Bypass authentication for clients in whitelisted DDNS addresses #21034

Open
enoch85 opened this issue Jul 7, 2024 · 10 comments

@enoch85

enoch85 commented Jul 7, 2024

Suggestion

As the title suggests; allow adding DNS records to the whitelist.

Use case

This would be helpful for people using DDNS who need access. If the IP changes, the whitelist would still be valid.

Extra info/examples/attachments

image

@HanabishiRecca
Contributor

HanabishiRecca commented Jul 8, 2024

How is that supposed to work? This field accepts subnets, i.e. ranges like 192.168.1.0/24.

And a DDNS domain is a public-facing address. Do you really want to expose unauthorized access to everyone on the internet?

@enoch85
Author

enoch85 commented Jul 8, 2024

You could:

  1. Resolve ddns.example.com (in code).
  2. Add the resolved IP with a /32 at the end to the whitelist.
  3. Problem (re)solved. 🎊

I could do this myself in the CLI and change the config with a crontab, but it seems like changed values aren't saved in the web UI. Is there a certain CLI command to "save"?

And regarding letting the whole world in... That's not the case if you forbid everything else except that whitelisted IP. So for everyone else who is not whitelisted it would be "403 forbidden". Since you allow a /32, it would only be that address, and nothing else.

I hope it makes sense, if not please ask me to elaborate further. 🙂

@HanabishiRecca
Contributor

HanabishiRecca commented Jul 8, 2024

> That's not the case if you forbid everything else except that whitelisted IP. So for everyone else which is not whitelisted it would be "403 forbidden".

I don't get what you are trying to achieve here.
What entity does ddns.example.com represent? Is it the address where qBittorrent is running? Or do you mean this is the address you want to connect to the client from?

@enoch85
Author

enoch85 commented Jul 8, 2024

I have qbit on: whatever.example.com.

I block all the traffic to whatever.example.com so that no one can access the webUI.

I want to allow ddns.example.com in the whitelist so that I can access the webUI when I'm at my friend's location, since my friend has ddns.example.com configured in his router, which auto-updates the external IP. Btw, are you familiar with DDNS?

Does that make it more clear? In other words, I want to make it possible to add both 192.168.1.0/24 and ddns.example.com so that both me and my friend can use qbit together.

Makes sense?

@HanabishiRecca
Contributor

Yeah, I get it now. I thought by ddns.example.com you signified the machine qB runs on.

Well, that way it can work. Although, practical implementation would raise some questions.

@enoch85
Author

enoch85 commented Jul 9, 2024

> practical implementation would raise some questions.

How?

Maybe I could investigate myself to move this forward? In which file do I need to make changes to allow this change?

Also, meanwhile: would it be possible to make the changes directly in CLI? As I wrote earlier I could just make a script which changes the config directly with sed. Problem I had was the saving part - it never seemed to work

@HanabishiRecca
Contributor

> How?

E.g.

  • When to resolve the address? On client start (settings applied) or when new incoming connection happens?
  • If it's the latter, do we want to resolve all domains in the list by a direct DNS lookup, or perform a reverse DNS lookup of the incoming IP?

> I wrote earlier I could just make a script which changes the config directly with sed. Problem I had was the saving part - it never seemed to work

No, it won't work. If you want to change settings using a script, you need to make requests to the Web API via curl or something.

@enoch85
Author

enoch85 commented Jul 9, 2024

> > How?
>
> E.g.
>
> * When to resolve the address? On client start (settings applied) or when new incoming connection happens?

I'm thinking once a day (like a maintenance task)? If not possible, then when incoming connection happens.

> * If it's the latter, do we want to resolve all domains in the list by a direct DNS lookup, or perform a reverse DNS lookup of the incoming IP?

I'm a fan of this service: https://www.ipify.org/. Direct DNS lookup if you ask me, not thought it through though as I don't know how your code works or what capabilities it offers.

> > I wrote earlier I could just make a script which changes the config directly with sed. Problem I had was the saving part - it never seemed to work
>
> No, it won't work. If you want to change settings using a script, you need to make requests to the Web API via curl or something.

Aah, ok, that would be doable, if supported? Do you have an example of such a curl command?

@HanabishiRecca
Contributor

HanabishiRecca commented Jul 9, 2024

> Aah, ok, that would be doable, if supported? Do you have an example of such a curl command?

Look at the API docs: https://github.com/qbittorrent/qBittorrent/wiki/WebUI-API-(qBittorrent-4.1)#set-application-preferences
The preference key you want is bypass_auth_subnet_whitelist.

Or consider some existing client: https://github.com/qbittorrent/qBittorrent/wiki/List-of-unofficial-WebAPI-clients

@enoch85
Author

enoch85 commented Jul 9, 2024

Ended up using qbittorrent-cli and made this script:

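```bash
#!/bin/bash

# Resolve the DDNS name; the last "Address:" line of nslookup is the answer.
DDNSIP="$(nslookup example.ddns.net | grep Address: | awk '{print $2}' | tail -n1)"

# On a failed lookup the only "Address:" line is the resolver's own
# (e.g. 127.0.0.53#53), so require a plain dotted quad before using it.
if [[ "$DDNSIP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]
then
    # -F matches the address literally instead of as a regex; -q is silent.
    if ! qbt server settings authentication whitelist list | grep -qF "$DDNSIP"
    then
        # Note: clear drops every existing entry before the new one is added.
        qbt server settings authentication whitelist clear
        qbt server settings authentication whitelist whitelist "$DDNSIP"/32
    fi
fi
```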

Thanks for the pointers!
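The resolve-then-whitelist approach discussed in this thread, written against the Web API instead of a CLI wrapper. This is an added example, not code from the thread or from qBittorrent: the function names are hypothetical, the endpoints and the `bypass_auth_subnet_whitelist` key are those of the linked Web API docs, and the comma-separated value format is an assumption to check against your version. It keeps static subnets such as 192.168.1.0/24 and refuses to write an entry when the DDNS name fails to resolve or resolves to a non-public address.

```python
import ipaddress
import json
import socket
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar


def resolve_ipv4(hostname):
    """Return the host's A records, or [] when the lookup fails."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def build_whitelist(static_subnets, resolved_ips):
    """Static subnets plus a /32 per public IPv4; None if none is usable."""
    hosts = []
    for ip in resolved_ips:
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            continue  # e.g. "127.0.0.53#53" scraped from resolver output
        if addr.is_global:  # skip loopback, RFC 1918, link-local, 0.0.0.0
            hosts.append(f"{addr}/32")
    if not hosts:
        return None  # caller leaves the current whitelist untouched
    return [str(ipaddress.ip_network(s)) for s in static_subnets] + hosts


def push_whitelist(base_url, username, password, entries):
    """Log in and set bypass_auth_subnet_whitelist through the Web API."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))

    def post(path, fields):
        data = urllib.parse.urlencode(fields).encode()
        req = urllib.request.Request(base_url + path, data=data,
                                     headers={"Referer": base_url})
        return opener.open(req, timeout=10).read()

    if post("/api/v2/auth/login",
            {"username": username, "password": password}) != b"Ok.":
        raise RuntimeError("login failed")
    # Assumption: entries are sent as one comma-separated string.
    prefs = {"bypass_auth_subnet_whitelist": ",".join(entries)}
    post("/api/v2/app/setPreferences", {"json": json.dumps(prefs)})
```

Call `push_whitelist` only when `build_whitelist` returns a list, so a failed or unexpected lookup never rewrites the whitelist.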
