Pi-hole: lighttpd binds to all ports

Created on 3 Jan 2018 · 5 Comments · Source: pi-hole/pi-hole

In raising this issue, I confirm the following: {please fill the checkboxes, e.g: [X]}

How familiar are you with the source code relevant to this issue?:

7


Expected behaviour:

lighttpd binds to port 80 only on the IP address / interface where Pi-hole was installed (similarly to dnsmasqd where this is even an option in the settings)

Actual behaviour:

lighttpd binds to all IP addresses / interfaces on port 80

Steps to reproduce:

Add a second IP address to existing Pi-hole setup and try binding a different server (or just query new ip address), e.g.

  • ip address add 192.168.1.3/24 dev eth0 (assuming pi-hole is on 192.168.1.2)
  • launch browser and go to 192.168.1.3

Potential solution:

Within lighttpd.conf add server.bind = "192.168.1.2" configuration (with Pi-hole IP). This should require changes with the two config files in the advanced folder and some sed during installation to fix the IP. (I was playing around with it earlier but got some issues when testing)

Discussion Feature Request Issue

All 5 comments

Why is this an issue?

I'd consider it to be the default to bind to all interfaces as this will e.g. allow you to use it regardless if you are connecting through eth0 or e.g. through a VPN service installed on the same machine. You can still limit the availability of the dashboard via suitable firewall rules. Also something like server.bind = "192.168.1.2" may even prevent localhost from being able to reach the dashboard.

In my case, I wanted to have a different web-service running on the Raspi as well (which for convenience I also wanted on port 80).

But in case the Pi-hole is running in a multi-homed environment (the most likely case to have multiple IPs) it could pose a security risk when the admin interface is accessible from the outside (or at least is a privacy issue since everybody can see the dashboard with access to the server, which potentially then could be the whole internet). Setting firewall rules, of course, can solve this but then the user at least should be made aware that lighttpd will bind to port 80 on all available IPs, also when new interfaces are added (e.g. VPNs), so firewall rules have to be set up for this as well.

I also think for user expectation management lighttpd should use the same interfaces as dnsmasqd or there should be an explicit warning that it is not.

This "issue bothered" me a while ago too. I upvote this. It's also a problem if you run each of your services on a different IP. If you add 6 new vinterfaces pihole will distribute dhcp and dns on all of these IPs per default. In case pihole runs on a border router between 2 networks, it would be a nice feature to configure the interfaces or IPs to bind to via webinterface instead of dropping to shell and telling pihole/lighttpd to stfi.

Also if you try to set up samba-AD on the same machine or another subdomain with its own dns or dhcp you wish for more control about pihole's actual behaviour.

Note that this is only a problem in advanced setups and should not be considered a problem for a "default" installation or use case of pihole. IIRC the behaviour of pihole binding to all interfaces raised some "issues" here too.

The fix from @flo80 is sufficient/correct. I don't know about setup though.

I would set it in an extra conffile instead of lighttpd.conf

sudo nano /etc/lighttpd/conf-enabled/99-bla.conf
server.bind = "10.0.0.2"
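
A way to confirm the behaviour discussed in this thread, and whether a server.bind drop-in like the one above took effect, as an added example that is not part of the original issue or of Pi-hole's code: it parses ss -ltn output and flags listeners on a port that are bound to a wildcard address. The function names and both sample listings are constructed for illustration.

```shell
# Added example: flag TCP listeners bound to every address on a given port.
# Input is `ss -ltn` output on stdin, e.g.:  ss -ltn | wildcard_listeners 80

# Print the local address:port of each wildcard listener on port $1.
wildcard_listeners() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }                  # also skips the header line
        {
            if (!match($4, /:[0-9]+$/)) next     # port follows the last colon
            addr = substr($4, 1, RSTART - 1)
            if (substr($4, RSTART + 1) != port) next
            # 0.0.0.0 and * are IPv4 wildcards; [::] and :: are IPv6 wildcards
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
                print $4
        }'
}

# Succeeds when nothing on port $1 is bound to a wildcard address.
bound_to_specific_address() {
    [ -z "$(wildcard_listeners "$1")" ]
}

# Constructed sample: no server.bind set (the behaviour reported in the issue).
sample_before() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     192.168.1.2:53     0.0.0.0:*
LISTEN 0      1024   0.0.0.0:80         0.0.0.0:*
LISTEN 0      1024   [::]:80            [::]:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
EOF
}

# Constructed sample: after setting server.bind = "192.168.1.2".
sample_after() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     192.168.1.2:53     0.0.0.0:*
LISTEN 0      1024   192.168.1.2:80     0.0.0.0:*
EOF
}

for sample in sample_before sample_after; do
    if "$sample" | bound_to_specific_address 80; then
        echo "$sample: port 80 is bound to specific addresses only"
    else
        echo "$sample: port 80 listens on every address:"
        "$sample" | wildcard_listeners 80
    fi
done
```

The second sample also shows the side effect raised earlier in the thread: with a single server.bind address there is no listener on 127.0.0.1:80.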

Support for binding to different IPs/ports will come with the new API and web interface.

Because of the number of requests and the very limited resources we have as a free open-source project run by volunteers, we ask that you open all Feature Requests at our Discourse Forum.

Thank you for your understanding.
