From c520b293264f1761cd008e73f4ff3d5d22db8822 Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Sun, 1 Jan 2023 12:47:00 +0000
Subject: [PATCH] some more lighttpd refs (tests can come later)

Signed-off-by: Adam Warner
---
 advanced/Scripts/piholeDebug.sh | 57 ++++++++++-----------
 advanced/lighttpd.conf.debian | 73 ---------------------------
 advanced/lighttpd.conf.fedora | 87 ---------------------------------
 advanced/pihole-admin.conf | 82 -------------------------------
 4 files changed, 26 insertions(+), 273 deletions(-)
 delete mode 100644 advanced/lighttpd.conf.debian
 delete mode 100644 advanced/lighttpd.conf.fedora
 delete mode 100644 advanced/pihole-admin.conf

diff --git a/advanced/Scripts/piholeDebug.sh b/advanced/Scripts/piholeDebug.sh
index 7462cba3..9f895aab 100755
--- a/advanced/Scripts/piholeDebug.sh
+++ b/advanced/Scripts/piholeDebug.sh
@@ -64,8 +64,6 @@ PIHOLE_SCRIPTS_DIRECTORY="/opt/pihole"
 BIN_DIRECTORY="/usr/local/bin"
 RUN_DIRECTORY="/run"
 LOG_DIRECTORY="/var/log/pihole"
-#WEB_SERVER_LOG_DIRECTORY="/var/log/lighttpd" #TODO: FTL access log?
-#WEB_SERVER_CONFIG_DIRECTORY="/etc/lighttpd" #TODO: FTL access log?
 HTML_DIRECTORY="/var/www/html"
 WEB_GIT_DIRECTORY="${HTML_DIRECTORY}/admin"
 SHM_DIRECTORY="/dev/shm"
@@ -75,9 +73,6 @@ ETC="/etc"
 # https://discourse.pi-hole.net/t/what-files-does-pi-hole-use/1684
 PIHOLE_CRON_FILE="${CRON_D_DIRECTORY}/pihole"

-#WEB_SERVER_CONFIG_FILE="${WEB_SERVER_CONFIG_DIRECTORY}/lighttpd.conf"
-#WEB_SERVER_CUSTOM_CONFIG_FILE="${WEB_SERVER_CONFIG_DIRECTORY}/external.conf"
-
 PIHOLE_INSTALL_LOG_FILE="${PIHOLE_DIRECTORY}/install.log"
 PIHOLE_RAW_BLOCKLIST_FILES="${PIHOLE_DIRECTORY}/list.*"
 PIHOLE_LOCAL_HOSTS_FILE="${PIHOLE_DIRECTORY}/local.list"
@@ -762,34 +757,34 @@ check_networking() {
 [ -z "${DOCKER_VERSION}" ] && check_required_ports
 }

-check_x_headers() {
- # The X-Headers allow us to determine from the command line if the Web
- # lighttpd.conf has a directive to show "X-Pi-hole: A black hole for Internet advertisements."
- # in the header of any Pi-holed domain
- # Similarly, it will show "X-Pi-hole: The Pi-hole Web interface is working!" if you view the header returned
- # when accessing the dashboard (i.e curl -I pi.hole/admin/)
- # server is operating correctly
- echo_current_diagnostic "Dashboard headers"
- # Use curl -I to get the header and parse out just the X-Pi-hole one
- local full_curl_output_dashboard
- local dashboard
- full_curl_output_dashboard="$(curl -Is localhost/admin/)"
- dashboard=$(echo "${full_curl_output_dashboard}" | awk '/X-Pi-hole/' | tr -d '\r')
- # Store what the X-Header should be in variables for comparison later
- local dashboard_working
- dashboard_working="X-Pi-hole: The Pi-hole Web interface is working!"
+# check_x_headers() {
+# # The X-Headers allow us to determine from the command line if the Web
+# # lighttpd.conf has a directive to show "X-Pi-hole: A black hole for Internet advertisements."
+# # in the header of any Pi-holed domain
+# # Similarly, it will show "X-Pi-hole: The Pi-hole Web interface is working!" if you view the header returned
+# # when accessing the dashboard (i.e curl -I pi.hole/admin/)
+# # server is operating correctly
+# echo_current_diagnostic "Dashboard headers"
+# # Use curl -I to get the header and parse out just the X-Pi-hole one
+# local full_curl_output_dashboard
+# local dashboard
+# full_curl_output_dashboard="$(curl -Is localhost/admin/)"
+# dashboard=$(echo "${full_curl_output_dashboard}" | awk '/X-Pi-hole/' | tr -d '\r')
+# # Store what the X-Header should be in variables for comparison later
+# local dashboard_working
+# dashboard_working="X-Pi-hole: The Pi-hole Web interface is working!"

- # If the X-Header matches what a working system should have,
- if [[ $dashboard == "$dashboard_working" ]]; then
- # then we can show a success
- log_write "$TICK Web interface X-Header: ${COL_GREEN}${dashboard}${COL_NC}"
- else
- # Otherwise, it's a failure since the X-Headers either don't exist or have been modified in some way
- log_write "$CROSS Web interface X-Header: ${COL_RED}X-Header does not match or could not be retrieved.${COL_NC}"
+# # If the X-Header matches what a working system should have,
+# if [[ $dashboard == "$dashboard_working" ]]; then
+# # then we can show a success
+# log_write "$TICK Web interface X-Header: ${COL_GREEN}${dashboard}${COL_NC}"
+# else
+# # Otherwise, it's a failure since the X-Headers either don't exist or have been modified in some way
+# log_write "$CROSS Web interface X-Header: ${COL_RED}X-Header does not match or could not be retrieved.${COL_NC}"

- log_write "${COL_RED}${full_curl_output_dashboard}${COL_NC}"
- fi
-}
+# log_write "${COL_RED}${full_curl_output_dashboard}${COL_NC}"
+# fi
+# }

 dig_at() {
 # We need to test if Pi-hole can properly resolve domain names
diff --git a/advanced/lighttpd.conf.debian b/advanced/lighttpd.conf.debian
deleted file mode 100644
index f31f7bcd..00000000
--- a/advanced/lighttpd.conf.debian
+++ /dev/null
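Review bot: Commenting out `check_x_headers()` leaves the name undefined, and the diffstat's 26 insertions for piholeDebug.sh are all in this hunk, so no call site is touched by this patch; if the script's main sequence still invokes `check_x_headers`, the debug run will fail with "command not found" at that point, so confirm the call is already gone or remove it in the same commit. Prefer deleting the body outright over keeping 26 lines of `# `-prefixed dead code (history preserves it), leaving a single marker such as `# TODO: re-add a dashboard reachability check once the replacement web server is in place`. Until a replacement lands, the debug log carries no evidence that `/admin/` answers at all. The `pihole-admin.conf` deleted later in this patch is also where `X-Frame-Options`, `X-Content-Type-Options`, `Content-Security-Policy` and `Referrer-Policy` were set, so the future check would be a natural place to assert that whatever now serves the admin interface still sends them.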
@@ -1,73 +0,0 @@
-# Pi-hole: A black hole for Internet advertisements
-# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
-# Network-wide ad blocking via your own hardware.
-#
-# Lighttpd config for Pi-hole
-#
-# This file is copyright under the latest version of the EUPL.
-# Please see LICENSE file for your rights under this license.
-
-###################################################################################################
-# IF THIS HEADER EXISTS, THE FILE WILL BE OVERWRITTEN BY PI-HOLE'S UPDATE PROCEDURE. #
-# ANY CHANGES MADE TO THIS FILE WILL BE LOST ON THE NEXT UPDATE UNLESS YOU REMOVE THIS HEADER #
-# #
-# ENSURE THAT YOU DO NOT REMOVE THE REQUIRED LINE: #
-# #
-# include "/etc/lighttpd/conf-enabled/*.conf" #
-# #
-###################################################################################################
-
-server.modules = (
- "mod_access",
- "mod_auth",
- "mod_expire",
- "mod_redirect",
- "mod_setenv",
- "mod_rewrite"
-)
-
-server.document-root = "/var/www/html"
-server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
-server.errorlog = "/var/log/lighttpd/error-pihole.log"
-server.pid-file = "/run/lighttpd.pid"
-server.username = "www-data"
-server.groupname = "www-data"
-# For lighttpd version 1.4.46 or above, the port can be overwritten in `/etc/lighttpd/external.conf` using the := operator
-# e.g. server.port := 8000
-server.port = 80
-
-# Allow streaming response
-# reference: https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_stream-response-bodyDetails
-server.stream-response-body = 1
-#ssl.read-ahead = "disable"
-
-index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
-url.access-deny = ( "~", ".inc", ".md", ".yml", ".ini" )
-static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
-
-mimetype.assign = (
- ".ico" => "image/x-icon",
- ".jpeg" => "image/jpeg",
- ".jpg" => "image/jpeg",
- ".png" => "image/png",
- ".svg" => "image/svg+xml",
- ".css" => "text/css; charset=utf-8",
- ".html" => "text/html; charset=utf-8",
- ".js" => "text/javascript; charset=utf-8",
- ".json" => "application/json; charset=utf-8",
- ".map" => "application/json; charset=utf-8",
- ".txt" => "text/plain; charset=utf-8",
- ".eot" => "application/vnd.ms-fontobject",
- ".otf" => "font/otf",
- ".ttc" => "font/collection",
- ".ttf" => "font/ttf",
- ".woff" => "font/woff",
- ".woff2" => "font/woff2"
-)
-
-# Add user chosen options held in (optional) external file
-include "external*.conf"
-
-# default listening port for IPv6 falls back to the IPv4 port
-include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
-include "/etc/lighttpd/conf-enabled/*.conf"
diff --git a/advanced/lighttpd.conf.fedora b/advanced/lighttpd.conf.fedora
deleted file mode 100644
index e09d7760..00000000
--- a/advanced/lighttpd.conf.fedora
+++ /dev/null
@@ -1,87 +0,0 @@
-# Pi-hole: A black hole for Internet advertisements
-# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
-# Network-wide ad blocking via your own hardware.
-#
-# Lighttpd config for Pi-hole
-#
-# This file is copyright under the latest version of the EUPL.
-# Please see LICENSE file for your rights under this license.
-
-###################################################################################################
-# IF THIS HEADER EXISTS, THE FILE WILL BE OVERWRITTEN BY PI-HOLE'S UPDATE PROCEDURE. #
-# ANY CHANGES MADE TO THIS FILE WILL BE LOST ON THE NEXT UPDATE UNLESS YOU REMOVE THIS HEADER #
-# #
-# ENSURE THAT YOU DO NOT REMOVE THE REQUIRED LINE: #
-# #
-# include "/etc/lighttpd/conf.d/pihole-admin.conf" #
-# #
-###################################################################################################
-
-server.modules = (
- "mod_access",
- "mod_auth",
- "mod_expire",
- "mod_fastcgi",
- "mod_accesslog",
- "mod_redirect",
- "mod_setenv",
- "mod_rewrite"
-)
-
-server.document-root = "/var/www/html"
-server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
-server.errorlog = "/var/log/lighttpd/error-pihole.log"
-server.pid-file = "/run/lighttpd.pid"
-server.username = "lighttpd"
-server.groupname = "lighttpd"
-# For lighttpd version 1.4.46 or above, the port can be overwritten in `/etc/lighttpd/external.conf` using the := operator
-# e.g. server.port := 8000
-server.port = 80
-
-# Allow streaming response
-# reference: https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_stream-response-bodyDetails
-server.stream-response-body = 1
-#ssl.read-ahead = "disable"
-
-index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
-url.access-deny = ( "~", ".inc", ".md", ".yml", ".ini" )
-static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
-
-mimetype.assign = (
- ".ico" => "image/x-icon",
- ".jpeg" => "image/jpeg",
- ".jpg" => "image/jpeg",
- ".png" => "image/png",
- ".svg" => "image/svg+xml",
- ".css" => "text/css; charset=utf-8",
- ".html" => "text/html; charset=utf-8",
- ".js" => "text/javascript; charset=utf-8",
- ".json" => "application/json; charset=utf-8",
- ".map" => "application/json; charset=utf-8",
- ".txt" => "text/plain; charset=utf-8",
- ".eot" => "application/vnd.ms-fontobject",
- ".otf" => "font/otf",
- ".ttc" => "font/collection",
- ".ttf" => "font/ttf",
- ".woff" => "font/woff",
- ".woff2" => "font/woff2"
-)
-
-# Add user chosen options held in (optional) external file
-include "external*.conf"
-
-# default listening port for IPv6 falls back to the IPv4 port
-#include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
-#include_shell "/usr/share/lighttpd/create-mime.assign.pl"
-#include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
-
-fastcgi.server = (
- ".php" => (
- "localhost" => (
- "socket" => "/tmp/php-fastcgi.socket",
- "bin-path" => "/usr/bin/php-cgi"
- )
- )
-)
-
-include "/etc/lighttpd/conf.d/pihole-admin.conf"
diff --git a/advanced/pihole-admin.conf b/advanced/pihole-admin.conf
deleted file mode 100644
index 0bb6eac9..00000000
--- a/advanced/pihole-admin.conf
+++ /dev/null
@@ -1,82 +0,0 @@
-# Pi-hole: A black hole for Internet advertisements
-# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
-# Network-wide ad blocking via your own hardware.
-#
-# Lighttpd config for Pi-hole
-#
-# This file is copyright under the latest version of the EUPL.
-# Please see LICENSE file for your rights under this license.
-
-###############################################################################
-# FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE. #
-# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
-###############################################################################
-
-server.errorlog := "/var/log/lighttpd/error-pihole.log"
-
-$HTTP["url"] =~ "^/admin/" {
- server.document-root = "/var/www/html"
- server.stream-response-body = 1
- accesslog.filename = "/var/log/lighttpd/access-pihole.log"
- accesslog.format = "%{%s}t|%h|%V|%r|%s|%b"
-
- fastcgi.server = (
- ".php" => (
- "localhost" => (
- "socket" => "/run/lighttpd/pihole-php-fastcgi.socket",
- "bin-path" => "/usr/bin/php-cgi",
- "min-procs" => 1,
- "max-procs" => 1,
- "bin-environment" => (
- "PHP_FCGI_CHILDREN" => "4",
- "PHP_FCGI_MAX_REQUESTS" => "10000",
- ),
- "bin-copy-environment" => (
- "PATH", "SHELL", "USER"
- ),
- "broken-scriptfilename" => "enable",
- )
- )
- )
-
- # X-Pi-hole is a response header for debugging using curl -I
- # X-Frame-Options prevents clickjacking attacks and helps ensure your content is not embedded into other sites via < frame >, < iframe > or < object >.
- # X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. This is important because it tells the browser to block the response if a malicious script has been inserted from a user input. (deprecated; disabled)
- # X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This is important because the browser will only load external resources if their content-type matches what is expected, and not malicious hidden code.
- # Content-Security-Policy tells the browser where resources are allowed to be loaded and if it’s allowed to parse/run inline styles or Javascript. This is important because it prevents content injection attacks, such as Cross Site Scripting (XSS).
- # X-Permitted-Cross-Domain-Policies is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.
- # Referrer-Policy allows control/restriction of the amount of information present in the referral header for links away from your page—the URL path or even if the header is sent at all.
- setenv.add-response-header = (
- "X-Pi-hole" => "The Pi-hole Web interface is working!",
- "X-Frame-Options" => "DENY",
- "X-XSS-Protection" => "0",
- "X-Content-Type-Options" => "nosniff",
- "Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
- "X-Permitted-Cross-Domain-Policies" => "none",
- "Referrer-Policy" => "same-origin"
- )
-
- # Block . files from being served, such as .git, .github, .gitignore
- $HTTP["url"] =~ "^/admin/\." {
- url.access-deny = ("")
- }
-
- # allow teleporter and API qr code iframe on settings page
- $HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
- $HTTP["referer"] =~ "/admin/settings\.php" {
- setenv.set-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
- }
- }
-}
-else $HTTP["url"] == "/admin" {
- url.redirect = ("" => "/admin/")
-}
-
-$HTTP["host"] == "pi.hole" {
- $HTTP["url"] == "/" {
- url.redirect = ("" => "/admin/")
- }
-}
-
-# (keep this on one line for basic-install.sh filtering during install)
-server.modules += ( "mod_access", "mod_accesslog", "mod_redirect", "mod_fastcgi", "mod_setenv" )