Access Pi-hole with FQDN, Authelia TrueNAS app, and Nginx Proxy Manager(NPM)

ikomrad · February 3, 2024, 6:24pm

The issue I am facing:

I cannot fully access the Pi-hole Web interface when used in conjunction with Authelia for security and Nginx Proxy Manager for HTTPS endpoint and reverse proxy of a vanity FQDN.

The dashboard sort of loads, but there isn't any data and it has a black background.

Details about my system:
Pi-Hole * 5.17.3 running bare-metal on an rpi4.
NPM v2.11.1 running in docker compose on a different rpi4
Authelia v4.37.5 running as a custom app in TrueNAS Scale v23 running on a PC

What I have changed since installing Pi-hole:
I added a FQDN - pihole.mydomain CNAME to local DNS in pihole. It returned the IP address for my NPM instance.

I installed Authelia and configure NPM advanced settings to redirect request for pihole to authelia to authenticate there first, before redirecting the client to my pi-hole instance.

Here are my nginx settings pasted from Nginx Proxy Manage advanced settings tab for pihole.


location /authelia {
    internal;
    set $upstream_authelia http://192.168.1.238:9091/api/verify;
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia;    
    proxy_set_header Content-Length "";
 
    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    client_body_buffer_size 128k;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr; 
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect  http://  $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;
 
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}
    location /admin/ {
        set $upstream_pihole2 http://192.168.1.9:80/admin/; 
        proxy_pass $upstream_pihole2;  
		auth_request /authelia;
		auth_request_set $target_url $scheme://$http_host$request_uri;
		auth_request_set $user $upstream_http_remote_user;
		auth_request_set $groups $upstream_http_remote_groups;
		proxy_set_header Remote-User $user;
		proxy_set_header Remote-Groups $groups;
		error_page 401 =302 https://auth.mydomain/?rd=$target_url; 
 
		client_body_buffer_size 128k;
 
		proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
 
		send_timeout 5m;
		proxy_read_timeout 360;
		proxy_send_timeout 360;
		proxy_connect_timeout 360;
 
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Host $http_host;
		proxy_set_header X-Forwarded-Uri $request_uri;
		proxy_set_header X-Forwarded-Ssl on;
		proxy_redirect  http://  $scheme://;
		proxy_http_version 1.1;
		proxy_set_header Connection "";
		proxy_cache_bypass $cookie_session;
		proxy_no_cache $cookie_session;
		proxy_buffers 64 256k;
 
		set_real_ip_from 192.168.1.0/16;
		real_ip_header X-Forwarded-For;
		real_ip_recursive on;
 
    }

This screenshot is what I see after I navigate to /admin , whether I click on links or just leave it on the dashboard. It doesn't change.

chrislph · February 4, 2024, 6:20am

Does the browser have developer tools available? If so, load the Pi-hole Dashboard and observe it failing to load correctly, then launch the developer tools on the browser and view the Console tab. This will reveal things that failed to load, and you'll be able to tie those in to the operation of the software you're running to see where they might be interfering.

ikomrad · February 4, 2024, 6:23pm

I went back to my original nginx configuration, and now it works. To share my solution with other, this is my code from the advanced tab that worked. Note that you'll need to change the IPs for authelia and pi-hole accordingly.

location /authelia {
    internal;
    set $upstream_authelia http://192.168.1.238:9091/api/verify;
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia;    
    proxy_set_header Content-Length "";
 
    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    client_body_buffer_size 128k;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr; 
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect  http://  $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;
 
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}
    location / {
        set $upstream_pihole2 http://192.168.1.9:80; 
        proxy_pass $upstream_pihole2;  
		auth_request /authelia;
		auth_request_set $target_url $scheme://$http_host$request_uri;
		auth_request_set $user $upstream_http_remote_user;
		auth_request_set $groups $upstream_http_remote_groups;
		proxy_set_header Remote-User $user;
		proxy_set_header Remote-Groups $groups;
		error_page 401 =302 https://auth.mydomain/?rd=$target_url; 
 
		client_body_buffer_size 128k;
 
		proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
 
		send_timeout 5m;
		proxy_read_timeout 360;
		proxy_send_timeout 360;
		proxy_connect_timeout 360;
 
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Host $http_host;
		proxy_set_header X-Forwarded-Uri $request_uri;
		proxy_set_header X-Forwarded-Ssl on;
		proxy_redirect  http://  $scheme://;
		proxy_http_version 1.1;
		proxy_set_header Connection "";
		proxy_cache_bypass $cookie_session;
		proxy_no_cache $cookie_session;
		proxy_buffers 64 256k;
 
		set_real_ip_from 192.168.1.0/16;
		real_ip_header X-Forwarded-For;
		real_ip_recursive on;
 
    }

Why it didn't work initially, I may never know.

system · February 25, 2024, 6:24pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.