403 on Pi Hole IP but admin pages work nicely

Expected Behaviour:

I enter the IP address of my Pi Hole in my web browser.

Expected result: I get the "Did you mean to go to the admin panel?" page with a corresponding link.

Hardware is a Raspi 3 running Bullseye

Actual Behaviour:

403 Forbidden

However, if I go to [IP address of Pi Hole]/admin/index.php?login then the admin page appears and works nicely. So lighttpd is fully operational and allows configuring the Pi Hole. But if I don't remember what the exact URL was, just using the IP address to get a helpful link no longer works.

This is different from all the other 403 reports that I could find because in their case, there is a 403 on the admin pages, too.

I already tried sudo apt purge lighttpd
followed by pihole -r
but it changed nothing.

Debug Token:

https://tricorder.pi-hole.net/QoTavW1j/

Did you happen to read the release notes for the latest version? (Pi-hole FTL v5.20.1, Web v5.18.1 and Core v5.15 released) There is a section about the need to add a redirect for '/admin/' in the Lighttpd Config section.

1 Like

Thank you. It seems that this was indeed the cause.

However, your link only explains how to set up redirects for individual URLs. I was successfully able to set up one for the IP address of my Pi Hole, but if that IP ever changes, it will stop working. (Also, the "Did you mean to go to the admin panel" web page is no longer there, but I suppose that is not much of a loss.)

Is it not possible to re-enable the default redirect to the "Did you mean to go to the admin panel" web page (or to the actual admin page for that matter)? So that it works no matter with which IP address I access the Pi Hole as it used to?

If that IP ever changes... the DNS lookups on your network will stop working, too. The IP address of this device should be static

I just wonder... it worked all those years, why it should suddenly be impossible now. Besides, DNS servers are annouced via DHCP. THat can be changed quickly, effective on the whole network.

it worked all those years, why it should suddenly be impossible now.

It is not impossible. The splash page was shown as part of the now-defunct blocking page, which was removed to decrease maintenance.

The splash page serves no purpose other than to provide a link to /admin after typing in the IP. If you instead type in http://ipaddress/admin, you will get to the same place.

It has never been the case that if you browse to the IP, then it would automatically redirect to /admin.

If you browse to http://pi.hole, then it will automatically redirect to /admin, as it always has done.

How often are you changing the IP address of your DNS server? Surely your network configuration is pretty static?

It is. But if I ever change it in a few years, I will be guaranteed to forget to replace it in the lighttpd file.

Seems like a perfect case for the above :slight_smile:

A matter of philosophies. I understand that you are not willing to restore the functionality in Pi Hole. What I wonder is why it should not be possible to set the Pi Hole admin page as the default page in lighttpd (no matter the entered URL), flexible as the latter is. Does Pi Hole configure lighttpd in a manner that removes this flexibility? Or is there a way to achieve it?

It's possible to set up an index page that could instruct a browser to redirect to the admin pages. I have such a page set up to list the links for all things my lighttpd serves up. I use it for more than just the admin pages. I suspect you could also configure your error-handler-404 to serve up the admin pages instead of an error page. I have not tried this. There are various methods to achieve what you want. Check out the lighttpd docs: WikiStart - Lighttpd - lighty labs.

Basically I have no doubt that lighttpd can do it. However, my understanding is that on a Pi Hole, lighttpd first processes the lighttpd.conf, which is automatically set by the Pi Hole package. Making changes here is futile, as they may eventually be overwritten. What you can do is put something in the conf-enabled/ subfolder, but if I am not mistaken, any configuration files put there will be processed after lighttpd.conf. In other words, you can only configure there what has not already been configured in lighttpd.conf.

What I wonder is whether at this point, there is enough of lighttpd's flexibility left to set the default page. I am no lighttpd pro, so it may well be possible, but my first impression was that there is a lot already configured by Pi Hole in lighttpd.conf, stuff that you would configure differently if you wanted to set up a lighttpd that serves any incoming URL.

Not anymore.

@DaP Have you tried the suggestion for adding a 404 handler in the linked post above?

Something along the lines of

echo 'server.error-handler-404 := "/path/to/your/404page.php"' > /etc/lighttpd/conf-available/08-pihole-block-ip.conf
lighty-enable-mod pihole-block-ip
service lighttpd restart

This wont get overwritten on upgrades

But my problem is a 403, not a 404. Would that work the same way?

At this stage I can only suggest the approach of "suck it and see" - I'm unable to test it for myself at the moment

Wow, finally got back into pi-hole. For some reason the web interface started giving me forbidden when it used to be a splash page. I reinstalled raspberry and pi hole and it still didn't work. Well, based on this thread, I added /admin to the ip address and its working. I did not know about the pi.hole symbolic address, but since its a dns server, a trivial thing to implement...

In retrospect, I ran an updade command and it did not occur to me that was the breaking change, I felt like it was just point releases. Some undisciplined thinking on my part...

No, I did not read the release notes, but its all explained now. I think its weird behavior, but it is what it is and the program does a great job of suppressing unwanted advertising.

Same here, 403. I really dont like how the Devs make things more complicated instead more easy. Mention here the stats-page which they removed and force people now to enter their password via an unecrypted http connection... good job Devs! Now the redirect, good job too in breaking things and selling them as "improvements".

Since your sole reason to post here is to bitch about how shitty we are as devs I suggest you use something else.

Take that as a whole hearted "Go Fuck Yourself".

2 Likes