Fix qBittorrent WebUI 401 login error behind SWAG

If qBittorrent returns 401 through your reverse proxy but works fine on direct IP, the fix is a single line in your SWAG nginx config.


If you can reach the qBittorrent WebUI landing page through your reverse proxy but get a 401 error the moment you try to log in, the problem is almost certainly in your SWAG nginx configuration and not your credentials.

What changed in qBittorrent 4.6.x

Starting from version 4.6, qBittorrent enforces host header validation by default. Before accepting a login request, it checks that the Host header it receives matches a known value. If it does not match, it returns 401 regardless of whether your username and password are correct.

This behavior is controlled by a setting called WebUI\HostHeaderValidation in qBittorrent.conf, which is now enabled by default.

The actual cause

The SWAG sample configuration for qBittorrent ships with this line:

proxy_set_header Host $upstream_app:$upstream_port;

This passes the internal container address to qBittorrent, for example 192.168.1.10:8080, instead of your actual public domain. qBittorrent receives a host it does not recognize, and it rejects the login with a 401.

The symptom is distinctive: the login page loads without issue, but submitting the credentials fails. If you try the same credentials by accessing the WebUI directly on the LAN via IP and port, it works immediately.

Fix 1: Correct the host header in SWAG

Open your SWAG qBittorrent proxy configuration, usually at:

/config/nginx/proxy-confs/qbittorrent.subdomain.conf

Find this line:

proxy_set_header Host $upstream_app:$upstream_port;

Replace it with:

proxy_set_header Host $host;

Then restart SWAG:

docker restart swag

This is the primary fix. $host passes your actual public domain to qBittorrent, which then matches it against the expected value and allows the login through.
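The edit from Fix 1 as a repeatable script, added here as an example and not taken from SWAG or the original post. It rewrites every active line that forwards the upstream address as Host, keeps a .bak copy, and does nothing when the file is already correct. The function names are hypothetical; the directive text and the file path are the ones shown above.

```shell
#!/bin/sh
# Added example: audit and patch the Host header line in a SWAG proxy conf.
# Function names are hypothetical; the nginx directives are the ones from the page.

# Return 0 if an active (uncommented) line still forwards the upstream
# address as the Host header.
has_upstream_host() {
    grep -Eq '^[[:space:]]*proxy_set_header[[:space:]]+Host[[:space:]]+\$upstream_app:\$upstream_port;' "$1"
}

# Replace the upstream Host value with $host in every location block.
# Idempotent: a conf that is already correct is left untouched.
fix_host_header() {
    conf="$1"
    [ -f "$conf" ] || { echo "not found: $conf" >&2; return 2; }

    if ! has_upstream_host "$conf"; then
        echo "already correct: $conf"
        return 0
    fi

    # Keep the original so the change can be reverted.
    cp -p "$conf" "$conf.bak" || return 2

    # Rewrite only the value and preserve indentation. Lines starting with '#'
    # do not match the anchor, so commented-out samples stay as they are.
    sed -E 's/^([[:space:]]*proxy_set_header[[:space:]]+Host[[:space:]]+)\$upstream_app:\$upstream_port;/\1$host;/' \
        "$conf.bak" > "$conf" || return 2

    echo "patched: $conf (backup at $conf.bak)"
}

# Usage, followed by the restart from the step above:
#   fix_host_header /config/nginx/proxy-confs/qbittorrent.subdomain.conf
#   docker restart swag
```

Run it again after a SWAG image update if the proxy conf has been replaced with the shipped sample.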

Fix 2: Register your domain in qBittorrent (optional but clean)

For qBittorrent to explicitly trust your reverse proxy domain, access the WebUI directly via IP:

http://192.168.x.x:8080

Go to Tools > Options > Web UI and look for the Host Header Validation field or the trusted reverse proxies section. Add your domain there, then save and restart the container.

This step is optional if fix 1 alone resolves the issue, but it makes the intent explicit and prevents the same problem from coming back if the $host value ever changes.

Fallback: Disable the checks entirely

If you need a quick path forward or are running into this on a container you cannot easily reconfigure, you can disable the validation checks directly in qBittorrent.conf:

[Preferences]
WebUI\HostHeaderValidation=false
WebUI\CSRFProtection=false

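Restart the container after saving. Note that both settings are security controls: disabling CSRF protection reduces the security of the WebUI, and host header validation is a defense against DNS rebinding, so treat this as a temporary measure and prefer fixing the proxy config instead.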
