Webservice attempts to bind to all interfaces/IPs

This may be related to my earlier question about dnsmasq, or to topic: HTTPS in v6

Fresh and clean install of Beta-6 on Raspberry Pi 4b 8Gb.

Using knot-resolver and unbound as local DNS upstreams on all three DNS channels (dns, dot and doh), so they have listeners on port 443:

$ sudo netstat -tunlp | grep 443
tcp        0      0 127.0.1.1:443           0.0.0.0:*               LISTEN      756/kresd
tcp        0      0 127.0.1.1:443           0.0.0.0:*               LISTEN      755/kresd
tcp6       0      0 ::13:443                :::*                    LISTEN      756/kresd
tcp6       0      0 ::13:443                :::*                    LISTEN      755/kresd

In /etc/pihole/pihole.toml I have set:

 port = "192.168.144.13:80,443s" ### CHANGED, default = "80,[::]:80,443s,[::]:443s"

avoiding IPv6 for the moment.

PiHole fails to start with the webserver logging errors of:

[2024-08-30 14:12:19.837 CDT 811] Initializing HTTP server on port 192.168.144.13:80,443s
[2024-08-30 14:12:19.839 CDT 811] cannot bind to 443s: 98 (Address in use)
[2024-08-30 14:12:19.839 CDT 811] Failed to setup server ports
[2024-08-30 14:12:35.052 CDT 803] Initializing HTTP server on port 192.168.144.13:80,443s
[2024-08-30 14:12:35.062 CDT 803] cannot bind to 443s: 98 (Address in use)
[2024-08-30 14:12:35.062 CDT 803] Failed to setup server ports

You can see from the netstat above, that the only reason it might complain about address in use is if it is trying to bind to all interfaces and all IPs.

I don't see an option to set the network interface as is done in dns.interface, so is there a way to constrain the promiscuous behavior and restrict it to listen on just one interface?

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

Defaults:
port = "80,[::]:80,443s,[::]:443s"

IPv4 specified:
port = "192.168.144.13:80,443s"

For both, FTL reports life is good:

$ sudo pihole status
  [✓] FTL is listening on port 53
     [✓] UDP (IPv4)
     [✓] TCP (IPv4)
     [✓] UDP (IPv6)
     [✓] TCP (IPv6)

  [✓] Pi-hole blocking is enabled

but the webUI fails:

[2024-08-30 18:31:02.223 CDT 807] Initializing HTTP server on port 80,[::]:80,443s,[::]:443s
[2024-08-30 18:31:02.225 CDT 807] cannot bind to 443s: 98 (Address in use)
[2024-08-30 18:31:02.226 CDT 807] cannot bind to IPv6 [::]:443s: 98 (Address in use)
[2024-08-30 18:31:02.226 CDT 807] Failed to setup server ports
[2024-08-30 18:35:13.149 CDT 807] Initializing HTTP server on port 192.168.144.13:80,443s
[2024-08-30 18:35:13.151 CDT 807] cannot bind to 443s: 98 (Address in use)
[2024-08-30 18:35:13.151 CDT 807] Failed to setup server ports
[2024-08-30 18:35:31.102 CDT 804] Initializing HTTP server on port 192.168.144.13:80,443s
[2024-08-30 18:35:31.104 CDT 804] cannot bind to 443s: 98 (Address in use)
[2024-08-30 18:35:31.105 CDT 804] Failed to setup server ports

and just to be complete:

 $ sudo netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.1.2:53            0.0.0.0:*               LISTEN      735/unbound
tcp        0      0 127.0.1.2:53            0.0.0.0:*               LISTEN      735/unbound
tcp        0      0 192.168.144.13:53       0.0.0.0:*               LISTEN      804/pihole-FTL
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      735/unbound
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      704/sshd: /usr/sbin
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      756/kresd
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      757/kresd
tcp        0      0 127.0.1.1:443           0.0.0.0:*               LISTEN      756/kresd
tcp        0      0 127.0.1.1:443           0.0.0.0:*               LISTEN      757/kresd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      824/dnsdist
tcp        0      0 127.0.1.1:853           0.0.0.0:*               LISTEN      756/kresd
tcp        0      0 127.0.1.1:853           0.0.0.0:*               LISTEN      757/kresd
tcp6       0      0 ::14:53                 :::*                    LISTEN      735/unbound
tcp6       0      0 ::14:53                 :::*                    LISTEN      735/unbound
tcp6       0      0 ::13:53                 :::*                    LISTEN      757/kresd
tcp6       0      0 ::13:53                 :::*                    LISTEN      756/kresd
tcp6       0      0 ::13:443                :::*                    LISTEN      757/kresd
tcp6       0      0 ::13:443                :::*                    LISTEN      756/kresd
tcp6       0      0 ::1:8953                :::*                    LISTEN      735/unbound
tcp6       0      0 ::13:853                :::*                    LISTEN      757/kresd
tcp6       0      0 ::13:853                :::*                    LISTEN      756/kresd
tcp6       0      0 fde4:b3e2:db9e:1000::53 :::*                    LISTEN      804/pihole-FTL
tcp6       0      0 :::22                   :::*                    LISTEN      704/sshd: /usr/sbin
udp        0      0 0.0.0.0:40901           0.0.0.0:*                           536/avahi-daemon: r
udp        0      0 127.0.0.1:53            0.0.0.0:*                           824/dnsdist
udp        0      0 192.168.144.13:53       0.0.0.0:*                           804/pihole-FTL
udp        0      0 127.0.1.1:53            0.0.0.0:*                           756/kresd
udp        0      0 127.0.1.1:53            0.0.0.0:*                           757/kresd
udp        0      0 127.0.1.2:53            0.0.0.0:*                           735/unbound
udp        0      0 127.0.1.2:53            0.0.0.0:*                           735/unbound
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           536/avahi-daemon: r
udp6       0      0 fde4:b3e2:db9e:1000::53 :::*                                804/pihole-FTL
udp6       0      0 ::14:53                 :::*                                735/unbound
udp6       0      0 ::14:53                 :::*                                735/unbound
udp6       0      0 ::13:53                 :::*                                757/kresd
udp6       0      0 ::13:53                 :::*                                756/kresd
udp6    2752      0 fe80::b438:cbda:45e:546 :::*                                589/NetworkManager
udp6       0      0 :::37578                :::*                                536/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                536/avahi-daemon: r

Did you try 192.168.144.13:80,192.168.144.13:443s?

That works for IPv4 - though I will say that the in-file documentation doesn't make the need to specify IP address each time very clear, though after re-reading about 5-6 times and ignoring the examples, it does seem that the IP needs to be specified for each port.

I still think that the v5 behavior, whether or not it was an artifact of the separate dnsmasq configurations, where binding to a specific network interface and/or to specific IP addresses was possible for both the FTL and the Web processes, was less complex to configure and less opaque to comprehend.

I got a bit over-enthusiastic though and tried IPv6 as well with:

port = "192.168.144.13:80,192.168.144.13:443s,[fde4:b3e2:db9e:1000::13]:80,[fde4:b3e2:db9e:1000::13]:443s"

which naturally broke with an error:

[2024-08-30 21:07:09.203 CDT 820] Initializing HTTP server on port 192.168.144.13:80,[fde4:b3e2:db9e:1000::13]:80,192.168.144.13:443s,[fde4:b3e2:db9e:1000::13]:443s
[2024-08-30 21:07:09.205 CDT 820] cannot bind to IPv6 [fde4:b3e2:db9e:1000::13]:80: 99 (Address not available)
[2024-08-30 21:07:09.205 CDT 820] cannot bind to IPv6 [fde4:b3e2:db9e:1000::13]:443s: 99 (Address not available)
[2024-08-30 21:07:09.205 CDT 820] Failed to setup server ports

Even though:

$ ip addr show dev eth0 | grep 13
    inet 192.168.144.13/24 brd 192.168.144.255 scope global noprefixroute eth0
    inet6 fde4:b3e2:db9e:1000::13/64 scope global noprefixroute

IPv6 debug file

It's after 9 p.m. local, so I'll try more options/variants in the morning.

Thanks for the pointers and it's so close I can "smell the electrons"... :smile:

Your last debug log shows Pi-hole is using the expected ports:

[✓] tcp:192.168.144.13:443 is in use by pihole-FTL
[✓] tcp:192.168.144.13:53 is in use by pihole-FTL
[✓] tcp:192.168.144.13:80 is in use by pihole-FTL
...
[✓] tcp:[fde4:b3e2:db9e:1000::13]:443 is in use by pihole-FTL
[✓] tcp:[fde4:b3e2:db9e:1000::13]:53 is in use by pihole-FTL
[✓] tcp:[fde4:b3e2:db9e:1000::13]:80 is in use by pihole-FTL

And the last entry in webserver.log is:

[2024-08-30 21:14:38.494 CDT 820] Initializing HTTP server on port 192.168.144.13:80,192.168.144.13:443s,[fde4:b3e2:db9e:1000::13]:80,[fde4:b3e2:db9e:1000::13]:443s

(no errors after that)

Regarding Pi-hole's documentation:

The value description states:

Allowed values: comma-separated list of <[ip_address:]port>

To me, that makes it quite clear that you'd need at least one such <[ip_address:]port> for each port.

The relevant example reads:

For example, to bind to the loopback interface on port 80 (IPv4) and to all interfaces port 8080 (IPv4), use "127.0.0.1:80,8080".

That example again demonstrates the need to have at least one port definition for each ip address to port mapping, and it explicitly emphasises that a port without an IP would bind to all interfaces.

How would you suggest that should be improved?
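
The rule discussed in this thread (an entry with no address binds to every interface, so a bare `443s` collides with any listener already on port 443), as an added example that is not part of the original posts or of Pi-hole's code. It parses a `port` value and checks it against listeners copied from the netstat output above; the function names are hypothetical, flag letters are treated as an opaque suffix, and the dual-stack behaviour of `[::]` is ignored.

```python
import ipaddress
import re

# One entry of the comma-separated list: [ip_address:]port plus optional flag letters.
ENTRY = re.compile(r"^(?:(\[[0-9A-Fa-f:.]+\]|[0-9.]+):)?(\d+)([a-z]*)$")

def parse_port_spec(spec):
    """Split a port value into (address, port, flags) tuples.
    An entry without an address is recorded as the IPv4 wildcard 0.0.0.0."""
    entries = []
    for raw in spec.split(","):
        m = ENTRY.match(raw.strip())
        if not m:
            raise ValueError(f"unparseable entry: {raw!r}")
        host, port, flags = m.groups()
        addr = ipaddress.ip_address(host.strip("[]") if host else "0.0.0.0")
        entries.append((addr, int(port), flags))
    return entries

def fmt(addr, port, flags=""):
    """Render an address/port pair, bracketing IPv6 addresses."""
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    return f"{host}:{port}{flags}"

def wildcard_entries(spec):
    """Entries that would listen on every interface of their address family."""
    return [fmt(a, p, f) for a, p, f in parse_port_spec(spec) if a.is_unspecified]

def conflicts(spec, listeners):
    """Pair each entry with the existing listeners that would make bind() fail
    with 'Address in use': same family and port, and either side is a wildcard
    or both addresses are equal. Simplification: families are checked separately."""
    hits = []
    for addr, port, flags in parse_port_spec(spec):
        for l_ip, l_port in listeners:
            other = ipaddress.ip_address(l_ip)
            if port != l_port or addr.version != other.version:
                continue
            if addr.is_unspecified or other.is_unspecified or addr == other:
                hits.append((fmt(addr, port, flags), fmt(other, l_port)))
    return hits

# Sample listeners, copied from the netstat output in this thread (TCP only).
LISTENERS = [("127.0.1.1", 443), ("::13", 443), ("192.168.144.13", 53), ("0.0.0.0", 22)]

if __name__ == "__main__":
    for spec in ("192.168.144.13:80,443s", "192.168.144.13:80,192.168.144.13:443s"):
        print(spec, "->", conflicts(spec, LISTENERS) or "no conflict")
```

Running `wildcard_entries` over a configured value is also a quick way to confirm that the web interface is not exposed on interfaces it was never meant to serve.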

It could be I'm just slow - it did take me several read-throughs to comprehend that instruction set.

I would make it more explicit - maybe something like:
"... Pi-Hole will bind to all available interfaces and IP addresses in the absence of a configured IP and port pair ..."

I still would like to see the webserver section have an option for .interface, and/or .listen.ipv4 and .listen.ipv6 and then the ports with the r and s flags.

Well, as of this morning, the WebUI still reports:

This site can’t be reached

coeus.lan.null-route.us refused to connect.

Try:

ERR_CONNECTION_REFUSED

and the log tail says:

[2024-08-31 17:01:48.390 CDT 20378] Initializing HTTP server on port 192.168.144.13:80r,192.168.144.13:443s,[fde4:b3e2:db9e:1000::13]:80r,[fde4:b3e2:db9e:1000::13]:443s
[2024-08-31 17:04:40.292 CDT 793] Initializing HTTP server on port 192.168.144.13:80r,192.168.144.13:443s,[fde4:b3e2:db9e:1000::13]:80r,[fde4:b3e2:db9e:1000::13]:443s
[2024-08-31 17:04:40.294 CDT 793] cannot bind to IPv6 [fde4:b3e2:db9e:1000::13]:80r: 99 (Address not available)
[2024-08-31 17:04:40.294 CDT 793] cannot bind to IPv6 [fde4:b3e2:db9e:1000::13]:443s: 99 (Address not available)
[2024-08-31 17:04:40.294 CDT 793] Failed to setup server ports
$ ip addr show dev eth0 | grep 13
    inet 192.168.144.13/24 brd 192.168.144.255 scope global noprefixroute eth0
    inet6 fde4:b3e2:db9e:1000::13/64 scope global noprefixroute

Latest Debug Log