New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Not able to use IIS reverse proxy since 3.3.13 #7577

Closed
Rouzax opened this Issue Oct 12, 2017 · 20 comments

Comments

Projects
None yet
3 participants
@Rouzax

Rouzax commented Oct 12, 2017

qBittorrent version and Operating System:

qBittorent: 3.3.13 till 3.3.16
Windows Server 2016 fully pathed

What is the problem:

Since 3.3.13 I'm unable to upgrade beacuse my reverse Proxy with IIS ARR does not work.

I've following the steps in https://github.com/qbittorrent/qBittorrent/wiki/IIS-ARR-Reverse-Proxy
Unfortunately that results in a weird looking logon screen
image
When I try to logon I just get an empty screen that has my usename and password in the URL bar.
image

My web.config has the following line:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Lets Encrypt" stopProcessing="true">
                    <match url=".well-known/acme-challenge/.*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="None" />
                </rule>
				<rule name="HTTP Redirect to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
					<match url="*" ignoreCase="true" />
					<conditions>
                        <add input="{HTTPS}" pattern="off" />
					</conditions>
					<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="true" redirectType="Found" />
				</rule>
                <rule name="Torrent Reverse Proxy" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <action type="Rewrite" url="http://download:8080/{R:1}" />
                    <serverVariables>
                        <set name="HTTP_X-Forwarded-Host" value="{HTTP_HOST}:{SERVER_PORT}" />
                    </serverVariables>
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

Also tried with the temporary 3.3.15 fix that is in the wiki.

@Chocobo1

This comment has been minimized.

Show comment
Hide comment
@Chocobo1

Chocobo1 Oct 12, 2017

Member

I'm unfamiliar with IIS, in general, you could try suppressing both Origin & Referrer headers and also ensure qbt receive correct host header.
i.e. just observe & follow what a normal browser would do.

Member

Chocobo1 commented Oct 12, 2017

I'm unfamiliar with IIS, in general, you could try suppressing both Origin & Referrer headers and also ensure qbt receive correct host header.
i.e. just observe & follow what a normal browser would do.

@JamiePhonic

This comment has been minimized.

Show comment
Hide comment
@JamiePhonic

JamiePhonic Oct 13, 2017

After managing to get my own IIS server to play ball, i can confirm that's what you need to do.
Simply add <set name="HTTP_REFERER" value="" /> to your config below <set name="HTTP_X-Forwarded-Host" value="{HTTP_HOST}:{SERVER_PORT}" />
(Obviously you'll need to add it as a variable in the URL rewrite module)

i.e.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Lets Encrypt" stopProcessing="true">
                    <match url=".well-known/acme-challenge/.*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="None" />
                </rule>
				<rule name="HTTP Redirect to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
					<match url="*" ignoreCase="true" />
					<conditions>
                        <add input="{HTTPS}" pattern="off" />
					</conditions>
					<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="true" redirectType="Found" />
				</rule>
                <rule name="Torrent Reverse Proxy" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <action type="Rewrite" url="http://download:8080/{R:1}" />
                    <serverVariables>
                        <set name="HTTP_X-Forwarded-Host" value="{HTTP_HOST}:{SERVER_PORT}" />
                        <set name="HTTP_REFERER" value="" />
                    </serverVariables>
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

JamiePhonic commented Oct 13, 2017

After managing to get my own IIS server to play ball, i can confirm that's what you need to do.
Simply add <set name="HTTP_REFERER" value="" /> to your config below <set name="HTTP_X-Forwarded-Host" value="{HTTP_HOST}:{SERVER_PORT}" />
(Obviously you'll need to add it as a variable in the URL rewrite module)

i.e.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Lets Encrypt" stopProcessing="true">
                    <match url=".well-known/acme-challenge/.*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="None" />
                </rule>
				<rule name="HTTP Redirect to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
					<match url="*" ignoreCase="true" />
					<conditions>
                        <add input="{HTTPS}" pattern="off" />
					</conditions>
					<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="true" redirectType="Found" />
				</rule>
                <rule name="Torrent Reverse Proxy" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <action type="Rewrite" url="http://download:8080/{R:1}" />
                    <serverVariables>
                        <set name="HTTP_X-Forwarded-Host" value="{HTTP_HOST}:{SERVER_PORT}" />
                        <set name="HTTP_REFERER" value="" />
                    </serverVariables>
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
@Rouzax

This comment has been minimized.

Show comment
Hide comment
@Rouzax

Rouzax Oct 13, 2017

@JamiePhonic Thanks that bring me a bit further.
My logon screen now look okay but when I try to logon I get the message:
Unable to log in, qBittorrent is probably unreachable.
image

This is my IIS log, that shows the 401's on the logon.

#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2017-10-13 15:30:56
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-10-13 15:30:56 192.168.2.12 GET / X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=ad36f450-afe0-4259-8379-dc08f600a9e2&SERVER-STATUS=200 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 200 0 0 182
2017-10-13 15:30:56 192.168.2.12 GET /css/style.css X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=75569718-5d1b-438a-b374-02d69d911adf&SERVER-STATUS=200 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 200 0 0 0
2017-10-13 15:30:56 192.168.2.12 GET /scripts/mootools-1.2-core-yc.js X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=48c0742a-737e-432c-8015-b23998345a7e&SERVER-STATUS=200 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 200 0 0 0
2017-10-13 15:30:56 192.168.2.12 GET /images/qbittorrent.png X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=6ebb37a9-26ae-4032-840b-57f0edc680d7&SERVER-STATUS=200 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 200 0 0 13
2017-10-13 15:30:56 192.168.2.12 GET /favicon.ico X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=36202bab-536d-4887-8636-781d6be5689c&SERVER-STATUS=200 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 200 0 0 46
2017-10-13 15:30:58 192.168.2.12 POST /login X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=9d2cf821-0681-4f5b-b852-f09ab3f96e04&SERVER-STATUS=401 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 401 0 0 0
2017-10-13 15:31:01 192.168.2.12 POST /login X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=cedcbf00-bc8d-4166-aed8-54e86569d07f&SERVER-STATUS=401 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 401 0 0 15
2017-10-13 15:31:03 192.168.2.12 POST /login X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=7cd46af6-8a38-4b28-840b-9a85b6820a66&SERVER-STATUS=401 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 401 0 0 0
2017-10-13 15:31:05 192.168.2.12 POST /login X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=5d4cecb8-76b8-4d96-b0c2-d46f11ff4144&SERVER-STATUS=401 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 401 0 0 15

Rouzax commented Oct 13, 2017

@JamiePhonic Thanks that bring me a bit further.
My logon screen now look okay but when I try to logon I get the message:
Unable to log in, qBittorrent is probably unreachable.
image

This is my IIS log, that shows the 401's on the logon.

#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2017-10-13 15:30:56
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-10-13 15:30:56 192.168.2.12 GET / X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=ad36f450-afe0-4259-8379-dc08f600a9e2&SERVER-STATUS=200 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 200 0 0 182
2017-10-13 15:30:56 192.168.2.12 GET /css/style.css X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=75569718-5d1b-438a-b374-02d69d911adf&SERVER-STATUS=200 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 200 0 0 0
2017-10-13 15:30:56 192.168.2.12 GET /scripts/mootools-1.2-core-yc.js X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=48c0742a-737e-432c-8015-b23998345a7e&SERVER-STATUS=200 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 200 0 0 0
2017-10-13 15:30:56 192.168.2.12 GET /images/qbittorrent.png X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=6ebb37a9-26ae-4032-840b-57f0edc680d7&SERVER-STATUS=200 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 200 0 0 13
2017-10-13 15:30:56 192.168.2.12 GET /favicon.ico X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=36202bab-536d-4887-8636-781d6be5689c&SERVER-STATUS=200 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 200 0 0 46
2017-10-13 15:30:58 192.168.2.12 POST /login X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=9d2cf821-0681-4f5b-b852-f09ab3f96e04&SERVER-STATUS=401 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 401 0 0 0
2017-10-13 15:31:01 192.168.2.12 POST /login X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=cedcbf00-bc8d-4166-aed8-54e86569d07f&SERVER-STATUS=401 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 401 0 0 15
2017-10-13 15:31:03 192.168.2.12 POST /login X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=7cd46af6-8a38-4b28-840b-9a85b6820a66&SERVER-STATUS=401 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 401 0 0 0
2017-10-13 15:31:05 192.168.2.12 POST /login X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=5d4cecb8-76b8-4d96-b0c2-d46f11ff4144&SERVER-STATUS=401 443 - 192.168.2.254 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/61.0.3163.100+Safari/537.36 - 401 0 0 15
@JamiePhonic

This comment has been minimized.

Show comment
Hide comment
@JamiePhonic

JamiePhonic Oct 14, 2017

Here is a copy of my web.confg file that's working with QBT 3.3.16
(Pastebined for neatness)

https://pastebin.com/TSJEsLnq

JamiePhonic commented Oct 14, 2017

Here is a copy of my web.confg file that's working with QBT 3.3.16
(Pastebined for neatness)

https://pastebin.com/TSJEsLnq

@Rouzax

This comment has been minimized.

Show comment
Hide comment
@Rouzax

Rouzax Oct 15, 2017

Still won't work for me. I've literally copied and pasted your web.config and changed it to my domain names. It results in the exact same logon issue.
image

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Lets Encrypt" stopProcessing="true">
                    <match url=".well-known/acme-challenge/.*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="None" />
                </rule>
				<rule name="HTTP Redirect to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
					<match url="*" ignoreCase="true" />
					<conditions>
                        <add input="{HTTPS}" pattern="off" />
					</conditions>
					<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="true" redirectType="Found" />
				</rule>
                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://download:8080/{R:1}" />
					<serverVariables>
                        <set name="HTTP_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                        <set name="HTTP_ACCEPT_ENCODING" value="EE" />
                        <set name="HTTP_X-Forwarded-Host" value="{HTTP_HOST}:8080" />
                        <set name="HTTP_REFERER" value="" />
                    </serverVariables>
                </rule>
            </rules>
            <outboundRules>
                <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
                    <match filterByTags="A, Form, Img, Link, Script" pattern="^http(s)?://download:8080/(.*)" />
                    <action type="Rewrite" value="http{R:1}://torrent.xxx.yyy/{R:2}" />
                </rule>
                <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
                  <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
                  <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
                </rule>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                    <preCondition name="NeedsRestoringAcceptEncoding">
                        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
                    </preCondition>
                </preConditions>
            </outboundRules>		
        </rewrite>
    </system.webServer>
</configuration>

I think you have qBittorent on the same host as IIS, in my instance it is on a separate server.

Rouzax commented Oct 15, 2017

Still won't work for me. I've literally copied and pasted your web.config and changed it to my domain names. It results in the exact same logon issue.
image

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Lets Encrypt" stopProcessing="true">
                    <match url=".well-known/acme-challenge/.*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="None" />
                </rule>
				<rule name="HTTP Redirect to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
					<match url="*" ignoreCase="true" />
					<conditions>
                        <add input="{HTTPS}" pattern="off" />
					</conditions>
					<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="true" redirectType="Found" />
				</rule>
                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://download:8080/{R:1}" />
					<serverVariables>
                        <set name="HTTP_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                        <set name="HTTP_ACCEPT_ENCODING" value="EE" />
                        <set name="HTTP_X-Forwarded-Host" value="{HTTP_HOST}:8080" />
                        <set name="HTTP_REFERER" value="" />
                    </serverVariables>
                </rule>
            </rules>
            <outboundRules>
                <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
                    <match filterByTags="A, Form, Img, Link, Script" pattern="^http(s)?://download:8080/(.*)" />
                    <action type="Rewrite" value="http{R:1}://torrent.xxx.yyy/{R:2}" />
                </rule>
                <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
                  <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
                  <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
                </rule>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                    <preCondition name="NeedsRestoringAcceptEncoding">
                        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
                    </preCondition>
                </preConditions>
            </outboundRules>		
        </rewrite>
    </system.webServer>
</configuration>

I think you have qBittorent on the same host as IIS, in my instance it is on a separate server.

@JamiePhonic

This comment has been minimized.

Show comment
Hide comment
@JamiePhonic

JamiePhonic Oct 15, 2017

Yes, My setup is qBittorrent 3.3.16 running on Windows Server 2016 with IIS 10, URL Rewrite 2.5 and ARR 3.0.

Try disabling the "redirect to HTTPS" rule and get the server to listen on HTTP.
If it works that way, it may be related to SSL, though its unlikely.
I'm testing it with an internal self signed certificate, but that shouldn't make any difference.

In the mean time, i'll try installing QBT on a different machine and pointing IIS at that instead to see if i get the same issue as you.

Update
I installed qBittorrent on another host on my network and changed the proxy rules accordingly. Didn't have any issues. (Note: I used the hosts IP address instead of host names.)
Perhaps try re-installing qBittorrent to allow it to re-create any firewall rules that may be missing?
Failing that, i am clean out of ideas!

JamiePhonic commented Oct 15, 2017

Yes, My setup is qBittorrent 3.3.16 running on Windows Server 2016 with IIS 10, URL Rewrite 2.5 and ARR 3.0.

Try disabling the "redirect to HTTPS" rule and get the server to listen on HTTP.
If it works that way, it may be related to SSL, though its unlikely.
I'm testing it with an internal self signed certificate, but that shouldn't make any difference.

In the mean time, i'll try installing QBT on a different machine and pointing IIS at that instead to see if i get the same issue as you.

Update
I installed qBittorrent on another host on my network and changed the proxy rules accordingly. Didn't have any issues. (Note: I used the hosts IP address instead of host names.)
Perhaps try re-installing qBittorrent to allow it to re-create any firewall rules that may be missing?
Failing that, i am clean out of ideas!

@Rouzax

This comment has been minimized.

Show comment
Hide comment
@Rouzax

Rouzax Oct 16, 2017

@JamiePhonic You're not changing anything in qBittorrent right?
I can open the qBittorrent webpage from the IIS server without issue.

One thing I also have is hostheaders enabled in IIS as I have 9 websites running with their own subdomain under xxx.yyy

EDIT:
Started a new test were I still use qBittorrent 3.3.12 with the new web.config as posted by me above.
The result is a completely working site.
After the upgrade to 3.3.16 I get the error even if I change the internal hostname to the internal IP address
Also no change if I disable HTTPS rule and try directly over HTTP

Which server variables do you have defined? I now have 4
image

Rouzax commented Oct 16, 2017

@JamiePhonic You're not changing anything in qBittorrent right?
I can open the qBittorrent webpage from the IIS server without issue.

One thing I also have is hostheaders enabled in IIS as I have 9 websites running with their own subdomain under xxx.yyy

EDIT:
Started a new test were I still use qBittorrent 3.3.12 with the new web.config as posted by me above.
The result is a completely working site.
After the upgrade to 3.3.16 I get the error even if I change the internal hostname to the internal IP address
Also no change if I disable HTTPS rule and try directly over HTTP

Which server variables do you have defined? I now have 4
image

@JamiePhonic

This comment has been minimized.

Show comment
Hide comment
@JamiePhonic

JamiePhonic Oct 16, 2017

I have Host Headers enabled too.
image

Those are the 4 variables you should have in the server variables setion of the inbound rewrite rule
image
The first takes the content of the HTTP_ACCEPT_ENCODING variable and stores it in the HTTP_ORIGINAL_ACCEPT_ENCODING variable.
the second clears the value of the HTTP_ACCEPT_ENCODING variable (fixes issues performing rewrites on requests that have compression enabled, the outbound rewrite rule restores this value on the way back out)
the 3rd clears the value of the REFERER header and the 4th sets the X-Forwarded-Host header value.

I'm not sure why you cant get it to work with the exact same configuration i'm using.
Did you try using IP addresses instead of host names to connect to the QBT server?
You could try wiresharking the connection between the web server and QBT to see if IIS is actually manipulating the headers as instructed.
You could also try configuring "Failed Request Tracing" to see if the problem lies with IIS.
Lastly, try hitting F12 in your browser to enable debug view and checking the Console tab for any errors.

JamiePhonic commented Oct 16, 2017

I have Host Headers enabled too.
image

Those are the 4 variables you should have in the server variables setion of the inbound rewrite rule
image
The first takes the content of the HTTP_ACCEPT_ENCODING variable and stores it in the HTTP_ORIGINAL_ACCEPT_ENCODING variable.
the second clears the value of the HTTP_ACCEPT_ENCODING variable (fixes issues performing rewrites on requests that have compression enabled, the outbound rewrite rule restores this value on the way back out)
the 3rd clears the value of the REFERER header and the 4th sets the X-Forwarded-Host header value.

I'm not sure why you cant get it to work with the exact same configuration i'm using.
Did you try using IP addresses instead of host names to connect to the QBT server?
You could try wiresharking the connection between the web server and QBT to see if IIS is actually manipulating the headers as instructed.
You could also try configuring "Failed Request Tracing" to see if the problem lies with IIS.
Lastly, try hitting F12 in your browser to enable debug view and checking the Console tab for any errors.

@Rouzax

This comment has been minimized.

Show comment
Hide comment
@Rouzax

Rouzax Oct 16, 2017

Yes I did try to use the internal IP Address as well, the same result however.
I'm getting ready to just pull my hair out 😖.

Rouzax commented Oct 16, 2017

Yes I did try to use the internal IP Address as well, the same result however.
I'm getting ready to just pull my hair out 😖.

@Chocobo1

This comment has been minimized.

Show comment
Hide comment
@Chocobo1

Chocobo1 Oct 16, 2017

Member

I'm getting ready to just pull my hair out 😖.

I think I'll be adding code to record these errors/failures in log.

Member

Chocobo1 commented Oct 16, 2017

I'm getting ready to just pull my hair out 😖.

I think I'll be adding code to record these errors/failures in log.

@Rouzax

This comment has been minimized.

Show comment
Hide comment
@Rouzax

Rouzax Oct 16, 2017

@Chocobo1 You mean in qBittorrent?

Rouzax commented Oct 16, 2017

@Chocobo1 You mean in qBittorrent?

@Chocobo1

This comment has been minimized.

Show comment
Hide comment
@Chocobo1

Chocobo1 Oct 17, 2017

Member

@Chocobo1 You mean in qBittorrent?

Of course.

UPDATE: see PR #7603.

Member

Chocobo1 commented Oct 17, 2017

@Chocobo1 You mean in qBittorrent?

Of course.

UPDATE: see PR #7603.

@Chocobo1

This comment has been minimized.

Show comment
Hide comment
@Chocobo1

Chocobo1 Oct 17, 2017

Member

@Rouzax
Are you running qbt on windows? If so here's a test build for you, look into qbt log.

You can find its source in PR #7603.

Member

Chocobo1 commented Oct 17, 2017

@Rouzax
Are you running qbt on windows? If so here's a test build for you, look into qbt log.

You can find its source in PR #7603.

@Rouzax

This comment has been minimized.

Show comment
Hide comment
@Rouzax

Rouzax Oct 17, 2017

Running on Windows indeed, will give it a try and post the results.

Rouzax commented Oct 17, 2017

Running on Windows indeed, will give it a try and post the results.

@Rouzax

This comment has been minimized.

Show comment
Hide comment
@Rouzax

Rouzax Oct 20, 2017

I've tested the test build and this is the output:

(N) 2017-10-20T10:20:28 - qBittorrent v3.4.0beta2 started
(I) 2017-10-20T10:20:28 - qBittorrent is trying to listen on any interface port: 21316
(N) 2017-10-20T10:20:28 - Peer ID: -qB3400-
(N) 2017-10-20T10:20:28 - HTTP User-Agent is 'qBittorrent/3.4.0beta2'
(I) 2017-10-20T10:20:28 - DHT support [ON]
(I) 2017-10-20T10:20:28 - Local Peer Discovery support [ON]
(I) 2017-10-20T10:20:28 - PeX support [ON]
(I) 2017-10-20T10:20:28 - Anonymous mode [OFF]
(I) 2017-10-20T10:20:28 - Encryption support [ON]
(I) 2017-10-20T10:20:28 - Embedded Tracker [OFF]
(I) 2017-10-20T10:20:28 - GeoIP database loaded. Type: GeoLite2-Country. Build time: wo okt 4 23:41:30 2017.
(N) 2017-10-20T10:20:28 - Web UI: Now listening on port 8080
(N) 2017-10-20T10:20:28 - Options were saved successfully.
(I) 2017-10-20T10:20:28 - qBittorrent is successfully listening on interface :: port: TCP/21316
(I) 2017-10-20T10:20:28 - qBittorrent is successfully listening on interface 0.0.0.0 port: TCP/21316
(I) 2017-10-20T10:20:28 - qBittorrent is successfully listening on interface 0.0.0.0 port: UDP/21316
(I) 2017-10-20T10:20:28 - External IP: xxx.xxx.xxx.xxx
(N) 2017-10-20T10:20:28 - 'The.Good.Place.S02E04.720p.HDTV.x264-AVS' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'Mindhunter.S01.2160p.NF.WEBRip.DD5.1.x264-NTb' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'The.Big.Bang.Theory.S11E03.720p.HDTV.X264-DIMENSION' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'A.Ghost.Story.2017.LIMITED.1080p.BluRay.x264-DRONES' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'Churchill.2017.1080p.BluRay.x264-VETO' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'Free.Fire.2016.REMUX.BluRay.1080p.AVC.DTS-HD.MA5.1-iFT' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'The.Wizard.of.Lies.2017.1080p.BluRay.x264-ROVERS' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'Their.Finest.2016.1080p.BluRay.DTS.x264-HDS.mkv' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'Youre.the.Worst.S04E04.720p.HDTV.x264-AVS' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'Shot Caller 2017 1080p BluRay x264 DTS 5.1 - MRG' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'The.Good.Place.S02E05.720p.HDTV.x264-AVS' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'DuckTales.2017.S01E03.720p.WEB.x264-TBS' resumed. (fast resume)
(W) 2017-10-20T10:20:48 - WebUI: Origin header &amp; Target origin mismatch!
Source IP: '::ffff:192.168.2.12'. Origin header: 'https://torrent.xxx.yyy'. Target origin: 'torrent.xxx.yyy:8080'
(W) 2017-10-20T10:20:49 - WebUI: Origin header &amp; Target origin mismatch!
Source IP: '::ffff:192.168.2.12'. Origin header: 'https://torrent.xxx.yyy'. Target origin: 'torrent.xxx.yyy:8080'
(W) 2017-10-20T10:20:52 - WebUI: Origin header &amp; Target origin mismatch!
Source IP: '::ffff:192.168.2.12'. Origin header: 'https://torrent.xxx.yyy'. Target origin: 'torrent.xxx.yyy:8080'

It looks like it is not switching out the hostheaders to the internal host.

Just to do a sanity check.
I've created 4 Server Variables under my qBittorrent site:
image

Then afterwards I edit my web.config with the following settings:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Lets Encrypt" stopProcessing="true">
                    <match url=".well-known/acme-challenge/.*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="None" />
                </rule>
				<rule name="HTTP Redirect to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
					<match url="*" ignoreCase="true" />
					<conditions>
                        <add input="{HTTPS}" pattern="off" />
					</conditions>
					<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="true" redirectType="Found" />
				</rule>
                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://download:8080/{R:1}" />
					<serverVariables>
                        <set name="HTTP_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                        <set name="HTTP_ACCEPT_ENCODING" value="EE" />
                        <set name="HTTP_X-Forwarded-Host" value="{HTTP_HOST}:8080" />
                        <set name="HTTP_REFERER" value="" />
                    </serverVariables>
                </rule>
            </rules>
            <outboundRules>
                <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
                    <match filterByTags="A, Form, Img, Link, Script" pattern="^http(s)?://download:8080/(.*)" />
                    <action type="Rewrite" value="http{R:1}://torrent.xxx.yyy/{R:2}" />
                </rule>
                <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
                  <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
                  <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
                </rule>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                    <preCondition name="NeedsRestoringAcceptEncoding">
                        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
                    </preCondition>
                </preConditions>
            </outboundRules>		
        </rewrite>
    </system.webServer>
</configuration>

This is my IIS Faile Request Log
https://pastebin.com/Yyjs0D01

Rouzax commented Oct 20, 2017

I've tested the test build and this is the output:

(N) 2017-10-20T10:20:28 - qBittorrent v3.4.0beta2 started
(I) 2017-10-20T10:20:28 - qBittorrent is trying to listen on any interface port: 21316
(N) 2017-10-20T10:20:28 - Peer ID: -qB3400-
(N) 2017-10-20T10:20:28 - HTTP User-Agent is 'qBittorrent/3.4.0beta2'
(I) 2017-10-20T10:20:28 - DHT support [ON]
(I) 2017-10-20T10:20:28 - Local Peer Discovery support [ON]
(I) 2017-10-20T10:20:28 - PeX support [ON]
(I) 2017-10-20T10:20:28 - Anonymous mode [OFF]
(I) 2017-10-20T10:20:28 - Encryption support [ON]
(I) 2017-10-20T10:20:28 - Embedded Tracker [OFF]
(I) 2017-10-20T10:20:28 - GeoIP database loaded. Type: GeoLite2-Country. Build time: wo okt 4 23:41:30 2017.
(N) 2017-10-20T10:20:28 - Web UI: Now listening on port 8080
(N) 2017-10-20T10:20:28 - Options were saved successfully.
(I) 2017-10-20T10:20:28 - qBittorrent is successfully listening on interface :: port: TCP/21316
(I) 2017-10-20T10:20:28 - qBittorrent is successfully listening on interface 0.0.0.0 port: TCP/21316
(I) 2017-10-20T10:20:28 - qBittorrent is successfully listening on interface 0.0.0.0 port: UDP/21316
(I) 2017-10-20T10:20:28 - External IP: xxx.xxx.xxx.xxx
(N) 2017-10-20T10:20:28 - 'The.Good.Place.S02E04.720p.HDTV.x264-AVS' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'Mindhunter.S01.2160p.NF.WEBRip.DD5.1.x264-NTb' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'The.Big.Bang.Theory.S11E03.720p.HDTV.X264-DIMENSION' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'A.Ghost.Story.2017.LIMITED.1080p.BluRay.x264-DRONES' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'Churchill.2017.1080p.BluRay.x264-VETO' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'Free.Fire.2016.REMUX.BluRay.1080p.AVC.DTS-HD.MA5.1-iFT' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'The.Wizard.of.Lies.2017.1080p.BluRay.x264-ROVERS' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'Their.Finest.2016.1080p.BluRay.DTS.x264-HDS.mkv' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'Youre.the.Worst.S04E04.720p.HDTV.x264-AVS' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'Shot Caller 2017 1080p BluRay x264 DTS 5.1 - MRG' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'The.Good.Place.S02E05.720p.HDTV.x264-AVS' resumed. (fast resume)
(N) 2017-10-20T10:20:28 - 'DuckTales.2017.S01E03.720p.WEB.x264-TBS' resumed. (fast resume)
(W) 2017-10-20T10:20:48 - WebUI: Origin header &amp; Target origin mismatch!
Source IP: '::ffff:192.168.2.12'. Origin header: 'https://torrent.xxx.yyy'. Target origin: 'torrent.xxx.yyy:8080'
(W) 2017-10-20T10:20:49 - WebUI: Origin header &amp; Target origin mismatch!
Source IP: '::ffff:192.168.2.12'. Origin header: 'https://torrent.xxx.yyy'. Target origin: 'torrent.xxx.yyy:8080'
(W) 2017-10-20T10:20:52 - WebUI: Origin header &amp; Target origin mismatch!
Source IP: '::ffff:192.168.2.12'. Origin header: 'https://torrent.xxx.yyy'. Target origin: 'torrent.xxx.yyy:8080'

It looks like it is not switching out the hostheaders to the internal host.

Just to do a sanity check.
I've created 4 Server Variables under my qBittorrent site:
image

Then afterwards I edit my web.config with the following settings:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Lets Encrypt" stopProcessing="true">
                    <match url=".well-known/acme-challenge/.*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="None" />
                </rule>
				<rule name="HTTP Redirect to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
					<match url="*" ignoreCase="true" />
					<conditions>
                        <add input="{HTTPS}" pattern="off" />
					</conditions>
					<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="true" redirectType="Found" />
				</rule>
                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://download:8080/{R:1}" />
					<serverVariables>
                        <set name="HTTP_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                        <set name="HTTP_ACCEPT_ENCODING" value="EE" />
                        <set name="HTTP_X-Forwarded-Host" value="{HTTP_HOST}:8080" />
                        <set name="HTTP_REFERER" value="" />
                    </serverVariables>
                </rule>
            </rules>
            <outboundRules>
                <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
                    <match filterByTags="A, Form, Img, Link, Script" pattern="^http(s)?://download:8080/(.*)" />
                    <action type="Rewrite" value="http{R:1}://torrent.xxx.yyy/{R:2}" />
                </rule>
                <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
                  <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
                  <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
                </rule>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                    <preCondition name="NeedsRestoringAcceptEncoding">
                        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
                    </preCondition>
                </preConditions>
            </outboundRules>		
        </rewrite>
    </system.webServer>
</configuration>

This is my IIS Faile Request Log
https://pastebin.com/Yyjs0D01

@Chocobo1

This comment has been minimized.

Show comment
Hide comment
@Chocobo1

Chocobo1 Oct 20, 2017

Member

I would try changing to
<set name="HTTP_X-Forwarded-Host" value="https://{HTTP_HOST}" />
or
<set name="HTTP_X-Forwarded-Host" value="https://{HTTP_HOST}:{SERVER_PORT}" />
also not sure whether if the https:// scheme can be omitted or not.

Member

Chocobo1 commented Oct 20, 2017

I would try changing to
<set name="HTTP_X-Forwarded-Host" value="https://{HTTP_HOST}" />
or
<set name="HTTP_X-Forwarded-Host" value="https://{HTTP_HOST}:{SERVER_PORT}" />
also not sure whether if the https:// scheme can be omitted or not.

@JamiePhonic

This comment has been minimized.

Show comment
Hide comment
@JamiePhonic

JamiePhonic Oct 20, 2017

The HTTP_X-Forwarded-Host value should be fine,

The error is Origin header & Target origin mismatch! which likely means that whatever browser/application you're using is either adding both a Referer AND an Origin header,
OR, is setting the Origin header INSTEAD of the Referer header, however your current web.config rules (admittedly, the ones i gave you) only clear the value of the "Referer` header.

below <set name="HTTP_REFERER" value="" />
Try adding:
<set name="HTTP_ORIGIN" value="" />

which will clear the Origin header too

(Note: I've been using firefox in my testing which appears to only set the Referer header, which could explain why I've not been running into any issues while testing this when only clearing the Referer header. If you're using some other browser/application, it may be setting the Origin header, resulting in this headache!)

JamiePhonic commented Oct 20, 2017

The HTTP_X-Forwarded-Host value should be fine,

The error is Origin header & Target origin mismatch! which likely means that whatever browser/application you're using is either adding both a Referer AND an Origin header,
OR, is setting the Origin header INSTEAD of the Referer header, however your current web.config rules (admittedly, the ones i gave you) only clear the value of the "Referer` header.

below <set name="HTTP_REFERER" value="" />
Try adding:
<set name="HTTP_ORIGIN" value="" />

which will clear the Origin header too

(Note: I've been using firefox in my testing which appears to only set the Referer header, which could explain why I've not been running into any issues while testing this when only clearing the Referer header. If you're using some other browser/application, it may be setting the Origin header, resulting in this headache!)

@Chocobo1

This comment has been minimized.

Show comment
Hide comment
@Chocobo1

Chocobo1 Oct 20, 2017

Member

Try adding:
<set name="HTTP_ORIGIN" value="" />

ditto, #7577 (comment) , sadly none actually tried the workaround before.

Member

Chocobo1 commented Oct 20, 2017

Try adding:
<set name="HTTP_ORIGIN" value="" />

ditto, #7577 (comment) , sadly none actually tried the workaround before.

@Rouzax

This comment has been minimized.

Show comment
Hide comment
@Rouzax

Rouzax Oct 20, 2017

@Chocobo1 and @JamiePhonic: Thank you so much it no works.
I'm using Chrome on Windows for your information.
In the end I did not even need all the outgoing rewrite rules and HTTP_X-Forwarded-Host.
The config I now have that works is:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Lets Encrypt" stopProcessing="true">
                    <match url=".well-known/acme-challenge/.*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="None" />
                </rule>
                <rule name="HTTP Redirect to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" ignoreCase="true" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="true" redirectType="Found" />
                </rule>
                <rule name="qBittorrent Reverse Proxy" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <action type="Rewrite" url="http://download:8080/{R:1}" />
                    <serverVariables>
                        <set name="HTTP_REFERER" value="" />
                        <set name="HTTP_ORIGIN" value="" />
                    </serverVariables>
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

This works on Chrome and Internet Explorer.

Rouzax commented Oct 20, 2017

@Chocobo1 and @JamiePhonic: Thank you so much it no works.
I'm using Chrome on Windows for your information.
In the end I did not even need all the outgoing rewrite rules and HTTP_X-Forwarded-Host.
The config I now have that works is:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Lets Encrypt" stopProcessing="true">
                    <match url=".well-known/acme-challenge/.*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="None" />
                </rule>
                <rule name="HTTP Redirect to HTTPS" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" ignoreCase="true" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="true" redirectType="Found" />
                </rule>
                <rule name="qBittorrent Reverse Proxy" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <action type="Rewrite" url="http://download:8080/{R:1}" />
                    <serverVariables>
                        <set name="HTTP_REFERER" value="" />
                        <set name="HTTP_ORIGIN" value="" />
                    </serverVariables>
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

This works on Chrome and Internet Explorer.

@Chocobo1

This comment has been minimized.

Show comment
Hide comment
@Chocobo1

Chocobo1 Oct 20, 2017

Member

Closing as fixed.

Member

Chocobo1 commented Oct 20, 2017

Closing as fixed.

@Chocobo1 Chocobo1 closed this Oct 20, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment