Nginx error404 from pihole

Hey that’s a good idea! Could you zip the contents of that page and put it here?
I’ll report my findings back and share my nginx file too :slight_smile:

index.php and blockingpage.css can be found on git:

Gotcha, gimme a bit, I’ll get this working in a bit :blush:

Got it finally working here:
https://betavpn.tk/admind

Had to do some editing tho, but it's luckily not that complicated haha

I'll put my nginx config file here in a bit.

thank you so much already for all the help! <3

Oh, and make sure you're not running an open resolver:

http://www.openresolver.com/

Oops:

http://www.openresolver.com/?ip=betavpn.tk

That's not a good idea:

https://discourse.pi-hole.net/search?q=open%20resolver

Please close down port 53 UDP with the firewall and only allow trusted IPs, or set up a VPN on clients and Pi-hole:

Hi @deHakkelaar!
I got everything fixed, the betavpn.tk domain is no longer needed and I now use the new improved way: https://pihole.deltabot.me/ I run this behind Cloudflare so everything in terms of security should be good!
http://www.openresolver.com/?ip=pihole.deltabot.me
http://www.openresolver.com/?ip=deltabot.me
The file below is the configuration I'm rocking now :slight_smile:
default.txt (1.4 KB)

I can also share the way I have the error404 set up; I mainly changed the HREF tags to the domain I'm using (b/c using paths like error404/etcetc didn't work out for me).

Again, I want to thank everyone for their help!

A few side questions:
Would it be an idea to submit a request to add the favicon to the error404 page?
Is there a darkmode for the dashboard? Or is that in the making?

It's still resolving:

pi@noads:~ $ dig +short test.openresolver.com TXT @betavpn.tk
"open-resolver-detected"

Ah, that's b/c that domain still points to the server directly, I'll remove that domain asap :stuck_out_tongue:

Removing the domain doesn't help.
Addressing the IP address directly instead of the name would still result in an open resolver.

EDIT: eg

pi@noads:~ $ dig +short test.openresolver.com TXT @64.52.86.238
"open-resolver-detected"

pi@noads:~ $ dig +short version.bind TXT @64.52.86.238 CHAOS
"dnsmasq-pi-hole-2.80"

Um ok, what would I need to disable?

This bit below:

That should do it?

That did the trick:

pi@noads:~ $ dig +short test.openresolver.com TXT @64.52.86.238
;; connection timed out; no servers could be reached

Now make it persistent by putting it in, for example, a new file:

/etc/network/if-pre-up.d/my-iptables-rules

EDIT: Oh, you might want to add the interface to that iptables rule or else all DNS traffic gets dropped.

Reboot and test with openresolver.com.

Oh, I forgot one thing, DNS is closed now for UDP that's used for the amp attacks.
But TCP is still open for the public, just so you know:

pi@noads:~ $ dig +short +tcp test.openresolver.com TXT @64.52.86.238
"open-resolver-detected"

Also not really advised to do so :wink:
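
An added example, not part of any post in this thread: a hook script for the /etc/network/if-pre-up.d/my-iptables-rules file suggested above that closes port 53 for both UDP and TCP, scoped to one interface. The interface name eth0, the trusted range 192.0.2.0/24 and the function names are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (constructed). WAN_IF and TRUSTED_NETS are assumptions:
# set them to your public interface and the source networks allowed to query.
WAN_IF="${WAN_IF:-eth0}"
TRUSTED_NETS="${TRUSTED_NETS:-192.0.2.0/24}"   # placeholder documentation range

# Print one iptables rule spec per line (no side effects), so the rule set
# can be reviewed before anything is applied.
dns_rules() {
    for proto in udp tcp; do                    # close TCP as well as UDP
        for net in $TRUSTED_NETS; do
            echo "INPUT -i $WAN_IF -p $proto --dport 53 -s $net -j ACCEPT"
        done
        # Scoped to the public interface: DNS on other interfaces is untouched.
        echo "INPUT -i $WAN_IF -p $proto --dport 53 -j DROP"
    done
}

# Append each rule unless it is already present (-C checks for an exact match).
apply_dns_rules() {
    dns_rules | while read -r spec; do
        # $spec is left unquoted on purpose so it splits into arguments.
        iptables -C $spec 2>/dev/null || iptables -A $spec
    done
}

# ifupdown exports PHASE and IFACE to hook scripts; act only when the public
# interface is being brought up, so nothing happens when run by hand.
if [ "${PHASE:-}" = "pre-up" ] && [ "${IFACE:-}" = "$WAN_IF" ]; then
    apply_dns_rules
fi
```

The file must be executable for ifupdown to run it. After a reboot, repeat the dig tests above both with and without +tcp.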

Oh I’ll edit it in a bit :stuck_out_tongue_closed_eyes:

Btw when visiting https://pihole.deltabot.me/ I still get an error, can’t get the error404 to appear there. I even put the error404 index.html in /var/www/html/

Does anyone have any suggestions?

Btw the openresolver thing is ok for now, it's not really a big issue for me and almost broke my pihole so xD

Visiting a bare root URL like your link will automatically redirect to /admin/. You will not see the block page for https as that's considered a man in the middle attack, unless your clients have your Certificate Authority installed in their browsers.

Mhm, interesting, I've never realised that would be a thing with PiHole.
So, I would still prefer to show the user the error404, that has the link to the correct page /admin/. Would that still be possible with some small code edits?
Or, to have the / redirect to /admin/? Currently showing that error isn't preferable :slight_smile:

https://pihole.deltabot.me/ already redirects to https://pihole.deltabot.me/admin/

If you want it to do / show something else then you will need to modify the webserver to do as such.

Hey Dan,

I don't know how this happened, but you're totally right! I tried a clean browser (no cookies etc) and for me and my phone it didn't redirect it to /admin/.

I'm super happy with the result and can't thank each of you enough for all your help and time you've put into answering my questions!

One final thing I might be able to submit a pull for is to add the same favicon from /admin/ to this page:

If that's ok I can see if I can submit a pull for that :slight_smile:

PS.
https://www.openresolver.nl/?host=deltabot.me
https://www.openresolver.nl/?host=pihole.deltabot.me
Both are now good @deHakkelaar!
