PiPass / blockpage

A temporary unblock solution and blockpage for your Pi-Hole system
BSD 3-Clause "New" or "Revised" License

Connection refused error PiPass #9

Closed istrait closed 5 years ago

istrait commented 5 years ago

I have a standard install of pihole using lighttpd.

I have used the automated install script and have installed this very cool looking mod three times and have met disaster each time.

Having a standard install, I have put https://192.168.1.250/blockpage/index.php into the config (192.168.1.250 is the ip of the pihole). When I do this, the 192.168.1.250 page starts going to HTTP ERROR 500 and the pages that are blocked by pihole still go to ERR_NAME_NOT_RESOLVED, so I think I am screwing up this config setting.

I have installed both PHP-curl and git, made the changes to lighttpd/external.config and pihole-FTL.conf and have had to rebuild this system after each attempt. Any help?

EDIT: put in http://192.168.1.250/blockpage and still have same issue.

EDIT 2: here is what lighttpd.config says.

server.document-root = "/var/www/html"
server.error-handler-404 = "/index.php"

EDIT 3: nslookup of blocked site.

Server: 127.0.0.1
Address: 127.0.0.1#53

Name: www.techsmith.com
Address: 192.168.1.250

EDIT 3: the installation address at the top of the reddit thread points to the wrong place.

roenw commented 5 years ago

Please upload your full lighttpd config and PiPass config.php file so we can better assist you.

Argent999 commented 5 years ago

i'm probably not the best person to be answering this, but i ran into the same issue in my ongoing struggle to make pipass work for me. if you followed the install script for pipass to the letter and entered '/var/www/' as your root, change the lighttpd.config line to:

server.document-root = "/var/www/"

(delete the 'html' at the end.)

if all things went right, a url like http://192.168.X.X/blockpage/index.php should display the pipass block page.

hope this helps.

yeah, please don't try this. bad advice. i had to do a pihole -r after a while because i couldn't bring up the pihole admin console. i'll be quiet now.

istrait commented 5 years ago

Files attached...

This is a pretty much vanilla install of pihole. (there is an instance of the unifi wifi controller running on the pi, but its port is 8443.)

config.txt

lighttpd.txt

roenw commented 5 years ago

I'm going to flash one of my spare RPis with dietpi and use the lighttpd version of Pi-Hole and I'll reply back once I have a working configuration.

istrait commented 5 years ago

Thank you...

EvanGrote commented 5 years ago

@istrait - Not sure if this is your problem or not, but in your config file you only have one forward slash in your blockpage URL e.g. http:/192.168.1.250/blockpage instead of http://192.168.1.250/blockpage

istrait commented 5 years ago

@EvanGrote Good catch. Made the change, but it did not fix it.

EvanGrote commented 5 years ago

How are you testing if PiPass is working? I think I'm in a similar situation as you, but I'm not sure what to do to verify the expected behavior

roenw commented 5 years ago

Your config.php file is severely malformed. A few characters got deleted, including ?> at the end and / to begin the top comment. I would recommend pulling a fresh config.php file from the repository and filling it in again.

istrait commented 5 years ago

the final ?> was there, it just did not get copied. (I am not sure how to pull the actual file off of the pi so I copied it from nano.) I did mess up the slash though.

Will rebuild it. Did the path look right?

istrait commented 5 years ago

@EvanGrote I am visiting a blocked site and am getting an ERR_CONNECTION_REFUSED from chrome.

roenw commented 5 years ago

What is the output of systemctl status lighttpd?

roenw commented 5 years ago

[Screenshot: Annotation 2019-05-28 170346]

This is what it should look like.

istrait commented 5 years ago

I get: [screenshot: Capture]

On another note, now when I go to http://192.168.1.250 I get the PiPass blockpage. I still get connection refused when I go to a blocked page though.

When I go to the PiPass blockpage, in /var/log/lighttpd/error.log, I see the following error:

2019-05-29 04:12:32: (mod_fastcgi.c.2543) FastCGI-stderr: PHP Notice: Undefined variable: adminurl in /var/www/html/blockpage/index.php on line 103

roenw commented 5 years ago

adminurl is an undefined variable, and that bug has been fixed and will be pushed in the next update, so ignore that warning. Can you run:

cat /etc/pihole/pihole-FTL.conf

istrait commented 5 years ago

BLOCKINGMODE=IP
PRIVACYLEVEL=0

roenw commented 5 years ago

All I can think of right now is flushing your browser cache and DNS cache. If that doesn’t work, the website might actually be down, can you try to ping it if that doesn’t work?

istrait commented 5 years ago

Flushed both and rebooted the Pi.

When I ping from the pihole, I get this....

[Screenshot: Capture]

So the blocked domain is www.techsmith.com. When I ping it, it resolves back to the pihole pi ip.

It is almost like the 404 redirect setting in lighttpd .conf is not working right.

roenw commented 5 years ago

PiPass is set to ignore the PiHole’s own IP address but it shouldn’t be resulting in connection refused. Interesting.

istrait commented 5 years ago

I would be willing to allow you to SSH into my pi if you are interested in poking around.

istrait commented 5 years ago

Did a little looking and found that the 404 setting is working correctly. In my browser if I go to an address that does not exist on the Pi, it sends me to the PiPass blockpage.

I am guessing that when I go to a page that is blocked, the system is giving an error that is not 404 so the server does not bring up the blockpage. (I am not very familiar with how you did this, so this is only a theory.)

roenw commented 5 years ago

Is techsmith blocked through a blocklist or the blacklist? Try another domain, such as ads.google.com. At this point, I too am as confused and I don't think sshing will help.

roenw commented 5 years ago

I'll explain how it works:

When you try to access a blocked page, your computer sends a DNS request to the Pi-Hole. The Pi-Hole responds and says that the server is the Pi-Hole's own IP. The reason for 404 is, for example, if you click on a link on Google. It might be https://blockeddomain.com/home/, in which your Pi-Hole will return a 404 error and the blockpage will not appear. The initial PiPass page captures the URL you tried to access, then passes it on to the blockpage along with a redirect.

istrait commented 5 years ago

OK... after looking more, I have something else going on.

ipconfig /all gives the following fragment for the adapter that I am accessing the internet from.

IPv4 Address. . . . . . . . . . . : 192.168.1.83(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, May 28, 2019 8:57:08 PM
Lease Expires . . . . . . . . . . : Wednesday, May 29, 2019 8:57:07 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 242108245
DHCPv6 Client DUID. . . . . . . . : 00-03-00-01-6E-47-55-2F-42-B5
DNS Servers . . . . . . . . . . . : 192.168.1.250

Notice that I have only one DNS server and it is 192.168.1.250, the address of PiHole.

When I nslookup any blocked domain, for some reason, my computer is resolving it. Here is an example.

PS C:\Users\Ian> nslookup update.bittorrent.com
Server: PiHole
Address: 192.168.1.250

Non-authoritative answer:
Name: update.bittorrent.com
Address: 173.254.195.58

This happens for several of the addresses I pulled out of the blocklist.

When I go and do the same nslookup from PiHole, then I get resolution to the pihole server localhost. For example, same blacklisted domain.

pi@PiHole:~ $ nslookup update.bittorrent.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: update.bittorrent.com
Address: 192.168.1.250

So, in summary, I put in a blocked address >> Computer resolves the real IP from the pihole for some reason >> PiHole though resolves it to 127.0.0.1.

I am confused too and am starting to think there is something going on with my router that is causing the issue.

roenw commented 5 years ago

Would you be willing to try a full reinstall of both Pi-Hole and PiPass? I have no idea what else could be causing this.


EvanGrote commented 5 years ago

@roenw could you give a little more context about what the blockpage URL should be? I've been following your suggestions in this thread and my config is mostly identical to istrait's. I'm also not seeing the PiPass page, but I am now seeing the pihole blockpage when navigating to a blocked URL (e.g. ads.google.com)

roenw commented 5 years ago

@EvanGrote The blockpage URL should be:

$conf['blockpage_url'] = "http://<your_pihole_ip>/blockpage/";

Please create a new issue if you need any more assistance. I don't think Ian's problem is the same as yours.

istrait commented 5 years ago

So after rebuilding and reinstalling everything a couple of times this morning, I get a blockpage now and unblocking works. Cannot figure out what was going on.

I am going to re-install the unifi controller on the pi and see if that causes any other issues.

istrait commented 5 years ago

I now know what is causing my problem, but do not know how to fix it or even where to go for help.

I am running pihole and the Ubiquiti UniFi controller on the same pi.

I have used the script that installs only the unifi controller and the dependencies without pihole from here (https://community.ubnt.com/t5/UniFi-Routing-Switching/Step-By-Step-Tutorial-Guide-Raspberry-Pi-with-UniFi-Controller/td-p/2470231). Once the unifi controller is installed, any blocked page gives me an ERR_CONNECTION_REFUSED error in chrome. I am not sure why the unifi controller is blocking connections that result in a 404 and am not sure how to proceed.

roenw commented 5 years ago

I know it wouldn’t be ideal, but having a secondary webserver such as nginx would probably solve the issue. I don’t know why UniFi controller would be blocking 404s.

mickeygoldsmith commented 5 years ago

I am also having this issue...the pihole blocked sites are showing up in chrome as "ERR_CONNECTION_REFUSED" rather than the pipass site options. I've tried flushing the DNS cache on the pihole server and i've looked at the error log and found the following:

2019-05-29 16:37:49: (mod_fastcgi.c.2543) FastCGI-stderr: PHP Notice: Undefined variable: url in /var/www/html/blockpage/index.php on line 19
2019-05-29 16:37:49: (mod_fastcgi.c.2543) FastCGI-stderr: PHP Notice: Undefined variable: adminurl in /var/www/html/blockpage/index.php on line 103
2019-05-29 16:37:49: (mod_fastcgi.c.2543) FastCGI-stderr: PHP Notice: Undefined variable: url in /var/www/html/blockpage/index.php on line 105
2019-05-29 16:44:49: (mod_fastcgi.c.2543) FastCGI-stderr: PHP Notice: Undefined variable: url in /var/www/html/blockpage/index.php on line 19
2019-05-29 16:44:49: (mod_fastcgi.c.2543) FastCGI-stderr: PHP Notice: Undefined variable: adminurl in /var/www/html/blockpage/index.php on line 103
2019-05-29 16:44:49: (mod_fastcgi.c.2543) FastCGI-stderr: PHP Notice: Undefined variable: url in /var/www/html/blockpage/index.php on line 105

Can anyone help?

istrait commented 5 years ago

@roenw what should I put in the /etc/nginx/sites-available/default file?

I am using these instructions to install pihole on nginx webserver. https://docs.pi-hole.net/guides/nginx-configuration/

roenw commented 5 years ago

Here is my nginx configuration file. It is confirmed working with both Pi-Hole and PiPass. Make sure you replace <your_pihole_ip> with the actual ip. @mickeygoldsmith you're welcome to try this solution as well, you might want to wait until Ian tells us whether it works.

Thank you for being so patient with me and my software, Ian :) Working this issue out will help others as well in the future.

server {

        root /var/www;
        index index.php index.html index.htm;

        location / {
                try_files $uri $uri/ =404;
                error_page 404 =200 <your_pihole_ip>;
        }

        location ~ \.php(?:$|/) {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_pass php;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }

        listen 80;
}

istrait commented 5 years ago

Well... I got nginx installed and working, installed pihole without the lighttpd server and have installed pipass.

Now when I go to the server ip, it goes into a loop of some kind on the blockpage i.e. the page just keeps loading in circles with nothing coming up on the screen. Have not even installed UniFi controller yet.

Going to take a little break and dig into this again this weekend. I am not going to give up on this. It is way too cool of a mod for pihole.

@mickeygoldsmith are you running something else on the Pi or is it a standard install? (This may help me track it down.)

roenw commented 5 years ago

@istrait sounds like you have not entered blockpage_url in config, but yeah, sounds like a good idea to take a break. I’m gonna start working on some other projects for the rest of this week as well.

roenw commented 5 years ago

I was screwing around with my NGINX configuration file and I was able to replicate your issue by... disabling SSL! Bingo! Turns out most websites these days pass along an HSTS header (HTTP Strict Transport Security) which forces SSL to happen and drops the connection if an SSL certificate is not supplied. Self signed certificate will work just fine.

I edited the title of your issue so that people facing the same issue can find the answer more easily. Let me know how it goes.

mickeygoldsmith commented 5 years ago

> I was screwing around with my NGINX configuration file and I was able to replicate your issue by... disabling SSL! Bingo! Turns out most websites these days pass along an HSTS header (HTTP Strict Transport Security) which forces SSL to happen and drops the connection if an SSL certificate is not supplied. Self signed certificate will work just fine.
>
> I edited the title of your issue so that people facing the same issue can find the answer more easily. Let me know how it goes.

Do you have suggestions on how to fix this problem?

roenw commented 5 years ago

@mickeygoldsmith Sorry, I was so shocked I might've found the solution that I didn't even write how to apply the fix.

If using lighttpd: https://www.cyberciti.biz/tips/howto-lighttpd-create-self-signed-ssl-certificates.html

If using NGINX: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04

mickeygoldsmith commented 5 years ago

> @mickeygoldsmith Sorry, I was so shocked I might've found the solution that I didn't even write how to apply the fix.
>
> If using lighttpd: https://www.cyberciti.biz/tips/howto-lighttpd-create-self-signed-ssl-certificates.html
>
> If using NGINX: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04

For what domain are we creating the certificate? For the pihole IP address?

roenw commented 5 years ago

Yes. Due to the nature of SSL, you will end up receiving a security warning every time before you reach the blockpage, unless you have a domain with a signed certificate.

mickeygoldsmith commented 5 years ago

> Yes. Due to the nature of SSL, you will end up receiving a security warning every time before you reach the blockpage, unless you have a domain.

But, for some webpages, the pipass came up. For others, it didn't. This is before I implemented any fix. Why would that be?

roenw commented 5 years ago

> > Yes. Due to the nature of SSL, you will end up receiving a security warning every time before you reach the blockpage, unless you have a domain.
>
> But, for some webpages, the pipass came up. For others, it didn't. This is before I implemented any fix. Why would that be?

Some websites pass an HSTS header and some don't. Websites that pass an HSTS header, PiPass will not work on.

mickeygoldsmith commented 5 years ago

I'm new at this, but I think the problem is actually with the iptables: for port 443 (secure connections) the connection is rejected with tcp-reset on the pihole... We should want to change the reject with for port 443 to go to the blockpage, no?

roenw commented 5 years ago

@mickeygoldsmith That very well could be one of the causes. You’re saying that if we simply add 443 to our webserver configuration (no SSL) it’ll work?

mickeygoldsmith commented 5 years ago

@roenw maybe? Tell me what to do and I’ll try it!

roenw commented 5 years ago

@mickeygoldsmith I have tried it, without an SSL certificate, and using 443 results in ERR_SSL_PROTOCOL_ERROR. Unfortunately, it looks like an SSL certificate and listen on 443 is required for it to function properly.

mickeygoldsmith commented 5 years ago

@roenw I'm still getting connection refused...

roenw commented 5 years ago

Can you confirm you have both an SSL certificate and you are listening on 443 for an SSL connection? Please send your webserver configuration file.


JoeSchubert commented 5 years ago

For lighttpd, these directions work easier. I couldn't get the cyberciti ones above to work and it took down my whole webserver.

Just do the top two code sections here and you'll have working ssl on lighttpd

https://redmine.lighttpd.net/projects/lighttpd/wiki/HowToSimpleSSL

mickeygoldsmith commented 5 years ago

> For lighttpd, these directions work easier. I couldn't get the cyberciti ones above to work and it took down my whole webserver.
>
> Just do the top two code sections here and you'll have working ssl on lighttpd
>
> https://redmine.lighttpd.net/projects/lighttpd/wiki/HowToSimpleSSL

this worked until i got an error for not having the subjectAltName in the SSL cert...
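
The subjectAltName error in the last comment arises because current browsers match the address in the URL against the certificate's subjectAltName entries rather than its CN. As an added example (not from the thread or the PiPass project), this script generates a self-signed certificate carrying an IP subjectAltName and checks for it; the function names and file names are assumptions, and 192.168.1.250 is the address used in the thread.

```shell
#!/bin/sh
# Added example: self-signed blockpage certificate with an IP subjectAltName.
# Function names and file names are hypothetical; adjust the IP to your Pi-hole.

# make_blockpage_cert <ip> <outdir> [nosan]
# Writes blockpage.key, blockpage.crt and a combined blockpage.pem to <outdir>.
# Passing "nosan" omits the SAN to reproduce the CN-only failure case.
make_blockpage_cert() {
    ip=$1; out=$2; mode=${3:-san}
    mkdir -p "$out" || return 1
    san_line="subjectAltName = IP:$ip"
    [ "$mode" = nosan ] && san_line=""
    # Config file instead of -addext so older OpenSSL releases work too.
    cat > "$out/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $ip
[v3]
basicConstraints = CA:FALSE
$san_line
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$out/openssl.cnf" \
        -keyout "$out/blockpage.key" -out "$out/blockpage.crt" \
        2>/dev/null || return 1
    # Combined key+cert file, the layout lighttpd's ssl.pemfile accepts;
    # nginx takes the .crt and .key separately.
    cat "$out/blockpage.key" "$out/blockpage.crt" > "$out/blockpage.pem"
    chmod 600 "$out/blockpage.key" "$out/blockpage.pem"
}

# cert_has_ip_san <cert.pem> <ip>
# Succeeds only if the certificate lists exactly this IP in its SAN extension.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        grep -Fxq "IP Address:$2"
}

# Demo: one certificate with the SAN, one CN-only, both in a temp directory.
demo_dir=$(mktemp -d)
make_blockpage_cert 192.168.1.250 "$demo_dir/good"
make_blockpage_cert 192.168.1.250 "$demo_dir/bad" nosan
for d in good bad; do
    if cert_has_ip_san "$demo_dir/$d/blockpage.crt" 192.168.1.250; then
        echo "$d: IP subjectAltName present"
    else
        echo "$d: IP subjectAltName missing (browser reports a name mismatch)"
    fi
done
rm -rf "$demo_dir"
```

A self-signed certificate still produces the browser trust warning roenw describes; the SAN only removes the name-mismatch error.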