
[Solved] Refusing connections when on IPv6 using external.conf and SSL Engine

Added by kellytrinh almost 4 years ago

Hi - posted this on issues but realised there seems to be no traffic there (only one issue outstanding? Not sure if it's actually used).
Please excuse me if this is a double post.

I have an error related to installing an SSL cert on a Pi-hole installation and would like ideas on how to fix it.

Operating System (OS): Ubuntu 18.04 LTS
Version of Lighttpd: lighttpd/1.4.45 (ssl) (Jun 24 2019 22:58:56)
Configuration: Default pi-hole installation
What client you used (Browser, curl, etc.): Both Chrome and Edge show error as described below.

Original writeup from the issues page below:

What happened:

Followed the instructions in the OP of this thread:
https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771

Testing and errors as described in this post:
https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771/84

tl;dr - IPv6 working before changes; IPv6 stopped working once changes made to add SSL cert; IPv4 working the whole time and shows cert coming through hence issue may be something related to lighttpd treatment of IPv6.

What I expect

That IPv4 and IPv6 are treated equally, so if it works for v4 it should work for v6.


Replies (5)

RE: Refusing connections when on IPv6 using external.conf and SSL Engine - Added by gstrauss almost 4 years ago

This site is the official site for lighttpd.

However, any Linux distribution which packages lighttpd does so independently from this site, and the configuration they provide is also independent from this site. Similarly, independent distributions are responsible (or not) for keeping up with the latest lighttpd releases, which include bug fixes. lighttpd 1.4.45 was released Jan 2017, over three years ago. There have been ten (10) major releases since then (and 831 commits). The latest lighttpd is lighttpd 1.4.55, released Jan 2020.

My goal in saying all this is to temper your expectations. Were you using the latest lighttpd, it would be much easier for us to help you. Instead, what you are asking is that we go back and troubleshoot lighttpd from 3 years ago, and lighttpd has been greatly improved in the interim.

Please attach the output of `lighttpd -p -f /etc/lighttpd/lighttpd.conf` so that we can better see what you are trying to do.

RE: Refusing connections when on IPv6 using external.conf and SSL Engine - Added by gstrauss almost 4 years ago

> What I expect
> That IPv4 and IPv6 are treated equally, so if it works for v4 it should work for v6.

IPv4 and IPv6 are configured independently in lighttpd. They are treated equally, but separately. ssl configuration is also configured independently in lighttpd, and needs to be repeated for IPv4 socket configuration and IPv6 socket configuration.

In lighttpd 1.4.46 (released Oct 2017) and later, the ssl configuration can be inherited from the global scope and shared between IPv4 and IPv6 configurations.

RE: Refusing connections when on IPv6 using external.conf and SSL Engine - Added by kellytrinh almost 4 years ago

Hi,

Thanks for the fast revert. I'll convey this feedback to the Pi-hole guys to update the lighttpd used and let them decide how to handle the change/testing/etc.
Expectation-wise, I recognize this is free of charge, so I'm happy to get any help from the community.

For `lighttpd -p -f /etc/lighttpd/lighttpd.conf` - see below. It's a standard Pi-hole install, but the extra parts added for SSL are based on the thread below and show up in blocks 5-8 below.
(https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771)

> config {
> var.PID                        = 15092
> var.CWD                        = "/home/username" 
> fastcgi.server                 = (
> ".php" => (
> (
> "bin-path"              => "/usr/bin/php-cgi",
> "socket"                => "/var/run/lighttpd/php.socket",
> "max-procs"             => 1,
> "bin-environment"       => (
> "PHP_FCGI_CHILDREN"     => "4",
> "PHP_FCGI_MAX_REQUESTS" => "10000",
> # 2
> ),
> "bin-copy-environment"  => ("PATH", "SHELL", "USER"),
> # 5
> "broken-scriptfilename" => "enable",
> # 6
> ),
> ),
> )
> server.document-root           = "/var/www/html" 
> server.error-handler-404       = "/pihole/index.php" 
> server.upload-dirs             = ("/var/cache/lighttpd/uploads")
> server.errorlog                = "/var/log/lighttpd/error.log" 
> server.pid-file                = "/var/run/lighttpd.pid" 
> server.username                = "www-data" 
> server.groupname               = "www-data" 
> server.port                    = 80
> accesslog.filename             = "/var/log/lighttpd/access.log" 
> accesslog.format               = "%{%s}t|%V|%r|%s|%b" 
> index-file.names               = ("index.php", "index.html", "index.lighttpd.html")
> url.access-deny                = ("~", ".inc", ".md", ".yml", ".ini")
> static-file.exclude-extensions = (".php", ".pl", ".fcgi")
> compress.cache-dir             = "/var/cache/lighttpd/compress/" 
> compress.filetype              = ("application/javascript", "text/css", "text/html", "text/plain")
> mimetype.assign                = (
> ".png"  => "image/png",
> ".jpg"  => "image/jpeg",
> ".jpeg" => "image/jpeg",
> ".html" => "text/html",
> ".css"  => "text/css; charset=utf-8",
> # 5
> ".js"   => "application/javascript",
> ".json" => "application/json",
> ".txt"  => "text/plain",
> ".svg"  => "image/svg+xml",
> # 9
> )
> server.modules                 = (
> "mod_access",
> "mod_accesslog",
> "mod_auth",
> "mod_expire",
> "mod_compress",
> "mod_redirect",
> "mod_setenv",
> "mod_rewrite",
> "mod_fastcgi",
> # 9
> )
> 
> 
> $SERVER["socket"] == "[::]:80" {
> # block 1
> 
> } # end of $SERVER["socket"] == "[::]:80" 
> 
> $HTTP["url"] =~ "^/admin/" {
> # block 2
> setenv.add-response-header = (
> "X-Pi-hole"       => "The Pi-hole Web interface is working!",
> "X-Frame-Options" => "DENY",
> # 2
> )
> 
> 
> $HTTP["url"] =~ ".ttf$" {
> # block 3
> setenv.add-response-header = (
> "Access-Control-Allow-Origin" => "*",
> )
> 
> } # end of $HTTP["url"] =~ ".ttf$" 
> } # end of $HTTP["url"] =~ "^/admin/" 
> 
> $HTTP["url"] =~ "^/admin/\.(.*)" {
> # block 4
> url.access-deny = ("")
> 
> } # end of $HTTP["url"] =~ "^/admin/\.(.*)" 
> 
> $HTTP["host"] == "pihole.v6.example.com" {
> # block 5
> setenv.add-environment = (
> "fqdn" => "true",
> )
> 
> 
> $SERVER["socket"] == ":443" {
> # block 6
> ssl.engine             = "enable" 
> ssl.pemfile            = "/home/username/combined.pem" 
> ssl.honor-cipher-order = "enable" 
> ssl.cipher-list        = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" 
> ssl.use-sslv2          = "disable" 
> ssl.use-sslv3          = "disable" 
> 
> } # end of $SERVER["socket"] == ":443" 
> 
> $HTTP["scheme"] == "http" {
> # block 7
> 
> 
> $HTTP["host"] =~ ".*" {
> # block 8
> url.redirect = (
> ".*" => "https://%0$0",
> )
> 
> } # end of $HTTP["host"] =~ ".*" 
> } # end of $HTTP["scheme"] == "http" 
> } # end of $HTTP["host"] == "pihole.v6.example.com" 
> }

RE: Refusing connections when on IPv6 using external.conf and SSL Engine - Added by gstrauss almost 4 years ago

In the above config you provided, I don't see configuration for IPv6 on port 443. There should be a section like:

$SERVER["socket"] == "[::]:443" {
  ssl.engine             = "enable" 
  ssl.pemfile            = "/home/username/combined.pem" 
  ssl.honor-cipher-order = "enable" 
  ssl.cipher-list        = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" 
  ssl.use-sslv2          = "disable" 
  ssl.use-sslv3          = "disable" 
}
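For lighttpd 1.4.46 and later, where the ssl settings can be inherited from the global scope as gstrauss notes above, the same fix can be written once and shared by both sockets. This is an added example, not part of the thread or of Pi-hole's config; it reuses the cert path and cipher list from the posted config and assumes the socket blocks sit at the top level of external.conf rather than inside the `$HTTP["host"]` condition.

```lighttpd
# Added example (not from the thread): lighttpd >= 1.4.46 form of the fix.
# ssl.* settings in the global scope are inherited by every $SERVER["socket"]
# block, so they are written once instead of per address family.
server.modules += ("mod_openssl")   # TLS lives in its own module from 1.4.46

ssl.pemfile            = "/home/username/combined.pem"  # path from the posted config
ssl.honor-cipher-order = "enable"
ssl.cipher-list        = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.use-sslv2          = "disable"
ssl.use-sslv3          = "disable"

# Each address family gets its own listening socket; both inherit the
# ssl.* settings above and only need ssl.engine switched on.
# ssl.engine must NOT be enabled in the global scope, or port 80 would
# expect TLS as well.
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
}
$SERVER["socket"] == "[::]:443" {
    ssl.engine = "enable"
}

# Redirect plain HTTP to HTTPS; this condition is not tied to a socket,
# so it applies to IPv4 and IPv6 alike (same form as blocks 7-8 above).
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}
```

`lighttpd -p -f /etc/lighttpd/lighttpd.conf`, as requested earlier in the thread, should now list both a `:443` and a `[::]:443` socket block.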

RE: Refusing connections when on IPv6 using external.conf and SSL Engine - Added by kellytrinh almost 4 years ago

Tested and it works. Thank you kindly for assistance.
