Pi-hole/lighttpd config

CA_Lobo · August 20, 2023, 3:31am

Creating a bug report/issue

Required Information

DietPi version |
G_DIETPI_VERSION_CORE=8
G_DIETPI_VERSION_SUB=20
G_DIETPI_VERSION_RC=1
G_GITBRANCH=‘master’
G_GITOWNER=‘MichaIng’
G_LIVE_PATCH_STATUS[0]=‘applied’
Distro version
bookworm
Kernel version
Linux DietPi 6.1.11-meson64 #23.02.2 SMP PREEMPT Sat Feb 18 00:07:55 UTC 2023 aarch64 GNU/Linux
Architecture
arm64
SBC model
Odroid N2 (aarch64)
Power supply used
provided power adapter
SD card used
none - eMMC

Additional Information (if applicable)

Software title | lighttpd/1.4.69, unbound 1.17.1
Software title freshly installed
Can this issue be replicated on a fresh installation of DietPi? Did not try

Steps to reproduce

pihole appears to not follow lighttpd config standards and places a COPY of the 99-dietpi-pihole.conf in the conf-enabled director vs making a link eg:

/etc/lighttpd/conf-enabled# ls -l

lrwxrwxrwx 1 root root 32 Jul 29 06:48 05-setenv.conf → …/conf-available/05-setenv.conf
lrwxrwxrwx 1 root root 33 Jul 29 06:43 10-fastcgi.conf → …/conf-available/10-fastcgi.conf
lrwxrwxrwx 1 root root 32 Aug 2 05:31 10-status.conf → …/conf-available/10-status.conf
lrwxrwxrwx 1 root root 41 Jul 29 06:43 15-fastcgi-php-fpm.conf → …/conf-available/15-fastcgi-php-fpm.conf
lrwxrwxrwx 1 root root 58 Jul 29 06:49 99-dietpi-pihole-block_public_admin.conf → …/conf-available/99-dietpi-pihole-block_public_admin.conf
-rw-r–r-- 1 root root 1136 Jul 30 23:36 99-dietpi-pihole.conf
lrwxrwxrwx 1 root root 38 Jul 29 06:43 99-unconfigured.conf → …/conf-available/99-unconfigured.conf

diff between the two files:

/etc/lighttpd/conf-available# diff 99-dietpi-pihole.conf …/conf-enabled/99-dietpi-pihole.conf
15c15
< “X-XSS-Protection” => “1; mode=block”,

 "X-XSS-Protection" => "0",

Expected behaviour

Per lighttpd config notes - a link is to be generated TO the appropriate /conf-available file in the conf-enabled file.

Actual behaviour

There’s an actual file in the /conf-enable directory AND it does not match the /conf-available file.

Extra details

I’m new to both dietpi and to lighttpd. The setup (lighttpd/pihole/unbound) seems to be working correctly, and I don’t recall any weird steps when installing except installing pihole/unbound the day after I installed dietpi and lighttpd… So this may be a user error, but I wanted to document it and see if anyone else was seeing the same thing…

Jappe · August 20, 2023, 10:44am

Same on my system, also same differences in the files.
But according to pihole-admin.conf on piholes GitHub, this option (x-xss-protection) is deprecated and should be set to 0.
So the fix is

mv /etc/lighttpd/conf-enabled/99-dietpi-pihole.conf /etc/lighttpd/conf-available/99-dietpi-pihole.conf
lighttpd-enable-mod dietpi-pihole
systemctl force-reload lighttpd.service

Optional verifycation to check if the symlink was set: ls -la /etc/lighttpd/conf-enabled

Jappe · August 20, 2023, 12:11pm

Ok the initial config of pihole looks fine, but the culprit is a dietpi patch, which cares about the deprecated X-XXS-protection setting.

https://github.com/MichaIng/DietPi/blob/17a32753cea78821406556b1e0738eff8c6a526e/.update/patches#L1401

See also:
https://github.com/JappeHallunken/DietPi/pull/1/commits/ae8b56d4b51cbf400f32f1111eca2d1592f2d158

Joulinar · August 20, 2023, 1:51pm

@Jappe are you going to take care on this together with @MichaIng

Jappe · August 20, 2023, 2:56pm

Yes, I already made a PR but not sure which is best practice.
The sed command could be executed with --follow-symlinks but we also need to care about the already false configs from the patch with the fix I mentioned earlier.

MichaIng · August 20, 2023, 7:51pm

First of all I fixed the patch. It was never intended to do any sed on conf-enabled. I just did not review carefully when merging the related PR: v8.21 · MichaIng/DietPi@d2edff5 · GitHub

Shall we also add a new patch for DietPi v8.21, like this:

[[ -f '/etc/lighttpd/conf-enabled/99-dietpi-pihole.conf' && ! -L '/etc/lighttpd/conf-enabled/99-dietpi-pihole.conf' ]] && G_EXEC mv /etc/lighttpd/conf-{enabled,available}/99-dietpi-pihole.conf && G_EXEC ln -sf /etc/lighttpd/conf-{available,enabled}/99-dietpi-pihole.conf

So if the one in conf-enabled exists but is not a symlink, move it from enabled to available (hence preserve the currently effectvie config) and then recreate the intended symlink.

CA_Lobo · August 20, 2023, 8:15pm

Hi Guys, I just want to say ‘thank you’ and note that I’m impressed as to the speed that you have addressed this minor concern, while at the same time preventing any data loss if changes have been made to the config file. Dan

Jappe · August 21, 2023, 4:05pm

Yes, it will work without this but also prevent possible future confusion.