Good afternoon Pi-hole community.
I've been using Pi-hole for a couple of years now, and really enjoy having DNS-level ad blocking, but recently I've experienced a few configuration issues. They're not exactly related to Pi-hole itself, as it's working fine; it's the Nginx side giving me issues.
The problem is that I've recently been hosting a couple of Flask apps via Nginx on the same Pi. I managed to configure and set these all up without issue, but before I began, I had to disable lighttpd and set Pi-hole to use Nginx as well. I followed the instructions from here: https://docs.pi-hole.net/guides/webserver/nginx/ - This worked great and I had no problems.
Fast forward, I ended up getting a domain and I set up outside access for my main Flask app running on port 443 (SSL). I've set up forwarding for all HTTP traffic to be routed via 443 instead. This works great for my apps running on sub-domains, but if I type in mydomain.com, it will take me to the Pi-hole page instead of my main site. I have to specify HTTPS to get my site working - the forward doesn't work.
My domain's Nginx config can be found below:
    server {
        listen 80;
        server_name *.mysite.com;
        return 301 https://$host$request_uri;
    }

    # Main Site
    server {
        server_name mysite.com www.mysite.com;
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        location / {
            include proxy_params;
            proxy_pass http://unix:/home/pi/site_dir/MainSite/app.sock;
        }
    }

    # Home automation subdomain
    server {
        server_name home.mysite.com;
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        location / {
            include proxy_params;
            proxy_pass http://unix:/home/pi/site_dir/HomeAutomation/app.sock;
        }
    }
I have the Pi-hole Nginx config in the default config file, and this is set to the following:
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        server_name _;
        autoindex off;
        index pihole/index.php index.php index.html index.htm;

        location / {
            expires max;
            try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php7.3-fpm.sock;
            fastcgi_param FQDN true;
            auth_basic "Restricted"; # For Basic Auth
            auth_basic_user_file /etc/nginx/.htpasswd; # For Basic Auth
        }

        location /*.js {
            index pihole/index.js;
            auth_basic "Restricted"; # For Basic Auth
            auth_basic_user_file /etc/nginx/.htpasswd; # For Basic Auth
        }

        location /admin {
            root /var/www/html;
            index index.php index.html index.htm;
            auth_basic "Restricted"; # For Basic Auth
            auth_basic_user_file /etc/nginx/.htpasswd; # For Basic Auth
        }

        location ~ /\.ht {
            deny all;
        }
    }
I'm just not too savvy with this stuff and was wondering if someone could help me figure out how to set it so that my Pi-hole admin page is not visible outside of my network and is not the thing that attempts to load when I hit mysite.com instead of https://mysite.com. I know the fact that Pi-hole is using port 80 and has no redirect in place is an issue, but I don't know what to change so that this works without me inadvertently breaking my Pi-hole, especially as I'm with Sky and, as such, have one of their terrible locked-down routers, so I've had to use Pi-hole as a DHCP server too. I'm happy just accessing "pi.hole" internally and don't need to be able to see it externally.
Many thanks for your help, and sorry this isn't strictly related to Pi-hole exclusively. I just don't know how to change the Pi-hole Nginx config without breaking Pi-hole. If there's anything else required or you have any words of advice at all, it would be greatly appreciated.
Edit: I had considered using the following in my default Nginx config instead of what I have above, but since it has nothing about running PHP, etc., I was concerned that it's not right or is missing something.
    server {
        listen 80;
        server_name pihole.mysite.com;
        return 301 https://$host$request_uri;
    }

    server {
        # "ssl on;" is deprecated (removed in nginx 1.25); the "ssl" listen parameter replaces it
        listen 443 ssl;
        # TLSv1 and TLSv1.1 are deprecated protocol versions
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        server_name pihole.demix.network;

        location / {
            proxy_pass http://192.168.0.200/admin/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
Kind regards
Ryan
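Added example (not from the post above, and not Pi-hole's own documented config): a minimal rewrite of the port-80 and catch-all blocks that makes the bare domain redirect to HTTPS and keeps the Pi-hole admin interface reachable only from the LAN. It assumes the LAN is 192.168.0.0/24 (the post mentions 192.168.0.200) and reuses the paths from the post; the key point is that `server_name *.mysite.com` does not match `mysite.com`, so that request fell through to the Pi-hole default_server.

```nginx
# 1. Redirect HTTP for the bare domain as well as subdomains.
#    A wildcard alone ("*.mysite.com") does not match "mysite.com".
server {
    listen 80;
    server_name mysite.com *.mysite.com;
    return 301 https://$host$request_uri;
}

# 2. Pi-hole stays the port-80 default server, but only for LAN clients.
#    Anything arriving from the Internet (e.g. via a router port forward)
#    and not matching a named site above gets 403 instead of the admin page.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    root /var/www/html;
    index pihole/index.php index.php index.html index.htm;

    allow 192.168.0.0/24;   # assumed LAN range
    allow 127.0.0.1;
    deny all;

    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        fastcgi_param FQDN true;
    }
    location ~ /\.ht { deny all; }
}

# 3. Catch-all for HTTPS requests whose Host header matches no site
#    (raw IP, stray DNS name): drop the connection rather than letting
#    nginx serve whichever ssl server block happens to be listed first.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;
    return 444;
}
```

Check with `sudo nginx -t` before `sudo systemctl reload nginx`, then from outside the LAN confirm `curl -I http://mysite.com` returns `301` with `Location: https://mysite.com/` and `curl -I http://<public-ip>/admin/` returns `403`; from inside, http://pi.hole/admin/ should still load.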