Conflict with other webservices running on Pi (Ports 80 and 443)

This seems to not work anymore:

I'm currently in the process of migrating a Pi-Hole v5 instance to another host while keeping the v5 version and all settings, history etc.

Meanwhile, on the new host, as /etc/network/interfaces is not being used anymore (Pi OS 12), I used

  • /etc/systemd/network/eth0.network to set the static primary IP for the host (which should be used by the other service) --> 192.168.0.55 / eth0
  • /etc/network/if-up.d/eth0-alias to set the static secondary (virtual) IP which should be used by Pi-Hole --> 192.168.0.99 / eth0:0

Now after installing v5 Pi-Hole on the new host and using

  • /etc/lighttpd/external.conf with server.bind = "192.168.0.99" and

  • /etc/pihole/pihole-FTL.conf with REPLY_ADDR4=192.168.0.99 and

  • /etc/pihole/setupVars.conf with IPV4_ADDRESS=192.168.0.99/24
    as well as restarting lighttpd and pihole-FTL services, the problem is:

  • a) Pi-Hole Admin Interface is reachable via http://192.168.0.99/admin (good) as well as via http://192.168.0.55 (bad, as this IP + port combination is designated for another web service to be migrated and set up later, using nginx)

  • b) sudo netstat -nltp | grep 80 gives

    • :cross_mark: on the new host:
      tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 254240/lighttpd
    • :white_check_mark: while on the old host it gives:
      tcp 0 0 192.168.0.9:80 0.0.0.0:* LISTEN 1656/lighttpd
      tcp6 0 0 :::80 :::* LISTEN 1656/lighttpd
  • c) http://192.168.0.55/admin/messages.php shows


    which according to dnsmasq warnings - Pi-hole documentation translates as
    and I'm not sure I ever saw this on the old host with the other method of setting up the virtual eth0:0 interface (not sure if related)
    --> fixed (not shown anymore) after changing DNSMASQ_LISTENING from locale to single in /etc/pihole/setupVars.conf and doing a pihole -r

So in the end it seems lighttpd is still not serving Pi-Hole exclusively via the configured 192.168.0.99.

The only things different from the old host are

  1. Another OS release (12 instead of 11)
  2. Another way of setting the virtual eth0:0 interface
  3. The web service grabbing the physical eth0 interface / primary IP and port (192.168.0.55:80) is not running yet.
  4. ifconfig on the new host has an additional line device interrupt 112 for both eth0 and eth0:0 while the old host does not.
  5. /etc/dnsmasq.d/01-pihole.conf on the new host does not contain a few lines from the old host, e.g. it has local-service (new host) but not interface=eth0 (old host). Trying to edit this file makes the pihole-FTL service not start anymore (and those files shouldn't be changed at all, as stated in their header sections). --> fixed after changing DNSMASQ_LISTENING from locale to single in /etc/pihole/setupVars.conf and doing a pihole -r

I meanwhile also already ran pihole -r (with custom changes to remain at the latest v5 release); unfortunately, both by choosing the "repair" as well as the "reconfigure" path, it (still) defaults to the physical eth0 interface IP address:

I have completely run out of ideas as to why, and how to convince Pi-Hole not to use the primary/physical eth0 IP (192.168.0.55) but only the virtual eth0:0 IP (192.168.0.99).

  • Using PIHOLE_INTERFACE=eth0:0 in /etc/pihole/setupVars.conf instead of PIHOLE_INTERFACE=eth0 like on the old host did not change anything.

Any help is highly appreciated.


EDIT: :white_check_mark: Seems to be fixed by using a well-working /etc/lighttpd/lighttpd.conf (copied from the old host):

default /etc/lighttpd/lighttpd.conf after pi-hole (v5) installation
server.modules = (
        "mod_indexfile",
        "mod_access",
        "mod_alias",
        "mod_redirect",
)

server.document-root        = "/var/www/html"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 80

# features
#https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_feature-flagsDetails
server.feature-flags       += ("server.h2proto" => "enable")
server.feature-flags       += ("server.h2c"     => "enable")
server.feature-flags       += ("server.graceful-shutdown-timeout" => 5)
#server.feature-flags       += ("server.graceful-restart-bg" => "enable")

# strict parsing and normalization of URL for consistency and security
# https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails
# (might need to explicitly set "url-path-2f-decode" = "disable"
#  if a specific application is encoding URLs inside url-path)
server.http-parseopts = (
  "header-strict"           => "enable",# default
  "host-strict"             => "enable",# default
  "host-normalize"          => "enable",# default
  "url-normalize-unreserved"=> "enable",# recommended highly
  "url-normalize-required"  => "enable",# recommended
  "url-ctrls-reject"        => "enable",# recommended
  "url-path-2f-decode"      => "enable",# recommended highly (unless breaks app)
 #"url-path-2f-reject"      => "enable",
  "url-path-dotseg-remove"  => "enable",# recommended highly (unless breaks app)
 #"url-path-dotseg-reject"  => "enable",
 #"url-query-20-plus"       => "enable",# consistency in query string
)

index-file.names            = ( "index.php", "index.html" )
url.access-deny             = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"

#server.compat-module-load   = "disable"
server.modules += (
        "mod_dirlisting",
        "mod_staticfile",
)

old /etc/lighttpd/lighttpd.conf copied from old host with well-working pi-hole installation
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Lighttpd config for Pi-hole
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.

###################################################################################################
#   IF THIS HEADER EXISTS, THE FILE WILL BE OVERWRITTEN BY PI-HOLE'S UPDATE PROCEDURE.            #
#   ANY CHANGES MADE TO THIS FILE WILL BE LOST ON THE NEXT UPDATE UNLESS YOU REMOVE THIS HEADER   #
#                                                                                                 #
#   ENSURE THAT YOU DO NOT REMOVE THE REQUIRED LINE:                                              #
#                                                                                                 #
#   include "/etc/lighttpd/conf-enabled/*.conf"                                                   #
#                                                                                                 #
###################################################################################################

server.modules = (
    "mod_access",
    "mod_auth",
    "mod_expire",
    "mod_redirect",
    "mod_setenv",
    "mod_rewrite"
)

server.document-root        = "/var/www/html"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error-pihole.log"
server.pid-file             = "/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
# For lighttpd version 1.4.46 or above, the port can be overwritten in `/etc/lighttpd/external.conf` using the := operator
# e.g. server.port := 8000
server.port                 = 80

# Allow streaming response
# reference: https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_stream-response-bodyDetails
server.stream-response-body = 1
#ssl.read-ahead              = "disable"

index-file.names            = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny             = ( "~", ".inc", ".md", ".yml", ".ini" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

mimetype.assign = (
    ".ico"   => "image/x-icon",
    ".jpeg"  => "image/jpeg",
    ".jpg"   => "image/jpeg",
    ".png"   => "image/png",
    ".svg"   => "image/svg+xml",
    ".css"   => "text/css; charset=utf-8",
    ".html"  => "text/html; charset=utf-8",
    ".js"    => "text/javascript; charset=utf-8",
    ".json"  => "application/json; charset=utf-8",
    ".map"   => "application/json; charset=utf-8",
    ".txt"   => "text/plain; charset=utf-8",
    ".eot"   => "application/vnd.ms-fontobject",
    ".otf"   => "font/otf",
    ".ttc"   => "font/collection",
    ".ttf"   => "font/ttf",
    ".woff"  => "font/woff",
    ".woff2" => "font/woff2"
)

# Add user chosen options held in (optional) external file
include "external*.conf"

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include "/etc/lighttpd/conf-enabled/*.conf"

Immediately after using that lighttpd.conf and restarting lighttpd service, the web interface on the physical eth0 IP (192.168.0.55) did not load anymore, while the virtual eth0:0 IP (192.168.0.99) still does - exactly the same behaviour as on the old host ==> :white_check_mark:

Really strange. That default lighttpd.conf looks very different and is also missing the header section. At the same time, the timestamp of the lighttpd.conf from the old host is exactly the date/time when Pi-Hole got updated to the latest v5 release last year. What specific change in that file made lighttpd finally respect the /etc/lighttpd/external.conf content is kind of a miracle to me.
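As an added check (not part of the original post, and not Pi-hole's or lighttpd's own tooling), the following POSIX shell script turns the two symptoms from the post into repeatable tests: whether a lighttpd.conf actually contains an active `include "external*.conf"` directive (the visible difference between the two files quoted above: the new default only includes conf-enabled/*.conf, so a server.bind placed in external.conf is never read), and whether `netstat -nltp` output shows a listener on a given port bound to every address (0.0.0.0 or ::), which is what exposes the admin interface on the IP reserved for the other web service. The config excerpts and netstat samples below are constructed from the lines quoted in the post; PIDs and the extra pihole-FTL line are placeholders.

```shell
#!/bin/sh
# Added example: detect the two misconfiguration symptoms described in the post.

# Constructed excerpts of the two lighttpd.conf variants shown in the post.
NEW_DEFAULT_CONF='server.port                 = 80
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include "/etc/lighttpd/conf-enabled/*.conf"'

OLD_PIHOLE_CONF='server.port                 = 80
# Add user chosen options held in (optional) external file
include "external*.conf"
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include "/etc/lighttpd/conf-enabled/*.conf"'

# Constructed netstat -nltp output for both hosts (PIDs are placeholders).
NEW_HOST_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      254240/lighttpd
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      1234/pihole-FTL'

OLD_HOST_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.0.9:80          0.0.0.0:*               LISTEN      1656/lighttpd
tcp6       0      0 :::80                   :::*                    LISTEN      1656/lighttpd'

# has_external_include CONFIG_TEXT
# Succeeds (exit 0) if the config text contains an uncommented
# include "external*.conf" line, i.e. external.conf will actually be read.
has_external_include() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*include[[:space:]]+"external\*\.conf"'
}

# wildcard_listeners PORT
# Reads netstat -nltp output on stdin and prints every LISTEN line on PORT
# whose local address is the IPv4 (0.0.0.0) or IPv6 (::) wildcard.
wildcard_listeners() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            # the port is everything after the last colon; the host is the rest
            n = split(addr, parts, ":")
            p = parts[n]
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (p == port && (host == "0.0.0.0" || host == "::")) print $0
        }'
}

# count_wildcard_listeners PORT NETSTAT_TEXT
# Prints the number of wildcard listeners on PORT (always exits 0).
count_wildcard_listeners() {
    printf '%s\n' "$2" | wildcard_listeners "$1" | awk 'END { print NR }'
}

# Stand-alone run: report on the constructed samples.
if has_external_include "$OLD_PIHOLE_CONF"; then
    echo "old config: external*.conf is included"
fi
if ! has_external_include "$NEW_DEFAULT_CONF"; then
    echo "new default config: external*.conf is NOT included, server.bind in external.conf is ignored"
fi
echo "wildcard listeners on :80, new host: $(count_wildcard_listeners 80 "$NEW_HOST_NETSTAT")"
echo "wildcard listeners on :80, old host: $(count_wildcard_listeners 80 "$OLD_HOST_NETSTAT")"
```

On a live host the same functions apply to the real files and sockets, e.g. `has_external_include "$(cat /etc/lighttpd/lighttpd.conf)"` and `sudo netstat -nltp | wildcard_listeners 80`. Note that the old host's `:::80` line is reported as well: binding server.bind to 192.168.0.9 only restricts IPv4, while `use-ipv6.pl` still opens the IPv6 wildcard, so the admin interface stays reachable on every IPv6 address the host has.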