Netgate Discussion Forum

    Issue with darkstat_redirect.php since update.

    • haddock

      So I updated darkstat to 3.1.3_2.

      The darkstat webgui has been configured to bind to loopback interface and I've then NAT'ed port 666 to 127.0.0.1.

      Before the update the link to "Access darkstat" was just pointing to http://IP:666. Since the update it now uses darkstat_redirect.php to check the system config and will redirect to HTTPS if it's enabled in pfSense:

      $proto = $config['system']['webgui']['protocol'];
      

      However darkstat does not seem to listen on HTTPS.

      TL;DR: New darkstat_redirect.php will check for HTTPS when darkstat does not work with HTTPS requests.
      Fix: change the url variable in /usr/local/www/darkstat_redirect.php from:

      $url = "{$proto}://{$baseurl}:{$port}";
      

      to:

      $url = "http://{$baseurl}:{$port}";
      
      • doktornotor Banned

        FFS, I swear this is the last time I've touched this stone-age behemoth. (It worked just fine here with HTTPS, well… because it's behind haproxy. Which would be my suggestion if you really need this package - and you can make it available on IPv6 this way as well).

        https://github.com/pfsense/FreeBSD-ports/pull/285

        • haddock

          Thanks for pushing the update.

          As you said, probably best to run this behind HAProxy in any case. I will install HAProxy when I get some spare time.

          • doktornotor Banned

            So, thinking about it, I don't get what's the regression here. Was broken before, is same broken now. Nothing changed, except that you can configure a port.

            You'll probably need to configure an alias (CNAME) for it or access it via IP if you have webGUI on HTTPS, namely due to https://redmine.pfsense.org/issues/6650 (that is no regression and nothing I could fix in the package, was exactly the same before the redirect hack, and pretty much the reason I did stick this behind haproxy.) As said above, sticking this behind haproxy is the preferred way to do things here.

            • haddock

              Hmm.

              I don't have access to any older installation now so I cannot check, but I'm pretty sure the earlier link to darkstat did not redirect to https.

              I access my install via an A record, the same DNS name is configured under "Alternate Hostnames".

              
              HTTP://hostname:666 works, whereas HTTPS://hostname:666 does not.
              
              HTTP://IP:666 works, HTTPS://IP:666 does not.
              

              I don't want to argue, just stating my experience. Will set up HAProxy after coffee.

              • doktornotor Banned

                It did not redirect to https. But pfSense itself will redirect to HTTPS if you ever visited it by hostname, because the browser will save the HSTS header sent by nginx for that FQDN. HSTS does not give a damn about ports. (And yeah, IP works, browsers don't do HSTS on IPs. Not the point here really.)

                Anyway, doesn't matter, will make the hostname configurable, see https://github.com/pfsense/FreeBSD-ports/pull/285.

                That's really the only way around HSTS here.

                • doktornotor Banned

                  Merged in 3.1.3_3. Use the LAN (or another darkstat interface) IP for the redirect if you don't want to be bothered with HSTS/DNS/reverse proxies.

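The HSTS behaviour discussed in the thread above, as an added example that is not part of any post or of the darkstat package: a small JavaScript model of the browser-side upgrade rule from RFC 6797. It shows why a stored HSTS entry for the firewall's host name turns http://hostname:666 into https://hostname:666, while an IP address or a separate alias is left on plain HTTP. All host names and addresses are constructed placeholders.

```javascript
// Added example: models the HSTS upgrade step of RFC 6797 (section 8.3).
// Host names and addresses used with it are constructed sample values.

// Known HSTS Hosts are keyed by host name only, never by port.
const hstsStore = new Map(); // host -> { includeSubDomains, expires }

function isIpLiteral(hostname) {
  // URL.hostname keeps IPv6 in brackets; IPv4 is four dotted decimal octets.
  return hostname.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
}

// Called when a response carries a Strict-Transport-Security header.
// Returns true if the header was honoured, false if it was ignored.
function noteHstsHeader(responseUrl, headerValue, now = Date.now()) {
  const u = new URL(responseUrl);
  // Only honoured over HTTPS, and never for IP-literal hosts.
  if (u.protocol !== "https:" || isIpLiteral(u.hostname)) return false;
  const maxAge = /(?:^|;)\s*max-age\s*=\s*"?(\d+)"?/i.exec(headerValue);
  if (!maxAge) return false;
  const seconds = Number(maxAge[1]);
  if (seconds === 0) { hstsStore.delete(u.hostname); return true; } // max-age=0 clears the entry
  hstsStore.set(u.hostname, {
    includeSubDomains: /(?:^|;)\s*includeSubDomains\s*(?:;|$)/i.test(headerValue),
    expires: now + seconds * 1000,
  });
  return true;
}

function isKnownHstsHost(hostname, now = Date.now()) {
  const labels = hostname.split(".");
  for (let i = 0; i < labels.length; i++) {
    const entry = hstsStore.get(labels.slice(i).join("."));
    // Exact match always counts; a parent domain only with includeSubDomains.
    if (entry && entry.expires > now && (i === 0 || entry.includeSubDomains)) return true;
  }
  return false;
}

// The URL the browser actually requests when asked to load `requested`.
function effectiveUrl(requested, now = Date.now()) {
  const u = new URL(requested);
  if (u.protocol !== "http:" || isIpLiteral(u.hostname)) return u.href;
  if (!isKnownHstsHost(u.hostname, now)) return u.href;
  u.protocol = "https:"; // an explicit port such as 666 is kept; implicit 80 becomes 443
  return u.href;
}
```

Because the port is preserved during the upgrade, a plain-HTTP listener on that port receives a TLS handshake it cannot answer, which matches the symptom reported for HTTPS://hostname:666.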
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.