From 0c7b6f1b58ab59ce7a9ba21fb2ddc956bfac38d4 Mon Sep 17 00:00:00 2001 From: ediblerope Date: Fri, 24 Apr 2026 14:57:55 +0100 Subject: [PATCH] nginx: strip cookies on qBit proxy so localhost-bypass always wins MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit qBittorrent's auth logic is "no SID cookie → bypass for localhost; SID cookie present → validate it." If the browser has a stale SID from an earlier session, qBit fails validation and returns 401 even though the connection is from 127.0.0.1 and bypass is enabled. Strip both directions: drop the client's Cookie header on the way in so qBit never sees an SID, and hide Set-Cookie on the way back so the browser never accumulates one in the first place. Co-Authored-By: Claude Opus 4.7 --- services/nginx.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/services/nginx.nix b/services/nginx.nix index cad0322..2c7c559 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -96,7 +96,14 @@ in "sonarr.nordhammer.it" = protectedProxy 8989; "radarr.nordhammer.it" = protectedProxy 7878; "prowlarr.nordhammer.it" = protectedProxy 9696; - "torrent.nordhammer.it" = protectedProxy 8080; + # qBit trips its own session auth on any SID cookie the browser + # has cached; strip cookies so localhost-bypass always wins. + "torrent.nordhammer.it" = lib.recursiveUpdate (protectedProxy 8080) { + locations."/".extraConfig = autheliaAuthConfig + '' + proxy_set_header Cookie ""; + proxy_hide_header Set-Cookie; + ''; + }; "camera.nordhammer.it" = protectedProxy 1984; "homepage.nordhammer.it" = protectedProxy 8082; "7dtd.nordhammer.it" = protectedProxy 8090;