Merge pull request #1296 from pi-hole/dev

Dev

README.md

@@ -96,7 +96,7 @@ There are other environment variables if you want to customize various things in
 | -------- | ------- | ----- | ---------- |
 | `TZ` | UTC | `<Timezone>` | Set your [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to make sure logs rotate at local midnight instead of at UTC midnight.
 | `WEBPASSWORD` | random | `<Admin password>` | http://pi.hole/admin password. Run `docker logs pihole \| grep random` to find your random pass.
-| `FTLCONF_LOCAL_IPV4` | unset | `<Host's IP>` | Set to your server's LAN IP, used by web block modes and lighttpd bind address.
+| `FTLCONF_LOCAL_IPV4` | unset | `<Host's IP>` | Set to your server's LAN IP, used by web block modes.
 
 ### Optional Variables
 
@@ -132,6 +132,7 @@ There are other environment variables if you want to customize various things in
 | `INTERFACE` | unset | `<NIC>` | The default works fine with our basic example docker run commands.  If you're trying to use DHCP with `--net host` mode then you may have to customize this or DNSMASQ_LISTENING.
 | `DNSMASQ_LISTENING` | unset | `<local\|all\|single>` | `local` listens on all local subnets, `all` permits listening on internet origin subnets in addition to local, `single` listens only on the interface specified.
 | `WEB_PORT` | unset | `<PORT>` | **This will break the 'webpage blocked' functionality of Pi-hole** however it may help advanced setups like those running synology or `--net=host` docker argument.  This guide explains how to restore webpage blocked functionality using a linux router DNAT rule: [Alternative Synology installation method](https://discourse.pi-hole.net/t/alternative-synology-installation-method/5454?u=diginc)
+| `WEB_BIND_ADDR` | unset | `<IP>` | Lighttpd's bind address. If left unset lighttpd will bind to every interface, except when running in host networking mode where it will use `FTLCONF_LOCAL_IPV4` instead.
 | `SKIPGRAVITYONBOOT` | unset | `<unset\|1>` | Use this option to skip updating the Gravity Database when booting up the container.  By default this environment variable is not set so the Gravity Database will be updated when the container starts up.  Setting this environment variable to 1 (or anything) will cause the Gravity Database to not be updated when container starts up.
 | `CORS_HOSTS` | unset | `<FQDNs delimited by ,>` | List of domains/subdomains on which CORS is allowed. Wildcards are not supported. Eg: `CORS_HOSTS: domain.com,home.domain.com,www.domain.com`.
 | `CUSTOM_CACHE_SIZE` | `10000` | Number | Set the cache size for dnsmasq. Useful for increasing the default cache size or to set it to 0. Note that when `DNSSEC` is "true", then this setting is ignored.

src/s6/debian-root/usr/local/bin/bash_functions.sh

@@ -338,11 +338,24 @@ setup_FTL_ProcessDNSSettings(){
 }
 
 setup_lighttpd_bind() {
-    local serverip="${FTLCONF_LOCAL_IPV4}"
-    # if using '--net=host' only bind lighttpd on $FTLCONF_LOCAL_IPV4 and localhost
-    if grep -q "docker" /proc/net/dev && [[ $serverip != 0.0.0.0 ]]; then #docker (docker0 by default) should only be present on the host system
+    local bind_addr="${WEB_BIND_ADDR}"
+
+    if [[ -z "$bind_addr" ]]; then
+        # if using '--net=host' bind lighttpd on $FTLCONF_LOCAL_IPV4 (for backward compatibility with #154).
+        if grep -q "docker" /proc/net/dev && [[ $FTLCONF_LOCAL_IPV4 != 0.0.0.0 ]]; then #docker (docker0 by default) should only be present on the host system
+            echo "  [i] WARNING: running in host network mode forces lighttpd's bind address to \$FTLCONF_LOCAL_IPV4 ($FTLCONF_LOCAL_IPV4)."
+            echo "  [i] This behaviour is deprecated and will be removed in a future version. If your installation depends on a custom bind address (not 0.0.0.0) you should set the \$WEB_BIND_ADDR environment variable to the desired value."
+            bind_addr="${FTLCONF_LOCAL_IPV4}"
+        # bind on 0.0.0.0 by default
+        else
+            bind_addr="0.0.0.0"
+        fi
+    fi
+
+    # Overwrite lighttpd's bind address, always listen on localhost
+    if [[ $bind_addr != 0.0.0.0 ]]; then
         if ! grep -q "server.bind" /etc/lighttpd/lighttpd.conf ; then # if the declaration is already there, don't add it again
-            sed -i -E "s/server\.port\s+\=\s+([0-9]+)/server.bind\t\t = \"${serverip}\"\nserver.port\t\t = \1\n"\$SERVER"\[\"socket\"\] == \"127\.0\.0\.1:\1\" \{\}/" /etc/lighttpd/lighttpd.conf
+            sed -i -E "s/server\.port\s+\=\s+([0-9]+)/server.bind\t\t = \"${bind_addr}\"\nserver.port\t\t = \1\n"\$SERVER"\[\"socket\"\] == \"127\.0\.0\.1:\1\" \{\}/" /etc/lighttpd/lighttpd.conf
         fi
     fi
 }
@@ -386,7 +399,7 @@ setup_web_port() {
         return
     fi
     echo "  [i] Custom WEB_PORT set to $web_port"
-    echo "  [i] Without proper router DNAT forwarding to $FTLCONF_LOCAL_IPV4:$web_port, you may not get any blocked websites on ads"
+    echo "  [i] Without proper router DNAT forwarding to ${WEB_BIND_ADDR:-$FTLCONF_LOCAL_IPV4}:$web_port, you may not get any blocked websites on ads"
 
     # Update lighttpd's port
     sed -i '/server.port\s*=\s*80\s*$/ s/80/'"${WEB_PORT}"'/g' /etc/lighttpd/lighttpd.conf

test/tests/test_bash_functions.py

@@ -247,3 +247,44 @@ def test_setupvars_trumps_random_password_if_set(docker, args_env, test_args):
 
     assert "Pre existing WEBPASSWORD found" in function.stdout
     assert docker.run(_grep("WEBPASSWORD=volumepass", SETUPVARS_LOC)).rc == 0
+
+
+@pytest.mark.parametrize(
+    "args_env,test_args,expected_bind,expect_warning",
+    [
+        ("-e FTLCONF_LOCAL_IPV4=192.0.2.10", "--net=host", "192.0.2.10", True),
+        ("-e FTLCONF_LOCAL_IPV4=192.0.2.10", "", "0.0.0.0", False),
+        (
+            "-e WEB_BIND_ADDR=192.0.2.20 -e FTLCONF_LOCAL_IPV4=192.0.2.10",
+            "--net=host",
+            "192.0.2.20",
+            False,
+        ),
+        (
+            "-e WEB_BIND_ADDR=192.0.2.20 -e FTLCONF_LOCAL_IPV4=192.0.2.10",
+            "",
+            "192.0.2.20",
+            False,
+        ),
+    ],
+)
+def test_setup_lighttpd_bind(
+    docker, args_env, test_args, expected_bind, expect_warning
+):
+    """Lighttpd's bind address is correctly set"""
+    WEB_CONFIG = "/etc/lighttpd/lighttpd.conf"
+    WARNING_EXTRACT = "[i] WARNING: running in host network mode forces"
+
+    function = docker.run(". /usr/local/bin/bash_functions.sh ; setup_lighttpd_bind")
+
+    if expect_warning:
+        assert WARNING_EXTRACT in function.stdout
+    else:
+        assert WARNING_EXTRACT not in function.stdout
+
+    config = docker.run(f"cat {WEB_CONFIG} | grep 'server.bind'")
+
+    if expected_bind == "0.0.0.0":
+        assert "server.bind" not in config.stdout
+    else:
+        assert f'server.bind		 = "{expected_bind}"' in config.stdout