Pi-hole/lighttpd config

Creating a bug report/issue

Required Information

  • DietPi version
    G_DIETPI_VERSION_CORE=8
    G_DIETPI_VERSION_SUB=20
    G_DIETPI_VERSION_RC=1
    G_GITBRANCH='master'
    G_GITOWNER='MichaIng'
    G_LIVE_PATCH_STATUS[0]='applied'
  • Distro version
    bookworm
  • Kernel version
    Linux DietPi 6.1.11-meson64 #23.02.2 SMP PREEMPT Sat Feb 18 00:07:55 UTC 2023 aarch64 GNU/Linux
  • Architecture
    arm64
  • SBC model
    Odroid N2 (aarch64)
  • Power supply used
    provided power adapter
  • SD card used
    none - eMMC

Additional Information (if applicable)

  • Software title | lighttpd/1.4.69, unbound 1.17.1
  • Software title freshly installed
  • Can this issue be replicated on a fresh installation of DietPi? Did not try

Steps to reproduce

pihole appears to not follow lighttpd config standards and places a COPY of the 99-dietpi-pihole.conf in the conf-enabled directory vs. making a link, e.g.:

/etc/lighttpd/conf-enabled# ls -l

lrwxrwxrwx 1 root root 32 Jul 29 06:48 05-setenv.conf -> ../conf-available/05-setenv.conf
lrwxrwxrwx 1 root root 33 Jul 29 06:43 10-fastcgi.conf -> ../conf-available/10-fastcgi.conf
lrwxrwxrwx 1 root root 32 Aug 2 05:31 10-status.conf -> ../conf-available/10-status.conf
lrwxrwxrwx 1 root root 41 Jul 29 06:43 15-fastcgi-php-fpm.conf -> ../conf-available/15-fastcgi-php-fpm.conf
lrwxrwxrwx 1 root root 58 Jul 29 06:49 99-dietpi-pihole-block_public_admin.conf -> ../conf-available/99-dietpi-pihole-block_public_admin.conf
-rw-r--r-- 1 root root 1136 Jul 30 23:36 99-dietpi-pihole.conf
lrwxrwxrwx 1 root root 38 Jul 29 06:43 99-unconfigured.conf -> ../conf-available/99-unconfigured.conf

diff between the two files:

/etc/lighttpd/conf-available# diff 99-dietpi-pihole.conf ../conf-enabled/99-dietpi-pihole.conf
15c15
< "X-XSS-Protection" => "1; mode=block",
---
> "X-XSS-Protection" => "0",

Expected behaviour

Per lighttpd config notes - a link is to be generated TO the appropriate /conf-available file in the conf-enabled file.

Actual behaviour

There’s an actual file in the /conf-enabled directory AND it does not match the /conf-available file.

Extra details

I’m new to both dietpi and to lighttpd. The setup (lighttpd/pihole/unbound) seems to be working correctly, and I don’t recall any weird steps when installing except installing pihole/unbound the day after I installed dietpi and lighttpd… So this may be a user error, but I wanted to document it and see if anyone else was seeing the same thing…

Same on my system, also same differences in the files.
But according to pihole-admin.conf on Pi-hole's GitHub, this option (x-xss-protection) is deprecated and should be set to 0.
So the fix is

mv /etc/lighttpd/conf-enabled/99-dietpi-pihole.conf /etc/lighttpd/conf-available/99-dietpi-pihole.conf
lighttpd-enable-mod dietpi-pihole
systemctl force-reload lighttpd.service

Optional verification to check if the symlink was set: ls -la /etc/lighttpd/conf-enabled

OK, the initial config of pihole looks fine, but the culprit is a dietpi patch, which cares about the deprecated X-XSS-Protection setting.

https://github.com/MichaIng/DietPi/blob/17a32753cea78821406556b1e0738eff8c6a526e/.update/patches#L1401

See also:
https://github.com/JappeHallunken/DietPi/pull/1/commits/ae8b56d4b51cbf400f32f1111eca2d1592f2d158

@Jappe are you going to take care of this together with @MichaIng?

Yes, I already made a PR but not sure which is best practice.
The sed command could be executed with --follow-symlinks but we also need to care about the already false configs from the patch with the fix I mentioned earlier.

First of all I fixed the patch. It was never intended to do any sed on conf-enabled. I just did not review carefully when merging the related PR: v8.21 · MichaIng/DietPi@d2edff5 · GitHub

Shall we also add a new patch for DietPi v8.21, like this:

[[ -f '/etc/lighttpd/conf-enabled/99-dietpi-pihole.conf' && ! -L '/etc/lighttpd/conf-enabled/99-dietpi-pihole.conf' ]] && G_EXEC mv /etc/lighttpd/conf-{enabled,available}/99-dietpi-pihole.conf && G_EXEC ln -sf /etc/lighttpd/conf-{available,enabled}/99-dietpi-pihole.conf

So if the one in conf-enabled exists but is not a symlink, move it from enabled to available (hence preserve the currently effective config) and then recreate the intended symlink.

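The check and repair discussed above, generalized to every *.conf entry in conf-enabled, as an added example (not part of any post in this thread and not DietPi's own code). The function names, status labels, the .bak backup of the old conf-available copy and the constructed temp-dir layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not DietPi code: find conf-enabled entries that are regular
# files rather than symlinks, and repair them the way the thread proposes.

# audit_conf_enabled ENABLED_DIR AVAILABLE_DIR
# Prints "STATUS name" per *.conf entry; returns 1 if any entry is not OK.
audit_conf_enabled() {
    enabled=$1 available=$2 rc=0
    for f in "$enabled"/*.conf; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        name=${f##*/}
        if [ -L "$f" ]; then
            if [ -e "$f" ]; then echo "OK $name"; else echo "DANGLING $name"; rc=1; fi
        elif [ ! -f "$available/$name" ]; then
            echo "COPY-NO-SOURCE $name"; rc=1
        elif cmp -s "$f" "$available/$name"; then
            echo "COPY-IDENTICAL $name"; rc=1
        else
            echo "COPY-DIVERGED $name"; rc=1   # the case reported in this thread
        fi
    done
    return $rc
}

# repair_copy ENABLED_DIR AVAILABLE_DIR NAME  (directories must be absolute paths)
# Moves the effective file into conf-available and symlinks it back. Keeping
# the old conf-available copy as NAME.bak is an addition made for this example.
repair_copy() {
    src=$1/$3 dst=$2/$3
    [ -f "$src" ] && [ ! -L "$src" ] || return 0   # already a symlink or absent
    [ -f "$dst" ] && cp -p "$dst" "$dst.bak"
    mv "$src" "$dst" && ln -s "$dst" "$src"
}

# make_demo_tree: constructed sample layout in a temp dir, not the real /etc/lighttpd.
make_demo_tree() {
    d=$(mktemp -d) && mkdir "$d/conf-available" "$d/conf-enabled" || return 1
    printf '"X-XSS-Protection" => "1; mode=block",\n' > "$d/conf-available/99-dietpi-pihole.conf"
    printf '"X-XSS-Protection" => "0",\n' > "$d/conf-enabled/99-dietpi-pihole.conf"
    : > "$d/conf-available/10-fastcgi.conf"
    ln -s "$d/conf-available/10-fastcgi.conf" "$d/conf-enabled/10-fastcgi.conf"
    echo "$d"
}

demo=$(make_demo_tree)
audit_conf_enabled "$demo/conf-enabled" "$demo/conf-available" || true
repair_copy "$demo/conf-enabled" "$demo/conf-available" 99-dietpi-pihole.conf
audit_conf_enabled "$demo/conf-enabled" "$demo/conf-available"
rm -rf "$demo"
```

On a real system the two directories would be /etc/lighttpd/conf-enabled and /etc/lighttpd/conf-available, followed by the lighttpd reload shown earlier in the thread.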

Hi Guys, I just want to say ‘thank you’ and note that I’m impressed as to the speed that you have addressed this minor concern, while at the same time preventing any data loss if changes have been made to the config file. Dan

Yes, it will work without this but also prevent possible future confusion.