Conflict with other webservices running on Pi (Ports 80 and 443)

Hi,

I've set up pi-hole with lighttpd on port 8080 (set in lighttpd.conf and chronometer.sh, but "pihole -c" is not that important).

I'm also running another web application (this is the main use case of the Raspberry Pi) using nginx:

  • Port 80 --> only default page, within site strictly forwarded to 443
  • Port 443 --> the web application itself

So: What is the desired behaviour of pi-hole when a client/browser accesses a blocked site?
a) It should run into a timeout giving a 404 or similar error code
b) It should show a coaching page of pi-hole which says "This site is blocked by pi-hole. Turn to the admin page to configure your white- and blacklists."
c) ???

What happens for me on this setup is:

  1. Accessing a site (Port 80) listed on blocklist:
    Shows default page of nginx webserver ("Welcome to nginx on Debian!")
  2. Accessing a site (Port 443) listed on default adlists:
    certificate warning, because the client/browser is redirected to the webserver on 443, where - of course - a certificate mismatch exists

Random example for experience #2 (443) above: Click on "zum Angebot" of dealer #2 or #3 on https://geizhals.de/818065651

One of those domains is "www.econda-monitor.de":

pi@piserver:~$ sudo cat /etc/pihole/gravity.list | grep econda
192.168.0.10 econda.web.de
192.168.0.10 monitor.econda-monitor.de
192.168.0.10 www.econda-monitor.de

(where 192.168.0.10 is the Raspberry Pi/pi-hole itself)

Depending on the browser it also happens very often when surfing on Amazon. E.g. Internet Explorer (the only browser without an additional ad blocking extension, so perfect for testing) also shows certificate warnings because some loaded ad domains are redirected to the web application running on port 443 next to the pi-hole.

This

  1. makes surfing really painful,
  2. puts additional load on the nginx webserver (which now has to deal with all the ad requests),
  3. of course stuffs the nginx log files and
  4. also triggers the NoScript Firefox addon notifications for ABE blockings/warnings

In other words: I need to change this, urgently.

==> What can I do to resolve this (major) issue?
==> Did I run into a "failure by design" issue because pi-hole isn't made for running next to other web services?
==> Is it maybe possible to point the ad requests to a coaching page (see b) above)? Or at least to a specific port? Or another IP (not 127.0.0.1/localhost) which doesn't exist?
==> First of all, it would be helpful to know what the desired behaviour is (see my first bold question above).

1 Like

No one, really ?!? :frowning:

I stick with "failure by design".
You probably have two web daemons now competing for TCP port 80 and nginx won:

sudo netstat -nltp

No I don't. lighttpd for the pi-hole web interface is running on 8080. Next idea please.

Sorry for the short answer but it's such a lengthy story that I missed out on the 8080 bit.
You could set up the Pi with two IP addresses on one and the same network interface.
And have lighttpd listen only on the one IP address and nginx on the other IP address.
So Pi-Hole can go back to using port 80 for the admin page and displaying empty ads as it was designed for.

So for example:

10.0.0.10:80  --> lighttpd (for Pi-Hole)
10.0.0.20:80  --> nginx (your other web apps via HTTP)
10.0.0.20:443 --> nginx (your other web apps via HTTPS)

Sounds great! I didn't realize that the lighttpd webserver is also the "resolver" for the blocked ads. I was thinking so because it's possible to run pi-hole without the web interface (only DNS service with dnsmasq)...

Now I'm trying to figure out how to achieve this (two IP addresses for the Pi) and where to change it.

Can you point me to the right direction?
And is the change only needed on the lighttpd config (and the bookmarks for the pi-hole admin page)?

I hope I don't need to rerun the whole pi-hole setup... :frowning:

For example if you want to setup like below:

10.0.0.10:80  --> lighttpd (for Pi-Hole)
10.0.0.20:80  --> nginx (your other web apps via HTTP)
10.0.0.20:443 --> nginx (your other web apps via HTTPS)
  1. In the "interfaces" file, you add alias interface "eth0:0" with second IP:
    *replace IP address and netmask to suit your needs.

    {
    echo
    echo 'auto eth0:0'
    echo 'allow-hotplug eth0:0'
    echo 'iface eth0:0 inet static'
    echo ' address 10.0.0.20'
    echo ' netmask 255.255.255.0'
    } | sudo tee -a /etc/network/interfaces

  2. Bring up the new interface, including verbose logging, with:

sudo ifup -v eth0:0

  3. Configure lighttpd to listen to the eth0 interface IP address:

echo 'server.bind = "10.0.0.10"' | sudo tee -a /etc/lighttpd/lighttpd.conf

  4. Reload lighttpd settings:

sudo service lighttpd reload

  5. Have nginx listen to the eth0:0 interface IP address by adding/changing below in "nginx.conf":
  • Not sure how to configure nginx as I don't have it and have never used it before.

    listen 10.0.0.20:80;
    listen 10.0.0.20:443;

  6. Reload nginx settings:

sudo service nginx restart

  7. Check the relevant daemons with:

sudo netstat -nltup | grep 'Proto\|lighttpd\|nginx\|dnsmasq\|dhcpcd\|pihole-FTL'

Below the output for netstat as example:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      50/pihole-FTL
tcp        0      0 10.0.0.10:80            0.0.0.0:*               LISTEN      100/lighttpd
tcp        0      0 10.0.0.20:80            0.0.0.0:*               LISTEN      200/nginx -g daemo
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      300/dnsmasq
tcp        0      0 10.0.0.20:443           0.0.0.0:*               LISTEN      200/nginx -g daemo
tcp6       0      0 :::53                   :::*                    LISTEN      300/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           300/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           400/dhcpcd
udp6       0      0 :::53                   :::*                                300/dnsmasq

And here is explained how to disable IPv6 if conflicting:

Very important note: if using Pi-Hole as DHCP server, the only way to not have dnsmasq mix up the interfaces is to hash out all static IP address assignments for the "eth0" interface in the "dhcpcd.conf" file, e.g.:

sudo nano /etc/dhcpcd.conf

#interface eth0
#  static ip_address=10.0.0.10/24
#  static routers=10.0.0.1
#  static domain_name_servers=10.0.0.1

And move the static IP address assignment for "eth0" to the "interfaces" configuration file (hash out existing eth0 line):

sudo nano /etc/network/interfaces

#iface eth0 inet manual
auto eth0
allow-hotplug eth0
iface eth0 inet static
  address 10.0.0.10
  netmask 255.255.255.0
  gateway 10.0.0.1

And make sure a DNS nameserver is set in the "resolv.conf" file, e.g.:

sudo nano /etc/resolv.conf

# Local Pi-Hole DNS service
nameserver 127.0.0.1
1 Like

Thank you, nginx will continue using the current IP address so there will be no changes.
I'm just thinking on two remaining topics:

  1. How will the router (FritzBox) handle this: two IP addresses on one MAC address...
  2. What about DNS... I guess I should set another name for the "new" lighttpd IP address (like "pi.hole"). I'm not sure how Raspbian/Debian Jessie handles this, currently in /etc/hostname there's only one name. And I saw a pi-hole config file yesterday where also hostnames are configured.

  1. Don't worry, it's all ARP and MAC.
  2. Doesn't matter for the web daemons as they will respond on the 80/443 ports anyway.

Okay, so I'll give it a try and respond asap.

I adjusted the instructions above a bit so you won't need a restart.
Oh, and use the one below a lot :wink:

sudo netstat -nltp

How is going ?
I realized lighttpd still binds to ipv6 and maybe nginx will do so too (netstat -nltp).
If so, the two could conflict again at ipv6 level.

If you have not set up your network with IPv6, you can disable IPv6 for lighttpd by hashing out the one line below in "/etc/lighttpd/lighttpd.conf":

# include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port

And reload lighttpd to apply new settings:

sudo service lighttpd reload

And check again with:

sudo netstat -nltp

Not sure if you need to disable IPv6 on nginx too but if one is not listening on IPv6 anymore, the other won't conflict (I presume).
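As an added example (not from this thread), the check suggested in step 7 above and the IPv6 concern in this post can be automated: the POSIX shell script below reads `netstat -nltp` output and reports any two different programs whose listening sockets would collide on the same port. A wildcard bind (0.0.0.0, or :: on a dual-stack kernel, which is an assumption) overlaps every specific address, so lighttpd on 0.0.0.0:80 and nginx on 10.0.0.20:80 would still be flagged. The embedded table is constructed for this example with invented PIDs; `live_check` runs the same logic against the real system and assumes `netstat` is installed.

```sh
#!/bin/sh
# Added example: find two daemons competing for one TCP listen port.
# Input format is that of "netstat -nltp" (Proto, Recv-Q, Send-Q,
# Local Address, Foreign Address, State, PID/Program name).

# Sample listening table, constructed for this example (PIDs invented).
# It shows the clash from the thread: lighttpd and nginx both on port 80.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      100/lighttpd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      200/nginx
tcp        0      0 10.0.0.20:443           0.0.0.0:*               LISTEN      200/nginx
tcp        0      0 10.0.0.10:8080          0.0.0.0:*               LISTEN      100/lighttpd'

# port_conflicts: read netstat output on stdin, print one line per pair of
# different programs whose LISTEN sockets overlap on a port. Two sockets
# overlap when the port is equal and either address is a wildcard
# (0.0.0.0 or ::, assuming a dual-stack kernel) or both are identical.
port_conflicts() {
  awk '
    ($1 == "tcp" || $1 == "tcp6") && $6 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      split($7, p, "/"); prog = p[2]
      i = ++count; A[i] = addr; P[i] = port; G[i] = prog
    }
    function wild(x) { return x == "0.0.0.0" || x == "::" }
    END {
      for (i = 1; i <= count; i++)
        for (j = i + 1; j <= count; j++)
          if (P[i] == P[j] && G[i] != G[j] &&
              (wild(A[i]) || wild(A[j]) || A[i] == A[j]))
            print "port " P[i] ": " G[i] " (" A[i] ") vs " G[j] " (" A[j] ")"
    }'
}

# live_check: same analysis on the running system (root needed for names).
live_check() { netstat -nltp 2>/dev/null | port_conflicts; }

# Demonstration on the constructed sample; expected output:
# port 80: lighttpd (0.0.0.0) vs nginx (0.0.0.0)
printf '%s\n' "$SAMPLE" | port_conflicts
```

After moving lighttpd to 10.0.0.10 and nginx to 10.0.0.20 as described above, `live_check` should print nothing; a remaining line mentioning `::` is the IPv6 overlap this post talks about.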

Hi,

well - it's not that easy. I sorted out IPv6 as described before.

Now nginx is listening on 10.0.0.20:80 and 10.0.0.20:443, lighttpd is listening on 10.0.0.10:80
where 10.0.0.10 is the default port and 10.0.0.20 is the newly created eth0:0 (when I switch it then there's no difference, meaning ads are still linking to the nginx webserver).

Test #1: No ABE triggered e. g. on Amazon.
Test #2: "zum Angebot" on Leifheit Dry&Clean Komplett-Set (51013) ab € 57,90 (2021) | Preisvergleich Geizhals Deutschland now simply results in a not loading page (on Firefox, EDGE tries to close the tab immediately) ==> no nginx reacting any longer.

Only (and BIG) problem remaining: nginx is running on internal and external hostnames. With the "listen 10.0.0.10:443" it's now impossible to access the web service using another hostname not matching the IP address. In detail, here's my nginx config (adjusted for publication):

server {
  listen                                10.0.0.20:443;
  server_name                           internalname externalname.dyndns.org internalname.with.fqdn;

The port forwarding is done by the router which matches the dyndns to the 443 on the Pi's "internalname" / 10.0.0.10.

So... how can I solve this? Now I need nginx to listen on "externalname.dyndns.org" too, which could be possibly ANY IP address... right? :frowning:

What I also tried: Change the port forward at the router from 10.0.0.10:443 to 10.0.0.20:443 --> doesn't work (FritzBox refuses to make this change)...

Would it change if I run pi.hole by default on nginx?

I like the separate lighttpd for pi-hole by the way...

OK I think it's really "only" the router. If I could change the port forwarding from 10.0.0.10:443 to 10.0.0.20:443 everything "should" work... don't know why FritzBox is refusing this change. :frowning:

Putting nginx on eth0 and lighttpd on eth0:0 isn't going to work without making too many changes, that's why I suggested the other way around.
dnsmasq running on Pi-Hole will default return the eth0 interface IP address when queried via DNS.

The other issues you have are indeed issues resolving hostnames to the correct IP addresses and this needs some configuring too.
Easiest is to have Pi-Hole run default on eth0 and move nginx to the other interface.
Once you got the IP thing sorted, you can start troubleshooting DNS issues with your devices or other DNS records.

Run pihole -r to reconfigure Pi-hole to use the correct IP address.

Okay I spent another 3 hours and I'm making absolutely NO progress. The router (FritzBox) is FIXED TO DEATH to the IP 10.0.0.10:443. Absolutely NO WAY to change it.

Any ideas left? The eth0:0 stuff simply doesn't work because the router binds names/IPs via the MAC address. And I can not change the MAC address of eth0:0 because it's bound to eth0.

So let´s go a step back: Is there REALLY NO ONE out there running pi-hole next to other web services on the same pi???

I'm totally lost.

What is the "correct" IP address ?!?

And there's no need to rerun the config part. The following does the same:

  1. "sudo nano /etc/pihole/setupVars.conf" (change IP in correct line)
  2. "pihole restartdns"
  3. "pihole -g"

Tried both IP addresses - it really doesn't matter what IP pihole/dnsmasq is using.

More specific:

  • Setting 10.0.0.20 (where nginx/other web service is running) gives certificate error and all that stuff already mentioned --> other web service is responding
  • Setting 10.0.0.10 (where lighttpd web service is running) gives "can't load page". Small advantages here:
    1. at least nginx/other web service is not responding
    2. pi.hole leads to admin page
      BUT: the typical "website blocked"-page (green buttons: go back, whitelist this page, close window) is NOT SHOWN.

So, it looks like the only thing not working is the blocking page. What is the output of curl -i http://doubleclick.com/test? Run pihole -d for a debug token.