Pi-hole behind Nginx but it's not redirecting with target port.

Hello everyone!
A very new user of Pi-hole, and this is my very first post here.

I have pihole v6 running on port 8008, and it's working fine using http://my-ip:8008/admin without any issue. I'm now trying to run it behind an Nginx reverse proxy (installed on the same machine) to have centralized access for a few other services. This is my Nginx host configuration for pihole:

upstream pihole {
    server 127.0.0.1:8008;
}

server {
    listen          80;
    server_name     cnrpi5.example.net;

    ## Server Logs
    access_log      /var/log/nginx/pihole_access.log;
    error_log       /var/log/nginx/pihole_error.log error;

    location /pihole {
        proxy_pass         http://pihole/admin/;
        #proxy_redirect     off;

        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }
}

If I try http://cnrpi5.example.net/pihole/ in the browser, it simply redirects to cnrpi5.example.net/admin/ http://cnrpi5.example.net/pihole/ i.e. without the port number, resulting in a 404 Not Found.

Is there anything else I need to do in the Pi-hole configuration to make it work, as a very similar Nginx configuration is working for other apps, or have I missed something in the reverse proxy that is specifically required for Pi-hole? Any pointer/help would be really appreciated!

Edit: Corrected the typo in the endpoint

-S

Other users have shared their nginx reverse proxy configs, see e.g. Can't get v6 webinterface behind nginx reverse proxy to work - #4 by stefan.

I am a bit confused by your config - do you want to offer Pi-hole on cnrpi5.example.net/pihole as your config suggests, or do you want to redirect to http://cnrpi5.example.net:8008/admin as your text says?

I would offer Pi-hole through your nginx, so just one port needs to be open.
So bind Pi-hole to 127.0.0.1:8008, do two reverse-proxy location entries for /pihole/admin and pihole/api and maybe a redirect from pihole to pihole/admin and you are done.

See my example config that Bucking_Horn already linked.

Good catch, that's a typo; sorry about that.
As you said, the endpoint should be: http://cnrpi5.example.net/pihole/ not /admin. I copied the URL after it redirected, hence the typo.

I'll have a look at config that you referenced and report back. ty!

Okay, I have made some progress, following the config from stefan

With this config:

upstream local {
    server 127.0.0.1:8008;
}

server {
    listen          80;
    server_name     cnrpi5.example.net;

    ## Server Logs
    access_log      /var/log/nginx/pihole_access.log;
    error_log       /var/log/nginx/pihole_error.log error;

    location /admin/ {
        proxy_pass         http://local/admin/;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }
}

Now if I do http://cnrpi5.example.net/admin it is perfectly forwarding to http://cnrpi5.example.net/admin/login and working just fine.
But I want to type http://cnrpi5.example.net/pihole/ in the browser (as UniFi Controller is also running on the same machine and I'd like to have http://cnrpi5.example.net/unifi for that) and then redirect wherever it needs to be to get the GUI. Simply changing the location to location /pihole/ {...} is not working. What extra bit do I need to make it work?

BTW, what is that /api for - required for pi-hole to work?

-S

Are you sure? Did you really test this? I guess not...

Yes it is. That's where (since v6) the functionality comes from.


Not even a login works without that endpoint. You really shouldn't skip this in your config.

That's a bit more difficult as internal redirects seem to use absolute and not relative paths. Just simply changing the config will result in a redirect loop:


I don't want to debug that more - just as a hint: See influxDB2.0 alpha - http custom base path · Issue #15721 · influxdata/influxdb · GitHub for a similar problem when putting influxDB to a subpath. There are options in nginx that can rewrite that, but be prepared for some debugging.

I would rather suggest putting pi-hole to a subdomain like http://pi-hole.cnrpi5.example.net/ which would be a no-brainer using my configuration.

PS: There's a setting for the webserver path:


This might help - but I don't know if that will change /api path too.

Please don't use this setting (at least until we can fix it).

It won't work because there are still a few hard-coded paths in Pi-hole code and changing this will break Pi-hole.

Yes, it is working and still working. Why do you think it didn't?
With a configuration exactly like the above, it's working absolutely fine using endpoint http://cnrpi5.example.net/admin but I wanted to use http://cnrpi5.example.net/pihole instead.

What am I missing here?

Re. using http://cnrpi5.example.net/pihole - I think I have spent/wasted enough time on that and simply moved to https://pihole.example.net/ instead, and I'm okay with that atm. This is the config I'm currently using, if anyone is interested:

upstream local {
    server 127.0.0.1:8008;
}

## Redirect to HTTPS
server {
    listen          80;
    listen          [::]:80;
    server_name     pihole.example.net;
    return          301 https://$server_name$request_uri;
}

server {
    listen          443 ssl http2;
    server_name     pihole.example.net;

    ## Server Logs
    access_log      /var/log/nginx/pihole_access.log;
    error_log       /var/log/nginx/pihole_error.log error;

    ## TLS Configuration
    ssl_certificate            /etc/nginx/ssl/fullcrt.pem;
    ssl_certificate_key        /etc/nginx/ssl/privkey.pem;
    ssl_protocols              TLSv1.2 TLSv1.3;
    ssl_session_cache          shared:SSL:20m;
    ssl_session_timeout        60m;

    ## Extra Security
    add_header                 Strict-Transport-Security max-age=31536000;
    ssl_ciphers                ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_dhparam                /etc/nginx/ssl/dhparam.pem;
    ssl_prefer_server_ciphers  on;

    ## Auto-redirect to /admin
    location = / {
        return 301 /admin;
    }

    location /admin/ {
        proxy_pass         http://local/admin/;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }

    location /api/ {
        proxy_pass         http://local/api/;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }
}

With this, I can simply type https://pihole.example.net to get redirected to the Pi-hole login page.

Also, I strongly think Pi-hole should really redirect to /admin automatically. It's really troublesome behind a multi-homed Nginx. If it's not already asked for, how do I do a feature request?

Thanks, good to know! I'd suggest including this warning in the setting description until it is fixed.
I know you only get it in "All settings", but even as an expert user, I somehow expect them to work :wink:

In the config above, you are missing the /api endpoint. If it's working, you most probably had it in your config, but didn't paste that part. That makes discussing more difficult :wink:

Great! Yes, that's the easier setup.

There's a subforum for it: Feature Requests
It was the case for v5 and there still seems to be a bug in v6 with redirects: Pi-hole 6.x: Links redirect to admin panel instead of being blocked

We noticed this was broken only after v6 release (We would have disabled the option if we had noticed it earlier).

To add this to the settings page, we will need to release a new Pi-hole version anyway. I think it will be better if we just fix the issue and release a fixed version. Just be patient for a little longer.


I see, the login page still comes up without /api/ but probably I was so over the moon to see the login page again, I didn't even bother trying to login before putting /api in :slight_smile:

FYI:
I found this in Feature Requests but the status says already Implemented, so I requested a new one here (for v6):

-S
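The setup the thread converges on needs both /admin/ and /api/ proxied under their own paths, to a Pi-hole bound to loopback. As an added example (not from the thread or the Pi-hole project), this Python check audits a simple nginx config for those conditions; the function names, finding codes and sample config are constructed for illustration, and the regex parsing assumes flat, non-nested location blocks.

```python
import ipaddress
import re
from urllib.parse import urlsplit

REQUIRED = ("/admin", "/api")  # v6 web UI plus the API that login depends on

# Constructed sample, condensed from the second config posted in the thread.
ADMIN_ONLY = """
upstream local { server 127.0.0.1:8008; }
server { listen 80; location /admin/ { proxy_pass http://local/admin/; } }
"""

def _is_loopback(addr):
    if addr.startswith("unix:"):
        return True  # local socket, not reachable over the network
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def audit(conf):
    """Return sorted (code, detail) findings for a simple nginx config."""
    conf = re.sub(r"#.*", "", conf)  # drop comments before matching blocks
    upstreams = {m[1]: re.findall(r"\bserver\s+([^;\s]+)", m[2])
                 for m in re.finditer(r"upstream\s+(\S+)\s*\{([^}]*)\}", conf)}
    findings, covered = set(), set()
    for m in re.finditer(r"location\s+(?:(?:=|\^~)\s*)?(/\S*)\s*\{([^}]*)\}", conf):
        target = re.search(r"proxy_pass\s+([^;\s]+)", m[2])
        if not target:
            continue  # e.g. a plain "return 301" location
        url = urlsplit(target[1])
        front = m[1].rstrip("/")
        back = url.path.rstrip("/") if url.path else front
        if front == back:
            covered.add(front)
        else:
            # Pi-hole answers with absolute /admin and /api paths, so a
            # renamed prefix sends the browser outside this location.
            findings.add(("prefix-mismatch", f"{m[1]} -> {url.path}"))
        for addr in upstreams.get(url.netloc, [url.netloc]):
            if not _is_loopback(addr):
                findings.add(("non-loopback-backend", addr))
    for path in REQUIRED:
        if path not in covered:
            findings.add(("not-proxied", path + "/"))
    return sorted(findings)

if __name__ == "__main__":
    for code, detail in audit(ADMIN_ONLY):
        print(f"{code}: {detail}")
```

Feeding it the output of `nginx -T` covers included files as well; an empty result means both paths are proxied unchanged to a loopback backend.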
