Pi-hole dashboard accessible without login

Dear all,

Due to the changes applied with the current updates, it is no longer possible to access the dashboard without being logged in while having a password set up.

This feature request came up as a few of the comments from the link above asked for the "old" behaviour, being able to check the dashboard without being logged in.

As the announcement thread was and is the wrong place to discuss, I have searched this place before creating this post. So far I have not found any duplicates. Hence this post.

Thanks upfront

Just to echo an opinion on the matter that I shared elsewhere

Short version of reasoning for the change is there are a lot of people out there that expose their Pi-hole web interface to the internet - behind a reverse proxy or otherwise (Just search Shodan!) The less information that is on those dashboards the more secure things are.

Yes it may be handy to glance and see what version you are on, or the number of clients on your network, or the number of domains you've blocked in the past 24 hours, it may be paranoid but I always assume that there are people much cleverer than me that could use information against me (even if, and especially if, I cannot think of how they might)

Take the 24hr graph.. potentially reveals when I am at home and when I am not. This is an extreme hypothetical, of course. Another example could be that there is (hypothetically!) a known exploit with a particular version of Pi-hole - advertising that for the world to see is practically inviting people to attack it.

Security should always trump convenience.

We always publish a blog post to announce new releases. Those blog posts are always cross posted to Reddit, Twitter, and our Discourse forums - there are plenty of ways to see when a new release is available!

As for other points - if your internet is working, so is Pi-hole. If you can get to http://pi.hole, then Pi-hole is working (if you're not seeing more ads than usual, Pi-hole is still working)

The feedback is appreciated, but we also have to accept that not everyone will always agree with design changes. As is always the way with these things, the people that have nothing negative to say about the change just won't say anything at all - so it can seem like a decision is less popular than it is.

3 Likes

Yes, safety should always be key, but everyone has a different setup and might not be exposed to the internet, and just wants to prevent everyone within the network from messing with the settings and have a quick overview of the key information as it used to be.

Maybe it can be achieved with an optional setting that is by default not active. A first attempt was already seen in the screenshot from user XelNika.

2 Likes

There's a saying in Germany: "Das Kind mit dem Bade ausgeschüttet." ("The baby poured out with the bath.").
The last time I have set up a pihole I have not been forced to set up a password, nor have I been forced to encrypt access to the web ui: I had to configure this by myself, which is fine by me.
So I believe it should also be up to the user what is shown to anybody who is able to enter (and reach) their piholes' URLs.

If "a lot of people" think they need to publish their piholes, thus making them publicly available, it should be up to them to secure access to it.

Therefore I too appreciate (an) option(s) to choose what is shown on the dashboard by default, but at least I believe one should be given exactly this: the option.

2 Likes

Absolutely true and nothing to argue with. You will never satisfy everyone. In addition, the feature request should not be interpreted as "I am unhappy with this, change it or else..." - not my intention. I was just interested in two things: how many other users share the idea and what is the developers' opinion on the matter.

So far it shed light as you have made the motivation and decision clear to everyone and some users supported the feature request.

Being honest, it is up to you guys. I will start living with it and accepting the fact I have to log in to check the state and graphs (I like graphs :smiley:). As the Englishman says: old habits die hard. I would like to add "but they die", meaning I will get used to it.

In the end I agree with you on:

though I also agree with mag:

Thanks for your reply and thanks to all other users supporting this feature request.

Take care guys!

1 Like

Fully agreed on the points made.

Could there be a middle road, where by default, the dash is not visible when not logged in, but users can enable it? (via web interface, or maybe even via conf file editing) (edit: just saw that @MiCado already suggested exactly that)

The point @PromoFaux made on people exposing their Pi-Hole to the internet is valid, and worrying. Could, as a second point, further action be made to avoid the potential nasty effects of that? I appreciate that somewhat recently, rate limiting was added which should already help.
Don't get me wrong, this last point should imho be independent from the point on the dashboard visibility, and is very important on its own...

Please restore this as optional functionality. Everyone wins in this case.

As pointed out in a previous topic: everyone who exposes Pi-hole on the internet is responsible for its security. Developers are not responsible for this.

So slowly but surely users reach out, asking for the feature to be implemented - one way or the other.

@PromoFaux is this anything you and the team (re)consider or is the decision cast in stone? I am just asking, to be brutally honest, if it makes sense getting more people's opinion on this topic or if it is not worth the time.

Thanks upfront

TL;DR - I wouldn't put any money on the changes being reverted

We're OK with some people being unhappy with change. It happens. The product is provided as-is, and for free. If we have made a decision to go in a certain direction, it's because that's the direction we want to go in, if a few feathers are ruffled in the process, then that is just the cost of change.

A handful of people needing to adjust their workflow (like... just login, the information is all there. Use a password manager and you don't even have to type your password), in my own honest opinion, does not constitute a pressing need to reverse a decision we have made. As I've said elsewhere, the vast majority of users either don't care or are happy with it - I know this because otherwise the amount of negative feedback would be overwhelming, and because people generally don't complain when they are happy.

Feature requests are one thing, but we are under no obligation to implement them - even if they are seemingly popular.

There are alternative ways to view the information you wish to via the API - and certainly alternative apps (there are both Android and iPhone 3rd party Pi-hole management apps).

The next major version of Pi-hole (known as v6.0) will feature a much richer API.

Nevertheless feedback is always appreciated, it helps us gauge things, and perhaps we ourselves need to learn to be more upfront with our explanations in the first place.

1 Like

Again, I agree with you. As expressed earlier, I am getting used to it. Using KeePassXC and their Firefox integration, I have not struggled with passwords for years. The only struggle is I can no longer log into stuff when not at my machine, as I am not sharing the password database anywhere.

I also like your - and I assume the team's - approach. Keep this spirit up!

I am now looking forward to v6.0 :wink:

Thanks and take care

3 Likes

Who changed this behaviour to such a stupid design? Even without an option to bring the "old" Splash-Page back?

there are a lot of people out there that expose their Pi-hole web interface to the internet

I can understand some kind of security concerns, if some stupid guys - without at least a bit of network-knowledge - expose everything to the world... But why in the hell should this affect me? I don't DNAT one of my internal DNS-Resolver to the whole world. People doing such shit have to learn their lessons the hard way.

I think all this change did is, people expose now an unencrypted HTTP log-in page! Great work DEVs. Now the bad guy can sniff their password in plain text. And people doing such stuff use only one password for everything. I think this change does exactly the opposite - it decreases security.

Implement an option to display the old Splash-Page. That's all I can say. And stop overthinking about other people's stupidity and what action they may take. A small DNS-resolver status page won't stop them doing other weird stuff.

https://discourse.pi-hole.net/faq


Bitching around does not increase the chances of bringing back the old login page.


Feel free to open a pull request or create your own fork.

1 Like

Okay, I'll overlook your post.

3 Likes

Pi-hole is a free open source project run by volunteers.
We take time out of our busy lives to develop software and answer questions.

You can request as many features as you like (we generally encourage this), but you have no right to demand anything.

Please, never assume that you have this right.

1 Like

@Developers I am on the verge of asking you to close this thread, as the tone and language are changing in a direction I would not like to see this post drift. I am up for constructive criticism and a constructive discussion, anytime and anywhere. It is important to discuss and feed back. As far as I am aware, we are starting to leave the road. Hence, guys/gals, try being as much of a gentleman/gentlewoman as possible. I do understand every aspect and trace of anger which has been expressed in here, but stay calm and relaxed. As the developers put it: they are spending their free time developing this for us, speaking for myself: not able to achieve anything they did.

4 Likes

Just to let you know. I’m actually glad this info isn’t revealed anymore to people who aren’t logged in. This takes away some risks.

If, and I don’t say there should be a change, it might be useful to be able to create users with fewer privileges so they can only see this info. And maybe some other settings.

Not for me btw. I’m happy as it is. But if there would be a concern this might be a solution.

4 Likes

I've posted a method of seeing some of these stats without being logged in, using Pi-hole's Chronometer feature.

I too am pleased that the main stats window is now behind a login. It was a solid decision that would seem to cover the broadest use-cases most securely.

1 Like