PiPass/blockpage

PiPass returning 404 instead of blockpage

mihcox opened this issue · 47 comments

I have set up PiPass successfully and have tested it, and it is working as expected on the Pi-hole itself. It does not work on any other machine in my network. Did I miss something in the configuration?

roenw commented

Could you please elaborate on how it's not working? Is it not blocking ads and what happens when you visit what should be a blocked domain?

When I go to a blocked webpage on my Pi-hole, I see the PiPass notification as expected. When I access the same page from another device in my LAN, I do not see the block page, only a 404 error.

roenw commented

Are you using lighttpd as your webserver? You need to configure it to direct all 404 pages to index.php.

I'm sorry, I am still new to this. I have confirmed I have lighttpd, and do not have Apache. How do I direct all 404s to index.php?

I did configure the config file as below:

$conf['blockpage_url'] = "http://192.168.254.9/blockpage";

roenw commented

Find the line with server.error-handler-404 and replace it with server.error-handler-404 = "index.php", and if it doesn't exist, add it.

There is no line in my config that has that file. I should add a line that says:

$conf['server.error-handler-404'] = "index.php";

to my config.php file?

roenw commented

Sorry I forgot to say, it should be in the lighttpd config file, at /etc/lighttpd/lighttpd.conf

That entry exists, and an index.php file exists in my /html folder.

roenw commented

Can you post the lighttpd config file?

roenw commented

Can you do cat /var/www/html/index.php and ls /var/www/html?

<script> document.getElementById('urlpass').submit(); </script>
EOL;
---------------------------------------------------------
admin blockpage config.php custom_disable_timer index.php pihole

roenw commented

At this point it looks like there are some config files which are broken, maybe due to the installer prematurely exiting. I would recommend a reinstall of PiPass (not Pi-Hole). To do this, run the following commands and follow through the prompts. After you reinstall, change the config.php file's blockpage directive to what it was before.

bash <(wget -qO- https://sputnik.roen.us/pipass/scripts/uninstall.sh)
bash <(wget -qO- https://sputnik.roen.us/pipass/scripts/install.sh)

I have done this. Still working on the local machine (pihole) but not on my phone or desktop or laptop on the same network. Do I need to bounce the pihole/router/anything to make sure the DNS connections are proper?

roenw commented

Ok, this is a weird issue. What is the result of an nslookup of a blocked domain? It should return the Pi's IP address.

On a different device, attempt to access a blocked domain without a path, such as ads.google.com instead of http://ads.google.com/home/.

Also try to access a blocked domain with a path, like http://ads.google.com/home/

C:\Users\Michael Cox>nslookup www.facebook.com
Server: raspberrypi
Address: 192.168.254.9
Name: star-mini.c10r.facebook.com
Addresses: 2a03:2880:f134:183:face:b00c:0:25de
192.168.254.9
Aliases: www.facebook.com

Both "facebook.com" and "http://www.facebook.com" come back "refused to connect"

roenw commented

Issue might be related to the use of HSTS on Facebook’s website. If you open a private browsing window and go to http://facebook.com does it show the PiPass page?

Is the IPv6 address the one belonging to your Pi-Hole?

Edit: Never mind, it looks like your Pi-Hole is blocking for IPv4 but not IPv6. Can you do cat /etc/pihole/pihole-FTL.conf?

If you recently introduced v6 to your network you will likely need to perform a full reinstall of your Pi-Hole to enable v6 blocking.
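
Added example, not part of the original thread or of PiPass: a Python check that reads nslookup output for a blocklisted name and separates the answers that point at the Pi-hole from the answers that still point at the real site, which is the IPv4-only blocking described in the comment above. The function names are hypothetical; the sample is the output quoted in this thread, and 192.168.254.9 is the Pi-hole address given there.

```python
import ipaddress

# Constructed sample: the Windows nslookup output quoted in this thread.
SAMPLE = """\
Server: raspberrypi
Address: 192.168.254.9
Name: star-mini.c10r.facebook.com
Addresses: 2a03:2880:f134:183:face:b00c:0:25de
192.168.254.9
Aliases: www.facebook.com
"""


def parse_answers(nslookup_text):
    """Return the addresses listed after 'Name:' (the answer section)."""
    answers, in_answer = [], False
    for line in nslookup_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "Name:":
            in_answer = True  # lines before this describe the resolver itself
            continue
        if in_answer:
            try:
                # The address is the last token, with or without a label.
                answers.append(ipaddress.ip_address(tokens[-1]))
            except ValueError:
                pass  # not an address, e.g. the "Aliases:" line
    return answers


def audit_block(nslookup_text, pihole_addrs):
    """Split answers into those that hit the Pi-hole and those that bypass it."""
    sinkholes = {ipaddress.ip_address(a) for a in pihole_addrs}
    blocked, leaked = [], []
    for addr in parse_answers(nslookup_text):
        (blocked if addr in sinkholes else leaked).append(addr)
    return blocked, leaked


def leaked_families(leaked):
    """Address families that still resolve to the real site."""
    return sorted({f"IPv{a.version}" for a in leaked})


if __name__ == "__main__":
    blocked, leaked = audit_block(SAMPLE, ["192.168.254.9"])
    print("blocked:", blocked, "leaked:", leaked, leaked_families(leaked))
```

A non-empty leaked list for a blocklisted domain means clients that prefer that address family connect to the real host and never reach the block page.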

roenw commented

Please see my edited post. Also, I would like to clarify: on the LAN devices (not the Pi-Hole), is it showing a 404 or a connection refused page?

I have never used ipv6.

root@raspberrypi:/var/www/html# cat /etc/pihole/pihole-FTL.conf
PRIVACYLEVEL=0
BLOCKINGMODE=IP

The 192.168.254.9 is pihole IP, but the ipv6 does not match the one when I run "ip -6 addr" on the pihole.

www.facebook.com refused to connect.

Even in incognito it does the same thing.

One thing I am running, on my merlin/asus router I am running DNS filtering to push everything through the PiHole with my pihole as the only dns server inside the network configuration.

roenw commented

Ok. To make sure this isn’t an HTTPS-related issue, which it might be, please go into the Admin console and manually blacklist neverssl.com. Then go into a private window and try to access it and we’ll see what happens.

If I go to 192.168.254.9, instead of 192.168.254.9/admin/, on another machine on my network, I do see the block page. But not for any other blocked site. I will check what you suggested now.

When I go to neverssl.com, I do see the block page as expected, even though it takes about 3 seconds to load.

http://192.168.254.9/blockpage/?url=neverssl.com is what is in the address bar, I assume as expected.

roenw commented

Yes, that is what we expected. What happens if you go to http://neverssl.com/abcdefghi? 404?

400 Bad Request

Bump, @roenw thanks for your help so far.

roenw commented

Sorry I was asleep :) I think that lighttpd substitutes "400 bad request" for "404 not found" so it's not dealing with the 404s correctly. One possibility is that lighttpd hasn't been restarted since the PiPass installer ran, so I would try to first restart it.

If that doesn't work, which is likely, back the original config up and replace it with this:

# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Lighttpd config for Pi-hole
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.

###############################################################################
#     FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE.     #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
#                                                                             #
#              CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE:              #
#                         /etc/lighttpd/external.conf                         #
###############################################################################

server.modules = (
	"mod_access",
	"mod_accesslog",
	"mod_auth",
	"mod_expire",
	"mod_compress",
	"mod_redirect",
	"mod_setenv",
	"mod_rewrite"
)

server.document-root        = "/var/www/html"
server.error-handler-404    = "index.php"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 80
accesslog.filename          = "/var/log/lighttpd/access.log"
accesslog.format            = "%{%s}t|%V|%r|%s|%b"

index-file.names            = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny             = ( "~", ".inc", ".md", ".yml", ".ini" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir          = "/var/cache/lighttpd/compress/"
compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )

mimetype.assign   = ( ".png"  => "image/png",
                      ".jpg"  => "image/jpeg",
                      ".jpeg" => "image/jpeg",
                      ".html" => "text/html",
                      ".css" => "text/css; charset=utf-8",
                      ".js" => "application/javascript",
                      ".json" => "application/json",
                      ".txt"  => "text/plain",
                      ".svg"  => "image/svg+xml" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port

# Prevent Lighttpd from enabling Let's Encrypt SSL for every blocked domain
#include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
include_shell "find /etc/lighttpd/conf-enabled -name '*.conf' -a ! -name 'letsencrypt.conf' -printf 'include \"%p\"\n' 2>/dev/null"

# If the URL starts with /admin, it is the Web interface
$HTTP["url"] =~ "^/admin/" {
    # Create a response header for debugging using curl -I
    setenv.add-response-header = (
        "X-Pi-hole" => "The Pi-hole Web interface is working!",
        "X-Frame-Options" => "DENY"
    )

    $HTTP["url"] =~ ".ttf$" {
        # Allow Block Page access to local fonts
        setenv.add-response-header = ( "Access-Control-Allow-Origin" => "*" )
    }
}

# Block . files from being served, such as .git, .github, .gitignore
$HTTP["url"] =~ "^/admin/\.(.*)" {
     url.access-deny = ("")
}

# Add user chosen options held in external file
# This uses include_shell instead of an include wildcard for compatibility
include_shell "cat external.conf 2>/dev/null"

And restart it.

I did both of those. Still not working as expected.

I get the blockpage for neverssl.com on all devices locally now.
I get 400 Bad Request on http://neverssl.com/12341241
facebook.com (in my blocklist) gets www.facebook.com refused to connect

roenw commented

Facebook is refusing to connect because it uses HSTS. Paging @plankobostjan and @yoinx if they have any ideas on the 400 Bad Request. Unfortunately we don't have a fix for this but there's something in the works.

roenw commented

Right now I think we would come to a resolution faster if you create an image of your Pi and I can spin it up in a VM on my LAN to try and debug until I find the problem.

If you'd like to go this route, please do the following:

  1. Flush your Pi-Hole's DNS logs through the Administration panel for privacy reasons
  2. Change the user password to something that doesn't remotely resemble your current password. If you don't want to transmit the password in the clear, feel free to encrypt your password with my public PGP key available at https://pgp.roen.us.
  3. Take an ISO image of your Pi-Hole
  4. Upload ISO to this Google Drive folder

Thanks for being so patient! The whole process should take no more than 10-20 minutes.

I did all of that, but I have the pihole running on a 32 GB stick, which is too large for your google drive. I have hosted it on my oneDrive: https://1drv.ms/u/s!AqUMsZf4BnC1gqsJKs387y5FRAwoLQ?e=r90bd3

Hopefully, that works for you, and thank you for working on my issue!

roenw commented

Yes, that works great!! I will have a look tomorrow.

roenw commented

As I’m on my phone right now I can’t extract the image at this moment. Could you tell me where to find the image username/password?

That would be the username/password for my Raspbian?

roenw commented

Yes

pi / Ticket1310

Thanks again!

roenw commented

Dang... got super close to the end of the download then it cut out. Hopefully Firefox keeps the first bit cached and then I can just download what's left.

roenw commented

That might be the better option since I wasn’t able to finish the 32gb download in the first place

I am still struggling to move the SD card to a smaller format. If you want to continue again while I continue to work on it, I would appreciate it.

I will continue to work on moving it to an 8gb card today.

roenw commented

I was able to completely download the file now, no need to try to shrink the image.

roenw commented

Sorry I've been really busy with life stuff lately, I'll try to get to debugging tomorrow.

No problem, take your time!

roenw commented

I'm having trouble running the .img file, do you think you can provide a .iso?

roenw commented

Closed due to inactivity. Feel free to reopen later if you still need help.