[Solved] Pi-hole sets port 80 on every update

Added by triatic almost 4 years ago

When installing and updating Pi-hole, lighttpd.conf is written with:

$SERVER["socket"] == "[::]:80" { }

I am trying to unset port 80 in a later configuration file (conf-enabled directory) which Pi-hole does not overwrite with every update.

Can this be done?


Replies (11)

RE: Pi-hole sets port 80 on every update - Added by gstrauss almost 4 years ago

No, there is not a way to "undo" socket configuration in lighttpd. The trivial solution is not to do it in the first place. If pi-hole updates will overwrite a customized lighttpd config, that is not very user-friendly, and something that most package managers avoid doing. Are you sure that is the case?

To try to help you come up with a solution: Why are you trying to modify the pi-hole configuration of lighttpd?

Have you considered running a second instance of lighttpd, with your own custom configuration file, listening on your own designated ports?

If you do not want lighttpd listening on port 80, and pi-hole operations make it difficult for you to change it, can you instead block port 80 in your firewall config?

.

If it has not been made clear, the issues you seem to be having are with pi-hole configuration, and what it does and does not allow you to do for persistent customizations.

RE: Pi-hole sets port 80 on every update - Added by triatic almost 4 years ago

Thanks for your reply and apologies for my late reply, Gmail spam-foldered the forum notification.

I am sure that Pi-hole overwrites lighttpd.conf on every update. Pi-hole is not distributed as an OS package, it's a downloadable bash script. Their advice is to configure customisations in lighttpd.conf.d which is mostly fine, aside from not being able to shut off port 80 set by $SERVER["socket"].

I prefer to leave port 80 unconfigured so certbot can renew certificates in standalone mode. I could use lighttpd for letsencrypt but 99.999% of the time it would be listening on port 80 for no reason.

I could also script iptables to open/close port 80 just prior and just after letsencrypt renewal, but I find this a little messy.

I accept Pi-hole is at error for overwriting lighttpd.conf on every update, your forum post at least proves not all user customisations are possible with their approach.

In any case I've now written my own "lite" version of Pi-hole (also utilising dnsmasq) so I probably won't pursue this further with them.

RE: Pi-hole sets port 80 on every update - Added by gstrauss almost 4 years ago

HowToSimpleSSL: lighttpd supports Let's Encrypt and TLS-ALPN-01 using dehydrated, and does not require port 80 at all.
See the section "Let's Encrypt bootstrap using TLS-ALPN-01 verification challenge and dehydrated" in HowToSimpleSSL.

I am not aware of a way to "unconfigure" listening directives in Apache or Nginx, which is why I ultimately asked you "Why are you trying to modify the pi-hole configuration of lighttpd?"

You didn't mention your use of certbot on port 80 in your initial post, so you have lost time (yours and mine) on an incorrect solution that you "concluded" was the answer, and you did not properly explain your actual issue in your question. Even if you have a proposed solution to your issue, please always attempt to explain your issue when asking questions, before proposing a solution.

RE: Pi-hole sets port 80 on every update - Added by triatic almost 4 years ago

I explained that Pi-hole overwrites the lighttpd.conf file on every update, and that I don't want port 80 open (firewalled or otherwise). Renewing Let's Encrypt on an alternative port doesn't close port 80. Apache and Nginx are not especially relevant since Pi-hole does not utilise them.

Side note: I don't need a patronising lecture on how to ask a question, thanks.

RE: Pi-hole sets port 80 on every update - Added by gstrauss almost 4 years ago

> Side note: I don't need a patronising lecture on how to ask a question, thanks.

You could do better.

While pi-hole overwrites /etc/lighttpd/lighttpd.conf, pi-hole does not overwrite /etc/lighttpd/external.conf. The lighttpd.conf contains server.port = 80. However, lighttpd allows you to overwrite variables using :=, so if you put server.port := 8080 in /etc/lighttpd/external.conf, then lighttpd would listen on port 8080 instead of on port 80. If you are also listening on port 443 via $SERVER["socket"] == ":443", then you could as well set server.port := 443 in /etc/lighttpd/external.conf.

In the lighttpd configuration documentation, the third line of the first section says
replace : NAME := VALUE (replace/overwrite earlier value)

RE: [Solved] Pi-hole sets port 80 on every update - Added by triatic almost 4 years ago

Unfortunately server.port := 8080 is not enough because of this line in lighttpd.conf:

include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port

Which results in:

$SERVER["socket"] == "[::]:80" { }

I believe we established that ports opened with $SERVER["socket"] cannot be modified.

I'm not saying lighttpd is at fault here, I'm just establishing that Pi-hole always opens port 80 after upgrade and that it can't be rectified in /etc/lighttpd/external.conf.

RE: [Solved] Pi-hole sets port 80 on every update - Added by gstrauss almost 4 years ago

Comment out the line in lighttpd.conf that calls /usr/share/lighttpd/use-ipv6.pl (after each pi-hole installation or update).

Alternatively, modify /usr/share/lighttpd/use-ipv6.pl, which is part of the lighttpd package, not the pi-hole installation. Modifying /usr/share/lighttpd/use-ipv6.pl to do nothing and to immediately exit 0 is probably the easiest. Then, you can configure additional listening sockets in /etc/lighttpd/external.conf
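Added example, not part of the thread or of Pi-hole or lighttpd: a small script that re-applies the "comment out the use-ipv6.pl line" edit after each Pi-hole update and reports any literal port-80 `$SERVER["socket"]` blocks left in the files it is given. The function names are hypothetical; the file paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (hypothetical helper names): re-apply the edit after an update.

# An active (uncommented) include_shell line that calls use-ipv6.pl.
USE_IPV6_RE='^[[:space:]]*include_shell[[:space:]].*use-ipv6\.pl'
# An active $SERVER["socket"] block whose address ends in :80.
SOCK80_RE='^[[:space:]]*\$SERVER\["socket"][[:space:]]*==[[:space:]]*"[^"]*:80"'

# Comment out the use-ipv6.pl line in place. Idempotent.
# Prints "changed" or "unchanged"; returns 2 if the file is missing.
disable_use_ipv6() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    if ! grep -Eq "$USE_IPV6_RE" "$conf"; then
        echo unchanged
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 2   # keep the updater's version
    # Write back into the same file so owner and mode are preserved.
    sed -E "/$USE_IPV6_RE/s/^/# /" "$conf.bak" > "$conf" || return 2
    echo changed
}

# Print active port-80 socket blocks written literally in the given files.
# Sockets generated by include_shell are not visible here, which is why
# the use-ipv6.pl line has to be handled separately above.
# Returns 0 if any are found, 1 if none.
port80_sockets() {
    grep -En "$SOCK80_RE" "$@"
}

# Example: sh this-script /etc/lighttpd/lighttpd.conf /etc/lighttpd/external.conf
if [ "$#" -gt 0 ]; then
    disable_use_ipv6 "$1" || exit 2
    if port80_sockets "$@"; then
        echo "port 80 socket still configured" >&2
        exit 1
    fi
fi
```

Running `lighttpd -t -f /etc/lighttpd/lighttpd.conf` afterwards checks the edited file's syntax before the service is restarted.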

RE: [Solved] Pi-hole sets port 80 on every update - Added by triatic almost 4 years ago

I considered editing /usr/share/lighttpd/use-ipv6.pl but normal convention is to restrict user modifications to /etc .

I also assume that this file could be overwritten as part of an OS package update.

What's the thinking behind opening port 80 on IPv4 with server.port and port 80 on IPv6 with $SERVER["socket"] ? Is server.port only for IPv4 ?

RE: [Solved] Pi-hole sets port 80 on every update - Added by gstrauss almost 4 years ago

> I considered editing /usr/share/lighttpd/use-ipv6.pl but normal convention is to restrict user modifications to /etc .

Please stop belly-aching.

pi-hole modifies lighttpd config and pi-hole does not own the lighttpd package, so by your own admission pi-hole is doing something it ought not to do.

The scripts provided by package management are conveniences for people. If you don't want to use them, you don't have to use them. Stop saying "it's not doing what I want it to do, but I am not willing to change anything that I am doing".

I refer you to my comment in my first post above: https://redmine.lighttpd.net/boards/2/topics/9152?r=9153#message-9153

> Have you considered running a second instance of lighttpd, with your own custom configuration file, listening on your own designated ports?

Again, the simplest solution to "unconfigure" has always been "don't configure it that way to begin with".

Try this: disable the default lighttpd service from running. Whatever scripts want to run to update it can do so. Configure a new service which runs lighttpd with a different configuration file path. That different configuration file can contain (most of) the original configuration file. Each time you run pi-hole update, make sure that it does not try to start the default lighttpd service on the system, or stop the default lighttpd service immediately after you do so.

RE: [Solved] Pi-hole sets port 80 on every update - Added by triatic almost 4 years ago

> pi-hole modifies lighttpd config and pi-hole does not own the lighttpd package, so by your own admission pi-hole is doing something it ought not to do.

I'll readily admit that, and my "belly-aching" here is to show to the Pi-hole devs that there is justifiable merit in requesting that they handle their update procedure differently, given that it is not possible to make a user modification for this in external.conf as is their usual suggestion.

I have taken on board the new service solution you proposed.

I'm still curious as to why IPv6 port 80 needs setting via $SERVER["socket"] , if it were set via server.port then the := operator could be utilised for port reassignment.

RE: [Solved] Pi-hole sets port 80 on every update - Added by gstrauss almost 4 years ago

If the pi-hole devs read this, they'll probably come to the same conclusion about you that I have, and it is less than rosy and not constructive.

If you do not have the vanilla setup that most people have for pi-hole, then you have multiple options that I presented above. The vanilla setup by pi-hole appears to work well for the vast majority.

.

Optional improvements to pi-hole:

The pi-hole devs could improve their install if the install added specific text to /etc/lighttpd/lighttpd.conf, and future updates checked to see if that text was present -- i.e. that pi-hole was already installed -- before replacing /etc/lighttpd/lighttpd.conf again. grep "The Pi-hole Web interface is working!" /etc/lighttpd/lighttpd.conf. As long as the text was present, you could then make customizations to /etc/lighttpd/lighttpd.conf and those customizations could be preserved.

It would be even better, but might be slightly more work, for the pi-hole devs to isolate the changes specific to pi-hole into a separate file which is included in /etc/lighttpd/lighttpd.conf. Then, the modification to /etc/lighttpd/lighttpd.conf would not be replacement, but merely adding a line. On systems that include /etc/lighttpd/conf.d/* (Fedora) or /etc/lighttpd/conf-enabled/* (Debian), no change to lighttpd.conf would be needed. Instead, the pi-hole config would be an independent file installed and linked in the appropriate locations.

On Debian, it looks like pi-hole filters out /etc/lighttpd/conf-enabled/letsencrypt.conf, and I wonder why they do not instead run lighty-disable-mod letsencrypt

I'd encourage the pi-hole devs to reach out in IRC freenode #lighttpd, rather than go through your mistranslation of misinformed "solutions"
