[BUG] Cannot access WebUI with completely new docker image and default settings

[joshoram80]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Attempt to access via IP:Port. Get unauthorized

Expected Behavior

WebUI should load

Steps To Reproduce

docker compose up -d

Environment

Ubuntu 20.04
Docker install via apt

CPU architecture

x86-64

Docker creation

# qBittorrent - Torrent downloader
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    restart: unless-stopped
    #network_mode: "service:gluetun"
    ports:
      - 8888:8080 # Explosed via gluetun
    volumes:
      - $DOCKERDIR/appdata/qbittorrent:/config
      - $HTPCDIR/data:/data # Ensure that the downloads folder is set to /data/downloads in qBittorrent
    environment:
      PUID: $PUID
      PGID: $PGID
      UMASK_SET: 002
      WEBUI_PORT: 8080

Container logs

The WebUI administrator username is: admin
27/04/2024
15:19:04
The WebUI administrator password was not set. A temporary password is provided for this session: xxxxxx
27/04/2024
15:19:04
You should set your own password in program preferences.
27/04/2024
15:19:04
Connection to localhost (127.0.0.1) 8080 port [tcp/http-alt] succeeded!
27/04/2024
15:19:04
[ls.io-init] done.

[github-actions]

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

[Arelius-D]

Mine did also stopp working.. well it's up and running but WebUI can not be accessed.

Docker version 26.1.2, build 211e74b
Docker Compose version v2.27.0

services:
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Stockholm
      - WEBUI_PORT=8085
      - TORRENTING_PORT=6881
    volumes:
      - ./:/config
      - /mnt/nas/media:/downloads
    network_mode: "container:gluetun"
    restart: unless-stopped

services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 9075:9075/tcp #HTTP Control Server 
      - 8085:8085 # qBittorrent WebUI
      - 6881:6881/tcp # qBittorrent torrenting port
      - 6881:6881/udp # qBittorrent torrenting port
    volumes:
      - ./:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=***************************
      - WIREGUARD_ADDRESSES=***************************/**
      - SERVER_CITIES=***************************
      - TZ=Europe/Stockholm
      - UPDATER_PERIOD=24h
      - HTTP_CONTROL_SERVER_ADDRESS=:9075
      - HTTP_CONTROL_SERVER_LOG=ON
    restart: unless-stopped

[migrations] started
[migrations] no migrations found
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────

[custom-init] No custom files found, skipping...
WebUI will be started shortly after internal preparations. Please wait...

******** Information ********
To control qBittorrent, access the WebUI at: http://localhost:8085

Connection to localhost (::1) 8085 port [tcp/*] succeeded!
[ls.io-init] done.
Catching signal: SIGTERM
Exiting cleanly
[migrations] started
[migrations] no migrations found
usermod: no changes
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────

[custom-init] No custom files found, skipping...
WebUI will be started shortly after internal preparations. Please wait...

******** Information ********
To control qBittorrent, access the WebUI at: http://localhost:8085

Connection to localhost (::1) 8085 port [tcp/*] succeeded!
[ls.io-init] done.

{
    "Id": "sha256:1b6809438ffedd2993f5c742bb4570910d8be64efe23a4c1191b35823c642ca4",
    "RepoTags": [
        "lscr.io/linuxserver/qbittorrent:latest"
    ],
    "RepoDigests": [
        "lscr.io/linuxserver/qbittorrent@sha256:bc39549ede4f4d092e1030b89a0e9ea294c26a7aa5ed7e7e5be6d615f5ea293b"
    ],
    "Parent": "",
    "Comment": "buildkit.dockerfile.v0",
    "Created": "2024-05-12T06:57:17.446144088Z",
    "DockerVersion": "",
    "Author": "",
    "Config": {
        "Hostname": "",
        "Domainname": "",
        "User": "",
        "AttachStdin": false,
        "AttachStdout": false,
        "AttachStderr": false,
        "ExposedPorts": {
            "6881/tcp": {},
            "6881/udp": {},
            "8080/tcp": {}
        },
        "Tty": false,
        "OpenStdin": false,
        "StdinOnce": false,
        "Env": [
            "PATH=/lsiopy/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "PS1=$(whoami)@$(hostname):$(pwd)\\$ ",
            "HOME=/config",
            "TERM=xterm",
            "S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0",
            "S6_VERBOSITY=1",
            "S6_STAGE2_HOOK=/docker-mods",
            "VIRTUAL_ENV=/lsiopy",
            "LSIO_FIRST_PARTY=true",
            "XDG_CONFIG_HOME=/config",
            "XDG_DATA_HOME=/config"
        ],
        "Cmd": null,
        "Image": "",
        "Volumes": {
            "/config": {}
        },
        "WorkingDir": "/",
        "Entrypoint": [
            "/init"
        ],
        "OnBuild": null,
        "Labels": {
            "build_version": "Linuxserver.io version:- 4.6.4-r1-ls329 Build-date:- 2024-05-12T06:55:51+00:00",
            "maintainer": "thespad",
            "org.opencontainers.image.authors": "linuxserver.io",
            "org.opencontainers.image.created": "2024-05-12T06:55:51+00:00",
            "org.opencontainers.image.description": "The [Qbittorrent](https://www.qbittorrent.org/) project aims to provide an open-source software alternative to µTorrent. qBittorrent is based on the Qt toolkit and libtorrent-rasterbar library.",
            "org.opencontainers.image.documentation": "https://docs.linuxserver.io/images/docker-qbittorrent",
            "org.opencontainers.image.licenses": "GPL-3.0-only",
            "org.opencontainers.image.ref.name": "15a3e2fef2740b93de6204463999a6b002002abd",
            "org.opencontainers.image.revision": "15a3e2fef2740b93de6204463999a6b002002abd",
            "org.opencontainers.image.source": "https://github.com/linuxserver/docker-qbittorrent",
            "org.opencontainers.image.title": "Qbittorrent",
            "org.opencontainers.image.url": "https://github.com/linuxserver/docker-qbittorrent/packages",
            "org.opencontainers.image.vendor": "linuxserver.io",
            "org.opencontainers.image.version": "4.6.4-r1-ls329"
        }
    },
    "Architecture": "arm64",
    "Os": "linux",
    "Size": 235888394,
    "GraphDriver": {
        "Data": {
            "LowerDir": "/var/lib/docker/overlay2/a8d07c142c5283f71fac4cd6f6f62c8be54c1b2ab6d0fef6a3cd30ef461eecae/diff:/var/lib/docker/overlay2/e9eb7d98959f4ce0176e4612b62dd46cbda3f57ca12833b79fe8c3a84d0bc980/diff:/var/lib/docker/overlay2/fa551102800c274b02d760c33b9280a797c4bbf0ec9c4c2297377b1eca1c1864/diff:/var/lib/docker/overlay2/ecc7d499bc256c26de9008d3a43035c25576f9c7e7cadaa60392d811831a8dbc/diff:/var/lib/docker/overlay2/86da807a5bbef03ac04505490271cc70847e93683f459e85031f3f50f4bbcb28/diff:/var/lib/docker/overlay2/21e59c6bb3def6a2aff202b44b5261bf8dc6de2a1687deef952116ade8f203b2/diff:/var/lib/docker/overlay2/bf0bceb77d01123cec8d38e2adf186d636a1e31353f1c10e226c15131ba6d266/diff",
            "MergedDir": "/var/lib/docker/overlay2/1aac10e08e1427381688233654e65cf9c02b129b2a5d4d033f18d416fe985873/merged",
            "UpperDir": "/var/lib/docker/overlay2/1aac10e08e1427381688233654e65cf9c02b129b2a5d4d033f18d416fe985873/diff",
            "WorkDir": "/var/lib/docker/overlay2/1aac10e08e1427381688233654e65cf9c02b129b2a5d4d033f18d416fe985873/work"
        },
        "Name": "overlay2"
    },
    "RootFS": {
        "Type": "layers",
        "Layers": [
            "sha256:812c0f118a9b707026a51d6a37f8a13d32b31f466e5e5b2ccbb8eb38fbaa9221",
            "sha256:c2b4ff0f7a07f4699d17ad14ac97fa1521e15e064680592920a231afd880dbe6",
            "sha256:1012b8dcbccbd46c39bd9fd5eab4902b0831a8d085569e39af64cecc3e252153",
            "sha256:0a811998dccd1bab2b3171012d6e7bf0dfcb8bb0a1d56194dd91415e3311c57d",
            "sha256:da68de8387717b5992b8100aefaca3f571e3aae6a365ab4a311b0d42b97fe05e",
            "sha256:5f373b94498042c150d5586065c99065b714d225e4122a12cbcecb6c13ad8300",
            "sha256:df7f6948955e29a2e6232c9756cc1440cdba1f360fc4bd7ebdcf1c3e06e61064",
            "sha256:b4ad4721cbe983386d95cb1855c77bae260dc1a8105bd2874f04f8f63a3fd3df"
        ]
    },
    "Metadata": {
        "LastTagTime": "0001-01-01T00:00:00Z"
    }
}

[aptalca]

OP did not do the port mapping correctly. The limitation is explained in the readme.

Second poster's issue is likely gluetun related, which we don't provide support for.

[Arelius-D]

OP did not do the port mapping correctly. The limitation is explained in the readme.

Second poster's issue is likely gluetun related, which we don't provide support for.

You are assuming and you are wrong, cause it has been working without any issues, both services, as I said IT just from everything working fine went to not working.

..so I went ahead and got a older image of qBittorrent and guess what, everything is working.

Assuming shouldn’t be part of troubleshooting.

[Roxedus]

No assumptions are made? Aptalca is just setting expectations that we will not support gluetun.

There are two symptoms here, OPs unauthorized (which is to be expected when the information in the readme about the portmapping is not followed), and your WebUI can not be accessed.

There is not provided enough information to troubleshoot, as the image works fine in our tests, which are not using gluetun.

older image of qBittorrent [...unnecessary hostility..], everything is working

Does not help, what version? some ancient one from years ago? or just 2-3 builds ago?

[Arelius-D]

No assumptions are made? Aptalca is just setting expectations that we will not support gluetun.

There are two symptoms here, OPs unauthorized (which is to be expected when the information in the readme about the portmapping is not followed), and your WebUI can not be accessed.

There is not provided enough information to troubleshoot, as the image works fine in our tests, which are not using gluetun.

older image of qBittorrent [...unnecessary hostility..], everything is working

Does not help, what version? some ancient one from years ago? or just 2-3 builds ago?

I got triggered by that exact fact, there is no need to point out that this team dose not support some other tools, no one is actively or indirectly seeking any support for such situation or issue either..

OP did (and so did) try to run qBittorrent without the dependency of Gluetun. I actually even removed Qluetune and qBittorrent (including Networks) images entirely and restarted the Docker Daemon even. Pulled the latest image of qBittorrent with all new auto generated config files and the problem was exactly the same.

I for one fail to see logical reasons for this issue being related to any other service I'm running so I have not mentioned any of those.

There is no hostility from my part but sure if that is your take of things then that is on you.

We are here reporting the issue encountered, if the logs and so on are not enough then please do point out what else is required.

[Roxedus]

Would probably need a bit more than the issue template asks for. This should cover enough to troubleshoot further.
https://docs.linuxserver.io/general/how-to-get-support/

[jzeller2011]

I realize linuxserver.io does not support gluetun integrations, but I've been having this issue (with gluetun included) and I thought i'd share a workaround that worked for me:

• initiate qbittorrent as usual on the default port along with gluetun
• log into the qbit gui and change the webui port to an open port (this will disable your access to the gui temporarily)
• add the new port mapping to gluetun as described in the documentation (matching internal:external ports eg 8080:8080)
• redeploy the qbit container with no port declared, the updated WEBGUI_PORT env variable, and set the network_mode to 'service/container:gluetun'.
• you can now start a new qbit container on the default port as usual
• repeat as necessary for the number of instances needed

this change persists between restarts/updates. others have had success with compose files with all qbit instances included that list gluetun services last, but I haven't tried that workaround.

[LinuxServer-CI]

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

[Copyrighter]

@Arelius-D
did You able to resolve problem?
I have the same issue. :-(
tried to recreate on QNAP with newer image and from working environment went to ERR_CONNECTION_REFUSED.
locally on docker bash I'm able to use curl http://:8080 and ping to docker from machine on the same network is working.
only port 8080 is rejected from machine on the same network.

[Arelius-D]

@Arelius-D

did You able to resolve problem?

I have the same issue. :-(

tried to recreate on QNAP with newer image and from working environment went to ERR_CONNECTION_REFUSED.

locally on docker bash I'm able to use curl http://:8080 and ping to docker from machine on the same network is working.

only port 8080 is rejected from machine on the same network.

Hey man, yes, couple of updates later it all works again without any changes to my compose files. So this is (was) an issue with this container (qBittorrent) and not at all related to Gluetun.

[Copyrighter]

@Arelius-D
thank man!!! :-)

I found the problem ... it's with docker problem of MAC Address propagation.

[Copyrighter]

@Roxedus
I found a bug in a Docker running on QNAP Docker Station.

WebUI is not accessible after Docker deployment in Bridge mode with Static IP and Default Ports.
Error message: ERR_CONNECTION_REFUSED.
Locally from Docker the port :8080 is accessible both in 127.0.0.1 and Static IP.
the ICMP is working from Machine in the same network.
but, no telnet to Static IP:8080.

from Docker, no ICMP to DG ... but is working to Local Machine ... as mentioned ...

the resolution which works everytime:
ICMP from Docker to Local Machine ( not from Machine to a Docker ).
then ICMP to DG is starting to work.
and now :8080 is accessible from local network.

hope it will help to someone.

[Lukas-Heiligenbrunner]

Qbittorrent doesn't like a port mappings, it expects the same port it has been configured via the env variable.
-> 8080:8080 works fine for me
8087:8080 i get unauthorized

[j0nnymoe]

Our documentation does explain how to handle this.

[LinuxServer-CI]

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

[V33m]

CSRF protection ensures that requests to the Web UI come from trusted sources. If the WEBUI_PORT environment variable and the actual port you're using to access the Web UI don't match, CSRF protection will reject the request, resulting in the "Unauthorized" error.

I’m using Glueton and have been using Transmission from Linuxserver for years without issues. I honestly think we should improve the README description about this a little. If we start with the current description:

Due to issues with CSRF and port mapping, should you require to alter the port for the web UI you need to change both sides of the -p 8080 switch AND set the WEBUI_PORT variable to the new port.

For example, to set the port to 8090 you need to set -p 8090:8090 and -e WEBUI_PORT=8090

This alone might not be clear enough for most people. Even after changing both the WEBUI_PORT and the published port for Glueton (or the Qbittorrent container), one might encounter the same "Unauthorized" message due to having a reverse proxy mapping to a different port later on. Despite matching the WEBUI_PORT and the container's published port, the issue will persist.

Here is a suggestion which I highly welcome to be changed:

⚠️ Note on CSRF and Port Mapping ⚠️

To avoid "Unauthorized" errors caused by CSRF protection, it's essential to ensure that the WEBUI_PORT variable and the actual port used to access the Web UI match. If you need to change the port for the web UI, you must update both the published port and the WEBUI_PORT environment variable.

For example, to set the port to 8090, configure both the published port and WEBUI_PORT as follows:

-p 8090:8090 -e WEBUI_PORT=8090

Important: If you're using a reverse proxy (e.g., Caddy) that maps the port to a final port which is different, ensure that the proxy's port configuration aligns with the WEBUI_PORT to avoid "Unauthorized" errors. Even if WEBUI_PORT and the container's published port match, a mismatch with the reverse proxy can still cause issues.

One might add an example related to the reverse proxy subsection, yet the only aspect which needs to match is the WEBUI_PORT and the port of the reverse proxy. Meaning that one can have an entirely different published port from the container. So, If I have a reverse proxy using port 29897, I need to set WEBUI_PORT to 29897. The container's published port and the source port for my reverse proxy can be a totally different port as long as the former match. I think it's easier to state in the documentation that all three ports need to match👍

One question left to answer is if we want to tell the user that there is a toggle in the UI which can be unitcked if the user want to disable CSRF under Options -> Web UI -> Security

• Enable Cross-Site Request Forgery (CSRF) protection

[hundredfire]

I read that simply adding WebUI\HostHeaderValidation=false to qbitorrent.conf bypassed this issue. What does turning off this setting entails? Wouldn't it fix issues with reverse proxies?

[LinuxServer-CI]

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.