Not possible to enable / disable list behind apache proxy

[RobMeerwijk]

Versions

• Pi-hole: 6.0
• AdminLTE: 6.0
• FTL: 6.0

Platform

• Platform: Debian bookworm / docker compose

Expected behavior

My pihole docker container is behind an apache reverse proxy that is normally working for the most part, except enabling/disabling subscribed lists. I would expect to be able to enable / disable list items.

Actual behavior / bug

When pressing enabled / disabled item in "subscribed lists" settings are not changed. In my proxy I find the following lines (404):
"PUT /api/lists/https%3A%2F%2Fs3.amazonaws.com%2Flists.disconnect.me%2Fsimple_tracking.txt?type=block HTTP/1.1" 404 518 "https://pihole.example.com/admin/groups/lists"

I switched back to the previous version, there was no problem in that case. If I bypass the proxy in version 6.0 also no problem.

Steps to reproduce

1 Put pihole v6.0 behind a reverse proxy (apache)
2 Test enable/disable button: error
3 Go to pihole without reverse proxy
4 Test enable/disable button: normal behavior
5 Switch to v5.x behind same proxy, nothing changed in proxy!
6 Test enable/disable button: normal behavior
7 Switch back to v6.0 behind proxy
8 Test button: error

Thanks for looking into this (not so important) problem.

Rob

[yubiuser]

I've seen similar reports, this was mostly due to damaged gravity.db.

Please post a debug token.

[conturNDE]

Difficult without configs, but I had to add the forwarding of /api/ in addition to the forwarding of /admin/ in my proxy after updating to the new version. Then everything worked for me again.
The 404 status code indicates that there is an forwarding problem.

[RobMeerwijk]

Difficult without configs, but I had to add the forwarding of /api/ in addition to the forwarding of /admin/ in my proxy after updating to the new version. Then everything worked for me again. The 404 status code indicates that there is an forwarding problem.

Could you help me out, what is your config now?

My current apache conf-file contains:

`
RewriteEngine On
RewriteRule ^/$ /admin [R]
ProxyPass / http://host.exampe.lan:81/
ProxyPassReverse / http://host.exampe.lan:81/
ProxyPreserveHost On

`

[RobMeerwijk]

I've seen similar reports, this was mostly due to damaged gravity.db.

Please post a debug token.

https://tricorder.pi-hole.net/nWYVh6Oc/

[yubiuser]

There were no immediate errors in your debug log regarding the databases.

Please run the debug again with the -c flag to perform a database integrity check

pihole -d -c

[RobMeerwijk]

https://tricorder.pi-hole.net/qkJNP9J6/

[yubiuser]

The database is fine.

*** [ DIAGNOSING ]: Pi-hole FTL Query Database
-rw-r----- 1 pihole pihole 9.4M Feb 22 22:30 /etc/pihole/pihole-FTL.db
[i] Checking integrity of /etc/pihole/pihole-FTL.db ... (this can take several minutes)
[✓] Integrity of /etc/pihole/pihole-FTL.db intact
[i] Checking foreign key constraints of /etc/pihole/pihole-FTL.db ... (this can take several minutes)
[✓] No foreign key errors in /etc/pihole/pihole-FTL.db

*** [ DIAGNOSING ]: Gravity Database
-rw-rw---- 1 pihole pihole 8.6M Feb 22 03:12 /etc/pihole/gravity.db
[i] Checking integrity of /etc/pihole/gravity.db ... (this can take several minutes)
[✓] Integrity of /etc/pihole/gravity.db intact
[i] Checking foreign key constraints of /etc/pihole/gravity.db ... (this can take several minutes)
[✓] No foreign key errors in /etc/pihole/gravity.db

[yubiuser]

Transfering into FTL as this seems to be an API issue

[RobMeerwijk]

@conturNDE seems to have solved it by changing the proxy-conf file since it is a 404 error. But I dont know what he means by forwarding in his proxy config.

Maybe this helps? 3rd line contains the 404 error:

pihole.robsweb.nl:443 192.168.178.37 - [22/Feb/2025:23:25:45 +0100] "GET /api/info/ftl HTTP/1.1" 200 5330 "https://pihole.robsweb.nl/admin/groups/lists" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0" - "-"
pihole.robsweb.nl:443 192.168.178.37 - [22/Feb/2025:23:25:45 +0100] "GET /api/dns/blocking HTTP/1.1" 200 1078 "https://pihole.robsweb.nl/admin/groups/lists" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0" - "-"
pihole.robsweb.nl:443 192.168.178.37 - [22/Feb/2025:23:25:47 +0100] "PUT /api/lists/https%3A%2F%2Fs3.amazonaws.com%2Flists.disconnect.me%2Fsimple_tracking.txt?type=block HTTP/1.1" 404 518 "https://pihole.robsweb.nl/admin/groups/lists" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0" - "-"
pihole.robsweb.nl:443 192.168.178.37 - [22/Feb/2025:23:25:55 +0100] "GET /api/dns/blocking HTTP/1.1" 200 1078 "https://pihole.robsweb.nl/admin/groups/lists" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0" - "-"
pihole.robsweb.nl:443 192.168.178.37 - [22/Feb/2025:23:26:05 +0100] "GET /api/info/system HTTP/1.1" 200 1524 "https://pihole.robsweb.nl/admin/groups/lists" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0" - "-"

[conturNDE]

Hi @RobMeerwijk
I use an nginX as a reverse proxy, so the configuration is slightly different. Have a look at the last block location /api/. I had to enter it additionally after I had updated. Only then did everything work again.

server {
        listen 443 ssl http2;
        server_name pihole.myprivatedomain.de;
        #proxy_set_header some header like X-Real-IP, X-Forwarded-For and so on
        #include own_params/ssl_params; #some tls stuff, letsencrypt etc. 

        location / {
                return 301 $scheme://$host/admin/;
        }
        location /admin/ {
                proxy_pass http://localhost:8001/admin/;
        }
        
        # new block since updateing from 2024.07.0 to 2025.02.3
        location /api/ {
                proxy_pass http://localhost:8001/api/;
        }
}

[RobMeerwijk]

@conturNDE Thanks, I tried what I think is the equivalent in Apache:

RewriteEngine On
RewriteRule ^/$ /admin/ [R]

<Location /admin>
ProxyPass            http://host.domain:81/admin/
ProxyPassReverse     http://host.domain.lan:81/admin/
ProxyPreserveHost On
</Location>

<Location /api>
ProxyPass            http://host.domain.lan:81/api/
ProxyPassReverse     http://host.domain.lan:81/api/
ProxyPreserveHost On
</Location>

#<Location />
#ProxyPass              http://docker-nas-1.robsweb.lan:81/
#ProxyPassReverse       http://docker-nas-1.robsweb.lan:81/
#ProxyPreserveHost On
#<Location />

That did not work at all, no data loaded in dashboard or any other screen

When I uncomment the last lines, behaviour is te same as before, cannot enable / disable list items. I cannot find a clue in the logs, except 404 errors, in the proxy-logs, not even with debugging webserver on.

[DL6ER]

I'd propose you run

sudo pihole-FTL --config debug.api true

and then try accessing the page again. This debug setting will not only be rather verbose about what is happening in /var/log/pihole/FTL.log but will also enable a full access log at /var/log/pihole/webserver.log. This should make it rather easy to debug any reverse proxy configuration.

[RobMeerwijk]

Funny, no 404 in the pihole webserver log, only in the proxy-log. In the FTL log I find this, but I do not understand what is going on there. I give up for now. If I need to change list settings, I will bypass the proxy. Much easier. Thanks everybody:

025-02-23 20:50:52.580 CET [57/T180] DEBUG_API: Processing GET /api/info/system in /api/info/system
2025-02-23 20:50:52.580 CET [57/T180] DEBUG_API: Done
2025-02-23 20:50:53.112 CET [57/T181] DEBUG_API: Requested API URI: 192.168.99.3 -> GET /api/dns/blocking ? (null) (Content-Type (null))
2025-02-23 20:50:53.113 CET [57/T181] DEBUG_API: Received no payload
2025-02-23 20:50:53.113 CET [57/T181] DEBUG_API: Read sid="4DCeG50q02BwuHxlzMyWWQ=" from cookie
2025-02-23 20:50:53.113 CET [57/T181] DEBUG_API: Recognized known user: user_id 0, valid_until: 2025-02-23 21:20:53 CET, remote_addr 192.168.99.3 (192.168.99.3 at login)

[pauruiz]

I think this may be the same issue I just reported here (v6 not honouring X-Forwarded-For header): Issue 2298