Pi-hole with Nginx: Port 80 not usable?

Lele · October 21, 2021, 9:35pm

I got my Pi-Hole set up and working as intended. I'm now trying to run a second webserver (nginx) on the same pi to run some websites. I set up two ip's on eth0 with netplan:

network:
  ethernets:
    eth0:
      addresses:
        - 172.16.1.2/24
        - 172.16.1.3/24
      dhcp4: no
      gateway4: 172.16.1.1
      nameservers:
        addresses: [127.0.0.1]
      optional: true
  version: 2

This works fine, I can ping both addresses and get an answer. I edited /etc/lighttpd/external.conf to have following inside: server.bind = "172.16.1.2"
It's got only this inside. Nginx I set to listen only on the other ip (172.16.1.3) and on Port 80
Also I changed the root-directory of Nginx to /var/www/nginx instead of the standard /var/www/html to have it better separated

Expected Behaviour:

Pi-hole web-GUI is available under http://IP:80/admin

My own hosted websites (right now the default nginx "It works" page, adding mine when it works) are available at http://SecondIP:80/whatever

Actual Behaviour:

Pi-hole GUI is accessible with http://IP:80/admin

Own hosted website (nginx-page) gets ERR_CONNECTION REFUSED on http://SecondIP:80/whatever
When I set Nginx to listen on port 12345 for example but the same second ip, I get the desired website with http://SecondIP:12345/whatever

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      34666/pihole-FTL
tcp        0      0 172.16.1.3:80           0.0.0.0:*               LISTEN      45428/nginx: master
tcp        0      0 172.16.1.2:80           0.0.0.0:*               LISTEN      36738/lighttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      34666/pihole-FTL
tcp6       0      0 ::1:4711                :::*                    LISTEN      34666/pihole-FTL
tcp6       0      0 :::80                   :::*                    LISTEN      36738/lighttpd
tcp6       0      0 :::53                   :::*                    LISTEN      34666/pihole-FTL
udp        0      0 0.0.0.0:53              0.0.0.0:*                           34666/pihole-FTL
udp        0      0 0.0.0.0:67              0.0.0.0:*                           34666/pihole-FTL
udp6       0      0 :::53                   :::*                                34666/pihole-FTL

Which shows that both nginx and pihole are listening on their own ip's respectively, but still pihole seems to be blocking port 80 on the whole interface. *
Is there a way to set it to only listen on the desired IP and not interface? If not, do I need to create some kind of a virtual interface for nginx?
Also I'm kind of confused with the external.conf of lighttpd, do I need to copy the whole lighttp.conf into it and add the desired line or is it sufficient to only type in the line I want added/changed? Didn't really find anything on the web for that.

*IPv6 is not the problem as this is disabled in nginx

I tried quite a long time and went to read multiple blogs/tutorials about this too and did the same on my setup but it still won't work, but not loosing hope just yet so I'm hoping to get some clarification on here

jfb · October 21, 2021, 9:57pm

Lele · October 21, 2021, 10:10pm

Okay so I did that part right, I did not change lighttpd.conf because of this reason and the external.conf only has one line in it which is server.bind = "172.16.1.2" so it should only listen to that ip.
But still, port 80 is somehow not responding with the second ip for nginx and returning an error somehow

jfb · October 21, 2021, 10:11pm

Did you set the server port in external.conf per the linked thread?

Lele · October 21, 2021, 10:15pm

No, I only set the ip address, since the port is already set to 80 in the lighttpd.conf itself. Does it need to be mentioned again per "server.port"?

jfb · October 21, 2021, 10:17pm

Make this entry in the external.conf file and restart lighttpd and see if the problem resolves.

Lele · October 21, 2021, 10:23pm

I have following in external.conf now:

server.bind = "172.16.1.2"
server.port := 80

It is still not loading the other website

jfb · October 21, 2021, 10:31pm

Fresh debug token please.

Lele · October 21, 2021, 10:40pm

https://tricorder.pi-hole.net/YBj68ouC/

jfb · October 21, 2021, 11:25pm

Please post a screen capture of what you see when you try to load the "other" website. In this forum, you can paste an image directly into a reply (as a file or as a clipboard item).

Lele · October 22, 2021, 12:04am

This error shows up, which means I do get an answer from that address, just not the one I want/need

jfb · October 22, 2021, 12:46am

What is the complete URL you are loading here?

Lele · October 22, 2021, 6:16am

Right now that is http://172.16.1.3
Which should display the nginx "it works" page

Bucking_Horn · October 22, 2021, 8:50pm

Lele:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      34666/pihole-FTL
tcp        0      0 172.16.1.3:80           0.0.0.0:*               LISTEN      45428/nginx: master
tcp        0      0 172.16.1.2:80           0.0.0.0:*               LISTEN      36738/lighttpd

Did you check your nginx configuration?
According to the information you shared, it is your nginx at 172.16.1.3 that is refusing the connection.

Lele · October 22, 2021, 9:24pm

Yes I did.
When I left everything on nginx as it is, except changing the port to 12345, I could access the default page from nginx with http://172.16.1.3:12345
So nginx is working as intended.

My guess is that pihole or rather lighttpd is blocking (listening on) port 80 on the whole interface eth0 but only answering on the ip address 172.16.1.2 as I set this in external.conf, and the other ip is being blocked/refused to answer.

Bucking_Horn · October 22, 2021, 9:29pm

EDIT: I'm not aware of lighttpd being able to bind to interfaces at all (see e.g. https://redmine.lighttpd.net/issues/2368).

Did you try to verify that assumption?
Which webserver is logging the refused connection attempt?

Lele · October 22, 2021, 9:42pm

I just went and checked but did not find the refused log entry. However, I found in the nginx log, that even though it was listening on 172.16.1.3 as seen in netstat - nltup, there was this in error.log

2021/10/22 01:13:02 [emerg] 1964#1964: bind() to 172.16.1.3:80 failed (99: Cannot assign requested address)

So it is listening on that port but also not as it failed to bind to that port on that ip

Bucking_Horn · October 22, 2021, 9:55pm

Could you share the listen directives from your nginx config?

Lele · October 22, 2021, 10:28pm

server {
        listen 172.16.1.3:80 default_server;
        #listen [::]:80 default_server;

        root /var/www/nginx;

        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                try_files $uri $uri/ =404;
        }

}

Interesting, so since it can't really be lighttpd it makes even less sense as I don't have anything else installed that might use port 80

Bucking_Horn · October 23, 2021, 7:38am

I'm by no means literate in nginx, but did you try to strictly bind the address:port for your server (by adding the bind keyword to your listen directives)?