ArchLinux - Install qbittorrent-nox and setup the WebUI

Table of contents
  1. 🔗Install qbittorrent
  2. 🔗Creating a dedicated user
  3. 🔗Create a service file (for systemd)
  4. 🔗Initializing configuration
  5. 🔗Start the service
  6. 🔗Hardening
  7. 🔗WebUI access
    1. 🔗Setup a HTTPS reverse proxy
  8. 🔗Configure SFTP
  9. 🔗References

For this tutorial we will heavily rely on a previous tutorial: ArchLinux - Install rTorrent, Flood and SFTP.

qBittorrent has a feature-rich Web UI allowing users to control qBittorrent remotely. This is ideal for headless servers without the X window system.

🔗Install qbittorrent

1
# pacman -Syu qbittorrent-nox

qbittorrent-nox (nox means no X server) is the headless version of qbittorrent.

🔗Creating a dedicated user

Similar to Add an user.

  • Create an user:
    1
    2
    # useradd --shell /bin/zsh --create-home sdbox
    # passwd sdbox
  • Give user permissions:
    1
    2
    3
    # chown --recursive sdbox:sdbox /home/sdbox
    # chown root:root /home/sdbox
    # chmod 755 /home/sdbox

🔗Create a service file (for systemd)

  • Create the file /etc/systemd/system/qbittorrent.service
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    [Unit]
    Description=qBittorrent Daemon Service
    After=network.target

    [Service]
    User=sdbox
    Group=sdbox
    ExecStart=/usr/bin/qbittorrent-nox
    ExecStop=/usr/bin/killall -w qbittorrent-nox

    [Install]
    WantedBy=multi-user.target
  • Take the change into account
    1
    $ sudo systemctl daemon-reload

🔗Initializing configuration

  • Run qbittorrent so that it can ask us to accept the disclaimer, and save and create the config file under /home/sdbox/.config/qBittorrent/. For example run it a tmux session so you will be able to detach it (send to the background) later.
    1
    2
    $ sudo su sdbox
    $ qbittorrent-nox
  • The qbittorrent WebUI should be exposed at http://127.0.0.1:8080 (on the remote server).
  • You can quickly try a local port forwarding from your personal machine to check if it is working.
    1
    $ ssh sshuser@X.X.X.X -L 127.0.0.1:8080:127.0.0.1:8080 -N
  • You just mapped the remote 127.0.0.1:8080 with 127.0.0.1:8080 on your machine through a SSH tunnel, so enter http://127.0.0.1:8080 on your web browser.
  • The default credentials are admin / adminadmin, you should see an authentication form like that.
  • Back at the server's command line, exit out of qbittorrent-nox instance with Ctrl-c.
  • Now, stop impersonating the qbittorrent user to return to our account with sudo access:
    1
    $ exit

🔗Start the service

  • Start the service.
    1
    $ sudo systemctl start qbittorrent
  • Enable it so it will automatically start at boot-time.
    1
    $ sudo systemctl enable qbittorrent
  • Verify the status of the service.
    1
    $ sudo systemctl status qbittorrent
  • We have a working qbittorrent + WebUI now.

🔗Hardening

A little thing we can do it to disable the shell of the sdbox user to get a true service account that won't give a shell to the attacker if the service get compromised.

1
$ sudo usermod -s /usr/sbin/nologin sdbox

🔗WebUI access

Either we can do a SSH local port forwarding each time we want to access the WebUI if we don't use it very often, so we won't expose any web interface on internet (good for security) or we can configure a HTTPS reverse proxy to access the WebUI from internet.

The command for SSH local port forwarding is:

1
$ ssh sshuser@X.X.X.X -L 127.0.0.1:8080:127.0.0.1:8080 -N

Else configure a a HTTPS reverse proxy.

🔗Setup a HTTPS reverse proxy

See Configure Nginx but:

  • Change /etc/nginx/servers-available/flood.conf into /etc/nginx/servers-available/qbittorrent-webui.conf
  • Change add_header X-Frame-Options DENY; into add_header X-Frame-Options "SAMEORIGIN";
  • Remove the # Transdroid / Transdrone block
  • Remove the # flood block
  • Add the following # qbittorrent block
1
2
3
4
5
6
7
8
9
location / {
proxy_pass http://127.0.0.1:8080/;
proxy_set_header X-Forwarded-Host $server_name:$server_port;
proxy_hide_header Referer;
proxy_hide_header Origin;
proxy_set_header Referer '';
proxy_set_header Origin '';
add_header X-Frame-Options "SAMEORIGIN";
}

Please don't forget to change the default credentials of the WebUi or you'll get hacked pretty quickly.

🔗Configure SFTP

See Configure SFTP.

🔗References

Share