RPi 4 | pihole web interface forbidden

Hello dietpi community!

I am currently in total despair :cry: I am trying to set up pihole on DietPi and it does not work.
I have already spent 3d x 4h… and it is still not working, so I decided to create an account and ask for assistance.
Used device: RPi 4, Mod. B, 4GB
DietPi: DietPi_v6.25_RPi-ARMv6-Buster

Problem: It seems that pihole is installed and configured properly, lighttpd is running, but the admin and pihole web interfaces are not accessible. I only see the message: 403 Forbidden


root@DietPi:~# curl -I http://120.0.0.101/admin/
HTTP/1.1 403 Forbidden
Content-Type: text/html
X-Pi-hole: The Pi-hole Web interface is working!
X-Frame-Options: DENY
Content-Length: 341
Date: Wed, 20 Nov 2019 22:13:50 GMT
Server: lighttpd/1.4.53

I searched already the “whole” internet for a solution:
https://forum.armbian.com/topic/10564-pi-hole-admin-page-not-reachable-or-403-forbidden-error/
https://discourse.pi-hole.net/t/403-forbidden-solution-on-armbian-ubuntu-18-04-2/20519
https://github.com/pi-hole/pi-hole/issues/2129
https://www.reddit.com/r/pihole/comments/8gyc6p/403_forbidden_when_trying_to_access_admin_page/

But nothing helped.

Here is the output of pihole -d:

This process collects information from your Pi-hole, and optionally uploads it to a unique and random directory on tricorder.pi-hole.net.

The intent of this script is to allow users to self-diagnose their installations.  This is accomplished by running tests against our software and providing the user with links to FAQ articles when a problem is detected.  Since we are a small team and Pi-hole has been growing steadily, it is our hope that this will help us spend more time on development.

NOTE: All log files auto-delete after 48 hours and ONLY the Pi-hole developers can access your data via the given token. We have taken these extra steps to secure your data and will work to further reduce any personal information gathered.

*** [ INITIALIZING ]
[i] 2019-11-20:23:19:10 debug log has been initialized.

*** [ INITIALIZING ] Sourcing setup variables
[i] Sourcing /etc/pihole/setupVars.conf...

*** [ DIAGNOSING ]: Core version
[i] Core: v4.3.2 (https://discourse.pi-hole.net/t/how-do-i-update-pi-hole/249)
[i] Branch: master
[i] Commit: v4.3.2-0-ge41c4b5

*** [ DIAGNOSING ]: Web version
[i] Web: v4.3.2 (https://discourse.pi-hole.net/t/how-do-i-update-pi-hole/249)
[i] Branch: master
[i] Commit: v4.3.2-0-g38d8e77

*** [ DIAGNOSING ]: FTL version
[✓] FTL: v4.3.1

*** [ DIAGNOSING ]: lighttpd version
[i] 1.4.53

*** [ DIAGNOSING ]: php version
[i] 7.3.11

*** [ DIAGNOSING ]: Operating system
[✓] Raspbian GNU/Linux 10 (buster)

*** [ DIAGNOSING ]: SELinux
[i] SELinux not detected

*** [ DIAGNOSING ]: Processor
[✓] armv7l

*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the eth0 interface:
   120.0.0.101/24 matches the IP found in /etc/pihole/setupVars.conf

[✗] No IPv6 address(es) found on the eth0 interface.

[i] Default IPv4 gateway: 120.0.0.1
   * Pinging 120.0.0.1...
[✓] Gateway responded.

*** [ DIAGNOSING ]: Ports in use
[*:53] is in use by pihole-FTL
[*:53] is in use by pihole-FTL
[127.0.0.1:4711] is in use by pihole-FTL
*:22 dropbear (IPv4)
*:22 dropbear (IPv6)
[*:80] is in use by lighttpd
[*:80] is in use by lighttpd

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] optimumadsmedia.go2cloud.org is 0.0.0.0 via localhost (127.0.0.1)
[✓] optimumadsmedia.go2cloud.org is 0.0.0.0 via Pi-hole (120.0.0.101)
[✓] doubleclick.com is 172.217.23.46 via a remote, public DNS server (8.8.8.8)

*** [ DIAGNOSING ]: Pi-hole processes
[✓] lighttpd daemon is active
[✓] pihole-FTL daemon is active

*** [ DIAGNOSING ]: Setup variables
    PIHOLE_INTERFACE=eth0
    IPV4_ADDRESS=120.0.0.101/24
    IPV6_ADDRESS=
    PIHOLE_DNS_1=8.8.8.8
    PIHOLE_DNS_2=8.8.4.4
    QUERY_LOGGING=false
    INSTALL_WEB_SERVER=false
    INSTALL_WEB_INTERFACE=true
    LIGHTTPD_ENABLED=true
    BLOCKING_ENABLED=true

*** [ DIAGNOSING ]: Dashboard and block page
[✗] Block page X-Header: X-Header does not match or could not be retrieved.
HTTP/1.1 403 Forbidden
Content-Type: text/html
Content-Length: 341
Date: Wed, 20 Nov 2019 22:19:15 GMT
Server: lighttpd/1.4.53

[✓] Web interface X-Header: X-Pi-hole: The Pi-hole Web interface is working!

*** [ DIAGNOSING ]: Gravity list
-rw-r--r-- 1 root root 2715381 Nov 20 22:59 /etc/pihole/gravity.list
   -----head of gravity.list------
   0.0.0.0
   0.nextyourcontent.com
   0.r.msn.com
   0.start.bz

   -----tail of gravity.list------
   zzz.clickbank.net
   zzzezeroe.fr
   zzzpooeaz-france.com
   zzzrtrcm2.com

*** [ DIAGNOSING ]: contents of /etc/pihole

-rw-r--r-- 1 root root 313 Nov 20 22:57 /etc/pihole/adlists.list
   https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
   https://mirror1.malwaredomains.com/files/justdomains
   http://sysctl.org/cameleon/hosts
   https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
   https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
   https://hosts-file.net/ad_servers.txt

-rw-r--r-- 1 root root 39 Nov 20 22:59 /etc/pihole/local.list
   120.0.0.101 DietPi
   120.0.0.101 pi.hole

-rw-r--r-- 1 root root 234 Nov 20 22:58 /etc/pihole/logrotate
   /var/log/pihole.log {
        su root root
        daily
        copytruncate
        rotate 5
        compress
        delaycompress
        notifempty
        nomail
   }
   /var/log/pihole-FTL.log {
        su root root
        weekly
        copytruncate
        rotate 3
        compress
        delaycompress
        notifempty
        nomail
   }

*** [ DIAGNOSING ]: contents of /etc/dnsmasq.d

-rw-r--r-- 1 root root 1388 Nov 20 22:58 /etc/dnsmasq.d/01-pihole.conf
   addn-hosts=/etc/pihole/gravity.list
   addn-hosts=/etc/pihole/black.list
   addn-hosts=/etc/pihole/local.list
   localise-queries
   no-resolv
   cache-size=10000
   log-facility=/var/log/pihole.log
   local-ttl=2
   log-async
   server=8.8.8.8
   server=8.8.4.4
   interface=eth0

*** [ DIAGNOSING ]: contents of /etc/lighttpd

-rw-r--r-- 1 root root 2053 Nov 20 22:58 /etc/lighttpd/lighttpd.conf
   server.modules = (
        "mod_indexfile",
        "mod_setenv",
        "mod_access",
        "mod_alias",
        "mod_redirect",
   )
   server.document-root        = "/var/www"
   server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
   server.errorlog             = "/var/log/lighttpd/error.log"
   server.pid-file             = "/var/run/lighttpd.pid"
   server.username             = "www-data"
   server.groupname            = "www-data"
   server.port                 = 80
   server.http-parseopts = (
     "header-strict"           => "enable",
     "host-strict"             => "enable",
     "host-normalize"          => "enable",
     "url-normalize-unreserved"=> "enable",
     "url-normalize-required"  => "enable",
     "url-ctrls-reject"        => "enable",
     "url-path-2f-decode"      => "enable",

     "url-path-dotseg-remove"  => "enable",


   )
   index-file.names            = ( "index.php", "index.html" )
   url.access-deny             = ( "~", ".inc" )
   static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
   compress.cache-dir          = "/var/cache/lighttpd/compress/"
   compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )
   include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
   include_shell "/usr/share/lighttpd/create-mime.conf.pl"
   include "/etc/lighttpd/conf-enabled/*.conf"
   server.modules += (
        "mod_compress",
        "mod_dirlisting",
        "mod_staticfile",
   )

*** [ DIAGNOSING ]: contents of /etc/cron.d

-rw-r--r-- 1 root root 1704 Nov 20 22:58 /etc/cron.d/pihole
   41 3   * * 7   root    PATH="$PATH:/usr/local/bin/" pihole updateGravity >/var/log/pihole_updateGravity.log || cat /var/log/pihole_updateGravity.log
   00 00   * * *   root    PATH="$PATH:/usr/local/bin/" pihole flush once quiet
   @reboot root /usr/sbin/logrotate /etc/pihole/logrotate
   */10 *  * * *   root    PATH="$PATH:/usr/local/bin/" pihole updatechecker local
   43 19  * * *   root    PATH="$PATH:/usr/local/bin/" pihole updatechecker remote
   @reboot root    PATH="$PATH:/usr/local/bin/" pihole updatechecker remote reboot

*** [ DIAGNOSING ]: contents of /var/log/lighttpd

-rw-r--r-- 1 www-data www-data 0 Nov 20 23:17 /var/log/lighttpd/error.log

*** [ DIAGNOSING ]: contents of /var/log

-rw-r--r-- 1 pihole pihole 0 Nov 20 23:17 /var/log/pihole-FTL.log
   -----head of pihole-FTL.log------

   -----tail of pihole-FTL.log------

*** [ DIAGNOSING ]: contents of /dev/shm
-rw------- 1 pihole pihole 323584 Nov 20 22:59 /dev/shm/FTL-clients
-rw------- 1 pihole pihole 108 Nov 20 22:59 /dev/shm/FTL-counters
-rw------- 1 pihole pihole 65536 Nov 20 22:59 /dev/shm/FTL-domains
-rw------- 1 pihole pihole 12288 Nov 20 22:59 /dev/shm/FTL-forwarded
-rw------- 1 pihole pihole 28 Nov 20 22:59 /dev/shm/FTL-lock
-rw------- 1 pihole pihole 53248 Nov 20 22:59 /dev/shm/FTL-overTime
-rw------- 1 pihole pihole 196608 Nov 20 22:59 /dev/shm/FTL-queries
-rw------- 1 pihole pihole 12 Nov 20 22:59 /dev/shm/FTL-settings
-rw------- 1 pihole pihole 4096 Nov 20 22:59 /dev/shm/FTL-strings

*** [ DIAGNOSING ]: Locale
    LANG=de_DE.UTF-8

*** [ DIAGNOSING ]: Pi-hole log
-rw-r--r-- 1 pihole pihole 0 Nov 20 23:17 /var/log/pihole.log
   -----head of pihole.log------


********************************************
********************************************
[✓] ** FINISHED DEBUGGING! **

    * The debug log can be uploaded to tricorder.pi-hole.net for sharing with developers only.
    * For more information, see: https://pi-hole.net/2016/11/07/crack-our-medical-tricorder-win-a-raspberry-pi-3/
    * If available, we'll use openssl to upload the log, otherwise it will fall back to netcat.

[?] Would you like to upload the log? [y/N] y
    * Using curl for transmission.
/opt/pihole/piholeDebug.sh: line 1151: warning: command substitution: ignored null byte in input.

***********************************
***********************************
[✓] Your debug token is: https://tricorder.pi-hole.net/brvbgo6vz8
***********************************
***********************************

My guess is, that the problem is related to PHP and CGI.

I am wondering why no one else has this problem and no one replied to my post.

I think I found a solution, but I am not sure if it is safe. I removed the configuration

/etc/lighttpd/conf-available/99-dietpi-pihole.conf

Here is the content:

# Based on: https://github.com/pi-hole/pi-hole/blob/master/advanced/lighttpd.conf.debian

# If the URL starts with /admin, it is the Web interface
$HTTP["url"] =~ "^(/html)?/admin/" {
        # Create a response header for debugging using curl -I
        setenv.add-response-header = (
                "X-Pi-hole" => "The Pi-hole Web interface is working!",
                "X-Frame-Options" => "DENY"
        )

        $HTTP["url"] =~ "\.ttf$" {
                # Allow Block Page access to local fonts
                setenv.add-response-header = ( "Access-Control-Allow-Origin" => "*" )
        }
}

# Block . files from being served, such as .git, .github, .gitignore
$HTTP["url"] =~ "^(/html)?/admin/\." {
        url.access-deny = ("")
}

# If it's a request to Pi-hole blocking page...
$HTTP["url"] =~ "^(/html)?/pihole/" {
        # ... and the request isn't local
        $HTTP["remoteip"] !~ "^1(27|92\.168|0|72\.(1[6-9]|2[0-9]|3[0-1]))\." {
                # block!
                url.access-deny = ("")
        }
}

# Enable blocking page via 404 handler
#server.error-handler-404 = "/html/pihole/index.php"

Is this a misconfiguration of lighttpd?

Are you trying to connect from a remote system that is not inside the local LAN?
We implemented an option to allow access only from local network, but you should have been asked to enable or deny it on install.

To allow it:

lighttpd-disable-mod dietpi-pihole-block_public_admin
systemctl restart lighttpd

No, tried to access directly from the same LAN.

I was asked during setup. The first time I selected “no”. But I also reinstalled DietPi a couple of times and even tried with access from WAN activated. Always the same result…

My first idea was that lighttpd is not running, but a dummy index.html was accessible. Renaming the admin folder to admin1 worked as well. So only the admin and the pihole directories are blocked.

Will test the command tomorrow…

Just did a fresh install of DietPi.
Installed only PiHole. Static IP is set. LAN of my machine and Pi is the same.
Set “Do you want to block public access to the admin interface.” to NO. See the reply to your suggested command.


root@DietPi:/var/www# curl -I http://120.0.0.101/admin/
HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=lrs32cq13ri25nuh2li94umvke; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8
X-Pi-hole: The Pi-hole Web interface is working!
X-Frame-Options: DENY
Date: Tue, 26 Nov 2019 19:23:32 GMT
Server: lighttpd/1.4.53

root@DietPi:/var/www# lighttpd-disable-mod dietpi-pihole-block_public_admin
Already disabled dietpi-pihole-block_public_admin
Run "service lighttpd force-reload" to enable changes

root@DietPi:/var/www# systemctl restart lighttpd

root@DietPi:/var/www# curl -I http://120.0.0.101/admin/
HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=b1ertn2ecmreku83ovkflo2ljm; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8
X-Pi-hole: The Pi-hole Web interface is working!
X-Frame-Options: DENY
Date: Tue, 26 Nov 2019 19:24:22 GMT
Server: lighttpd/1.4.53

root@DietPi:/var/www# ip addr show
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether <removed> brd ff:ff:ff:ff:ff:ff
    inet 120.0.0.101/24 brd 120.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever

As soon as I delete

/etc/lighttpd/conf-enabled/99-dietpi-pihole.conf

it works…

root@DietPi:/etc/lighttpd/conf-enabled# ll
total 8.0K
drwxr-xr-x 2 root root 4.0K Nov 26 20:17 .
drwxr-xr-x 4 root root 4.0K Nov 26 20:17 ..
lrwxrwxrwx 1 root root   33 Nov 26 20:17 10-fastcgi.conf -> ../conf-available/10-fastcgi.conf
lrwxrwxrwx 1 root root   37 Nov 26 20:17 15-fastcgi-php.conf -> ../conf-available/15-fastcgi-php.conf
lrwxrwxrwx 1 root root   39 Nov 26 20:17 99-dietpi-pihole.conf -> ../conf-available/99-dietpi-pihole.conf
lrwxrwxrwx 1 root root   38 Nov 26 20:14 99-unconfigured.conf -> ../conf-available/99-unconfigured.conf

root@DietPi:/etc/lighttpd/conf-enabled# rm 99-dietpi-pihole.conf
root@DietPi:/etc/lighttpd/conf-enabled# systemctl restart lighttpd

root@DietPi:/etc/lighttpd/conf-enabled# curl -I http://120.0.0.101/admin/
HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=183l9aomkcv1hp48rj8rbfvm68; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Date: Tue, 26 Nov 2019 19:32:09 GMT
Server: lighttpd/1.4.53

Is maybe

/etc/lighttpd/conf-enabled/99-dietpi-pihole.conf

misconfigured?

dima
Not sure which curl result you were expecting, but everything was exactly as it should be: curl reports a successful access (“200 OK”) with the wanted headers etc. Browser access should hence work as well, shouldn’t it?

No, it showed me a white page with the text

403 Forbidden

The curl result shows as well that the access was denied:

X-Frame-Options: DENY

After deletion of the mentioned config file the access is allowed and the proper admin page is shown.

Found the problem.
Used a non standard private IP address for my LAN.

dima
Glad you found it. X-Frame-Options: DENY is just a security header which forbids embedding the web page as a frame in another website. Direct access is not affected by it.

Yeah, we check for a local IP by comparing it with the pattern for reserved local IPs. Using any other IPs for local networks means that you break access to those on the WWW, hence there is very likely a host out there that you cannot reach anymore, since your local LAN host duplicates it and probably takes priority from within the local network :wink:. Always use 192.168.*, 10.* or 172.[16 to 31].* for local networks; the first pattern is the most common. 10.* is mostly found for VPNs; 127.* btw. is reserved/resolved as loopback to the localhost itself.
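The remoteip condition quoted from 99-dietpi-pihole.conf above and the explanation in this reply describe the same check: lighttpd serves the request only when the client address matches a regex for the RFC 1918 ranges plus loopback, so a LAN numbered out of 120.0.0.0/24 (public space) is denied with a 403. The following script is an added example, not code from the thread or from the DietPi/Pi-hole projects. It copies that regex verbatim, compares its verdict with Python's ipaddress module for a handful of constructed client addresses (the two posters' addresses are taken from the thread; the others are made up), and flags which of them are publicly routable, which is the real reason renumbering the LAN is the right fix rather than loosening the pattern.

```python
"""Which client addresses does the lighttpd 'remoteip' condition let through?

Added example for the DietPi forum thread; not part of DietPi or Pi-hole.
The regex is copied verbatim from the quoted 99-dietpi-pihole.conf; the sample
client addresses below are constructed for illustration.
"""
import ipaddress
import re

# Verbatim from: $HTTP["remoteip"] !~ "^1(27|92\.168|0|72\.(1[6-9]|2[0-9]|3[0-1]))\."
# lighttpd applies url.access-deny when the client address does NOT match this.
DIETPI_LOCAL_RE = re.compile(r"^1(27|92\.168|0|72\.(1[6-9]|2[0-9]|3[0-1]))\.")

# The ranges the pattern is meant to express: RFC 1918 plus loopback.
LAN_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def allowed_by_dietpi_regex(client_ip: str) -> bool:
    """True when the '!~' condition does not fire, i.e. the request is served."""
    return DIETPI_LOCAL_RE.match(client_ip) is not None


def in_lan_ranges(client_ip: str) -> bool:
    """Reference check: is the address inside RFC 1918 space or loopback?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LAN_RANGES)


def is_publicly_routable(client_ip: str) -> bool:
    """True when the address belongs to globally routable (public) space."""
    return ipaddress.ip_address(client_ip).is_global


def audit(client_ips):
    """Return (ip, served_by_regex, in_lan_ranges, publicly_routable) per address."""
    return [
        (ip, allowed_by_dietpi_regex(ip), in_lan_ranges(ip), is_publicly_routable(ip))
        for ip in client_ips
    ]


# Constructed sample clients (the first two are the addresses named in the thread).
SAMPLE_CLIENTS = [
    "120.0.0.101",    # the original poster's LAN host: public space, so 403
    "192.168.1.101",  # the second poster's host: RFC 1918, served
    "10.8.0.2",       # typical VPN client address, served
    "172.16.0.1",     # lower edge of 172.16/12, served
    "172.31.255.254", # upper edge of 172.16/12, served
    "172.32.0.1",     # just outside 172.16/12, denied
    "100.64.0.1",     # CGNAT space: not RFC 1918, denied
    "127.0.0.1",      # loopback, served
]

if __name__ == "__main__":
    for ip, served, lan, public in audit(SAMPLE_CLIENTS):
        verdict = "served" if served else "403"
        print(f"{ip:16} {verdict:6} rfc1918/loopback={lan} public={public}")
```

Running it shows the regex and the ipaddress reference agree on every sample, so the 403 in the thread is the access control working as designed: 120.0.0.101 is simply not a private address. Deleting 99-dietpi-pihole.conf, as done earlier in the thread, removes that restriction (and the rule that hides dot-files under /admin/), so renumbering the LAN into one of the listed ranges is the safer fix.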

I also have “forbidden” having just installed pi-hole using the DietPi interface.
Not sure what is wrong with my internal IP though, which is 192.168.1.101 - seems “normal” to me.

Can you share the website you are trying to open? What is the exact address?

a restart fixed it :sunglasses: