After upgrade to 6.0 I get "403 forbidden" on web interface

Since I upgraded to version 6.0 via "pihole -up", I always get "403 forbidden" on the web interface.
In my bare metal installation I use nginx as webserver. In the error.log I found this:

directory index of "/var/www/html/admin/" is forbidden

What can I do?

Pi-hole seems to work properly, except for the web interface.

Thanks,
Schultze

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or if you run your Pi-hole as a Docker container:

docker exec -it <pihole-container-name-or-id> pihole -d

where you substitute <pihole-container-name-or-id> as required.

So you Reverse Proxy from NginX to the Pi-Hole webGUI ?!

A lot has changed so you need to adjust your NginX "Virtual Host" configuration :wink:

(I only speak Apache httpd hence the Virtual Host mentioned but I am guessing you know what I mean...)

Are you accessing the admin URL with http: or https:? V6 seems to insist on the latter.

1 Like

No, it doesn't.
You can use http without issues in v6.

If you can't access via http, please open a new topic with a debug log. We can help you find the issue.

Here it is:
https://tricorder.pi-hole.net/cmP8h8n7/

Not really. I use nginx as webserver. It provides more than PiHole-WebUI.

https

Please post nginx configuration. nginx runs as root, so a 403 is likely related to a config problem.

This was working before update:

Pihole
    location /*.js {
        index pihole/index.js;
    }

    location /admin {
        index index.php index.html index.htm;

        index pihole/index.js;

        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

}

From similar posts here, try to add /api as a location. Pihole made some webserver changes with the update to v6.

I already tried:

Pihole
    location /*.js {
        index pihole/index.js;
    }

    location /admin {
        index index.php index.html index.htm;

        index pihole/index.js;

        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    location /api {
        index index.php index.html index.htm;

        index pihole/index.js;

        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

Nothing changed. Still 403 forbidden.

As mentioned in the Announcement for Introducing Pi-hole v6, Pi-hole v6's employment of an embedded webserver has eliminated the need for lighttpd as well as PHP, with the newly embedded webserver leveraging Lua for serving the UI.

Your debug log shows that you run nginx as webserver, with Pi-hole's embedded webserver being completely disabled:

*** [ DIAGNOSING ]: Ports in use
    tcp:192.168.42.1:443 is in use by nginx
    tcp:0.0.0.0:80 is in use by nginx
    tcp:127.0.0.1:443 is in use by nginx
    tcp:[::]:80 is in use by nginx
   [webserver]
     port = "" ### CHANGED, default = "80o,443os,[::]:80o,[::]:443os"

If you want nginx to serve Pi-hole's web UI instead of Pi-hole's embedded webserver, you'd have to add at least Lua capabilities to nginx, and even with Lua support, nginx won't be able to retrieve data from pihole-FTL.

You should enable Pi-hole's embedded webserver on its own port, and perhaps optionally configure nginx as reverse proxy, redirecting HTTP requests to Pi-hole's webserver.

To start Pi-hole's webserver on a different port, you'd need to configure webserver.port under All settings » Miscellaneous, or via CLI, e.g. to have it listen on 8081 (IPv4/IPv6 HTTP) and 8443 (IPv4/IPv6 HTTPS):

sudo pihole-FTL --config webserver.port "8081o,8443os,[::]:8081o,[::]:8443os"

All settings is available in Expert mode only.


EDIT:
Unrelated to your webserver issue, there are two other observations from your debug log you may want to address, one of them urgently.

a. Consider disabling Pi-hole's embedded NTP service via All settings » Network Time Sync, as your debug log indicates there is already a running NTP service on your machine:

*** [ DIAGNOSING ]: Pi-hole diagnosis messages
 count last timestamp       type    message                                                       blob1                 blob2
 ----- -------------------  ------- ------------------------------------------------------------  --------------------  -------
 1     2025-02-22 08:54:50  NTP     Cannot bind to IPv4 address 0.0.0.0:123 (Address in use), IP  Error                 server
                                     v4 NTP server not available

This isn't critical, as Pi-hole detects the other NTP service and won't enable its own.

b. Your router advertises its own IPv6 addresses as DNS server:

     Recursive DNS server 1/2: fd00::<redacted>15
     Recursive DNS server 2/2: 2a<redacted>15

This is critical: As your router is advertising its own IPv6 addresses, that would allow your clients to bypass Pi-hole (which is completely independent of any of Pi-hole's versions).

As your debug log indicates you are using a Fritzbox router, you could consider configuring it to distribute Pi-hole's IPv4 for DNS exclusively, see Unresolved ipv6 adress in my top list - #4 by Bucking_Horn.

2 Likes
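The reverse-proxy setup suggested in the reply above, sketched as an added example (not configuration posted by anyone in this thread): the v5-era location blocks that hand requests to PHP-FPM are replaced by blocks that forward /admin/ and /api/ to Pi-hole's embedded webserver. It assumes the webserver was moved to port 8081 with the pihole-FTL command from the reply and is reachable from nginx at 127.0.0.1; the forwarded headers are an assumption about what a proxied backend usually wants, not something the thread specifies.

```nginx
# Added example. Place inside the existing nginx server { } block.
# Assumption: pihole-FTL's embedded webserver listens on HTTP port 8081, e.g. after
#   sudo pihole-FTL --config webserver.port "8081o,8443os,[::]:8081o,[::]:8443os"

# Before (v5-era config from the thread), shown commented out.
# nginx looked on disk for index.php/index.html/index.htm and passed *.php
# to PHP-FPM. v6 no longer ships a PHP UI, so no listed index file is found
# and nginx logs: directory index of "/var/www/html/admin/" is forbidden
#
#   location /admin {
#       index index.php index.html index.htm;
#       location ~ \.php$ {
#           include snippets/fastcgi-php.conf;
#           fastcgi_pass unix:/run/php/php-fpm.sock;
#       }
#   }

# After: nginx serves nothing from disk for Pi-hole; it only forwards.
# The web UI (served by pihole-FTL's embedded webserver).
location /admin/ {
    # No URI part after the port, so the request path is passed unchanged.
    proxy_pass http://127.0.0.1:8081;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

# The API the web UI talks to; without this block the UI loads but gets no data.
location /api/ {
    proxy_pass http://127.0.0.1:8081;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

# A request for /admin (no trailing slash) is answered by nginx with a 301
# to /admin/ automatically, because the prefix location above ends in a
# slash and is handled by proxy_pass.
```

With the port string from the reply, Pi-hole's webserver listens on all interfaces, so ports 8081 and 8443 stay reachable directly and bypass whatever TLS settings or access rules nginx enforces. Restrict those ports with a host firewall if nginx is meant to be the only entry point.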
