Can't get v6 webinterface behind nginx reverse proxy to work

Hey there,

after upgrading Pi-hole to v6, I can't reach the web interface behind an nginx reverse proxy anymore.
I use nginx, because I have more web services running on the Pi-hole box, so I configure them to different ports, and reverse-proxy them to an internal hostname, e.g. pi-hole.home for my Pi-hole instance.

For v5 I configured lighttpd to localhost:

server.port                 = 8001
server.bind                 = "127.0.0.1"

and used this nginx config for years which worked like a charm:

server {
        listen 192.168.0.1:80;
        listen [::]:80 ;

        server_name pi-hole.home;

        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass http://127.0.0.1:8001/admin/;
        }

        location /admin/ {
                return 301 $scheme://$host/;
        }
}

Now after update, I can't get this to work.
I already figured out with this post to run
pihole-FTL --config webserver.port 8001 to get back "my" port.

But this now ends in a redirect loop:

So I stripped down the config to just do a plain reverse proxy:

server {
        listen 192.168.0.1:80;
        listen [::]:80 ;

        server_name pi-hole.home;

        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass http://127.0.0.1:8001/;
        }
}

Which ends in a different situation: http://pi-hole.home/ replies with 403 Forbidden, and nearly all script/stylesheet requests (except /admin/vendor/datatables/, /admin/vendor/daterangepicker/ and /admin/vendor/bootstrap-toggle/) return a 301 Moved Permanently to http://pi-hole.home/
This results in black text on black background:


Which basically wants to tell me:

So how can I get my configuration to work?
It seems other users got it to work with a lighttpd reverse proxy config.

PS: http://pi.hole:8001/ works, but that's not the url I want it to be at.

I got one step further:

The new server doesn't seem to expect X-Real-IP but classic X-Forwarded-For

But when I click the http://pi-hole.home/admin/ I get a 301 Moved permanently to http://pi-hole.home/ which doesn't help me.

Manually going to http://pi-hole.home/admin/login shows this:


But login doesn't work and http://pi-hole.home/admin/img/logo.svg replies with 301 Moved Permanently http://pi-hole.home/, that's why the logo is missing.

I'm not an nginx user, but maybe this should be location /admin/ {

Thanks! I just wanted to object because a location / with proxy_pass http://127.0.0.1:8001/; should reverse proxy all paths including /admin...

But weirdly, this config works, setting up two separate reverse proxies for /admin and /api
So this is the full config I now use:

server {
        listen 192.168.0.1:80;
        listen [::]:80 ;

        server_name pi-hole.home;

        location / {
                return 301 $scheme://$host/admin/;
        }
        location /admin/ {
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://127.0.0.1:8001/admin/;
        }
        location /api/ {
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://127.0.0.1:8001/api/;
        }
}

server {
        # redirect non-standard TLD to proper domain
        listen 192.168.0.1:80;
        listen [::]:80 ;

        server_name pi.hole;

        location / {
                return 301 $scheme://pi-hole.home/admin/;
        }
}

So run pihole-FTL --config webserver.port "127.0.0.1:8001" to not expose this port to the network interface(s) and you are done.

With v5 I didn't see a reason to have Pi-hole set up under /admin, that's why I moved it to the root. But I don't insist on that, so I'm fine with the new setup.

So thanks for making me try out that way.

As per the documentation (from pihole.toml or All settings » Webserver and API in the webUI), you could either set webserver.acl to e.g. +127.0.0.1,+[::1] to restrict access, or bind the webserver to the loopback addresses by setting webserver.port to e.g. 127.0.0.1:80,[::1]:80.
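A check that the loopback binding described in the two posts above actually took effect, as an added example that is not part of the thread. It parses `ss -H -ltn` output; the sample lines are constructed, and port 8001 is the backend port used in this thread.

```python
import subprocess

# Constructed samples of `ss -H -ltn` output (not taken from the thread).
SAMPLE_LOOPBACK = """\
LISTEN 0 4096 127.0.0.1:8001 0.0.0.0:*
LISTEN 0 4096 [::1]:8001 [::]:*
LISTEN 0 511 192.168.0.1:80 0.0.0.0:*
"""
SAMPLE_EXPOSED = """\
LISTEN 0 4096 0.0.0.0:8001 0.0.0.0:*
LISTEN 0 4096 [::]:8001 [::]:*
"""


def exposed_listeners(ss_output, port):
    """Return local addresses listening on `port` that are not loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        host, _, local_port = local.rpartition(":")
        if local_port != str(port):
            continue
        host = host.split("%")[0].strip("[]")  # drop scope id and brackets
        if host.startswith("127.") or host == "::1":
            continue
        exposed.append(local)  # wildcard or LAN address: reachable off-box
    return exposed


if __name__ == "__main__":
    # Port 8001 is the backend port used in this thread.
    out = subprocess.run(["ss", "-H", "-ltn"], capture_output=True,
                         text=True, check=True).stdout
    bad = exposed_listeners(out, 8001)
    print("exposed:" if bad else "loopback only", *bad)
```

An empty result for the backend port means only nginx on the LAN address can reach the Pi-hole web server.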

Thanks, worked for me with a podman install behind Nginx too.

In fact, the solution for me was also to explicitly set the location /api/. thx for sharing.

Thank you!

FTL version 6.1 had some changes to how it handled reverse proxy setups, I'm not sure if those changes fixed the need to have separate /admin and /api locations or not though. You may want to see if things are better now.

Thanks for the heads up! Yes indeed it did change something, I just need one reverse proxy statement now.
As I read in Implement auto-redirection to /admin - #2 by DL6ER, if I set webserver.domain to the domain I'm using (pi-hole.home in my example), even the redirect to /admin works, so I can skip this in the nginx config too.

New config:

server {
        listen 192.168.0.1:80;
        listen [::]:80 ;

        server_name pi-hole.home;

        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://127.0.0.1:8001/;
        }
}

server {
        # redirect non-standard TLD to proper domain
        listen 192.168.0.1:80;
        listen [::]:80 ;

        server_name pi.hole;

        location / {
                return 301 $scheme://pi-hole.home/admin/;
        }
}

I am glad this thread was started and that I am starting to get somewhere with my reverse proxy configuration.

My issue is that I also have homeassistant running alongside pihole and it uses the / location. Pihole V5 was using the /pihole/ location and all the locations were happily getting along.

Following the original instructions here, I could configure an /admin/ location, which worked well, but the /api/ configuration was conflicting with the homeassistant /api/ subpath.

I upgraded to V6.1 last night and tried the latest suggestion above, which works for pihole, but breaks homeassistant.

Did someone successfully configure their reverse proxy with pihole V6.1 on a subpath?

What I would like is to have everything on the /pihole/admin/ and /pihole/api/ locations so that homeassistant can remain in the / location.

Thanks!

See Pi-hole behind Nginx but it's not redirecting with target port. - #6 by stefan for thoughts on this.

But why put it into a subpath? I would suggest using a subdomain, that's more straightforward.

To lessen the burden of having to manage multiple subdomains?

I am not using a commercial server and I use a free domain provider. Your suggestion, if I understand it correctly, implies a new domain and a new SSL certificate.

I am not saying that it cannot be done, but there should be a simpler solution.

Your answer, if I understand it correctly, implies that you want to make Pi-hole available from the internet. This NEVER should be done, the developers strongly discourage this! Pi-hole isn't a service meant to be available from the internet. I'm not going to help you on this.

Set up a proper VPN to your network, and make Pi-hole available there through LOCAL domains!

For later readers, I just located some new settings in Settings -> All Settings -> Webserver and API.

If you scroll halfway down, have a look at "webserver.paths.webhome", "webserver.paths.prefix", and other settings around those.

The webserver.paths.prefix setting, according to the instructions, appears to have been put there by developers specifically to configure pihole behind a reverse proxy.

That is what I will be trying next.

Here is my final solution.

On pihole (as root):

pihole-FTL --config webserver.paths.prefix /pihole

My location block:

location ^~ /pihole/ {
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Nginx-Proxy true;

   rewrite ^/pihole/(.*)$ /$1 break;
   proxy_pass http://localhost:8080/;
}
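How nginx maps request paths under three of the configs posted in this thread, as an added example that is not part of any post. It models prefix locations, `return 301`, `proxy_pass` with a URI part, and `rewrite ... break` only; the request paths are constructed samples, and query strings and URI normalization are not modelled.

```python
import re

# (location prefix, action, argument), transcribed from the thread's configs.
V5_STYLE = [("/", "proxy", "/admin/"), ("/admin/", "redirect", "/")]
SPLIT = [("/", "redirect", "/admin/"), ("/admin/", "proxy", "/admin/"),
         ("/api/", "proxy", "/api/")]
SUBPATH = [("/pihole/", "rewrite", (r"^/pihole/(.*)$", r"/\1"))]


def route(locations, path):
    """Return (outcome, path) for a request path, following nginx's rules."""
    matches = [loc for loc in locations if path.startswith(loc[0])]
    if not matches:
        return ("none", path)  # handled by some other location or server
    # Among prefix locations, nginx picks the longest matching prefix.
    prefix, action, arg = max(matches, key=lambda loc: len(loc[0]))
    if action == "redirect":   # return 301 $scheme://$host<arg>
        return ("301", arg)
    if action == "proxy":      # proxy_pass with a URI part: the matched
        return ("upstream", arg + path[len(prefix):])  # prefix is replaced
    # rewrite ... break: the rewritten URI goes upstream as-is and the
    # URI part of proxy_pass is ignored.
    pattern, replacement = arg
    return ("upstream", re.sub(pattern, replacement, path))


if __name__ == "__main__":
    cases = [("v5-style", V5_STYLE, "/"),
             ("v5-style", V5_STYLE, "/admin/login"),
             ("v5-style", V5_STYLE, "/api/auth"),
             ("split", SPLIT, "/api/auth"),
             ("subpath", SUBPATH, "/pihole/admin/login")]
    for name, config, path in cases:
        print(f"{name:9} {path:22} -> {route(config, path)}")
```

Under the v5-style config, a request for `/api/...` is sent upstream as `/admin/api/...`, while the split config passes it through unchanged.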

Thank you so much for this! I can't believe how difficult it has been to set up a reverse proxy for this software!

The excuses being offered here are truly staggering. It is clear that no one involved in this project has any idea how web servers work at a fundamental level and that is probably why they went with some utterly insane Lua-based solution no one has ever heard of before that also obeys no convention established over the last 40 years. If it did then all of this would just work without any stupid tricks involving multiple location directives to cope with the mysterious internal rewrites being performed.

One does not need to be an Nginx user to understand that this wheel re-invention is unfit for highway travel and start catching up on everything you’ve slept through so far.

Integrating CivetWeb is waaaay better than depending on LigHTTPd and PHP for all the webGUI stuff and avoids dependency issues while also being a lot more flexible when it comes to running on different platforms !!!

Maybe you should just read about the changes between Pi-Hole v5 and Pi-Hole v6 and why they have been applied before making such statements… :sleeping_face:

Personally, I kept lighttpd with my v6 install and have no issue proxying (fairly easily) to the admin UI pages and API. I wanted to preserve my system monitoring and DOH proxy, so it made sense for me. I make no judgements about the embedded web server as for my needs, it’s completely transparent.