Admin interface loading slow when password is set

Expected Behaviour:

Normal initial loading speed of admin interface

Virtual Machine:

  • Proxmox VE 8.4.1
  • Debian 12
  • 1 CPU, 1 GB RAM and 4 GB disk space
  • Pihole Core v6.0.6, FTL v6.1, Web Interface v6.1

Browser:

  • Firefox 138.0 (64-bit)

Actual Behaviour:

Takes about 5-10 seconds for the first initial load of the path /admin when the admin password is set; however, disabling the password will return the speed to "normal".
This also creates issues with the homepage Glance (GitHub: glanceapp/glance, a self-hosted dashboard that puts all your feeds in one place), since it will return "Timed out".

Debug Token:

https://tricorder.pi-hole.net/0Tq7MLWt/

How have you configured glances for Pi-hole version 6?

Looking at the logs I see a lot of restarts and a lot of incorrect URL attempts:

-rw-r----- 1 pihole pihole 6.4K Apr 30 14:55 /var/log/pihole/webserver.log
   -----head of webserver.log------
   [2025-04-30 10:38:09.766 CEST 1525] Initializing HTTP server on ports "80o,443os,[::]:80o,[::]:443os"
   [2025-04-30 10:39:02.936 CEST 1525] Initializing HTTP server on ports "80o,443os,[::]:80o,[::]:443os"
   [2025-04-30 10:57:05.611 CEST 2292] Initializing HTTP server on ports "80o,443os,[::]:80o,[::]:443os"
   [2025-04-30 11:02:44.040 CEST 480] Initializing HTTP server on ports "80o,443os,[::]:80o,[::]:443os"
   [2025-04-30 11:19:57.036 CEST 1353] Initializing HTTP server on ports "80o,443os,[::]:80o,[::]:443os"
   [2025-04-30 11:20:12.177 CEST 1353] Initializing HTTP server on ports "80o,443os,[::]:80o,[::]:443os"
   [2025-04-30 11:27:54.439 CEST 1353] Initializing HTTP server on ports "80o,443os,[::]:80o,[::]:443os"
   [2025-04-30 11:40:56.921 CEST 2093] Initializing HTTP server on ports "80o,443os,[::]:80o,[::]:443os"
   [2025-04-30 11:42:20.069 CEST 2093] Initializing HTTP server on ports "80o,443os,[::]:80o,[::]:443os"
   [2025-04-30 11:44:12.491 CEST 2093] Authentication required, redirecting to /admin/login
   [2025-04-30 11:44:13.584 CEST 2093] Authentication required, redirecting to /admin/login
   [2025-04-30 11:44:14.030 CEST 2093] Authentication required, redirecting to /admin/login
   [2025-04-30 11:44:14.155 CEST 2093] Authentication required, redirecting to /admin/login
   [2025-04-30 11:44:15.612 CEST 2093] Authentication required, redirecting to /admin/login
   [2025-04-30 11:44:18.722 CEST 2093] Authentication required, redirecting to /admin/login
   [2025-04-30 11:44:21.848 CEST 2093] Authentication required, redirecting to /admin/login
   [2025-04-30 11:44:22.468 CEST 2093] Authentication required, redirecting to /admin/login
   [2025-04-30 11:44:24.961 CEST 2093] Authentication required, redirecting to /admin/login
   [2025-04-30 11:44:27.469 CEST 2093] Authentication required, redirecting to /admin/login
   [2025-04-30 11:44:28.079 CEST 2093] Authentication required, redirecting to /admin/login
   [2025-04-30 11:44:31.212 CEST 2093] Authentication required, redirecting to /admin/login
   [2025-04-30 11:44:31.505 CEST 2093] Authentication required, redirecting to /admin/login
   [2025-04-30 11:44:31.573 CEST 2093] Authentication required, redirecting to /admin/login
   [2025-04-30 11:44:34.286 CEST 2093] Authentication required, redirecting to /admin/login
   [2025-04-30 11:44:42.855 CEST 2093] Authentication required, redirecting to /admin/login

   -----tail of webserver.log------
   [2025-04-30 14:00:46.131 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:20:35.543 CEST 503] Initializing HTTP server on ports "80o,443os,[::]:80o,[::]:443os"
   [2025-04-30 14:44:24.240 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:44:32.484 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:44:42.190 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:44:50.664 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:45:50.702 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:46:06.307 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:46:21.336 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:46:37.506 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:46:50.742 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:47:50.379 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:47:50.781 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:47:56.750 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:48:50.819 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:51:50.345 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:51:50.922 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:51:53.404 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:51:58.405 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:52:50.960 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:53:00.866 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:53:04.792 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:53:51.000 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:54:51.040 CEST 503] Authentication required, redirecting to /admin/login
   [2025-04-30 14:55:51.079 CEST 503] Authentication required, redirecting to /admin/login

FTL is also logging a number of reloads because of modification of the pihole.toml file:

   2025-04-30 14:20:35.543 CEST [503M] INFO: FTL is running as user pihole (UID 999)
   2025-04-30 14:20:35.543 CEST [503M] INFO: Reading certificate from /etc/pihole/tls.pem ...
   2025-04-30 14:20:35.543 CEST [503M] INFO: Using SSL/TLS certificate file /etc/pihole/tls.pem
   2025-04-30 14:20:35.544 CEST [503M] INFO: Web server ports:
   2025-04-30 14:20:35.544 CEST [503M] INFO:   - 0.0.0.0:80 (HTTP, IPv4, optional, OK)
   2025-04-30 14:20:35.544 CEST [503M] INFO:   - 0.0.0.0:443 (HTTPS, IPv4, optional, OK)
   2025-04-30 14:20:35.544 CEST [503M] INFO:   - [::]:80 (HTTP, IPv6, optional, OK)
   2025-04-30 14:20:35.544 CEST [503M] INFO:   - [::]:443 (HTTPS, IPv6, optional, OK)
   2025-04-30 14:20:35.544 CEST [503M] INFO: Web server ports:
   2025-04-30 14:20:35.544 CEST [503M] INFO:   - 0.0.0.0:80 (HTTP, IPv4, optional, OK)
   2025-04-30 14:20:35.544 CEST [503M] INFO:   - 0.0.0.0:443 (HTTPS, IPv4, optional, OK)
   2025-04-30 14:20:35.544 CEST [503M] INFO:   - [::]:80 (HTTP, IPv6, optional, OK)
   2025-04-30 14:20:35.544 CEST [503M] INFO:   - [::]:443 (HTTPS, IPv6, optional, OK)
   2025-04-30 14:20:35.544 CEST [503M] INFO: Restored 0 API sessions from the database
   2025-04-30 14:20:35.546 CEST [503M] INFO: Blocking status is enabled
   2025-04-30 14:20:35.648 CEST [503/T504] INFO: Compiled 0 allow and 0 deny regex for 16 clients in 0.2 msec
   2025-04-30 14:44:13.028 CEST [503/T505] INFO: Reloading config due to pihole.toml change
   2025-04-30 14:44:13.031 CEST [503/T505] INFO: Wrote config file:
   2025-04-30 14:44:13.031 CEST [503/T505] INFO:  - 156 total entries
   2025-04-30 14:44:13.031 CEST [503/T505] INFO:  - 142 entries are default
   2025-04-30 14:44:13.031 CEST [503/T505] INFO:  - 14 entries are modified
   2025-04-30 14:44:13.031 CEST [503/T505] INFO:  - 0 entries are forced through environment
   2025-04-30 14:49:03.117 CEST [503/T505] INFO: Reloading config due to pihole.toml change
   2025-04-30 14:49:03.120 CEST [503/T505] INFO: Wrote config file:
   2025-04-30 14:49:03.120 CEST [503/T505] INFO:  - 156 total entries
   2025-04-30 14:49:03.120 CEST [503/T505] INFO:  - 143 entries are default
   2025-04-30 14:49:03.120 CEST [503/T505] INFO:  - 13 entries are modified
   2025-04-30 14:49:03.120 CEST [503/T505] INFO:  - 0 entries are forced through environment
   2025-04-30 14:51:46.182 CEST [503/T505] INFO: Reloading config due to pihole.toml change
   2025-04-30 14:51:46.185 CEST [503/T505] INFO: Wrote config file:
   2025-04-30 14:51:46.185 CEST [503/T505] INFO:  - 156 total entries
   2025-04-30 14:51:46.185 CEST [503/T505] INFO:  - 142 entries are default
   2025-04-30 14:51:46.185 CEST [503/T505] INFO:  - 14 entries are modified
   2025-04-30 14:51:46.185 CEST [503/T505] INFO:  - 0 entries are forced through environment

Support for pi-hole v6 in dns-stats · Issue #596 · glanceapp/glance

Sorry, the high number of reloads might be caused by my troubleshooting, by setting the password and removing afterwards.

Here is my glance.yml config for reference. This config has worked before, so I doubt that the issue lies within Glance. Also, it is not the DNS stats widget in Glance that is timing out; it is the monitor widget that is timing out on Pi-hole.

theme:
  background-color: 225 14 15
  primary-color: 157 47 65
  contrast-multiplier: 1.1

pages:
  - name: Startpage
    #width: slim
    hide-desktop-navigation: false
    #center-vertically: true
    columns:
      - size: small
        widgets:
          - type: dns-stats
            service: pihole-v6
            allow-insecure: no
            url: https://dns.redacted.com
            password: [REDACTED]

      - size: full
        widgets:
          - type: search
            search-engine: google
            autofocus: true

          - type: monitor
            cache: 1m
            #show-failing-only: true
            title: Services
            sites:
              - title: Pi-hole
                url: https://dns.redacted.com/admin
                icon: si:pihole

      - size: small
        widgets:
          - type: clock
            hour-format: 24h

          - type: calendar
            first-day-of-week: monday

What is the monitor looking for?

Let's look at a curl for the URL:

curl -LI http://pi.hole/admin

HTTP/1.1 308 Permanent Redirect
Location: /admin/
Cache-Control: max-age=3600
X-DNS-Prefetch-Control: off
Content-Security-Policy: default-src 'self' 'unsafe-inline';
X-Frame-Options: DENY
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Content-Length: 0
Date: Wed, 30 Apr 2025 14:06:15 GMT
Connection: keep-alive

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate, private, max-age=0
Expires: 0
Pragma: no-cache
X-DNS-Prefetch-Control: off
Content-Security-Policy: default-src 'self' 'unsafe-inline';
X-Frame-Options: DENY
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html; charset=utf-8
Date: Wed, 30 Apr 2025 14:06:15 GMT
Connection: clos

Substitute in the domain you are using for the URL.

The monitor widget sends a GET request and checks if it is a 200 code or not.

I tried the curl command from the server hosting Glance.

root@server:~# curl -LI http://dns.redacted.com/admin
HTTP/1.1 308 Permanent Redirect
Location: /admin/
Cache-Control: max-age=3600
X-DNS-Prefetch-Control: off
Content-Security-Policy: default-src 'self' 'unsafe-inline';
X-Frame-Options: DENY
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Content-Length: 0
Date: Wed, 30 Apr 2025 14:14:17 GMT
Connection: keep-alive

HTTP/1.1 302 Found
Location: /admin/login

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate, private, max-age=0
Expires: 0
Pragma: no-cache
X-DNS-Prefetch-Control: off
Content-Security-Policy: default-src 'self' 'unsafe-inline';
X-Frame-Options: DENY
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html; charset=utf-8
Date: Wed, 30 Apr 2025 14:14:17 GMT
Connection: close

I tried to time the load time of the website with and without the password.
Here are my results.

Without password:

With password:

Sorry for the crappy pictures, but basically the request on /admin/ takes around 5 seconds when the password is enabled compared to when not.

One thing I noticed is that I can reproduce this behaviour across different devices, but only with the Firefox browser. If I use anything else like Chrome, Edge or Safari it will load in milliseconds instead of seconds.

The monitor is pointing to a URL that will always redirect to a login endpoint when passwords are set.

The curl responses are near instantaneous, the Date field doesn't even increment by one second. I'm not sure how glances actually polls that monitor endpoint, does anything change if you set the URL to use the plain non-https URL?

I'm wondering if there is a better way for a healthcheck for Pi-hole, something like a ping API endpoint. Let me talk with the team and see what we can think of. Otherwise you're going to get a ton of [2025-04-30 11:44:34.286 CEST 2093] Authentication required, redirecting to /admin/login spamming your logs because /admin/ will always redirect to /admin/login when passwords are set and you have an unauthenticated poll to /admin/ .

Can you try:

curl http://pi.hole/api/auth

This is an unauthenticated endpoint that could be pollable:

http://pi.hole/api/docs/#get-/auth/sessions
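As an added illustration (not part of the thread and not Pi-hole or Glance code), the sketch below separates scheduled monitor polls from other unauthenticated hits in the "Authentication required" entries of webserver.log. It assumes the poll interval equals the `cache: 1m` value in the posted Glance config; the function names and tolerances are hypothetical, and because the log carries no client address the result only distinguishes scheduled from unscheduled requests.

```python
import re
from datetime import datetime

# Line format as shown in the thread's webserver.log excerpt.
LINE = re.compile(r"\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) \S+ \d+\] (.*)")
REDIRECT = "Authentication required, redirecting to /admin/login"
EPOCH = datetime(1970, 1, 1)

def redirect_times(log_text):
    """Sorted timestamps (seconds) of unauthenticated-redirect entries."""
    times = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m and m.group(2).strip() == REDIRECT:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            times.append((ts - EPOCH).total_seconds())
    return sorted(times)

def periodic_chain(times, period=60.0, tol=0.1, max_missed=3):
    """Longest run of entries spaced k*period apart, allowing missed polls."""
    best = []
    for i, start in enumerate(times):
        chain = [start]
        for t in times[i + 1:]:
            gap = t - chain[-1]
            k = round(gap / period)  # how many poll intervals this gap spans
            if 1 <= k <= max_missed + 1 and abs(gap - k * period) <= tol * k:
                chain.append(t)
        if len(chain) > len(best):
            best = chain
    return best

# Timestamps taken from the tail of the log excerpt quoted in the thread;
# every entry there is the REDIRECT message, so the lines are rebuilt here.
STAMPS = """14:46:50.742 14:47:50.379 14:47:50.781 14:47:56.750 14:48:50.819
14:51:50.345 14:51:50.922 14:51:53.404 14:51:58.405 14:52:50.960
14:53:00.866 14:53:04.792 14:53:51.000 14:54:51.040 14:55:51.079""".split()
SAMPLE = "\n".join(f"   [2025-04-30 {s} CEST 503] {REDIRECT}" for s in STAMPS)

if __name__ == "__main__":
    times = redirect_times(SAMPLE)
    chain = periodic_chain(times)
    print(f"{len(times)} redirects, {len(chain)} on a 60 s schedule, "
          f"{len(times) - len(chain)} unscheduled")
```

Entries left outside the chain are the ones worth reviewing once the monitor is pointed at an endpoint that does not redirect.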

Okay, of course I should have looked at the endpoint in Glance. Changing the endpoint from https://dns.redacted.com/admin to https://dns.redacted.com/admin/login fixes the timeout issue. I guess because it doesn't have to redirect from the path /admin to /admin/login.

But that still leaves the issue of the loading speed in (my) Firefox browser, when loading https://dns.redacted.com/admin instead of https://dns.redacted.com/admin/login

CURL from the server:

curl http://dns.redacted.com/api/auth
{"session":{"valid":false,"totp":false,"sid":null,"validity":-1,"message":"no SID provided"},"took":5.1021575927734375e-05}

CURL from my device:

curl http://dns.redacted.com/api/auth
{"session":{"valid":false,"totp":false,"sid":null,"validity":-1,"message":"no SID provided"},"took":5.1975250244140625e-05}

How does the timing change for those last curl commands when you have no password set?

Without password.

CURL from server:

curl http://dns.redacted.com/api/auth
{"session":{"valid":true,"totp":false,"sid":null,"validity":-1,"message":"no password set"},"took":4.6253204345703125e-05}

CURL from laptop:

curl http://dns.redacted.com/api/auth
{"session":{"valid":true,"totp":false,"sid":null,"validity":-1,"message":"no password set"},"took":0.00054264068603515625}

I have not seen this before and it also doesn't make too much sense to me right now.

We should have solved this slowness with the last release, or is it still in development only? @rdwebdesign @yubiuser maybe

I think this is still in development.

I remember we have seen the 5 seconds timeout before and had a fix for this. But I don't remember exactly which one it was.
The last web release is >1 month old; I think we accumulated quite a few fixes in-between.