTTPS reverse proxy to access the WebUI from internet.
The command for SSH local port forwarding is:
Else configure a a HTTPS reverse proxy.
Setup a HTTPS reverse proxy#
See Configure Nginx but:
- Change
/etc/nginx/servers-available/flood.conf
into/etc/nginx/servers-available/qbittorrent-webui.conf
- Change
add_header X-Frame-Options DENY;
intoadd_header X-Frame-Options "SAMEORIGIN";
- Remove the
# Transdroid / Transdrone
block - Remove the
# flood
block - Add the following
# qbittorrent
block
Please don't forget to change the default credentials of the WebUi or you'll get hacked pretty quickly.
Configure SFTP#
See Configure SFTP.