qBittorrent thinks all requests come from Caddy instead of the actual original host, any way to configure Caddy to pass along the original host?

theolaa · August 1, 2025, 6:23pm

1. The problem I’m having:

I have Caddy set up as a reverse proxy for a couple of services I run on my home network so I only have to open port 443 on my router. Sometimes, my qBittorrent instance gets these drive-by login attempts (they just try the default login a bunch of times) and because of the repeat failed login attempts, the source IP for those attempts gets banned for an hour. This is great, except that qBittorrent thinks that the IP address for all attempted connections is my Caddy host’s IP, which means that I get locked out for an hour too! Is there any way to configure Caddy so that my qBittorrent instance sees the requests as coming from their actual original IP?

2. Error messages and/or full log output:

This isn’t really an error, I think I just need some guidance on my configuration. I can provide this info if you think it’ll be relevant though.

3. Caddy version:

v2.10.0

4. How I installed and ran Caddy:

Installed from apt, run as a systemd service

a. System environment:

Ubuntu 24.04.2 LTS

b. Command:

This is the ExecStart line in my systemd service

ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

c. Service/unit/compose file:

See above

d. My complete Caddy config:

{
        email [REDACTED]
        debug
}

jellyfin.[MY_DOMAIN].ca {
        reverse_proxy 192.168.0.100:8096
        handle_errors {
                respond "Jellyfin: {client_ip}: {err.status_code} {err.status_text}"
        }
}

qbt.[MY_DOMAIN].ca {
        reverse_proxy 192.168.0.100:8113
        handle_errors {
                respond "qBittorrent: {err.status_code} {err.status_text}"
        }
}

5. Links to relevant resources:

timelordx · August 1, 2025, 6:31pm

Caddy, by default, sends an HTTP header called X-Forwarded-For, which contains the real IP of the client. You need to configure qBittorent to read that HTTP header. Or configure Caddy to send a specific header, if that’s what qBittorent would need.

Your other option is to configure Caddy to do PROXY PROTOCOL but that requires qBittorent to support it too.

theolaa · August 1, 2025, 7:05pm

I think I may have solved it myself. In the WebUI settings for qBittorrent there is an option to enable reverse proxy support, which I did. Now my login attempts show up as my public IP instead of my Caddy instance’s IP. Hopefully that’s all I needed to do.

timelordx · August 1, 2025, 7:08pm

Yeah, by doing so you told qBittorent to look out for that header