Alternative lighttpd web page shows 403 Forbidden

Expected Behaviour:

I want FreshRSS running alongside Pi-hole, both using lighttpd. I want to navigate to <PI_IP>:2000 to load FreshRSS and <PI_IP>/admin to load Pi-hole.

uname -a
Linux raspberrypi 6.1.21+ #1642 Mon Apr 3 17:19:14 BST 2023 armv6l GNU/Linux

Actual Behaviour:

<PI_IP>/admin is working correctly to resolve to PiHole, however accessing <PI_IP>:2000 shows 403 Forbidden.

Since Pihole is replacing some lighttpd config files I was struggling to make it work.

Here is my configuration

ls -la /etc/lighttpd/conf-enabled/

total 12
drwxr-xr-x 2 root root 4096 Oct 21 14:50 .
drwxr-xr-x 4 root root 4096 Oct 21 14:48 ..
lrwxrwxrwx 1 root root   32 Aug 16 13:28 05-setenv.conf -> ../conf-available/05-setenv.conf
lrwxrwxrwx 1 root root   35 Aug 16 13:28 10-accesslog.conf -> ../conf-available/10-accesslog.conf
lrwxrwxrwx 1 root root   33 Aug 16 13:28 10-fastcgi.conf -> ../conf-available/10-fastcgi.conf
lrwxrwxrwx 1 root root   38 Aug 16 13:28 15-pihole-admin.conf -> ../conf-available/15-pihole-admin.conf
lrwxrwxrwx 1 root root   38 Aug 16 13:24 99-unconfigured.conf -> ../conf-available/99-unconfigured.conf
-rw-r--r-- 1 root root  109 Oct 21 14:50 external.conf

cat /etc/lighttpd/conf-enabled/external.conf

# FreshRSS config

$SERVER["socket"] == ":2000" {
    server.document-root     = "/var/www/html/freshrss"
}

cat /etc/lighttpd/lighttpd.conf

server.modules = (
        "mod_indexfile",
        "mod_access",
        "mod_alias",
        "mod_redirect",
)

server.document-root        = "/var/www/html"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 80

# features
#https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_feature-flagsDetails
server.feature-flags       += ("server.h2proto" => "enable")
server.feature-flags       += ("server.h2c"     => "enable")
server.feature-flags       += ("server.graceful-shutdown-timeout" => 5)
#server.feature-flags       += ("server.graceful-restart-bg" => "enable")

# strict parsing and normalization of URL for consistency and security
# https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails
# (might need to explicitly set "url-path-2f-decode" = "disable"
#  if a specific application is encoding URLs inside url-path)
server.http-parseopts = (
  "header-strict"           => "enable",# default
  "host-strict"             => "enable",# default
  "host-normalize"          => "enable",# default
  "url-normalize-unreserved"=> "enable",# recommended highly
  "url-normalize-required"  => "enable",# recommended
  "url-ctrls-reject"        => "enable",# recommended
  "url-path-2f-decode"      => "enable",# recommended highly (unless breaks app)
 #"url-path-2f-reject"      => "enable",
  "url-path-dotseg-remove"  => "enable",# recommended highly (unless breaks app)
 #"url-path-dotseg-reject"  => "enable",
 #"url-query-20-plus"       => "enable",# consistency in query string
)

index-file.names            = ( "index.php", "index.html" )
url.access-deny             = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"

#server.compat-module-load   = "disable"
server.modules += (
        "mod_dirlisting",
        "mod_staticfile",
)

ls -la /var/www/html

drwxrwxr-x 3 www-data www-data 4096 Oct 21 13:01 .
drwxr-xr-x 3 root     root     4096 Aug 16 13:23 ..
drwxr-xr-x 7 root     root     4096 Aug 16 13:23 admin
lrwxrwxrwx 1 root     root       19 Oct 21 13:01 freshrss -> /home/pi/FreshRSS/p
-rw-r--r-- 1 root     root     3388 Aug 16 13:24 index.lighttpd.html

ls -la /home/pi/FreshRSS/p

total 72
drwxrwxrwx  6 www-data www-data  4096 Oct 21 12:44 .
drwxrwxrwx 14 www-data www-data  4096 Oct 21 14:02 ..
drwxrwxrwx  2 www-data www-data  4096 Oct 21 12:44 api
-rwxrwxrwx  1 www-data www-data  3507 Oct 21 12:44 ext.php
-rwxrwxrwx  1 www-data www-data 18102 Oct 21 12:44 favicon.ico
-rwxrwxrwx  1 www-data www-data  1703 Oct 21 12:44 f.php
-rwxrwxrwx  1 www-data www-data  1349 Oct 21 12:44 .htaccess
drwxrwxrwx  2 www-data www-data  4096 Oct 21 12:44 i
-rwxrwxrwx  1 www-data www-data   789 Oct 21 12:44 index.html
-rwxrwxrwx  1 www-data www-data   206 Oct 21 12:44 index.php
-rwxrwxrwx  1 www-data www-data    26 Oct 21 12:44 robots.txt
drwxrwxrwx  3 www-data www-data  4096 Oct 21 12:44 scripts
drwxrwxrwx 16 www-data www-data  4096 Oct 21 12:44 themes
-rwxrwxrwx  1 www-data www-data  1725 Oct 21 12:44 Web.config

All of the files appear to have max permissions for the www-data user, but it still doesn't work. Could someone help, please?
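
A check the listings above do not cover, added here as an example and not part of the original thread: the modes shown are for entries inside /home/pi/FreshRSS/p, but the server user must also be able to traverse every directory above the symlink target. The function name `first_blocked_dir` is made up for this example, and it assumes www-data is neither owner nor group member of those directories, so only the "other" execute bit is tested (GNU `readlink -f` and `stat -c` are assumed).

```shell
#!/bin/sh
# Added example: report the topmost directory on a resolved path that
# "other" users cannot traverse (mode lacks o+x).
# Assumption: the web server user (www-data on this page) is neither the
# owner nor in the group of the directories being checked.

# first_blocked_dir PATH [BASE]
# Resolves symlinks in PATH, then checks every directory from BASE
# (default /) down to PATH. Prints the first one without o+x, or nothing
# if all of them are traversable. Returns 2 if a path cannot be resolved.
first_blocked_dir() {
    target=$(readlink -f -- "$1") || return 2
    # If PATH names a file, start from the directory that contains it.
    [ -d "$target" ] || target=$(dirname -- "$target")
    base=$(readlink -f -- "${2:-/}") || return 2

    dir=$target
    blocked=
    # Walk upward; each hit overwrites the previous one, so the value left
    # at the end is the blocked directory closest to BASE.
    while :; do
        mode=$(stat -c %a -- "$dir") || return 2
        # The last octal digit holds the "other" bits; odd means x is set.
        case $mode in
            *[1357]) ;;
            *) blocked=$dir ;;
        esac
        if [ "$dir" = "$base" ] || [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname -- "$dir")
    done

    [ -z "$blocked" ] || printf '%s\n' "$blocked"
}

# Example call on the Pi: sh check.sh /var/www/html/freshrss
if [ "$#" -gt 0 ]; then
    first_blocked_dir "$@"
fi
```

An empty result means every directory on the resolved path has the other-execute bit; `namei -l /var/www/html/freshrss` shows the same chain by hand.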

I'm not a lighttpd expert, but maybe it is missing something.

Are you able to access http://<IP>:2000/index.html?

Not sure about accessing an alternate port, but depending on what lighttpd modules are being used, I would think your lighttpd configuration.

Using the latest version of Pi-hole (5.17.2), I have a couple of sub-sites configured on my server. I can access them just fine based on port 80. All it required was properly configuring lighttpd for my sites. I have a configuration file in /etc/lighttpd/conf-available that is linked to under /etc/lighttpd/conf-enabled. The configuration specifies the lighttpd modules (php and the like that are needed for my purposes). Any time I adjusted my configurations, I just needed to restart lighttpd, and everything worked.

My assumption, based on how Pi-hole’s web interface is configured under lighttpd, is that your issue lies in how you have things configured, but not sure, as my setup does not rely on port 2000.
