Adding entries to whitelist/blacklist not working about adminlte HOT 4 CLOSED

Interesting... I've not thought of this usage, but I'm sure it can be manually modified or an editable approved list of domain names can be implemented. The reason for those lines are to make sure that ads aren't trying to whitelist themselves, which would be a bad thing.

from adminlte.

Thanks for clarifying! I suspected it being a kind of "security feature". Quite sure this won't be an issue for 99.9% of users though.
It might even be sufficient to just show an error message that an entry could not be added due to not using pi.hole or the IP address for AdminLTE access.

Cheers
/Jens

from adminlte.

I looked into using SERVER_NAME variable to securely verify access but found out it isn't always safe from tampering after some reading (nor is the $HTTP_HOST currently used but I assume its there for non-chrome browsers): https://stackoverflow.com/questions/1459739/php-serverhttp-host-vs-serverserver-name-am-i-understanding-the-ma

That post talks about apache but seems in lighttpd SERVER_NAME inherits from HTTP_HOST also when I tested. I tested this in my NGINX alpine docker container too and it seems to happily report NOTHING when no hostname is set instead of HTTP_HOST. So that's a much better default configuration and would actually make SERVER_NAME safe.

_SERVER["SERVER_NAME"]  no value
vs
_SERVER["HTTP_HOST"]    pihole.diginc.lan

from adminlte.

I made a similar suggesting in our slack yesterday that might get around this:

Perhaps we could read the existing host name out, if it is there, and if not, set it to pi.hole as default, with the option of giving the user a chance to set their own
Then we set that in those lines there, and then when they access it with their host name, as they expect to be able to do, it will work?

from adminlte.