Some webpages slow to load (redux) - Centos 7

Expected Behaviour:

All webpages to load in reasonable time

Actual Behaviour:

Some https webpages stall, then load or don't load at all.
Problem is (I'm guessing) when visiting a https site that has https blocked domains.

Debug Token:

N/A

OS = Centos 7 (with latest updates)
Pi-hole version= 3.2.1
IPv6= OFF
DHCP= ON
Router DHCP= OFF

Sorry for rehashing this topic but my solution to this problem is not the same as what is posted around the forums. This is more of an FYI than a need for help.

One of the posted solutions which didn't work for me:
From FAQ: Why do some sites take forever to load when using Pi-hole?

Most of what I see says to block 443 [https] with firewall or is an issue with using IPv6 [which I'm not].

To show rules in Centos 7, using:

firewall-cmd --list-all

Shows that port 443 or the https service is not listed, so they are blocked by default.

If I use:

firewall-cmd --zone=public --add-service=https

NOTE: add '--permanent' if you want it to persist across a restart/reboot

Then test with 2nd link on following page:
Test HTTP vs HTTPs Blocking Performance

The response is immediate, e.g. blocked and "Unable to connect", which in this case is the desired response.

Delays were also seen on 'Digital Ocean' webpages among other pages.
Doing the above, fixes this issue for me with these pages.

Hope this helps someone.

Okay, so your interpretation may be wrong here. You say

However, adding

makes it working correctly:

My guess is that the firewall is set up to DROP every packet before it has a chance to hit the closed port, so the "blocked by default" has no effect at all. Your solution looks like:

  1. Port is closed, i.e. requests would be rejected
  2. You explicitly open the firewall to let HTTPS packets in and they immediately repel on the closed port

The effect of this seems to be 100% identical to the solution that is commonly used:

  1. Set up the firewall to explicitly REJECT any HTTPS requests so they repel immediately on the firewall

Thanks for the reply.

Highly probable.:+1:

I'm currently using the "Public" zone in 'firewalld' and it is the only active zone.
It is configured as:
[screenshot: Centos_zone]

NOTE: https is currently in services list but not shown in image.

Do you think adding the service 'https' is the right way to go? Should I be looking into 'rich rules'?
Thanks for your time.


To be honest I don't know what's the best approach to do it with Centos and I currently have no testing environment. However, what you do (open the firewall for HTTPS that is internally bouncing back on the port) is a fine solution - may not be the first choice but definitely a legit one!
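The two firewalld approaches compared in this thread (the original poster's "open the https service so the closed port answers at once" and the commonly used "reject 443 explicitly at the firewall", including the rich-rule form asked about above), written out as an added shell example. This is not code from the thread or from the Pi-hole project. It assumes the zone is `public`, that the Pi-hole host has nothing listening on TCP 443, and that `firewall-cmd` is the firewalld CLI as on CentOS 7; the `type="tcp-reset"` reject type is my choice so that both approaches end in a TCP RST for the browser. The `--list-all` listing is constructed sample output, and nothing is applied to a real firewall unless `APPLY=1` is set.

```shell
# Constructed sample of `firewall-cmd --zone=public --list-all` output
# (assumption: https not yet allowed, like the original poster's starting point).
SAMPLE_LIST_ALL='public (active)
  target: default
  interfaces: eth0
  services: dhcp dns ssh http
  ports:
  rich rules:
'

# zone_has_service LISTING NAME -> exit 0 if NAME appears on the "services:" line.
# Use this to check the current state before and after applying either approach.
zone_has_service() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == svc) found = 1 }
        END { exit found ? 0 : 1 }'
}

# reject_rule FAMILY PORT -> firewalld rich rule that answers TCP PORT with a RST
# instead of leaving the client waiting (the "reject explicitly" approach).
reject_rule() {
    printf 'rule family="%s" port port="%s" protocol="tcp" reject type="tcp-reset"' "$1" "$2"
}

# Approach A (what the original poster did): let 443 through the firewall, so the
# packet reaches the kernel, which has no listener and replies with a TCP RST.
approach_a_cmds() {
    printf '%s\n' \
        "firewall-cmd --permanent --zone=public --add-service=https" \
        "firewall-cmd --reload"
}

# Approach B (the commonly posted fix): reject 443 at the firewall itself, with
# no service opened. Verify afterwards with `firewall-cmd --zone=public --list-rich-rules`.
approach_b_cmds() {
    printf '%s\n' \
        "firewall-cmd --permanent --zone=public --add-rich-rule='$(reject_rule ipv4 443)'" \
        "firewall-cmd --reload"
}

# run_cmds reads one command per line; dry-runs unless APPLY=1 and firewall-cmd exists.
run_cmds() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ] && command -v firewall-cmd >/dev/null 2>&1; then
            sh -c "$cmd"
        else
            echo "DRY-RUN: $cmd"
        fi
    done
}

# Report the sample state and show both command sets (dry-run by default).
if zone_has_service "$SAMPLE_LIST_ALL" https; then
    echo "https already allowed in zone public"
else
    echo "https not allowed in zone public; blocked-domain connections to 443 get no immediate refusal"
fi
echo "--- approach A ---"; approach_a_cmds | run_cmds
echo "--- approach B ---"; approach_b_cmds | run_cmds
```

Pick one approach, not both: with approach A in place a later rich rule is redundant, and with approach B nothing new is exposed on the host, which is why it tends to be the first choice when the box runs anything else on 443.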