Remove 443 from example yaml/readme and scripts. #755

Closed
dschaper opened this issue Jan 9, 2021 · 17 comments · Fixed by #808

Comments

@dschaper
Member

dschaper commented Jan 9, 2021

Expected behavior

We don't use 443, not sure why it's being configured.

@casperklein
Contributor

https://github.com/pi-hole/docker-pi-hole/blob/master/Dockerfile

@johntdavis84

johntdavis84 commented Jan 18, 2021

What is the practical effect of not giving pi-hole access to 443?

I get that there is some portion of ads that use SSL, but do we know generally how many?

I'm struggling to run pi-hole on the same server as NGINX Proxy Manager because they both need to listen on 443. I can give the server's ethernet interface a second IPv4 address with ease and bind pi-hole to that, but since I'm getting the server's primary address with DHCPv6, I can't add a static IPv6 address to eth0. Manjaro uses network manager, and it just won't do it.

Funnily enough, more often than not, the setup tutorials I find for pi-hole deliberately do something like "4343:443" when setting up the docker container. It breaks ad-blocking for SSL ads, but apparently it's enough of a problem that people just do it anyway (?).

@PromoFaux
Member

PromoFaux commented Jan 18, 2021

TL;DR - you can safely unbind port 443. There is nothing inside the container listening on that port.

It harks back to a time when the default blocking mode on FTL was IP blocking. The idea being that a request for a blocked domain would be given the IP address of the Pi-hole, and the Pi-hole would then be able to serve up a page in place of the blocked content.

However, with the rise of https, this is next to impossible without forging/self-signing certificates for all the blocked domains. As such, the default blocking mode is to return 0.0.0.0, and we will be making moves to remove the advanced block page functionality.
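As an added example that is not part of this thread or of the docker-pi-hole project: a small Python checker that parses `docker run -p` / compose-style port mapping strings and reports whether a service still publishes container port 443, which per the reply above nothing inside the container listens on. The mapping grammar handled is the short `[host_ip:]host_port:container_port[/proto]` form plus the bare `container_port[/proto]` form; ranges and the compose long syntax are left out. The sample port list is constructed for illustration and mirrors the shape of the pre-fix examples this issue is about.

```python
"""Parse Docker-style port mappings and audit which container ports a
service publishes.  Added example, not project code; SAMPLE_PORTS below is
a constructed list, not copied from any README."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# [host_ip:]host_port:container_port[/proto]  or  container_port[/proto]
_MAPPING_RE = re.compile(
    r"^(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):)?"   # optional host IP to bind on
    r"(?:(?P<host>\d+):)?"                       # optional published host port
    r"(?P<container>\d+)"                         # container port
    r"(?:/(?P<proto>tcp|udp))?$",                # protocol, Docker defaults to tcp
    re.IGNORECASE,
)


@dataclass(frozen=True)
class PortMapping:
    host_ip: Optional[str]     # None: Docker binds on all host interfaces
    host_port: Optional[int]   # None: Docker picks an ephemeral host port
    container_port: int
    proto: str                 # "tcp" or "udp"


def parse_mapping(spec: str) -> PortMapping:
    """Parse one mapping such as "53:53/udp", "127.0.0.1:8080:80" or "67/udp"."""
    m = _MAPPING_RE.match(spec.strip().strip("'\""))
    if not m:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    for key in ("host", "container"):
        val = m.group(key)
        if val is not None and not 0 < int(val) <= 65535:
            raise ValueError(f"port out of range in {spec!r}")
    return PortMapping(
        host_ip=m.group("ip"),
        host_port=int(m.group("host")) if m.group("host") else None,
        container_port=int(m.group("container")),
        proto=(m.group("proto") or "tcp").lower(),
    )


def publishes_container_port(specs: Iterable[str], port: int, proto: str = "tcp") -> bool:
    """True if any mapping forwards host traffic to container `port`/`proto`."""
    return any(pm.container_port == port and pm.proto == proto
               for pm in map(parse_mapping, specs))


def drop_container_port(specs: Iterable[str], port: int) -> List[str]:
    """Return the mapping list with every entry targeting container `port` removed."""
    return [s for s in specs if parse_mapping(s).container_port != port]


# Constructed sample: DNS on 53, DHCP on 67, web/blockpage on 80, and the
# unused 443 mapping that this issue asks to remove from the examples.
SAMPLE_PORTS = ["53:53/tcp", "53:53/udp", "67:67/udp", "80:80/tcp", "443:443/tcp"]

if __name__ == "__main__":
    print("publishes 443:", publishes_container_port(SAMPLE_PORTS, 443))
    print("trimmed list :", drop_container_port(SAMPLE_PORTS, 443))
```

Run it against the `ports:` entries of a compose file (or the `-p` flags of a run script) to confirm the only published ports are the ones a process inside the container actually binds; the smaller that list, the smaller the host's exposed surface.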

@johntdavis84

johntdavis84 commented Jan 18, 2021 via email

@tcurdt

tcurdt commented Feb 14, 2021

I still haven't quite understood why it even would need 80?! (besides the web interface that could be on any other port)
I thought the idea is to just return 0.0.0.0 for certain DNS entries. That's on 53.

@dschaper
Member Author

Blockpage.

@limes007
Contributor

Like @johntdavis84, I worked on getting SSL working on my pi-hole, as the documentation states this is important:

Port 443 is to provide a sinkhole for ads that use SSL. If only port 80 is used, then blocked HTTPS queries will fail to connect to port 443 and may cause long loading times. Rejecting 443 on your firewall can also serve this same purpose. Ubuntu firewall example: sudo ufw reject https

I had some issues with slow response times using the web and assumed that Pi-Hole could be the source. So I looked for downsides in my setup and one of them seems missing SSL.

Please remove this from the documentation, as it obviously confused users like me.

@dschaper
Member Author

Please remove this from the documentation

Remove what from where? Please link to the exact section that you are referring to.

@limes007
Contributor

Remove what from where? Please link to the exact section that you are referring to.

I'm referring to the quoted paragraph ("Port 443 is to provide...") above, it's in https://github.com/pi-hole/docker-pi-hole/blob/master/README.md#running-pi-hole-docker

(I don't know how to link this more exactly.)

@PromoFaux
Member

I gotcha

4f531d9

@limes007
Contributor

I gotcha

Thanks!

@craph

craph commented May 8, 2021

@dschaper , @PromoFaux , Hi,
I was looking for a documentation to setup HTTPS for pi-hole in docker and I land on this issue.

Sorry, but I don't understand why 443 is not used in the container? Does this mean I can't connect to pi-hole with HTTPS?

Is it possible to have a dedicated documentation / sample to set up pi-hole in docker with HTTPS, to access it with Caddy maybe?

Should I open a dedicated issue about that, because I suppose I'm not the only one that is trying to do that…?

Thank you very much.

Best regards,

@PromoFaux
Member

If you're just trying to access the web interface via https, then set it up behind a reverse proxy as you would any other website - no dedicated documentation needed on this end.

@craph

craph commented May 9, 2021

Hi @PromoFaux , @dschaper ,

Thank you for the update, but I think a dedicated documentation is needed because on Discourse there is a FAQ that explains how to do that in the "normal" setup BUT not in the case of Docker.

Here is the link

Moreover, in the pihole official documentation, there is a part for the "normal" installation but no mention of how to do that with Docker, and the same there is a part about "webserver" and Caddy BUT no mention of how to set up correctly Docker pi-hole + Caddy as a reverse proxy to enable https…
In the documentation here in the docker part, there is only "DHCP", but I think a dedicated part for the "setup" and links would be very helpful. Then, in this documentation it talks about webserver but I think "reverse proxy" is the correct word. And this page doesn't explain how to set up in case we are using docker pi-hole.

Is it possible to improve the documentation with more clarification? It would be very helpful for the community.

Is it possible to do a PR for the documentation?

How to proceed ?

Thank you very much for your help.

Best regards,

@PromoFaux
Member

Official stance:

There is no need to expose the Pi-hole web interface to the public internet.

If you do need to access it remotely - use a VPN.

We have a guide on how to set up a VPN.

I've retagged the post on discourse as a community how-to, as it's not really an officially supported guide.

If you really really insist on accessing your Pi-hole web interface over the internet, then there are plenty of hits on Google (or your favourite search engine) for how to set up a reverse proxy (such as traefik, caddy, nginx) to put your sites behind HTTPS rather than HTTP.

It's a pretty generic process that doesn't need a specific Pi-hole guide, so it's not something we will be writing a guide for.

PS. A note of courtesy:
No need to tag people in your replies - we get notified anyway.

@pi-hole pi-hole locked and limited conversation to collaborators May 9, 2021
@PromoFaux
Member

Closing as no longer relevant - V6 (currently on the development tag) introduces pihole-FTL's native ability to listen on HTTP AND HTTPS.
