PiPass / blockpage

A temporary unblock solution and blockpage for your Pi-Hole system
BSD 3-Clause "New" or "Revised" License

Need Help: Correct SSL-Cert but Error:SSL_ERROR_UNRECOGNIZED_NAME_ALERT #46

Closed AlfaJackal closed 5 years ago

AlfaJackal commented 5 years ago

Successfully installed a certificate for dns.domain.com. The problem is that I will not be redirected to dns.domain.com/blockpage after clicking a link.

I am able to open the secured site dns.domain.com/blockpage and also dns.domain.com/admin. But if I click on a link, e.g. in a Google search result that leads to googleadservices.com, I always get an error page in my browser. See screenshot: https://imgur.com/UF1jvzA

Seems not to be an issue, but I changed my port from 80 to 81 in lighttpd. It also doesn't matter if I set blockpage_url in the config with or without the port.

  1. Only one change in config.php: $conf['blockpage_url'] = "https://dns.domain.com:81/blockpage";
  2. Changes in external.conf:

    # LETS ENCRYPT + SSL
    $HTTP["host"] == "dns.domain.com" {
        # Ensure the Pi-hole Block Page knows that this is not a blocked domain
        setenv.add-environment = ("fqdn" => "true")

        # Enable the SSL engine with a LE cert, only for this specific host
        $SERVER["socket"] == ":443" {
            ssl.engine = "enable"
            ssl.pemfile = "/etc/letsencrypt/live/dns.domain.com/combined.pem"
            ssl.ca-file = "/etc/letsencrypt/live/dns.domain.com/chain.pem"
            ssl.honor-cipher-order = "enable"
            ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
            ssl.use-sslv2 = "disable"
            ssl.use-sslv3 = "disable"
        }

        # Redirect HTTP to HTTPS
        $HTTP["scheme"] == "http" {
            $HTTP["host"] =~ ".*" {
                url.redirect = (".*" => "https://%0$0")
            }
        }
    }

roenw commented 5 years ago

Unfortunately I think this is expected behavior if you have visited the website before and the HSTS header is cached. That prevents the SAN (subject alternative name) of the website from being changed, e.g. to redirect you to a blockpage.

I’ll experiment later and see if I can make it work.

roenw commented 5 years ago

If my findings come up negative, there isn't much we can do about it. The HSTS header is a website implying that the connection must have maximum security at all times. Personally, I feel like it is being misused: its main purpose is to prevent man-in-the-middle attacks, such as on banks, but most Google services now include it.

AlfaJackal commented 5 years ago

Hmm, seems like there is another problem: for example, if I open https://analytics.twitter.com, I receive an SSL connection error, NSURLErrorDomain.

And if I simply open insecure http://analytics.twitter.com, I will be redirected to my Apache. How can that be?


roenw commented 5 years ago

I'm pretty sure that's the same problem. To solve this issue, I believe you can install the SSL certificate's CA certificate on your device.

This is what OpenDNS users have to do, as their blockpage works in the exact same way, which is DNS hijacking.

AlfaJackal commented 5 years ago

Thanks for your reply.

Edit: With https everything is fine. But I still have the problem of being redirected from http to my Apache (port 80) and not to my lighttpd (81). With https every blacklisted page redirects to the blockpage.

Do you have any idea?

roenw commented 5 years ago

@AlfaJackal That's very interesting, and it would make sense that it does that if you didn't explicitly specify the port for it to redirect to. If your Apache is running in a non-production environment, you might want to consider just switching its port with lighttpd, but at the same time I would not recommend running Pi-Hole, PiPass, lighttpd, and Apache all on one machine in a production environment.

Right now, that's all I can suggest. I'll tell you later on if I come up with anything.
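
The two effects discussed in this thread, that a blocked site with a cached HSTS policy can never show the blockpage, and that a plain-http blocked link lands on whatever daemon listens on port 80, come from browser-side decisions rather than from PiPass. The following is an added example written for this page, not code from PiPass or from either participant: it models the HSTS cache (RFC 6797), which port the browser connects to, and whether the certificate the Pi can present matches the name the browser asked for. All hostnames, header values and the listener layouts are constructed for illustration.

```python
"""Model of what a browser does when a blocked hostname resolves to a Pi-hole.

Added example for this thread, not PiPass code. Hostnames, header values
and listener layouts below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class HstsPolicy:
    host: str
    expires_at: float          # absolute time in seconds
    include_subdomains: bool


def parse_hsts(header: str, host: str, now: float) -> Optional[HstsPolicy]:
    """Store a Strict-Transport-Security header as a browser would (RFC 6797 s.6.1).

    max-age is mandatory, max-age=0 removes the policy, unknown directives
    (e.g. preload) are ignored.  Returns None when nothing is stored.
    """
    max_age: Optional[int] = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None         # malformed: browsers ignore the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if not max_age:                 # missing or zero
        return None
    return HstsPolicy(host.lower(), now + max_age, include_sub)


def hsts_applies(policies: Sequence[HstsPolicy], host: str, now: float) -> bool:
    """True if the browser upgrades `host` to https:// and refuses certificate errors."""
    host = host.lower()
    for p in policies:
        if p.expires_at <= now:
            continue
        if host == p.host or (p.include_subdomains and host.endswith("." + p.host)):
            return True
    return False


def cert_matches(cert_hosts: Sequence[str], host: str) -> bool:
    """Exact or single-label wildcard match of `host` against certificate names."""
    host = host.lower()
    for name in (n.lower() for n in cert_hosts):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def blockpage_outcome(policies: Sequence[HstsPolicy], host: str, scheme: str,
                      listeners: Dict[int, str], cert_hosts: Sequence[str],
                      now: float) -> str:
    """What the user sees for a blocked `host` that now resolves to the Pi.

    listeners: {port: daemon} on the Pi, e.g. {80: "apache", 443: "lighttpd"}.
    cert_hosts: names on the certificate the :443 daemon presents.
    """
    hsts = hsts_applies(policies, host, now)
    port = 443 if scheme == "https" or hsts else 80
    daemon = listeners.get(port)
    if daemon is None:
        return "connection refused"
    if port == 80:
        # Plain HTTP: whatever listens on :80 answers, not necessarily the
        # daemon PiPass is configured in.
        return f"{daemon}: page served over http"
    if cert_matches(cert_hosts, host):
        return f"{daemon}: blockpage over https"
    # The browser asked (via SNI) for the blocked name; the Pi can only present
    # its own. Without HSTS that is a click-through warning; with HSTS the
    # error cannot be overridden (RFC 6797 s.12.1).
    return f"{daemon}: hard fail, HSTS" if hsts else f"{daemon}: certificate warning"


NOW = 1_700_000_000.0
# Constructed: the browser visited the ad domain earlier and cached its policy.
CACHED = [p for p in [parse_hsts("max-age=31536000; includeSubDomains",
                                 "googleadservices.com", NOW)] if p]
# Constructed layouts: as described in the thread, then with the ports swapped.
PI_BEFORE_SWAP = {80: "apache", 81: "lighttpd", 443: "lighttpd"}
PI_AFTER_SWAP = {80: "lighttpd", 81: "apache", 443: "lighttpd"}
CERT = ["dns.domain.com"]

if __name__ == "__main__":
    for host, scheme in [("www.googleadservices.com", "http"),
                         ("ads.example.net", "http"), ("ads.example.net", "https")]:
        print(f"{scheme}://{host} ->",
              blockpage_outcome(CACHED, host, scheme, PI_BEFORE_SWAP, CERT, NOW))
```

Running it shows the three cases from the thread side by side: the HSTS host is upgraded to https and hard-fails on the name mismatch, a plain-http blocked host is answered by whatever owns port 80 (Apache before the port swap, lighttpd after), and an https blocked host without HSTS yields a certificate warning the user could click through. Installing the Pi's CA on the device only removes the trust error, not the hostname mismatch, so that step alone does not change these outcomes.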

AlfaJackal commented 5 years ago

@roenw Thank you! Simply swapped the ports and everything seems to work now. Will test Let's Encrypt tomorrow and see if it all works together on one Pi.

The permanent solution for the future is to have a single Pi-Hole Pi and the Apache separated from it.