pi-hole / docker-pi-hole

Pi-hole in a docker container
https://pi-hole.net

Remove 443 from example yaml/readme and scripts. #755

Open dschaper opened 3 years ago

dschaper commented 3 years ago

Expected behavior

We don't use 443, not sure why it's being configured.

dschaper commented 3 years ago

https://github.com/pi-hole/docker-pi-hole/blob/master/docker_run.sh

https://github.com/pi-hole/docker-pi-hole/blob/master/docker-compose.yml.example

https://github.com/pi-hole/docker-pi-hole/blob/master/README.md

casperklein commented 3 years ago

https://github.com/pi-hole/docker-pi-hole/blob/master/Dockerfile

johntdavis84 commented 3 years ago

What is the practical effect of not giving pi-hole access to 443?

I get that there is some portion of ads that use SSL, but do we know generally how many?

I'm struggling to run pi-hole on the same server as NGINX Proxy Manager because they both need to listen on 443. I can give the server's ethernet interface a second IPv4 address with ease and bind pi-hole to that, but since I'm getting the server's primary address with DHCPv6, I can't add a static IPv6 address to eth0. Manjaro uses network manager, and it just won't do it.

Funnily enough, more often than not, the setup tutorials I find for pi-hole deliberately do something like "4343:443" when setting up the docker container. It breaks ad-blocking for SSL ads, but apparently it's enough of a problem that people just do it anyway (?).

PromoFaux commented 3 years ago

TL;DR - you can safely unbind port 443. There is nothing inside the container listening on that port

It harks back to a time when the default blocking mode on FTL was IP blocking. The idea being that a request for a blocked domain would be given the IP address of the Pi-hole, and the Pi-hole would then be able to serve up a page in place of the blocked content.

However, with the rise of https, this is next to impossible without forging/self-signing certificates for all the blocked domains. As such, the default blocking mode is to return 0.0.0.0, and we will be making moves to remove the advanced block page functionality.
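A quick way to verify the claim above before dropping the `443:443` mapping: list the listening sockets inside the container and see whether anything is bound to 443. This is an added example, not code from the pi-hole project; it assumes a container named `pihole` with `ss` (iproute2) available inside it, and runs offline against a constructed sample of `ss -lnt` output.

```shell
#!/bin/sh
# Added example (not from the pi-hole project): confirm that nothing in the
# container listens on TCP 443 before removing the "443:443" host mapping.
# Live use (assumes a container named "pihole" with iproute2 inside it):
#   docker exec pihole ss -lnt | listens_on 443 && echo "443 is in use"

# listens_on PORT: reads `ss -lnt` output on stdin; returns 0 if any
# LISTEN socket is bound to PORT on any address (IPv4 or IPv6), else 1.
listens_on() {
  awk -v p="$1" '
    $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample of `ss -lnt` output from a Pi-hole container:
# DNS (FTL) on 53, the web server on 80, nothing on 443.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:53          0.0.0.0:*
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    [::]:53             [::]:*'

# port_in_use PORT: runs listens_on over the constructed sample.
port_in_use() { printf '%s\n' "$SAMPLE_SS" | listens_on "$1"; }

# Which of the host mappings from the old compose example are backed by a
# listener? 443 comes out "unused", so its mapping can be dropped.
for port in 53 80 443; do
  if port_in_use "$port"; then
    echo "port $port: in use"
  else
    echo "port $port: unused (safe to drop the mapping)"
  fi
done
```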

johntdavis84 commented 3 years ago

Thank you.

I’ve been struggling with this for a few weeks now. I read the docs on the main page and assumed I had to let pihole listen on 443, and it’s been causing me issues ever since.

The most reliable solution I found was to buy a USB-to-Ethernet dongle and devote that second interface entirely to pihole, but that made the Pi’s network unstable and slow. I spun up a Linode Nanode for the first time ever last night and was going to put pihole in that, but I’m getting hit by that 5.4 bug that won’t let it launch ( https://github.com/pi-hole/docker-pi-hole/issues/762#issuecomment-762099147 )—even the solution that worked for pretty much everyone else isn’t working for me.

I was about to give up on the whole thing.

I’ll try it again without binding 443. Thanks again!

- JTD.


tcurdt commented 3 years ago

I still haven't quite understood why it would even need 80?! (besides the web interface, which could be on any other port) I thought the idea is to just return 0.0.0.0 for certain DNS entries. That's on 53.

dschaper commented 3 years ago

Blockpage.

limes007 commented 3 years ago

Like @johntdavis84, I worked on getting SSL working on my pi-hole, as the documentation states this is important:

Port 443 is to provide a sinkhole for ads that use SSL. If only port 80 is used, then blocked HTTPS queries will fail to connect to port 443 and may cause long loading times. Rejecting 443 on your firewall can also serve this same purpose. Ubuntu firewall example: sudo ufw reject https

I had some issues with slow response times using the web and assumed that Pi-Hole could be the source. So I looked for downsides in my setup, and one of them seemed to be missing SSL.

Please remove this from the documentation, as it obviously confused users like me.

dschaper commented 3 years ago

Please remove this from the documentation

Remove what from where? Please link to the exact section that you are referring to.

limes007 commented 3 years ago

Remove what from where? Please link to the exact section that you are referring to.

I'm referring to the quoted paragraph ("Port 443 is to provide...") above, it's in https://github.com/pi-hole/docker-pi-hole/blob/master/README.md#running-pi-hole-docker

(I don't know how to link this more exactly.)

PromoFaux commented 3 years ago

I gotcha

https://github.com/pi-hole/docker-pi-hole/pull/837/commits/4f531d9e78a2cbcaa51b6e8d39605cd951f29499

limes007 commented 3 years ago

I gotcha

Thanks!

craph commented 3 years ago

@dschaper, @PromoFaux, hi, I was looking for documentation to set up HTTPS for pi-hole in docker and I landed on this issue.

Sorry, but I don't understand why 443 is not used in the container? Does this mean I can't connect to pi-hole with HTTPS?

Is it possible to have dedicated documentation / a sample to set up pi-hole in docker with HTTPS, to access it with Caddy maybe?

Should I open a dedicated issue about that, because I suppose I'm not the only one trying to do that…?

Thank you very much.

Best regards,

PromoFaux commented 3 years ago

If you're just trying to access the web interface via https, then set it up behind a reverse proxy as you would any other website - no dedicated documentation needed on this end.

craph commented 3 years ago

Hi @PromoFaux , @dschaper ,

Thank you for the update, but I think dedicated documentation is needed because on Discourse there is a FAQ that explains how to do that in the "normal" setup BUT not in the case of Docker.

Here is the link

Moreover, in the pihole official documentation there is a part for the "normal" installation but no mention of how to do that with Docker, and likewise there is a part about "webserver" and Caddy BUT no mention of how to set up Docker pi-hole + Caddy correctly as a reverse proxy to enable https… In the documentation here, in the docker part, there is only "DHCP", but I think a dedicated part for the "setup" and links would be very helpful. Then, in this documentation it talks about a webserver, but I think "reverse proxy" is the correct word. And this page doesn't explain how to set it up in case we are using docker pi-hole.

Is it possible to improve the documentation with more clarification? It would be very helpful for the community.

Is it possible to do PR for the documentation ?

How to proceed ?

Thank you very much for your help.

Best regards,

PromoFaux commented 3 years ago

Official stance:

There is no need to expose the Pi-hole web interface to the public internet.

If you do need to access it remotely - use a VPN.

We have a guide on how to set up a VPN.

I've retagged the post on discourse as a community how-to, as it's not really an officially supported guide.

If you really really insist on accessing your Pi-hole web interface over the internet, then there are plenty of hits on Google (or your favourite search engine) for how to set up a reverse proxy (such as traefik, caddy, nginx) to put your sites behind HTTPS rather than HTTP.

It's a pretty generic process that doesn't need a specific Pi-hole guide, so it's not something we will be writing a guide for.

PS. A note of courtesy: no need to tag people in your replies - we get notified anyway.