Netgate Discussion Forum

    PfBlockerNG - DNSBL web server doesn't start

2.3-RC Snapshot Feedback and Issues - ARCHIVED
12 Posts 7 Posters 5.9k Views
• MikeV7896

Possible issue with the change of pfSense from lighttpd to nginx? Or is something else used as the web server?

I ran into this both on a VM I was running temporarily, as well as the bare metal (my Celeron J1900 box) that I'm running it on now.

The S in IOT stands for Security
• grandrivers

Yes, known by the developer; he is working on it. Yes, it was switched to nginx.

pfsense plus 25.03 super micro A1SRM-2558F
C2558 32gig ECC  60gig SSD
• f34rinc

The rest of the package converted so quickly that the DNSBL part must use a function that nginx doesn't have, or a different method. Does anyone know if it would have to be a whole rewrite to use nginx, or if it's not even possible to use nginx in the same way lighttpd was used?
• BBcan177 (Moderator)

With the change to NGINX from Lighttpd, it caused some issues with how HTTPS rejected domains are being logged, or not logged to be exact…

I am working with the devs on the possibility of compiling LUA in NGINX, which should allow for reporting the SNI domain name to the dnsbl.log.

Will keep you updated on my progress to get DNSBL working again in 2.3....

Thanks!

"Experience is something you don't get until just after you need it."

Website: http://pfBlockerNG.com
Twitter: @BBcan177  #pfBlockerNG
Reddit: https://www.reddit.com/r/pfBlockerNG/new/
• bluepr0

Thanks! I can't wait for pfblocker to work on 2.3. It's literally the only thing that stops me from upgrading!
• jwt (Netgate)

@BBcan177:

With the change to NGINX from Lighttpd, it caused some issues with how HTTPS rejected domains are being logged, or not logged to be exact…

I am working with the devs on the possibility of compiling LUA in NGINX, which should allow for reporting the SNI domain name to the dnsbl.log.

Will keep you updated on my progress to get DNSBL working again in 2.3....

Thanks!

Which dev(s) are you working with?
• BBcan177 (Moderator)

@jwt:

Which dev(s) are you working with?

Renato sent me a message this morning that he was going to verify if there are any issues with adding LUA dependencies to NGINX…
• phil.davis

@BBcan177:

@jwt:

Which dev(s) are you working with?

Renato sent me a message this morning that he was going to verify if there are any issues with adding LUA dependencies to NGINX…

You will know soon enough, once there is a build after this commit https://github.com/pfsense/pfsense/commit/0f75670b32b03f12362f230083e33e0b3177fc4d

As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
• jwt (Netgate)

https://github.com/pfsense/FreeBSD-ports/commit/14c8df8f024950c4d68e54ae3be8a9d8cd84da7b
• BBcan177 (Moderator)

NGINX has been updated to the latest version; however, using the new LUA directive ssl_certificate_by_lua_block will require updating OpenSSL to v1.0.2e or above… This looks to be the only LUA directive that can read the pre-SSL-handshake and allow logging of blocked HTTPS domains for DNSBL...

There are some complications with that, so I will wait for the devs to review and advise a path forward...
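Editor's note: the reason a pre-handshake Lua hook can log the blocked HTTPS domain at all is that the browser sends the host name in cleartext in the ClientHello's server_name extension (SNI, RFC 6066), before any certificate or application data is exchanged. The following Python is an added example, not code from this thread, pfBlockerNG or nginx: build_client_hello() constructs a sample ClientHello (the host names, cipher suite and extension list are made up for the example) and extract_sni() parses the SNI host name out of the raw record, which is the same value a Lua hook in nginx would hand to the dnsbl.log. It also shows what a logger has to treat as "no name": non-TLS input, a truncated record, and a ClientHello without SNI.

```python
"""Extract the SNI host name from a TLS ClientHello (added example, not pfBlockerNG code)."""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample input).

    A signature_algorithms extension precedes SNI so the parser has to skip an
    unrelated extension; pass server_name=None to omit SNI entirely.
    """
    extensions = struct.pack("!HH", 0x000D, 4) + b"\x00\x02\x04\x01"  # signature_algorithms
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                               # client_version: TLS 1.2
        + bytes(32)                               # random (zeros are fine for a sample)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
        + b"\x01\x00"                             # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the SNI host_name carried by a ClientHello record, or None.

    None covers non-TLS input, a truncated record and a ClientHello without SNI.
    Only a ClientHello that fits in one record is handled, which is the common case.
    """
    try:
        if len(data) < 5 or data[0] != TLS_HANDSHAKE:
            return None
        record_len = struct.unpack("!H", data[3:5])[0]
        handshake = data[5:5 + record_len]
        if len(handshake) < 4 or handshake[0] != CLIENT_HELLO:
            return None
        body_len = int.from_bytes(handshake[1:4], "big")
        body = handshake[4:4 + body_len]
        if len(body) < body_len:
            return None  # truncated: trust no length field beyond this point
        pos = 2 + 32                                              # client_version + random
        pos += 1 + body[pos]                                      # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + body[pos]                                      # compression_methods
        if pos + 2 > len(body):
            return None                                           # no extensions block
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", ext[0:2])[0]
            p = 2
            while p + 3 <= list_end:
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                name = ext[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == SNI_HOST_NAME:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None  # malformed input: log nothing rather than a garbage name


if __name__ == "__main__":
    print("SNI in sample ClientHello:", extract_sni(build_client_hello("ads.example.test")))
    print("SNI without extension:", extract_sni(build_client_hello()))
```

A logger built this way sees only what the client chose to send: a client that omits SNI, or a record split across TLS fragments, yields None, so the "blocked HTTPS domain" column of a DNSBL log will always have gaps that the DNS-side logging in the next post does not have.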
• BBcan177 (Moderator)

Devs:

Would you consider adding the python module to Unbound?
https://unbound.net/documentation/pythonmod/examples/example0.html#how-to-enable-python-module

This could potentially allow for DNS Filtering by ACL, and the logging of DNSBL rejected domains could be done for both http/https DNS requests without any of the SSL issues. The DNSBL web server would still be required to timeout the browser, or it could just be set to NXDOMAIN the requests and eliminate the web server completely as the logging etc is being achieved by the python script…
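Editor's note: to make the Unbound python-module proposal above concrete, here is an added example, not code from this thread, pfBlockerNG or Unbound. It implements the callbacks Unbound's pythonmod documentation defines (init, deinit, inform_super, operate); the names used inside operate() (log_info, log_err, MODULE_EVENT_*, MODULE_*, RCODE_*, DNSMessage, RR_TYPE_*, RR_CLASS_IN, PKT_*) are injected by Unbound when it loads the script and are not defined here, so operate() only runs inside Unbound, while the helpers above it are plain Python. The blocklist, the log path, the sinkhole address and the log-line layout are all assumed values constructed for the example. It shows both options the post describes: answering NXDOMAIN, which removes the need for a DNSBL web server, or keeping the sinkhole A record so the browser still lands on the web server and times out there.

```python
"""Unbound python module sketch for DNSBL logging and blocking (added example)."""
import time

# Constructed blocklist standing in for pfBlockerNG's DNSBL feeds.
BLOCKLIST = {"ads.example.test", "tracker.example.test"}
# None answers NXDOMAIN (no web server needed); an address such as "10.10.10.1"
# (assumed value) keeps sinkholing to a DNSBL web server instead.
SINKHOLE_IP = None
LOG_PATH = "/var/log/pfblockerng/dnsbl.log"  # assumed path for the example


def normalize(qname):
    """Lower-case and drop the trailing dot Unbound leaves on qinfo.qname_str."""
    return qname.rstrip(".").lower()


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname or any parent domain is listed, so cdn.ads.example.test hits too."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def dnsbl_log_line(qname, qtype, action, now=None):
    """One log line in a constructed CSV layout (not pfBlockerNG's real dnsbl.log format)."""
    when = time.gmtime(time.time() if now is None else now)
    return "%s,DNSBL,%s,%s,%s" % (time.strftime("%b %d %H:%M:%S", when),
                                  normalize(qname), qtype, action)


# ---- Unbound callbacks: rely on names Unbound injects into the script ----

def init(id, cfg):
    log_info("dnsbl: module loaded with %d blocklist entries" % len(BLOCKLIST))
    return True


def deinit(id):
    return True


def inform_super(id, qstate, superqstate, qdata):
    return True


def operate(id, event, qstate, qdata):
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        qname = qstate.qinfo.qname_str
        if not is_blocked(qname):
            qstate.ext_state[id] = MODULE_WAIT_MODULE   # let the next module resolve it
            return True
        action = "NXDOMAIN" if SINKHOLE_IP is None else SINKHOLE_IP
        # Logged at resolution time, so HTTP and HTTPS lookups are recorded alike
        # and no TLS handshake ever has to be inspected.
        with open(LOG_PATH, "a") as fh:
            fh.write(dnsbl_log_line(qname, qstate.qinfo.qtype_str, action) + "\n")
        if SINKHOLE_IP is None:
            qstate.return_rcode = RCODE_NXDOMAIN
            qstate.ext_state[id] = MODULE_FINISHED
            return True
        # Sinkhole variant: synthesize an A record pointing at the DNSBL web server.
        msg = DNSMessage(qname, RR_TYPE_A, RR_CLASS_IN, PKT_QR | PKT_RA | PKT_AA)
        if qstate.qinfo.qtype in (RR_TYPE_A, RR_TYPE_ANY):
            msg.answer.append("%s 60 IN A %s" % (qname, SINKHOLE_IP))
        if not msg.set_return_msg(qstate):
            qstate.ext_state[id] = MODULE_ERROR
            return True
        qstate.return_msg.rep.security = 2   # mark the synthetic answer as validated
        qstate.return_rcode = RCODE_NOERROR
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    if event == MODULE_EVENT_MODDONE:
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    log_err("dnsbl: unexpected event")
    qstate.ext_state[id] = MODULE_ERROR
    return True
```

Matching on parent domains in is_blocked() is what makes a single blocklist entry cover every hostname under it; the trade-off, compared with the web-server approach, is that the log records the queried name rather than a confirmed connection attempt, since a resolver cannot tell whether the client went on to connect.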
• jwt (Netgate)

I'm unlikely to add python
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.