Is it a problem to run pihole on an existing webserver (nginx) that already uses SSL on port 443?

Hello!

I run a webserver at home with an SSL certificate; I use an nginx reverse proxy to host a number of services under my https://my.domain.com/servicename.

I understand that pihole will block ads on both HTTP and HTTPS; but if the pihole server is not running a webserver (lighttpd or whatever) on port 443, the ads on HTTPS will time out. I do not wish to reject HTTPS on 443 as this will interfere with the other services nginx exposes!

I saw that there is a FAQ around this, however it does not address my primary question: what is the best way of integrating pihole into an existing webserver that already runs nginx and SSL? I was considering simply setting up a pi as well, but I believe it will have the same issue. Should I simply expose my nginx root as the pihole server through a reverse proxy as well?

Thanks!

If you're not running anything on port 80, then Pi-hole should work fine. If you do want to use nginx on port 80, you will probably have to set up a custom reverse proxy so that all domains besides the ones you serve through nginx go through Pi-hole.

Port 80 isn't the issue, it's ads on HTTPS that I'm worried about.

I need to know a few more things from you first. Let's assume your domain is domain.com and this machine has the IP address 10.0.8.100. Assume you are running the following services:

What happens if you try to access the following non-existing pages?

Thank you for your response. I should have been more clear.

I run an nginx server with a few different domains, all equipped with SSL.
For the sake of this configuration, let's say I have house.domain.com and pihole.domain.com - both with SSL certificates (yay let's encrypt)!

And let's say I set up one nginx virtual host (or "server") for each; so there are now two separate websites for two separate domains, both running on port 80 & 443.

And of course, pihole is working very well on https://pihole.domain.com; it blocks ads on port 80 with gusto. So.... Here is my question:

Normally, an HTTP advertisement simply receives a blank page from my home IP @ port 80, right? Well, what if there is more than one website with an SSL certificate running on my server? When an HTTPS advertisement attempts to connect to the pihole server, does it connect to my domain or my IP? When an advertisement tries to connect, does it go to https://pihole.domain.com (port 443) or my IP address:443?

Neither, nor. It will go to the blocked domain, but the browser will resolve this to your IP address and will connect to your machine.

Hence, when you would add a virtual host for, e.g., https://malwaredomain.com in your nginx config, you would see this site (given you'd have a valid SSL certificate for this, which you obviously won't have). So the question is simply:

What does your nginx respond with when you connect to it but no virtual host configuration is matching?

It would throw up an nginx error (probably 404).

As a test, I set up https://pi-hole.mydomain.com. It works great; I can even access my pi-hole web server (with password) from outside the LAN. Cool!

Now, if I go to an HTTPS advertisement like https://secure.quantserve.com/quant.js (taken from pi-hole's Pages To Test page), I get a "not secure" warning on HTTPS and this page:

var x = "Pi-hole: A black hole for Internet advertisements."

The first bit I get: it's forwarding to my local SSL, which is of course not valid for that domain. Is that expected behavior? It does seem to resolve fairly quickly.

I should mention, I didn't add secure.quantserve.com to my blacklist or anything.

Yes, so it seems to work nicely.

It is included by default in two standard blocking lists Pi-hole ships with:

$ pihole -q -adlist secure.quantserve.com 
 Match found in https://hosts-file.net/ad_servers.txt:
   secure.quantserve.com
 Match found in https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts:
   secure.quantserve.com

Thanks for all the help!

Mind this:

The biggest issue with name-based virtual hosting is that it is difficult to host multiple secure websites running SSL/TLS.
Because the SSL/TLS handshake takes place before the expected hostname is sent to the server, the server doesn't know which certificate to present in the handshake.

Wiki source.

If you want to present a cert on a particular socket for multiple vhosts, a SAN cert (Subject Alternative Name) with one or multiple "alternate names" could be a solution:

http://apetec.com/support/GenerateSAN-CSR.htm

Yeah, thanks for that. If only Let's Encrypt did wildcard certs (coming!).

Just curious: What do folks do when they run a local webserver with SSL, and want pihole to handle HTTPS ads appropriately? I can't block 443, and without a SAN cert, it seems like there is no perfect alternative.

Add all the blocked domains from the Pi-hole lists as alternate name in your cert ... joking :wink:

EDIT: You could add a virtual IP dedicated for Pi-hole (another socket) so that leaves the primary IP to dedicated web site hosting.
Top bit @ below post of mine explains how:

Out of curiosity, I tried:

$ openssl x509 -in pi.hole.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            dc:cc:ae:cc:ac:d9:ee:32
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = MN, L = Minneapolis, OU = Domain Control Validated, CN = noads.dehakkelaar.nl
        Validity
            Not Before: Jan 10 19:32:10 2018 GMT
            Not After : Jan  8 19:32:10 2028 GMT
        Subject: C = US, ST = MN, L = Minneapolis, OU = Domain Control Validated, CN = noads.dehakkelaar.nl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d3:8e:d0:ca:1d:28:80:1b:b0:6a:1c:11:6e:c3:
                    14:d7:55:e2:36:dd:5a:81:31:1a:fc:fb:6c:d4:6d:
                    63:2d:73:5e:2e:95:88:cf:9d:2f:71:3e:5d:a5:0c:
                    1d:89:42:1a:a5:9c:1c:a8:b4:fc:2e:d4:2b:13:35:
                    8d:ca:9d:3d:37:c2:c6:47:c5:69:df:f9:55:81:38:
                    59:71:96:a2:8b:7b:db:2b:8b:91:22:fd:f7:67:aa:
                    c0:c5:10:37:b8:6d:10:de:4b:83:33:ec:67:0a:4b:
                    66:44:d3:a0:43:52:ae:22:c4:0a:68:ee:ea:04:7f:
                    32:ae:d0:33:63:b2:ff:48:af:a6:44:57:bd:2a:7a:
                    35:ba:28:c7:c9:9a:9b:68:17:7e:04:50:dd:ad:f2:
                    93:a4:4f:f9:cc:94:de:ea:d8:00:c1:a3:d1:6d:bc:
                    e0:55:cb:e6:8a:f2:0d:32:3c:0f:18:06:ef:ad:2f:
                    87:7d:70:f5:0f:ae:7a:91:6a:cf:95:77:ab:37:24:
                    ed:39:74:bb:89:12:46:1d:26:38:c2:b2:0d:a7:0a:
                    1c:7c:3c:55:14:f3:e4:2c:d0:b7:ed:8c:96:51:4d:
                    b5:34:e9:a6:74:0e:d6:1e:3c:91:32:be:eb:4c:9f:
                    a4:9a:51:1b:3a:02:22:7d:75:4c:60:fe:0b:89:ab:
                    4f:79
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:pi.hole, DNS:0.0.0.0, DNS:0000mps.webpreview.dsl.net, DNS:0001.2waky.com, DNS:000dom.revenuedirect.com, DNS:000free.us, DNS:000info.com, DNS:000owamail0.000webhostapp.com, DNS:000security-center00.000webhostapp.com, DNS:001wen.com, DNS:005.free-counter.co.uk, DNS:006.free-adult-counters.x-xtra.com, DNS:006.free-counter.co.uk, DNS:006.freecounters.co.uk, DNS:0075-7112-e7eb-f9b9.reporo.net, DNS:007angels.com,
.
.
.
DNS:zyski-z-innowacji.pl, DNS:zytpirwai.net, DNS:zyv.tiziana.ru, DNS:zy.zeroredirect1.com, DNS:zzbroya.com.ua, DNS:zz.cqcounter.com, DNS:zzdsfy.com, DNS:z.zedo.com, DNS:z.zeroredirect1.com, DNS:z.zeroredirect2.com, DNS:z.zeroredirect.com, DNS:zzha.net, DNS:zzhomes.com, DNS:z-ziraatmobil.xyz, DNS:zzmyw.com, DNS:zzpxw.cn, DNS:zzqrt.com, DNS:zzqwaxxybf.info, DNS:zzshw.net, DNS:zzsyw.com, DNS:zztxdown.com, DNS:zzz.clickbank.net, DNS:zz.zeroredirect1.com
    Signature Algorithm: sha256WithRSAEncryption
         38:b4:e8:45:ee:f6:e2:18:fa:aa:2d:37:37:36:4c:c8:fd:d7:
         3a:4b:a2:2f:88:c6:dc:ec:7f:92:74:1a:ea:12:0a:6d:ef:89:
         da:6a:6e:78:6f:29:86:b5:56:96:f7:f0:4b:b3:41:95:d5:83:
         eb:0d:1b:20:1e:43:8e:6f:ab:78:e7:c4:7d:a0:b4:ff:21:fb:
         af:39:00:ca:3c:73:30:10:d5:cc:05:8e:05:ea:7e:24:17:6e:
         18:1b:0b:f4:43:69:3f:a9:b2:31:9d:3b:05:d0:34:cf:ee:79:
         2d:a1:3b:e1:37:3c:da:f8:f8:32:6b:71:64:e4:d2:bf:7b:e2:
         60:7f:50:33:2f:0e:ce:cc:2d:33:87:bb:03:41:e4:d7:80:da:
         a9:1f:f6:10:cc:e1:1e:cd:26:e3:96:a7:bb:de:6a:db:23:ac:
         a9:23:39:b5:db:63:9f:ae:5f:14:1a:fa:d7:d4:46:5b:81:d9:
         10:53:86:42:ee:2d:ee:f7:40:26:32:a4:a1:0a:70:91:c8:91:
         bf:bd:6d:66:43:64:4d:d0:c2:ad:6d:de:0c:4b:ed:eb:b7:95:
         8c:cc:0a:df:df:fe:9e:75:86:81:82:75:1a:6e:33:24:0b:3e:
         e7:08:ed:a6:7f:e3:df:01:a7:bb:e3:6a:a9:08:7e:1d:72:a7:
         c5:96:78:10

If I add a few alternative names I can get it to work, but as soon as I add all 100k domains:

$ echo | openssl s_client -connect pi.hole:443 2>/dev/null | openssl x509 -text -noout
unable to load certificate
1995384224:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE

And a browser gives me "SSL_ERROR_RX_MALFORMED_HANDSHAKE".

The pem is a bulky 3.4MB:

 $ ll -h pi.hole.*
-rw-r--r-- 1 pi       pi 3.4M Jan 10 20:32 pi.hole.crt
-rw-r--r-- 1 pi       pi 3.4M Jan 10 20:31 pi.hole.csr
-rw------- 1 pi       pi 1.7K Jan 10 20:31 pi.hole.key
-rw-r--r-- 1 www-data pi 3.4M Jan 10 20:32 pi.hole.pem

With only a few alternative names, I got the cert presented but of course a browser warning because it isn't trusted :wink:
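Added example, written for this page and not taken from the thread or from the Pi-hole project. It models three things discussed above: what a browser actually checks when a blocked ad domain resolves to the nginx host and no vhost matches the SNI name (the "not secure" warning rather than a 404), why a SAN certificate would have to name every blocked domain to avoid that, and why the 3.4 MB certificate with ~100k SANs makes the handshake fail. The hostnames pi-hole.mydomain.com and secure.quantserve.com come from the thread; the blocklist in the demo is constructed, and the 100 KiB figure is OpenSSL's default for SSL_CTX_set_max_cert_list(), above which clients reject the server's Certificate message. The live probe_sni() check needs network access and is only run when a host and SNI name are passed on the command line; everything else runs offline.

```python
"""Added example (not from the Pi-hole thread or project).

* hostname_matches_cert(): the RFC 6125-style name check a browser runs on
  the certificate nginx presents for the blocked SNI name. A cert issued for
  pi-hole.mydomain.com never matches secure.quantserve.com, hence the
  "not secure" warning instead of a 404 page.
* san_extension_size(): rough DER size of a SubjectAltName extension holding
  a list of dNSNames, to show why a cert carrying ~100k blocklist domains
  exceeds OpenSSL's default certificate-list limit and fails the handshake.
* probe_sni(): optional live check (needs network): connect to a host with a
  chosen SNI name and report whether the served cert validates for it.
"""
import socket
import ssl

# OpenSSL's default for SSL_CTX_set_max_cert_list(); clients refuse larger
# Certificate messages, which is the failure seen with a 3.4 MB certificate.
OPENSSL_DEFAULT_MAX_CERT_LIST = 100 * 1024


def hostname_matches_cert(hostname, san_dns_names):
    """True if hostname is covered by one of the certificate's dNSName SANs.

    Matching is case-insensitive, label by label; a wildcard is accepted
    only as the entire left-most label and only with at least two labels
    after it (so *.com does not match example.com).
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host_labels[1:]:
                return True
            continue
        if labels == host_labels:
            return True
    return False


def _der_length_size(content_len):
    """Bytes needed for a DER length field describing content_len bytes."""
    if content_len < 0x80:
        return 1
    return 1 + (content_len.bit_length() + 7) // 8


def _tlv_size(content_len):
    """Size of a DER TLV: one tag byte, the length field, the content."""
    return 1 + _der_length_size(content_len) + content_len


def san_extension_size(dns_names):
    """Approximate DER size of a non-critical SubjectAltName extension.

    Extension ::= SEQUENCE { OID 2.5.29.17 (5 bytes), OCTET STRING {
        GeneralNames ::= SEQUENCE OF dNSName [2] IMPLICIT IA5String } }
    ASCII names are assumed (one byte per character).
    """
    general_names = sum(_tlv_size(len(n)) for n in dns_names)
    octet_string = _tlv_size(_tlv_size(general_names))
    return _tlv_size(5 + octet_string)


def fits_default_cert_list(dns_names):
    """Would a cert carrying these SANs stay under OpenSSL's default cap?"""
    return san_extension_size(dns_names) <= OPENSSL_DEFAULT_MAX_CERT_LIST


def probe_sni(host, servername, port=443, timeout=5.0):
    """Connect to host:port with SNI=servername using default verification.

    Returns (True, peer_cert_dict) when the served certificate validates for
    servername, otherwise (False, reason). This is the browser's view of
    "what does nginx answer when no vhost matches".
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=servername) as tls:
                return True, tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate does not validate: " + exc.verify_message
    except ssl.SSLError as exc:
        return False, "handshake failed: " + str(exc)
    except OSError as exc:
        return False, "connection failed: " + str(exc)


if __name__ == "__main__":
    import sys

    # Constructed inputs: the two hostnames from the thread plus a fake blocklist.
    served_sans = ["pi-hole.mydomain.com"]
    for requested in ("secure.quantserve.com", "pi-hole.mydomain.com"):
        print(requested, "->", hostname_matches_cert(requested, served_sans))
    fake_blocklist = ["ad%06d.example.net" % i for i in range(100_000)]
    print("SAN bytes for 100k names:", san_extension_size(fake_blocklist),
          "fits default cap:", fits_default_cert_list(fake_blocklist))
    if len(sys.argv) == 3:  # e.g. python3 probe.py 10.0.8.100 secure.quantserve.com
        print(probe_sni(sys.argv[1], sys.argv[2]))
```

Run it without arguments for the offline part; the matching result is the reason the quant.js request above shows a certificate warning (the handshake completes, the name check fails, so the browser never reads the 404 body), and the size estimate shows that even a few thousand SANs blow past the default limit, which is why the few-name variant worked and the 100k-name one did not. Pass the Pi-hole host's IP and a blocked domain as the two arguments to reproduce the browser's decision from the command line.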