Netgate Discussion Forum

    lighthttpd listening on wanv6 interface preventing haproxy from starting.

    Category: pfBlockerNG. 15 Posts, 3 Posters, 441 Views
    • jagdtigger

      Hello!

      So for some reason, after last night's storm caused the power to get flaky and then go out, today I noticed that HAProxy wasn't starting up. Turns out the web server for the pfBlocker web page listens on the WANv6 interface......
      My first thought was that maybe the storage developed some errors from the flaky power, but ZFS (2 SATA SSDs in a mirror) reports 0 errors.

      So where should I start with this? Google didn't provide any good results on this issue (or my google-fu failed me again).....

      (HW: RS100-E10-PI2 with i3-8100 and 32GB RAM [I don't know what sort of modules; whatever, I got it from eBay], and one 4-port Intel PCIe NIC.)

      • jagdtigger @jagdtigger

        Rookie mistake: the config file location was right under my nose (more precisely, in htop).

        # cat  /var/unbound/pfb_dnsbl_lighty.conf
        #
        #pfBlockerNG DNSBL Lighttpd configuration file
        #
        server.tag			= "pfBlockerNG DNSBL"
        server.bind			= "10.10.10.1"
        server.port			= "80"
        server.event-handler		= "freebsd-kqueue"
        server.network-backend		= "freebsd-sendfile"
        server.dir-listing		= "disable"
        server.document-root		= "/usr/local/www/pfblockerng/www/"
        server.max-request-size		= "1"
        server.pid-file			= "/var/run/dnsbl.pid"
        server.use-ipv6			= "enable"
        server.modules			= ( "mod_auth", "mod_fastcgi", "mod_rewrite", "mod_openssl" )
        index-file.names		= ( "index.php" )
        mimetype.assign			= ( ".html" => "text/html", ".gif" => "image/gif" )
        url.access-deny			= ( "~", ".inc" )
        fastcgi.server			= ( ".php" => ( "localhost" => ( "socket" => "/var/run/php-fpm.socket", "broken-scriptfilename" => "enable" ) ) )
        
        $HTTP["scheme"] == "http" {
        	url.rewrite-once = ( ".*" => "/index.php" )
        }
        
        $HTTP["remoteip"] =~ ".*" {
        
        	$SERVER["socket"] == "10.10.10.1:443" {
        		ssl.engine			= "enable"
        		ssl.pemfile			= "/var/unbound/dnsbl_cert.pem"
        		ssl.dh-file			= "/etc/dh-parameters.4096"
        		ssl.ec-curve			= "secp384r1"
        		ssl.honor-cipher-order		= "enable"
        		ssl.openssl.ssl-conf-cmd	= ("MinProtocol"	=> "TLSv1.2",
                                                           "Options"		=> "-ServerPreference",
                                                           "CipherString"	=> "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384")
        	}
        
        	$SERVER["socket"] == "[::10.10.10.1]:80" {
        		#
        	}
        
        	$SERVER["socket"] == "[::10.10.10.1]:443" {
        		ssl.engine			= "enable"
        		ssl.pemfile			= "/var/unbound/dnsbl_cert.pem"
        		ssl.dh-file			= "/etc/dh-parameters.4096"
        		ssl.ec-curve			= "secp384r1"
        		ssl.honor-cipher-order		= "enable"
        		ssl.openssl.ssl-conf-cmd	= ("MinProtocol"	=> "TLSv1.2",
        						   "Options"		=> "-ServerPreference",
        						   "CipherString"	=> "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384")
        	}
        
        	$HTTP["host"] =~ ".*" {
        		url.rewrite-once = ( ".*" => "/index.php" )
        	}
        }
        

        But when I look at which addresses it is listening on:

        # sockstat | grep lighttpd
        root     lighttpd_p 93553 4   tcp6   <wanv6>:443 *:*
        root     lighttpd_p 93553 5   tcp6   ::10.10.10.1:80       *:*
        root     lighttpd_p 93553 6   tcp6   ::10.10.10.1:443      *:*
        root     lighttpd_p 93553 7   tcp6   <wanv6>:80 *:*
        

        Running lighttpd in debug mode didn't yield anything either....

        # /usr/local/sbin/lighttpd_pfb -f  /var/unbound/pfb_dnsbl_lighty.conf -D
        2026-05-16 10:04:22: (/wrkdirs/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/server.c.1939) server started (lighttpd/1.4.76)
        2026-05-16 10:04:22: (/wrkdirs/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/configfile.c.1397) WARNING: unknown config-key: server.dir-listing (ignored)
        2026-05-16 10:04:22: (/wrkdirs/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/configfile.c.1397) WARNING: unknown config-key: url.access-deny (ignored)
        2026-05-16 10:04:22: (/wrkdirs/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/configfile.c.1397) WARNING: unknown config-key: ssl.dh-file (ignored)
        2026-05-16 10:04:22: (/wrkdirs/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/configfile.c.1397) WARNING: unknown config-key: ssl.ec-curve (ignored)
        2026-05-16 10:04:22: (/wrkdirs/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/configfile.c.1397) WARNING: unknown config-key: ssl.honor-cipher-order (ignored)
        2026-05-16 10:04:22: (/wrkdirs/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/configfile.c.1397) WARNING: unknown config-key: ssl.dh-file (ignored)
        2026-05-16 10:04:22: (/wrkdirs/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/configfile.c.1397) WARNING: unknown config-key: ssl.ec-curve (ignored)
        2026-05-16 10:04:22: (/wrkdirs/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/configfile.c.1397) WARNING: unknown config-key: ssl.honor-cipher-order (ignored)
        ^C2026-05-16 10:04:56: (/wrkdirs/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/server.c.1230) [note] graceful shutdown started
        2026-05-16 10:04:56: (/wrkdirs/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/server.c.2350) server stopped by UID = 0 PID = 0
        
        
        • jagdtigger @jagdtigger

          Welp, this was a nice deep rabbit hole.....

          But I think I found it, on Reddit surprisingly:
          https://www.reddit.com/r/pfBlockerNG/comments/1jb5rtc/ipv6_woes_wrong_vip/

          "According to https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_use-ipv6Details, using server.use-ipv6 = "enable" will bind to ALL ipv6 addresses, i.e. wildcard."

          So I commented out "server.use-ipv6" in the config; lighttpd now listens on the correct addresses.......

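The mismatch in the two posts above (a config that only names 10.10.10.1 and [::10.10.10.1], yet sockstat showing two extra listeners on the WANv6 address) is the kind of thing to check mechanically rather than by eye. The following is an added example, not code from the thread or from pfBlockerNG: it parses the bind addresses a lighttpd config declares (server.bind/server.port plus every `$SERVER["socket"] == "addr:port"` block) and the listening sockets from FreeBSD `sockstat -ln`, then reports every socket the config never declared, calling out wildcard binds separately. The sample config and sockstat output are constructed from the values posted above, with 2001:db8::1 standing in for the redacted `<wanv6>` address; `lighttpd_p` is the truncated command name exactly as sockstat printed it in the thread.

```python
"""Report lighttpd listeners that its configuration does not declare.

Added example (not from the thread or pfBlockerNG). Assumes the FreeBSD
sockstat layout USER COMMAND PID FD PROTO LOCAL FOREIGN, the truncated command
name "lighttpd_p", and constructed samples in which 2001:db8::1 stands in for
the redacted WANv6 address.
"""
import re
import subprocess
import sys
from pathlib import Path
from typing import NamedTuple


class Listener(NamedTuple):
    addr: str
    port: int


# Constructed from the thread's config; only these four address:port pairs are declared.
SAMPLE_CONF = '''
server.bind        = "10.10.10.1"
server.port        = "80"
server.use-ipv6    = "enable"
$HTTP["remoteip"] =~ ".*" {
    $SERVER["socket"] == "10.10.10.1:443" { ssl.engine = "enable" }
    $SERVER["socket"] == "[::10.10.10.1]:80" { }
    $SERVER["socket"] == "[::10.10.10.1]:443" { ssl.engine = "enable" }
}
'''
# Constructed: the faulty state from the thread, <wanv6> replaced by 2001:db8::1.
BAD_SOCKSTAT = '''\
USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd_p 93553 4   tcp6   2001:db8::1:443       *:*
root     lighttpd_p 93553 5   tcp6   ::10.10.10.1:80       *:*
root     lighttpd_p 93553 6   tcp6   ::10.10.10.1:443      *:*
root     lighttpd_p 93553 7   tcp6   2001:db8::1:80        *:*
'''
# Constructed: the healthy state (matches what patient0 posted further down).
GOOD_SOCKSTAT = '''\
0        lighttpd_p  8822 4   tcp4   10.10.10.1:443        *:*
0        lighttpd_p  8822 5   tcp6   ::10.10.10.1:80       *:*
0        lighttpd_p  8822 6   tcp6   ::10.10.10.1:443      *:*
0        lighttpd_p  8822 8   tcp4   10.10.10.1:80         *:*
'''

KEY_RE = re.compile(r'^\s*(server\.(?:bind|port|use-ipv6))\s*=\s*"([^"]*)"', re.M)
SOCKET_RE = re.compile(r'\$SERVER\["socket"\]\s*==\s*"([^"]+)"')
WILDCARDS = {'*', '::', '0.0.0.0'}


def split_hostport(text: str) -> Listener:
    """'10.10.10.1:80', '[::1]:80' (lighttpd) or '::1:80' (sockstat) -> Listener, split on the last colon."""
    host, _, port = text.rpartition(':')
    return Listener(host.strip('[]'), int(port))


def configured_listeners(conf: str) -> set[Listener]:
    """Every address:port the config names: server.bind/server.port plus each $SERVER["socket"] block."""
    keys = dict(KEY_RE.findall(conf))
    listeners = set()
    if 'server.bind' in keys:
        listeners.add(Listener(keys['server.bind'], int(keys.get('server.port', '80'))))
    listeners.update(split_hostport(sock) for sock in SOCKET_RE.findall(conf))
    return listeners


def observed_listeners(sockstat: str, command: str = 'lighttpd_p') -> set[Listener]:
    """TCP sockets in listening state (foreign address *:*) belonging to `command`."""
    found = set()
    for line in sockstat.splitlines():
        cols = line.split()
        if len(cols) >= 7 and cols[1] == command and cols[4].startswith('tcp') and cols[6] == '*:*':
            found.add(split_hostport(cols[5]))
    return found


def unexpected_listeners(conf: str, sockstat: str) -> list[tuple[Listener, str]]:
    """Listeners seen in sockstat but absent from the config, each with a reason."""
    expected = configured_listeners(conf)
    keys = dict(KEY_RE.findall(conf))
    hint = ' (server.use-ipv6 = "enable" is set)' if keys.get('server.use-ipv6') == 'enable' else ''
    findings = []
    for lst in sorted(observed_listeners(sockstat) - expected):
        if lst.addr in WILDCARDS:
            findings.append((lst, 'wildcard bind, reachable on every address'))
        else:
            findings.append((lst, 'address not in configuration' + (hint if ':' in lst.addr else '')))
    return findings


def main(argv: list[str]) -> int:
    if argv[1:] == ['--live']:  # on the firewall: real config, real sockstat
        conf = Path('/var/unbound/pfb_dnsbl_lighty.conf').read_text()
        sockstat = subprocess.run(['sockstat', '-ln'], capture_output=True, text=True, check=True).stdout
    else:  # default: the constructed samples, so the script runs anywhere
        conf, sockstat = SAMPLE_CONF, BAD_SOCKSTAT
    findings = unexpected_listeners(conf, sockstat)
    for lst, reason in findings:
        print(f'UNEXPECTED {lst.addr}:{lst.port}  {reason}')
    print(f'{len(findings)} finding(s)' if findings else 'OK: every listener is declared in the config')
    return 1 if findings else 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Without arguments it runs on the embedded samples and exits 1, reporting the two WANv6 listeners; `--live` reads /var/unbound/pfb_dnsbl_lighty.conf and calls sockstat on the firewall itself, and exits 0 when every listener is declared, so it can serve as a post-reload check.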
          • jagdtigger @jagdtigger

            Welp, that tweak was short-lived; looks like it got overwritten. Unticking "IPv6 DNSBL" obviously fixes it, but I do have IPv6 connectivity, so I'd rather not do that......

            /Edit
            And before I forget it again:
            pf: 2.8.1 CE, all patches installed
            pfb: 3.2.8

            • patient0 @jagdtigger

              @jagdtigger what are your settings for the "DNSBL Webserver Configuration"?

              Mine are (CE 2.8.1, pfBlockerNG 3.2.8):

              [image: DNSBL Webserver.jpeg]

              which results in (what I would have expected):

              [2.8.1-RELEASE][root@pfSense.home.arpa]/root: sockstat -ln | fgrep lighttp
              0        lighttpd_p  8822 4   tcp4   10.10.10.1:443        *:*
              0        lighttpd_p  8822 5   tcp6   ::10.10.10.1:80       *:*
              0        lighttpd_p  8822 6   tcp6   ::10.10.10.1:443      *:*
              0        lighttpd_p  8822 8   tcp4   10.10.10.1:80         *:*
              
              • jagdtigger @patient0

                @patient0 same as yours, never changed it from the defaults (minus the enable IPv6 part, I think). I don't know what happened that it suddenly has issues....

                • patient0 @jagdtigger

                  @jagdtigger try either rebooting again or disabling & enabling pfBlockerNG; gotta be a fluke.

                  • jagdtigger @patient0

                    @patient0
                    Tried: disable-reload-enable-reload, nothing. Rebooted several times. Uninstalled then installed the pfb package (preserve config was ticked).........

                    • patient0 @jagdtigger

                      @jagdtigger mmhh, can you try choosing a LAN interface instead of Localhost, save and switch back? Of course only if it doesn't clash with the pfSense web GUI.

                      • jagdtigger @patient0

                        @patient0
                        Set it to opt7 (just a direct connection dangling around in the rack in case of a mess-up and I need a direct line to the router, so it's unused ATM). No effect.....

                        • Gertjan @jagdtigger

                          @jagdtigger said in lighthttpd listening on wanv6 interface preventing haproxy from starting.:

                          Welp that tweak was short lived, looks like it got overwritten....
                          So i commented out "server.use-ipv6" in the config

                          Because you're not the only one editing (creating) the config file.
                          It's also the one and only role of the pfSense GUI - that's what pfSense is all about ^^
                          Find the file / place where:
                          [image: b8b4803c-d505-4656-8a41-f5471960a4f7-image.png]

                          where it's added to the httpd config file - you'll find it in the pfSense pfBlockerNG folder, here /usr/local/pkg/pfblockerng/, and you'll be good.

                          Btw: I looked at my /var/unbound/pfb_dnsbl_lighty.conf file and I don't have the "server.use-ipv6 = "enable"" line.
                          [image: 72eea77b-de73-416a-91f4-b68223ee9144-image.png]

                          (pfSense Plus 26.03)

                          @jagdtigger said in lighthttpd listening on wanv6 interface preventing haproxy from starting.:

                          Triead: disable-reload-enable-reload, nothing. Rebooted several times. Uninstalled then installed the pfb package (preserve config was ticked).........

                          And that's good news 😊
                          Rebooting with the same = identical settings should give you an identical situation.
                          Things shouldn't get set 'randomly'.

                          No "help me" PM's please. Use the forum, the community will thank you.

                          • patient0 @jagdtigger

                            @jagdtigger do any changes have any effect? E.g. if you change the IPv4 address of DNSBL, is that reflected if you check with sockstat?

                            • jagdtigger @Gertjan

                              @Gertjan
                              Set web server interface to opt7 -> reload -> reboot: still listens on wanv6.
                              Set it back then same method as above: same.
                              Not fluent enough in programming to safely alter the scripts there.

                              @patient0
                              The only thing that stops this behavior is if I untick the "IPv6 DNSBL" option, which is not optimal since I do have IPv6 (HE tunnel). Or modify the config file, which will get wiped every time pfBlocker runs an update......
                              The IP change is reflected in sockstat, but it still listens on wanv6.

                              • Gertjan @jagdtigger

                                @jagdtigger said in lighthttpd listening on wanv6 interface preventing haproxy from starting.:

                                Not fluent enough in programming to safely alter the scripts there.

                                Good news.
                                Not programming.
                                Several presses on the 'delete' key probably do.

                                The file in question: /usr/local/pkg/pfblockerng/pfblockerng.inc

                                Around line 1766 I have this:

                                [image: 3f22fdc5-ee11-45fb-9afa-0b7d390a8e58-image.png]

                                At the top you see the place where server.pid-file is added.
                                At the bottom: the 3 cases where 'server.modules' is added.
                                In between you should find a line that mentions 'server.use-ipv6'.
                                Delete this line.

                                Before you edit, make a copy of the file.

                                If you need guidance: paste, like me, the part where 'server.use-ipv6' is stated in your /usr/local/pkg/pfblockerng/pfblockerng.inc file. There should be only one occurrence of 'server.use-ipv6' in the entire file.

                                @jagdtigger said in lighthttpd listening on wanv6 interface preventing haproxy from starting.:

                                Or modify the config file which will get wiped every time pfblocker runs an update......

                                More good news: the next time you receive an update for pfBlockerNG, you'll have the same copy as me. And guess what: no more 'server.use-ipv6', so issue auto-solved 😊


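The procedure in the post above (back up pfblockerng.inc, find the single line that emits server.use-ipv6, delete or comment it out) as an added example; this is not code from the thread or from pfBlockerNG. It assumes the path /usr/local/pkg/pfblockerng/pfblockerng.inc given above, that the string occurs on exactly one line (as stated above), and that a leading '#' is a line comment in PHP as well as in a lighttpd config file, so prefixing the line is harmless whether it is a PHP statement or text inside a template string. In any other situation (no hit, several hits, line already commented) the script refuses to touch the file, and it writes a .bak copy before changing anything. SAMPLE_INC is a constructed stand-in for the generator used by demo(); the real file's line looks different.

```python
"""Guarded edit: comment out the one line in pfBlockerNG's lighttpd config
generator that emits `server.use-ipv6`.

Added example (not from the thread or pfBlockerNG). Assumptions: the path
below, exactly one matching line, and '#' being a comment in both PHP and
lighttpd config syntax. Refuses to edit otherwise; writes <name>.bak first.
"""
import shutil
import sys
import tempfile
from pathlib import Path
from typing import Optional

NEEDLE = 'server.use-ipv6'
DEFAULT_PATH = Path('/usr/local/pkg/pfblockerng/pfblockerng.inc')

# Constructed stand-in for the generator, used by demo(); not the real file's contents.
SAMPLE_INC = (
    '\t$lighty_config .= "server.pid-file\\t= \\"/var/run/dnsbl.pid\\"\\n";\n'
    '\t$lighty_config .= "server.use-ipv6\\t= \\"enable\\"\\n";\n'
    '\t$lighty_config .= "server.modules\\t= ( \\"mod_auth\\" )\\n";\n'
)


def locate_needle(text: str, needle: str = NEEDLE) -> tuple[Optional[int], str]:
    """Index of the single live line containing `needle`, or (None, reason) when the edit must not proceed."""
    lines = text.splitlines()
    hits = [i for i, line in enumerate(lines) if needle in line]
    if not hits:
        return None, f'{needle!r} not found (nothing to do, or the package no longer emits it)'
    if len(hits) > 1:
        return None, f'{needle!r} found on {len(hits)} lines; file differs from the thread, edit by hand'
    if lines[hits[0]].lstrip().startswith('#'):
        return None, f'line {hits[0] + 1} is already commented out'
    return hits[0], ''


def comment_out_needle(text: str, needle: str = NEEDLE) -> str:
    """Return `text` with the located line prefixed by '#' (indentation kept); ValueError if refused."""
    idx, reason = locate_needle(text, needle)
    if idx is None:
        raise ValueError(reason)
    lines = text.splitlines(keepends=True)
    body = lines[idx].lstrip()
    lines[idx] = lines[idx][: len(lines[idx]) - len(body)] + '#' + body
    return ''.join(lines)


def patch_file(path: Path, write: bool = False) -> str:
    """Compute the patched content; with write=True back up to <name>.bak and rewrite the file."""
    new = comment_out_needle(path.read_text())
    if write:
        shutil.copy2(path, path.with_name(path.name + '.bak'))
        path.write_text(new)
    return new


def demo() -> dict:
    """Run the whole procedure against SAMPLE_INC in a temp dir and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        inc = Path(tmp, 'pfblockerng.inc')
        inc.write_text(SAMPLE_INC)
        preview = patch_file(inc)               # dry run: file untouched
        untouched = inc.read_text() == SAMPLE_INC
        patched = patch_file(inc, write=True)   # real run: .bak written, file rewritten
        return {
            'preview_equals_patched': preview == patched,
            'dry_run_left_file_alone': untouched,
            'backup_matches_original': inc.with_name('pfblockerng.inc.bak').read_text() == SAMPLE_INC,
            'patched_line': patched.splitlines()[1],
            'second_run_refused': locate_needle(patched)[0] is None,
        }


if __name__ == '__main__':
    # Usage: python3 this.py [--write] [path]   (no --write: dry run, only shows the line it would change)
    write = '--write' in sys.argv
    paths = [a for a in sys.argv[1:] if a != '--write']
    target = Path(paths[0]) if paths else DEFAULT_PATH
    try:
        result = patch_file(target, write=write)
    except (OSError, ValueError) as err:
        sys.exit(f'not patched: {err}')
    idx = next(i for i, line in enumerate(result.splitlines()) if NEEDLE in line)
    print('wrote' if write else 'would write', target, 'line', idx + 1, '->', result.splitlines()[idx].strip())
```

Run it without --write first and read the line it reports; if that line turns out to be part of a PHP statement spanning several lines, comment it out by hand instead. After writing, force a reload in pfBlockerNG so the lighttpd config is regenerated, then confirm with `sockstat -ln | grep lighttpd` that only the DNSBL addresses remain. As the post above notes, the next package update overwrites the .inc again.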
                                • jagdtigger @Gertjan

                                  @Gertjan said in lighthttpd listening on wanv6 interface preventing haproxy from starting.:

                                  Good news.
                                  Not programming.
                                  Several presses on the 'delete' key probably do.

                                  Looks like I came off as a whiner again :S . Sorry about that, I have a habit of admitting when I don't feel confident enough doing something... -.-'

                                  Commented out the "offending" line; looks like it solved it. It listens on the correct v4 and v6 addresses. (Knocks on wood...)

                                  Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.