Client-Side Custom Lighttpd Blockpage Does Not Work

Hi all,

I have replicated a similar DNS-level adblocking software on my Raspberry Pi using stock dnsmasq for DNS-filtering. The part that I am interested in currently is the custom block page. I have tried configuring lighttpd using:

server.error-handler-404

to specify my custom 404 error page. This works correctly on a browser on my Raspberry Pi, but does not redirect 404s correctly for any of its connected clients. Can anyone point me in the right direction for how I am supposed to get this working for the client devices?
Thanks!

404s only work when the client knows the IP address of the lighttpd server. So you'll have to send that IP to the clients.

Custom blockpages don't really work anymore. You can't use them for https unless you MITM the client traffic and that's not trivial to do.

Is MITM what Pi-hole does to make custom blockpages work?

No. It is not. Pi-hole has no method for providing any certificates, etc.

It's kinda like this:

  • Client requests doubleclick.net/ad.jpg
  • pihole-FTL notes that doubleclick.net is on its block list, and so returns the address of the Pi-hole (e.g. 192.168.0.1)
  • Client makes an HTTP request for the content on 192.168.0.1/ad.gif
  • lighttpd cannot serve ad.gif and so returns a 404 result along with the block page (index.php / custom.php)
  • index.php has some stuff written into it which essentially will change how it displays depending on the requested content:
    • ad.jpg will return a small placeholder graphic like this
    • ad.js will return a small dummy javascript line to display in the console like this
    • Directly accessing the domain, or ad.html (for example) will return a full block page, which includes some information such as which blocklist the domain is found on, and the ability to add it to the whitelist if the user so desires. As shown in this gif

Note the "Not Secure" in the last gif, because it is an HTTP request, as opposed to an HTTPS request. If it were an HTTPS request, then no page/placeholder will be returned. For this reason the block page is basically useless these days (Hence it is no longer the default blocking mode provided)

(Had to go hunting through my Reddit post history for this one, I wrote it 2 years ago!)

2 Likes
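
The flow described in the replies above, as an added example that is not part of the original thread and is not Pi-hole's or lighttpd's own code: a small Python stand-in for the 404 handler that picks a placeholder by requested file type, plus a check that the address handed out for blocked names is one clients can actually reach. The function names, port 8080 and the placeholder bodies are assumptions made for the illustration.

```python
import base64
import html
import ipaddress
import posixpath
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# 1x1 transparent GIF used as the image placeholder (constructed for this example).
PIXEL_GIF = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")
IMAGE_EXT = {".gif", ".jpg", ".jpeg", ".png"}


def clients_can_reach(sinkhole_ip):
    """False if the address returned for blocked names only works on the Pi itself."""
    ip = ipaddress.ip_address(sinkhole_ip)
    return not (ip.is_loopback or ip.is_unspecified)


def block_response(host, target):
    """Choose (status, content type, body) from the extension of the blocked request."""
    ext = posixpath.splitext(urlsplit(target).path)[1].lower()
    if ext in IMAGE_EXT:
        return 404, "image/gif", PIXEL_GIF
    if ext == ".js":
        return 404, "application/javascript", b"/* blocked by DNS filter */\n"
    # The Host header is client-controlled: escape it before echoing it into HTML.
    safe = html.escape(host)
    page = f"<!doctype html><title>Blocked</title><h1>{safe} is blocked</h1>\n"
    return 404, "text/html; charset=utf-8", page.encode()


class BlockHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, ctype, body = block_response(self.headers.get("Host", ""), self.path)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Plain HTTP only (port 8080 is an assumption): an https:// request to a
    # blocked name fails at the TLS handshake before this handler ever runs.
    HTTPServer(("0.0.0.0", 8080), BlockHandler).serve_forever()
```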

Are there plans to support an HTTPS block page in the future?

No, not really. It would require setting up your own certificate authority, generating certificates to be used in Man-In-The-Middle attacks and then trying to get those certs on to each client. Not that hard with browsers on computers or phones but near impossible on anything like a smart device.

1 Like

Okay, thank you very much for the reply!