qBittorent UI returns 401 (blank page) when accessed through Kubernetes proxy

[zeppelinux]

qBittorrent version and Operating System
4.0.3 (latest), Docker 17.03.2-ce, Kubernetes 1.8

What is the problem
qBittorrent responds with 401 on any http GET request

What is the expected behavior
login page is returned for /

Steps to reproduce
deploy qBittorrent in a Pod and expose it as a Service using nodePort type.

Extra info(if any)
When accessed using clusterIP it works as expected, the problem is with the kube-proxy only.

The last version that works with kube-proxy seems to be 3.3.1

[sledgehammer999]

I don't have any knowledge of what Kubernetes is and how kube-proxy, pod and nodePort work.
Can you explain more? Especially how the connection is supposed to happen between server(qbittorrent) and client(browser).
And maybe @Chocobo1 wants to help here.

[zeppelinux]

@sledgehammer999 Kubernetes (K8's) creates abstraction on top of Docker (or other container runtime).
When qBittirrent contsiner image is deployed by K8's it receives the internal (cluster) IP, this is the Pod IP (and qBittorrent is running in the Pod). This IP is accessible only from hosts/other pods connected by the same network overlay (flannel for example). It works, i.e. I can access the qBittirrent pod by curl executed on the host that knows what to do with the provided IP. Pod IP's are mortal i.e. each time it restarts it gets new IP.
In order to expose the Pod (with running qBittorent inside) there are in general two ways - create Service or Ingres objects. There are some heavy limitations with Services because it's Level 4 proxy. For example, Service supports session affinity based on client IP only, i.e. if requests are coming through load balancer or gateway - they all will have the same IP.

Service is implemented as a set of IP table rules that know how to take traffic from the host:nodePort and route it to the Pod. Kube proxy is a daemon that maintains the IP tables rules on each node (host).
Here is the connection between client (curl or browser) and qBittirent process:

curl node:nodePort -> Node IP tables -> Pod:8080

[zeppelinux]

Correction:

curl node:nodePort -> Node (IP tables) -> podIP:podPort ->qBittorrent:8080

Hope it makes sense.

[zeppelinux]

I deployed Nginx ingress controller (which is basically Nginx server) and still fails with 401.

Looks like it's related to this #6962

I applied all the headers as described here https://github.com/qbittorrent/qBittorrent/wiki/NGINX-Reverse-Proxy-for-Web-UI - still no luck.

Can anybody share working Nginx configuration (when Nginx and qBittorrent are deployed on different hosts)?

[zeppelinux]

Found another related issue (and it still open) #7028

[zeppelinux]

Used this #5693 to figure it out, for anybody else having the same issue the kubernetes ingress yaml should look like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  name: qbittorrent-ingress
spec:
  rules:
  - host: <your-domain-name>
    http:
      paths:
      - backend:
          serviceName: qbittorent-service #or whatever service name you created
          servicePort: 8080

[Fastjur]

@zeppelinux I am the original reporter of the issue/feature request #5693

Just to confirm, did you get it to work with a work around or has the base URL been implemented?

[kurosh]

Another +1 for this, not working for me behind Nginx. Login screen appears (without any images strangely) then when I submit the password appears in the URL and goes to blank screen :|

[4ft35t]

I had the same issue with run qBittorrent v4.1.5 Web UI on docker. And #9333 not works for me.
Finally solved by change qBittorrent.conf
from
WebUI\HostHeaderValidation=true
to
WebUI\HostHeaderValidation=false

[dm9tr0]

I use docker image
linuxserver/qbittorrent:latest
And solution
WebUI\HostHeaderValidation=false
Works for me, but with this setting Web UI will be accessible to anyone in the Internet without credentials.