pihole admin screen times out

Please follow the below template, it will help us to help you!

Expected Behaviour:

The pihole admin screen in Chrome

Actual Behaviour:

establishing secure connection ... ERR_TIMED_OUT

Debug Token:

https://tricorder.pi-hole.net/5nbo0ross3

nginx is not a supported webserver.

You can search Discourse for community supported solutions that may assist you.

*** [ DIAGNOSING ]: Dashboard and block page
[✗] Block page X-Header: X-Header does not match or could not be retrieved.
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 24 Apr 2020 00:25:31 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: <redacted>
Referrer-Policy: no-referrer, strict-origin-when-cross-origin
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Public-Key-Pins: pin-sha256="EUHOVJ+d40agKdy64LJNDF9y8cr0mTkwW+eKWSZATa0="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="; pin-sha256="Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o="; pin-sha256="CfyancXuwYEHYRX3mmLJI3NFW6E8cydaCGS1D9wGhT4="; max-age=86400; includeSubDomains; report-uri="https://reyskywalker.report-uri.com/r/d/csp/reportOnly"
Feature-Policy: fullscreen 'none'; microphone 'none'; geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; camera 'none'; speaker 'none';
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com; font-src 'self'; object-src 'none'; connect-src 'self'; form-action 'self'; style-src-elem 'self'; upgrade-insecure-requests; report-uri https://reyskywalker.report-uri.com/r/d/csp/reportOnly;
X-Permitted-Cross-Domain-Policies: master-only
Expect-CT: max-age=0
Pragma: no-cache
Cache-Control: no-cache
Allow: GET, POST, HEAD
Set-Cookie: __Host-sess=123; path=/; Secure; HttpOnly; SameSite=Strict;


[✗] Web interface X-Header: X-Header does not match or could not be retrieved.
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 24 Apr 2020 00:25:31 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: <redacted>
Referrer-Policy: no-referrer, strict-origin-when-cross-origin
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Public-Key-Pins: pin-sha256="EUHOVJ+d40agKdy64LJNDF9y8cr0mTkwW+eKWSZATa0="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="; pin-sha256="Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o="; pin-sha256="CfyancXuwYEHYRX3mmLJI3NFW6E8cydaCGS1D9wGhT4="; max-age=86400; includeSubDomains; report-uri="https://reyskywalker.report-uri.com/r/d/csp/reportOnly"
Feature-Policy: fullscreen 'none'; microphone 'none'; geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; camera 'none'; speaker 'none';
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com; font-src 'self'; object-src 'none'; connect-src 'self'; form-action 'self'; style-src-elem 'self'; upgrade-insecure-requests; report-uri https://reyskywalker.report-uri.com/r/d/csp/reportOnly;
X-Permitted-Cross-Domain-Policies: master-only
Expect-CT: max-age=0
Pragma: no-cache
Cache-Control: no-cache
Allow: GET, POST, HEAD
Set-Cookie: __Host-sess=123; path=/; Secure; HttpOnly; SameSite=Strict;

Side Note: Conditional Forwarding to a domain that exists on the internet will cause you problems unless you know exactly why and how you are doing it.

Any more progress on this?
I've stopped the nginx service and the timeout still occurs. It works with http, just not https.

thanks

Send a new debug token after you've reenabled lighttpd.

What blocking mode are you using? Have you adjusted your firewall for port 443 if you are not using the default mode? See the HTTPS section on the link below.

The only way to have nginx and Pi-hole on the same server is to have lighttpd installed but configured to a different port (other than 80), and an nginx rule for the IP/name of the server that forwards the request to the lighttpd port.

That way, you can keep all the other nginx rules/forwards and have Pi-hole web interface on the same server.

One thing to keep in mind: an update of Pi-hole will overwrite the edited lighttpd.conf file.
It will restore port 80, and then it will fail to start (lighttpd or maybe, after a reboot, nginx, as they will fight for 80).

Dan,

  • nginx off
  • Conditional Forwarding off

-- works over http
-- https://tricorder.pi-hole.net/8lx2njr96o

Expected Behaviour:

The pihole admin screen in Chrome

Actual Behaviour:

establishing secure connection … ERR_TIMED_OUT

hope you can provide some thoughts

thanks

Check the guide you used for TLS configuration:

-rwxr-x--- 1 www-data www-data 535 Apr 26 08:29 /var/log/lighttpd/error.log
   2020-04-26 08:26:24: (log.c.217) server started 
   2020-04-26 08:26:24: (server.c.1295) WARNING: unknown config-key: alias.url (ignored) 
   2020-04-26 08:27:58: (server.c.1828) server stopped by UID = 0 PID = 1 
   2020-04-26 08:29:06: (log.c.217) server started 
   2020-04-26 08:29:06: (server.c.1295) WARNING: unknown config-key: alias.url (ignored) 
   2020-04-26 08:29:06: (server.c.1295) WARNING: unknown config-key: ssl.openssl.ssl-conf-cmd (ignored) 
   2020-04-26 08:29:06: (server.c.1295) WARNING: unknown config-key: ssl.privkey (ignored) 

Best guess is that something in the files you've included is not correct. (Note: Any changes to the lighttpd.conf file will be overwritten on update; making changes like you have is not supported.)

   include_shell "find /etc/lighttpd/conf-enabled -name '*.conf' -a ! -name 'letsencrypt.conf' -printf 'include \"%p\"\n' 2>/dev/null"
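
An added example (not part of the original post, and not Pi-hole or lighttpd code): a Python script that groups the `unknown config-key ... (ignored)` warnings from the error.log excerpt above by server start, so the directives that were newly ignored after the 08:29:06 restart stand out. The function names are illustrative; the sample lines are copied from the excerpt.

```python
import re

# Log lines copied from the error.log excerpt in the post above.
SAMPLE_LOG = """\
2020-04-26 08:26:24: (log.c.217) server started
2020-04-26 08:26:24: (server.c.1295) WARNING: unknown config-key: alias.url (ignored)
2020-04-26 08:27:58: (server.c.1828) server stopped by UID = 0 PID = 1
2020-04-26 08:29:06: (log.c.217) server started
2020-04-26 08:29:06: (server.c.1295) WARNING: unknown config-key: alias.url (ignored)
2020-04-26 08:29:06: (server.c.1295) WARNING: unknown config-key: ssl.openssl.ssl-conf-cmd (ignored)
2020-04-26 08:29:06: (server.c.1295) WARNING: unknown config-key: ssl.privkey (ignored)
"""

LINE_RE = re.compile(r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): \(([^)]+)\) (.*?)\s*$")
IGNORED_RE = re.compile(r"WARNING: unknown config-key: (\S+) \(ignored\)")


def ignored_keys_per_start(log_text):
    """Return one dict per 'server started' line: start time and ignored keys."""
    runs = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip blank or non-lighttpd lines
        stamp, _source, message = m.groups()
        if message == "server started":
            runs.append({"started": stamp, "ignored": []})
            continue
        hit = IGNORED_RE.search(message)
        if hit and runs:
            runs[-1]["ignored"].append(hit.group(1))
    return runs


def tls_findings(runs):
    """Compare the last two starts: which ssl.* directives were newly ignored."""
    if not runs:
        return {"ignored_tls": [], "newly_ignored": []}
    latest = runs[-1]["ignored"]
    previous = set(runs[-2]["ignored"]) if len(runs) > 1 else set()
    return {
        "ignored_tls": [k for k in latest if k.startswith("ssl.")],
        "newly_ignored": [k for k in latest if k not in previous],
    }


if __name__ == "__main__":
    runs = ignored_keys_per_start(SAMPLE_LOG)
    for run in runs:
        print(run["started"], "ignored:", ", ".join(run["ignored"]) or "none")
    print(tls_findings(runs))
```

A key reported as ignored had no effect on the running server, which is why the TLS settings taken from the guide are the place to look.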

curl -Iv https://raspberrypi.lallybroch.com.au:8080

* Rebuilt URL to: https://raspberrypi.lallybroch.com.au:8080/
*   Trying 192.168.0.55...
* TCP_NODELAY set
* Connected to raspberrypi.lallybroch.com.au (192.168.0.55) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):

Your code produces:
include "/etc/lighttpd/conf-enabled/15-fastcgi-php.conf"
include "/etc/lighttpd/conf-enabled/10-fastcgi.conf"
include "/etc/lighttpd/conf-enabled/90-javascript-alias.conf"

Do I add the find into lighttpd.conf?

thank you

The code I copied was from your lighttpd.conf file already. I don't know what guide you are following but it's not one that we've done.


*** [ DIAGNOSING ]: contents of /etc/lighttpd

-rw-r--r-- 1 root root 3501 Apr 26 04:51 /etc/lighttpd/lighttpd.conf
   server.modules = (
   	"mod_access",
   	"mod_accesslog",
   	"mod_auth",
   	"mod_expire",
   	"mod_compress",
   	"mod_redirect",
   	"mod_setenv",
   	"mod_rewrite"
   )
   server.document-root        = "/var/www/html"
   server.error-handler-404    = "/pihole/index.php"
   server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
   server.errorlog             = "/var/log/lighttpd/error.log"
   server.pid-file             = "/var/run/lighttpd.pid"
   server.username             = "www-data"
   server.groupname            = "www-data"
   server.port                 = 8080
   accesslog.filename          = "/var/log/lighttpd/access.log"
   accesslog.format            = "%{%s}t|%V|%r|%s|%b"
   index-file.names            = ( "index.php", "index.html", "index.lighttpd.html" )
   url.access-deny             = ( "~", ".inc", ".md", ".yml", ".ini" )
   static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
   compress.cache-dir          = "/var/cache/lighttpd/compress/"
   compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )
   mimetype.assign   = ( ".png"  => "image/png",
                         ".jpg"  => "image/jpeg",
                         ".jpeg" => "image/jpeg",
                         ".html" => "text/html",
                         ".css" => "text/css; charset=utf-8",
                         ".js" => "application/javascript",
                         ".json" => "application/json",
                         ".txt"  => "text/plain",
                         ".svg"  => "image/svg+xml" )
   include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
   include_shell "find /etc/lighttpd/conf-enabled -name '*.conf' -a ! -name 'letsencrypt.conf' -printf 'include \"%p\"\n' 2>/dev/null"
   $HTTP["url"] =~ "^/admin/" {
       
       setenv.add-response-header = (
           "X-Pi-hole" => "The Pi-hole Web interface is working!",
           "X-Frame-Options" => "DENY"
       )
       $HTTP["url"] =~ ".ttf$" {
           
           setenv.add-response-header = ( "Access-Control-Allow-Origin" => "*" )
       }
   }
   $HTTP["url"] =~ "^/admin/\.(.*)" {
        url.access-deny = ("")
   }
   include_shell "cat external.conf 2>/dev/null"

Hi Dan,

All non standard code removed from lighttpd.conf.

I've narrowed it down to pihole and SSL.

On entering ...
curl -Iv https://raspberrypi.lallybroch.com.au:8080

* Rebuilt URL to: https://raspberrypi.lallybroch.com.au:8080/
*   Trying 192.168.0.55...
* TCP_NODELAY set
* Connected to raspberrypi.lallybroch.com.au (192.168.0.55) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):

TLS erroring and not sure where the CAfile: /etc/ssl/certs directory comes into it.

Thoughts please?

Thank you once again.

This is beyond what we support. Please see Enabling HTTPS for your Pi-hole Web Interface for community support with SSL/TLS.
