Remove 443 from example yaml/readme and scripts. #755
Comments
|
What is the practical effect of not giving pi-hole access to 443? I get that there is some portion of ads that use SSL, but do we know generally how many? I'm struggling to run pi-hole on the same server as NGINX Proxy Manager because they both need to listen on 443. I can give the server's ethernet interface a second IPv4 address with ease and bind pi-hole to that, but since I'm getting the server's primary address with DHCPv6, I can't add a static IPv6 address to eth0. Manjaro uses network manager, and it just won't do it. Funnily enough, more often than not, the set up tutorials I find for pi-hole deliberately do something like "4343:443" when setting up the docker container. It breaks ad-blocking for SSL ads, but apparently it's enough of a problem that people just do it anyway (?). |
|
TL;DR - you can safely unbind port 443. There is nothing inside the container listening on that port It harks back to a time when the default blocking mode on FTL was IP blocking. The idea being that a request for a blocked domain would be given the IP address of the Pi-hole, and the Pi-hole would then be able to serve up a page in place of the blocked content. However, with the rise of https, this is next to impossible without forging/self-signing certificates for all the blocked domains. As such, the default blocking mode is to return 0.0.0.0, and we will be making moves to remove the advanced block page functionality. |
|
Thank you.
I’ve been struggling with this for a few weeks now. I read the docs on the main page and assumed I had to let pihole listen on 443, and it’s been causing me issues ever sense.
The most reliable solution I found was to buy a USB-to-Ethernet dongle and devote that second interface entirely to pihole, but that made the Pi’s network unstable and slow. I spun up a Linode Nanode for the first time ever last night and was going to put pihole in that, but I’m getting hit by that 5.4 bug that won’t let it launch ( #762 (comment) )—even the solution that worked for pretty much everyone else isn’t working for me.
I was about to give up on the whole thing.
I’ll try it again without binding 443. Thanks again!
- JTD.
… On Jan 18, 2021, at 2:22 AM, Adam Warner ***@***.***> wrote:
TL;DR - you can safely unbind port 443. There is nothing inside the container listening on that port
It harks back to a time when the default blocking mode <https://docs.pi-hole.net/ftldns/blockingmode/>on FTL was IP blocking. The idea being that a request for a blocked domain would be given the IP address of the Pi-hole, and the Pi-hole would then be able to serve up a page <https://github.com/pi-hole/pi-hole/blob/master/advanced/index.php> in place of the blocked content.
However, with the rise of https, this is next to impossible without forging/self-signing certificates for all the blocked domains. As such, the default blocking mode is to return 0.0.0.0, and we will be making moves to remove the advanced block page functionality <pi-hole/pi-hole#3910>.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#755 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AGI5CYRLABIBIBYGMENDHQLS2PVV5ANCNFSM4V3577KQ>.
|
|
I still haven't quite understood why it even would need 80?! (besides the web interface that could be on any other port) |
|
Blockpage. |
|
As @johntdavis84 I worked on getting SSL working on my pi-hole, as the documentation states this is important
I had some issues with slow response times using the web and assumed that Pi-Hole could be the source. So I looked for downsides in my setup and one of them seems missing SSL. Please remove this from the documentation, as it obviously confused users like me. |
Remove what from where? Please link to the exact section that you are referring to. |
I'm referring to the quoted paragraph ("Port 443 is to provide...") above, it's in https://github.com/pi-hole/docker-pi-hole/blob/master/README.md#running-pi-hole-docker (I don't now, how to link this more exactly.) |
|
I gotcha |
Thanks! |
|
@dschaper , @PromoFaux , Hi, Sorry, but I don't understand why 443 is not used in the container ? Does this mean I can't connect to pi-hole with HTTPS ? Is it possible, to have a dedicated documentation / sample to setup pi-hole in docker with HTTPS to access it with Caddy may be ? Shoud I open a dedicated issue about that because I suppose I'm not the only one that is trying to do that… ? Thank you very much. Best regards, |
|
If you're just trying to access the web interface via https, then set it up behind a reverse proxy as you would any other website - no dedicated documentation needed on this end. |
|
Hi @PromoFaux , @dschaper , Thank you for the update but I think a dedicated documentation is needed because on Discourse there is a FAQ that explain How to do that in the "normal" setup BUT not in the case of Docker. Moreover, in the pihole official documentation, there is a part for the installation "normal" but no mention How to do that with Docker and the same there is a part about "webserver" and Caddy BUT not mention of How to setup correctly Docker pi-hole + Caddy as a reverse proxy to enable https… Is it possible to improve the documentation with more clarification it would be very helpfull for the community. Is it possible to do PR for the documentation ? How to proceed ? Thank you very much for your help. Best regards, |
|
Official stance: There is no need to expose the Pi-hole web interface to the public internet. If you do need to access it remotely - use a VPN. We have a guide on how to set up a VPN. I've retagged the post on discourse as a community how-to, as it's not really an officially supported guide. If you really really insist on accessing your Pi-hole web interface over the internet, then there are plenty of hits on Google (or your favourite search engine) for how to set up a reverse proxy (such as traefik, caddy, nginx) to put your site's behind Https rather than http. It's a pretty generic process that doesn't need a specific Pi-hole guide, so it's not something we will be writing a guide for. Ps. A note of courtesy: |
Expected behavior
We don't use 443, not sure why it's being configured.
The text was updated successfully, but these errors were encountered: