DietPi-Software | Pi-hole: Block access to blocking page from web by default #3054
Conversation

Where in the
Also, how do I check for IPv6 addresses? Is that still a part of
@AtkLordOverAll About IPv6: I will check, I think it can be added to the same regex, allowing But actually I am not sure if there is any user with an IPv6-only local network. Also this does not make any sense. So adding local IPv6 support IMO is not important. Also DietPi-Config/network setup currently only supports IPv4; IPv6 addresses are available through SLAAC but not used in the local network. The config is pulled here: https://github.com/MichaIng/DietPi/blob/dev/dietpi/dietpi-software#L8756
I tested with IPv6. I always get two IPv6 addresses assigned. One with the external IPv6 prefix, matching the one from the router, with an internal suffix. That allows accessing a specific local device remotely without NAT.
The problem is now that I can ping6 devices on all of those up to 3 IPv6 addresses: the one with the external prefix, the fe80 one and most likely the fc/fd one as well, if assigned/enabled in the router settings. All this is without any remote access to either of the two devices, so all this can happen within the local network only. So the best we can do is allowing Regex would be:
MichaIng knows best #3054 (comment)
Okay I've updated my code as per the review, and shall look at the rest tomorrow.
Could make a prompt asking this, if you wanted? Something like "Are you going to need to remotely access the admin page? y/N" (no default for enhanced security)
@AtkLordOverAll
Actually, as the Pi-hole installer asks a lot of questions anyway, it would not hurt. But it would need to be implemented in a way that can be simply reverted. E.g. when Pi-hole is reinstalled and the user chooses differently, it should be possible to change the behaviour.
Let's see if there are some other opinions about the admin panel block and/or IPv6: https://dietpi.com/phpbb/viewtopic.php?p=19137#p19137
Uses a G_WHIP_YESNO dialogue during install to ask; the config is always made available to lighttpd, even if it's not enabled, so that the user may do so themselves later on.
How's that @MichaIng? Optional admin panel blocking 😄
We do not talk about this 😂 So apart from maybe IPv6 support I consider this PR mostly done, so I'm marking it as ready for review
+ DietPi-Software | Pi-hole: Fix regex, since admin panel URL is /html/admin or /admin (symlink). Simplify and failsafe regex, so that all access to either /admin/<anything> or /admin<end> is blocked, not only php scripts.
+ DietPi-Software | Pi-hole: Minor tab alignment and tiny comment for user info
@AtkLordOverAll I fixed the admin panel block a bit, it is located beside /pihole, so /pihole is the blocking page and /admin the admin panel. However, nice work, I think it is best like this to give the user the choice and always install the config, so it can be easily enabled/disabled. I will run some final tests later and would merge then, if finished from your side. EDIT: Changed the config name on the server, to allow Nginx and Apache configs later as well.
Looks good, what you've changed makes sense, happy to have helped 😃
@AtkLordOverAll The problem is that Pi-hole requires the blocking page index.php to be accessible in the webroot. So it creates a symlink from the webroot to html/pihole/index.php, more precisely from html/index.php, since it expects the webroot there. We then move/create it at the actual webroot /var/www. Nasty is that Lighttpd does not allow blocking access based on the local directory structure, at least I could not find any directive that would allow this, but only on the URL. So the blocking page is always available by accessing the domain/IP without any appended path... This would additionally require blocking access to "/$" and "/index.php". But then, if the blocking page is disabled, this location contains the default webserver test page and users might want to create any other entry page there.

So to be sure, either we need to only block this if the blocking page is enabled, then the user needs to remove this block manually when disabling the blocking page, or we need to check the symlink target or something, but that seems not to be possible via Lighttpd either... One other idea I have is to not create/use any symlinks, but add rewrite rules. But I guess $HTTP["url"] does not change via rewrite, only via permanent redirect. And redirect means a second request from clients, being a huge access overhead, and some clients do not follow redirects, e.g. curl without the "-L" option etc.

No idea currently how to solve this reliably, as long as there is no option to block dir/file access via absolute path in Lighttpd, including symlink targets. There is no equivalent to Apache's directive, that is a pity... However I will test the rewrite solution later, as this would be the only acceptable solution.
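As an added illustration (not the PR's own lighttpd.pihole.conf, which is not shown here), this is how a per-path check keyed on the request URL, as the comment describes, looks in Lighttpd: /admin and everything beneath it is denied to any client outside the private IPv4 ranges and the fe80/fc/fd IPv6 ranges discussed above. The `$HTTP["remoteip"]` / `url.access-deny` idiom and the exact address ranges are my assumptions, not taken from the PR.

```conf
# Added example, not the PR's config. Requires mod_access to be loaded:
#   server.modules += ( "mod_access" )
# Lighttpd conditionals match the request URL, not the file the URL resolves
# to (symlink targets included), so the check is keyed on the /admin path.
# Assumed "local" client ranges: loopback, RFC 1918 IPv4, IPv6 loopback,
# link-local (fe80::/10) and unique-local (fc00::/7) addresses.
$HTTP["remoteip"] !~ "^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|::1$|fe80:|f[cd][0-9a-f]{2}:)" {
    # Matches /admin and /admin/<anything>, but not e.g. /administrator
    $HTTP["url"] =~ "^/admin(/|$)" {
        # Empty suffix list denies every URL inside this condition
        url.access-deny = ( "" )
    }
}
```

Check the result with `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` before reloading, and confirm from a non-local address that /admin returns 403 while the blocking page at / is still served.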
This is sad 😞 So we need to regex based on the browser URL as opposed to the file path? Or am I missing a layer of complexity here due to redirects?
@AtkLordOverAll In contrast, Apache has a Best would actually be if blocked requests were not redirected to the webroot, but to
Okay got some clarifications in the referenced issue and as well a solution for us:
So this means for us:
Okay, will implement this over the weekend for all webservers. Hmm, what fits best for this kind of access:
Sounds like you've got a handle on it, I'm on holiday currently so that's probably just as well. Best of luck 👍 I'd say
@AtkLordOverAll I will merge this PR as a starting point. It even works when we remove the
Okay, the idea I had cannot be realised easily. The problem is that directory and location sections are "statically" parsed on server start. So those cannot exist within any conditional statement against a specific request, like the remote IP check we need. And there are no usual ways to block access to certain paths without the related statement. So it can only be the other way round, like
And since the IP check must be done anyway for each software title/dir/location individually, having a general public access control module is obsolete. No drama however, and performance-wise it might even be better, since the IP check is not done on every request, but only on those to defined paths. PR is up to fix the blocking page implementation and add related configs and public access control for all webservers: #3072
Status: Ready
Reference: #3024
Commit list/description:
lighttpd.pihole.conf file