HTTPS Reverse Proxy in Docker Host Mode?

Hi,

After fiddling a lot with Pi-hole, I've decided to run it from a Docker container... and it works great so far.

Since that Pi is doing some network services now... I decided to put my own CA on it, to sign certificates for my network.

That works great too, unfortunately just not in the way I'd like to have it.

So far I've got the CA running on a custom port, 8443, under a custom DNS host entry... let's call it myca.mydomain.lan. Also, my Pi-hole's web server is running on a different hostname, sinkhole.mydomain.lan... it's not encrypted, for sure. Since I have to script a lot against the CA from my local machines... I would like to reverse proxy into the CA on a regular 443. Nginx will need the local port 80 for this.

I'd started to put the web GUI with WEB_BIND_ADDR and WEB_PORT on localhost, on another port, only to find out that FTL is picking FTLCONF_LOCAL_IPV4 anyway while in host mode. I've read now that's because of the blocking functionality. Before that I'd also tried the nginx-proxy (there comes an example conf with Pi-hole's Docker repo), but lighttpd complains then about the already-in-use port 80 (host mode).

Since I need DHCP... I've set it to host mode, which now has some tradeoffs.

What can I do? I've read about the macvlan thingy... didn't follow it, since I'm lazy and it seemed to be complicated :stuck_out_tongue: - is there another solution I could try? Is there any chance to get DHCP working with normal Docker port forwarding?

Please share your docker-compose or docker run file.


That's how it kinda works right now...


version: "3"

# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md

services:
  pihole:
    container_name: pi-hole
    image: pihole/pihole:latest
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    network_mode: host
    hostname: flanger
    environment:
      TZ: 'Europe/Berlin'
      WEBPASSWORD: '***********'
      INTERFACE: enu1u1
      FTLCONF_LOCAL_IPV4: 192.168.178.3
      VIRTUAL_HOST: black.padma.lan
      VIRTUAL_PORT: 80

    extra_hosts:
      - 'padma.lan:192.168.178.3'
      - 'black black.padma.lan:192.168.178.3'
      - 'flanger flanger.padma.lan:192.168.178.3'
      - 'ghost ghost.padma.lan:192.168.178.3'

    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    restart: unless-stopped # Recommended but not required (DHCP needs NET_ADMIN)



Try substituting that with

      WEB_PORT: 8081

or any other port number of your choice, and recreate your container.

Unrelated to your issue, but instead of defining extra_hosts, you could also consider creating the respective Local DNS Records.

Oh, I use the local DNS of course, so I really appreciate it. This works perfectly, but not if you enter the address of the host... dnsmasq ignores that.

I already tried to set the GUI to an alternative port... but I guess FTL needs port 80 of the host for blocking. You need to call /admin anyway until something happens... the blank page on port 80 seems to be part of the blocking functionality itself? I'd read something like this, because it won't work in HTTPS or something... and the nginx reverse proxy would forward any request to :443 anyway.

With host mode, port 80 is and remains occupied, and the reverse proxy cannot be started. I just can't start nginx, and it seems kind of logical to me, because of the host mode. It's the hard way to make that DHCP thing work. I've tried a lot over the last day to get it going in a regular way... without a lot of luck. While I still think Pi-hole is a tiny piece of software... tbh :slight_smile: it still was not a good idea to build that dhcpd thing into the source. Well... it's just one service to control then...

The current state is no showstopper, it's more a matter of beautifying... I just would like to have it this way... while it's already functional. Thank you for that great work.

I will give it another try too, anyway, with that port parameter... but it didn't work out earlier... thank you for your input, appreciated :pray:

This would suggest that your container didn't start with the altered WEB_PORT configuration.

No, pihole-FTL does not use port 80 at all, and it is not required for blocking.
Blocking happens for DNS requests, and those travel via port 53 exclusively.

It's the lighttpd webserver that needs that port to serve Pi-hole's UI, and that port can be configured via the WEB_PORT environment variable as mentioned.

Hmmm, this is exactly the purpose of Pi-hole's Local DNS Records UI.
It works flawlessly for others, including myself.

You mention dnsmasq - are you running a separate installation of dnsmasq in addition to Pi-hole?

No, I don't run a separate installation of dnsmasq.

I've uncommented the web port, so it should be 8100?

    environment:
      TZ: 'Europe/Berlin'
      WEBPASSWORD: '******************'
      INTERFACE: enu1u1
      FTLCONF_LOCAL_IPV4: 192.168.178.3
      #WEB_BIND_ADDR: 192.168.168.3
      WEB_PORT: 8100
      VIRTUAL_HOST: black.padma.lan
      VIRTUAL_PORT: 80
      #PROXY_LOCATION: black

I did restart the Pi-hole container:

[root@flanger pihole]# docker-compose restart
[+] Restarting 1/1
 ✔ Container padma-hole  Started      

I can still open the web GUI on the regular port 80... http://black.padma.lan/admin/

If I do a port scan from another host I get this (8443 is the CA):

[aquabug@prixis ~]$ nmap 192.168.178.3
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-21 21:33 CEST
Nmap scan report for pi.hole (192.168.178.3)
Host is up (0.0074s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
8443/tcp open  https-alt

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

So that setting has no effect while being in host mode? Don't get me wrong, all the other DNS stuff and the DHCP is working great... if I put DNS records regarding the "host" itself (the Pi-hole host) they get resolved to 0.0.0.0 or something... even if I don't have anything in my local hosts file... I had strange behavior with that. The only real "hard coded" DNS record which was working well from the beginning was the record for the web GUI.

I have the hostname now in my local hosts file and also there... and it gets resolved... so that's really not the issue at all. Also, it works... it's just that I can't make lighttpd use localhost and another port... which would be great... it would be pretty easy then...

My advice was to substitute VIRTUAL_PORT:

My suggestion was to use port 8081, but, as mentioned, you are free to adopt any port of your choice, as long as it meets your requirement of not causing port conflicts in your network environment.

You can check ports locally with sudo ss -tulpn.

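The port-conflict check the reply above recommends, turned into a small pre-flight script. This is an added example and not code from the thread or from the Pi-hole project: it parses `ss -tulpn`-style output and reports which of the TCP ports a reverse proxy needs (80 and 443 here) are already bound and by which process. The `SS_SAMPLE` text is constructed to mirror the situation in the thread (lighttpd on :80, pihole-FTL on :53, the CA on :8443); the process name `ca-server` and the PIDs are made up, and on a real host you would feed the function `"$(sudo ss -tulpn)"` instead.

```shell
#!/bin/sh
# Added example (not from the thread or the Pi-hole project): pre-flight check
# for listener conflicts before starting nginx next to a host-mode Pi-hole.
#
# Usage on a real host:   check_port_conflicts "$(sudo ss -tulpn)" 80 443
# Exit status is 0 when none of the wanted ports is bound, 1 otherwise.

# Constructed sample of `ss -tulpn` output; process names/PIDs are invented.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*    users:(("pihole-FTL",pid=812,fd=5))
tcp   LISTEN 0      128          0.0.0.0:53        0.0.0.0:*    users:(("pihole-FTL",pid=812,fd=6))
tcp   LISTEN 0      1024         0.0.0.0:80        0.0.0.0:*    users:(("lighttpd",pid=901,fd=4))
tcp   LISTEN 0      128             [::]:8443         [::]:*    users:(("ca-server",pid=777,fd=3))'

# Return the name of the process listening on TCP port $2 according to the
# ss output in $1, or nothing if that port is free.
listener_on_port() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "tcp" && $2 == "LISTEN" {
            # Local address may be 0.0.0.0:80 or [::]:8443; the port is the last field.
            n = split($5, a, ":"); port = a[n]
            if (port == p) {
                # Process column looks like users:(("lighttpd",pid=901,fd=4));
                # it is empty when ss was not run as root.
                split($7, u, "\"")
                print (u[2] == "" ? "(unknown; run ss as root)" : u[2])
                exit
            }
        }'
}

# Print one line per wanted port that is already bound; fail if any is.
check_port_conflicts() {
    ss_output=$1; shift
    conflicts=0
    for want in "$@"; do
        proc=$(listener_on_port "$ss_output" "$want")
        if [ -n "$proc" ]; then
            printf '%s/tcp already bound by %s\n' "$want" "$proc"
            conflicts=$((conflicts + 1))
        fi
    done
    [ "$conflicts" -eq 0 ]
}

# Demo against the constructed sample: 80 is taken by lighttpd, 443 is free.
check_port_conflicts "$SS_SAMPLE" 80 443 \
    || echo "resolve the conflicts first, e.g. set WEB_PORT for Pi-hole"
```

Two caveats a practitioner will want alongside this check. First, `docker-compose restart` (as used further up in the thread) only stops and starts the existing container; a changed `environment:` block is applied only when the container is recreated, for example with `docker-compose up -d`. Second, in `network_mode: host` there is no port mapping at all, so whatever port lighttpd binds via `WEB_PORT` is the port exposed on the host, which is why it must not collide with nginx's 80/443 or the CA's 8443.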

Oh well, that did the trick :smiling_face_with_three_hearts:

It makes sense to substitute... and guess what... I'd never rebuilt it so far... it works like a charm...

Nmap scan report for pi.hole (192.168.178.3)
Host is up (0.0074s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE
53/tcp   open  domain
8081/tcp open  blackice-icecap
8443/tcp open  https-alt

Thank you m8 :slightly_smiling_face: :pray:
