Pi-hole in Docker together with Nextcloud and nginx

I'm running Nextcloud with a proxy, Let's Encrypt and nginx in Docker. My compose file looks like this:

version: '3'

services:

  proxy:
    image: jwilder/nginx-proxy:alpine
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true"
    container_name: nextcloud-proxy
    networks:
      - nextcloud_network
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./proxy/conf.d:/etc/nginx/conf.d:rw
      - ./proxy/vhost.d:/etc/nginx/vhost.d:rw
      - ./proxy/html:/usr/share/nginx/html:rw
      - ./proxy/certs:/etc/nginx/certs:ro
      - /etc/localtime:/etc/localtime:ro
      # Read-only bind mount of the Docker socket: ":ro" only restricts file
      # operations on the mount point. A process that can connect to the socket
      # still gets full control of the Docker daemon, and therefore of the host.
      - /var/run/docker.sock:/tmp/docker.sock:ro
    restart: unless-stopped

  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nextcloud-letsencrypt
    depends_on:
      - proxy
    networks:
      - nextcloud_network
    volumes:
      - ./proxy/certs:/etc/nginx/certs:rw
      - ./proxy/vhost.d:/etc/nginx/vhost.d:rw
      - ./proxy/html:/usr/share/nginx/html:rw
      - /etc/localtime:/etc/localtime:ro
      # Same caveat as for the proxy: ":ro" does not limit what can be done
      # through the socket once a process connects to it.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped

  db:
    image: mariadb
    container_name: nextcloud-mariadb
    networks:
      - nextcloud_network
    volumes:
      - /srv/docker-persist/MariaDB/nextcloud-sql:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    environment:
      - MYSQL_ROOT_PASSWORD=ROOTPW
      - MYSQL_PASSWORD=PW
      - MYSQL_DATABASE=NCDB
      - MYSQL_USER=NCUSER
    restart: unless-stopped

  app:
    image: nextcloud:latest
    container_name: nextcloud-app
    networks:
      - nextcloud_network
    depends_on:
      - letsencrypt
      - proxy
      - db
    volumes:
      - nextcloud:/var/www/html
      - ./app/config:/var/www/html/config
      - ./app/custom_apps:/var/www/html/custom_apps
      - /mnt/NC:/var/www/html/data
      - ./app/themes:/var/www/html/themes
      - /etc/localtime:/etc/localtime:ro
    environment:
      - VIRTUAL_HOST=SERVER
      - LETSENCRYPT_HOST=SERVER
      - LETSENCRYPT_EMAIL=MAIL
    restart: unless-stopped

volumes:
  nextcloud:
  db:

networks:
  nextcloud_network:

Works perfectly. Now I want to use Pi-hole on the same system, also in a Docker container. This is only local; it should not be reachable from outside my network.

I thought about something like this:

version: "3"

# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
    environment:
      TZ: 'America/Chicago'
      WEBPASSWORD: PIHOLEPW
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
      # run `touch ./var-log/pihole.log` first unless you like errors
      # - './var-log/pihole.log:/var/log/pihole.log'
    dns:
      - 127.0.0.1
      - 1.1.1.1
    # Recommended but not required (DHCP needs NET_ADMIN)
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

This creates a Pi-hole Docker container on port 53. But I can't reach Pi-hole in my web browser with ipofmysystem/admin or ipofmysystem:53.
I only get

503 Service Temporarily Unavailable

nginx/1.17.6

For example, my homebridge instance also works perfectly on ipofmysystem:8080. So I thought ipofmysystem:53 shouldn't be a problem. Is there some problem with nginx? I don't know much about Docker, so... any help is appreciated.

Port 53 is the DNS port.
It's neither meant to be changed nor to serve web pages for a browser.

Pi-hole's lighttpd webserver is serving port 80 (the standard HTTP port) by default.

Changing that port via the WEB_PORT Docker environment variable for your Docker Pi-hole should allow you to access Pi-hole's UI the way you intend to (you may also want to go through all the information available at that link in order to familiarise yourself with Pi-hole Docker).

Don't choose any well-known port, though, and try staying clear of official IANA ports above 1024 not meant for HTTP as well. You'd commonly pick something along the 808x pattern for alternative HTTP ports.

Ok, I chose WEB_PORT=8081 (8080 is reserved). Still the same problem. My docker-compose.yml looks like this:

version: '3.1'

services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    volumes:
      - ./pihole/:/etc/pihole/
      - ./pihole/dnsmasq.d/:/etc/dnsmasq.d/
    ports:
      - '53:53/tcp'
      - '53:53/udp'
    environment:
      - ServerIP=192.168.178.28
      - PROXY_LOCATION=pihole
      - TZ=America/Chicago
      - WEB_PORT=8081
      - WEBPASSWORD=PIHOLEPW
    dns:
      - 127.0.0.1
      - 1.1.1.1
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

This is the docker log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying...
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 20-start.sh: executing...
 ::: Starting docker specific checks & setup for docker pihole/pihole
WARNING Misconfigured DNS in /etc/resolv.conf: Two DNS servers are recommended, 127.0.0.1 and any backup server
WARNING Misconfigured DNS in /etc/resolv.conf: Primary DNS should be 127.0.0.1 (found 127.0.0.11)

search fritz.box
nameserver 127.0.0.11
options ndots:0
  [✓] Update local cache of available packages
  [i] Existing PHP installation detected : PHP version 7.0.33-0+deb9u8

  [i] Installing configs from /etc/.pihole...
  [i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
  [✓] Copying 01-pihole.conf to /etc/dnsmasq.d/01-pihole.conf
chown: cannot access '': No such file or directory
chmod: cannot access '': No such file or directory
chown: cannot access '/etc/pihole/dhcp.leases': No such file or directory
Custom WEB_PORT set to 8081
INFO: Without proper router DNAT forwarding to 192.168.178.28:8081, you may not get any blocked websites on ads
Setting password: PIHOLEPW
+ pihole -a -p 'PIHOLEPW' 'PIHOLEPW'
  [✓] New password set
Using default DNS servers: 8.8.8.8 & 8.8.4.4
DNSMasq binding to default interface: eth0
Added ENV to php:
                        "PHP_ERROR_LOG" => "/var/log/lighttpd/error.log",
                        "ServerIP" => "192.168.178.28",
                        "VIRTUAL_HOST" => "192.168.178.28",
Using IPv4 and IPv6
::: setup_blocklists now setting default blocklists up:
::: TIP: Use a docker volume for /etc/pihole/adlists.list if you want to customize for first boot
::: Blocklists (/etc/pihole/adlists.list) now set to:
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://mirror1.malwaredomains.com/files/justdomains
::: Testing pihole-FTL DNS: FTL started!
::: Testing lighttpd config: Syntax OK
::: All config checks passed, cleared for startup ...
 ::: Docker start setup complete
  [i] Creating new gravity database
  [i] Migrating content of /etc/pihole/adlists.list into new database
  [i] Neutrino emissions detected...
  [✓] Pulling blocklist source list into range

  [✓] Preparing new gravity database
  [i] Target: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  [✓] Status: Retrieval successful
  [i] Received 57660 domains

  [i] Target: https://mirror1.malwaredomains.com/files/justdomains
  [✓] Status: Retrieval successful
  [i] Received 26853 domains

  [✓] Storing downloaded domains in new gravity database
  [✓] Building tree
  [✓] Swapping databases
  [i] Number of gravity domains: 84513 (84470 unique domains)
  [i] Number of exact blacklisted domains: 0
  [i] Number of regex blacklist filters: 0
  [i] Number of exact whitelisted domains: 0
  [i] Number of regex whitelist filters: 0
  [✓] Cleaning up stray matter

  [✓] DNS service is running
  [i] Pi-hole blocking will be enabled
  [i] Enabling blocking
  [✓] Pi-hole Enabled
  Pi-hole version is v5.1.1 (Latest: v5.1.1)
  AdminLTE version is v5.1 (Latest: v5.1)
  FTL version is v5.1 (Latest: v5.1)
[cont-init.d] 20-start.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
Starting pihole-FTL (no-daemon) as root
Starting lighttpd
Starting crond
[services.d] done.

Weird, i don't get this one:

WARNING Misconfigured DNS in /etc/resolv.conf: Two DNS servers are recommended, 127.0.0.1 and any backup server
WARNING Misconfigured DNS in /etc/resolv.conf: Primary DNS should be 127.0.0.1 (found 127.0.0.11)

Why 127.0.0.11? DNS is declared as 127.0.0.1. The rest looks okay to me.
I also tried my router ip 192.168.178.1. The output in the log is the same:

WARNING Misconfigured DNS in /etc/resolv.conf: Two DNS servers are recommended, 127.0.0.1 and any backup server
WARNING Misconfigured DNS in /etc/resolv.conf: Primary DNS should be 127.0.0.1 (found 127.0.0.11)

The pihole container is running (docker ps -a) but port 8081 is not used:

sudo lsof -i -P -n | grep 8081

-> nothing. Docker is only using ports 80 and 443 (Nextcloud) and 53.

/var/log/lighttpd/error.log just says:

2020-07-21 16:15:04: (log.c.217) server started

root@8b560484a12e:# cat /etc/resolv.conf
search fritz.box
nameserver 127.0.0.11
options ndots:0

What Docker network mode are you running your Pi-hole container in?

If you'd run it in host mode, setting WEB_PORT should have been sufficient, and port mappings wouldn't be necessary.

If you'd be using other network drivers like Docker's default bridge, then you haven't configured Docker to map that port yet.

Revisit my previous link to Docker Pi-hole docs, have a look at the sample Docker compose (scroll to the top), specifically check your port mappings and adjust as required, e.g. "8081:8081/tcp" for your current WEB_PORT choice.
In fact, specifying the WEB_PORT environment variable would only be strictly necessary in host mode - with other network drivers, you may just map that port to lighttpd's (e.g. "8081:80/tcp").
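The two layouts this reply describes, side by side, as an added example that is not part of the thread or of the Pi-hole project's own docs. It assumes the host's LAN address is 192.168.178.28 (the value the poster used), a host-side `./pihole.env` file holding `WEBPASSWORD` (file name assumed), and that port 80 on the host is already taken by the nginx-proxy container from the first compose file, which is why a browser request to the bare host IP lands at nginx-proxy (which answers 503 for a host it has no VIRTUAL_HOST for) rather than at Pi-hole:

```yaml
# Added example (not from the thread): Pi-hole beside the existing
# nginx-proxy / Nextcloud stack. Values marked ASSUMED are placeholders.
version: '3.1'

services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    # Bridge mode (a user-defined network, the compose default): the container
    # has its own network stack, so lighttpd keeps listening on 80 *inside*
    # the container and the host-side port is chosen purely by the mapping
    # below. WEB_PORT is not needed here.
    networks:
      - pihole_network
    ports:
      # Bind the published ports to the LAN address only. Docker inserts its
      # port forwards into iptables ahead of host firewall rules (e.g. ufw),
      # so a plain "8081:80" would be reachable on every interface the host
      # has, not just the LAN one.
      - "192.168.178.28:8081:80/tcp"   # ASSUMED: 192.168.178.28 is the host's LAN IP
      - "192.168.178.28:53:53/tcp"
      - "192.168.178.28:53:53/udp"
    environment:
      - TZ=Europe/Berlin
      - ServerIP=192.168.178.28
    # Keep the admin password out of the compose file; pihole.env (ASSUMED)
    # contains a single line: WEBPASSWORD=<your password>
    env_file:
      - ./pihole.env
    volumes:
      - ./pihole/:/etc/pihole/
      - ./pihole/dnsmasq.d/:/etc/dnsmasq.d/
    # On a user-defined network Docker rewrites the container's
    # /etc/resolv.conf to point at its embedded resolver, 127.0.0.11, and
    # hands the addresses listed here to that resolver as upstreams. That is
    # why the container shows "nameserver 127.0.0.11" even though 127.0.0.1
    # is configured below.
    dns:
      - 127.0.0.1
      - 1.1.1.1
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

networks:
  pihole_network:

# Host-mode alternative: replace the `networks:` and `ports:` sections above
# with the two entries below. Docker discards published ports in host mode,
# so the listening port is set by WEB_PORT, and the host's own firewall rules
# apply to it directly (there is no Docker iptables bypass in this mode).
#
#     network_mode: host
#     environment:
#       - WEB_PORT=8081
```

Bridge mode is the variant that coexists with the existing stack without touching WEB_PORT: only the host side of the mapping changes. After `docker-compose up -d`, `docker port pihole` should list the three mappings on 192.168.178.28, and `ss -lntup | grep -E ':(53|8081)'` on the host shows the sockets actually open; if a port appears bound to 0.0.0.0 or `*`, the host-IP prefix on the mapping was dropped somewhere.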


Adding "8081:8081/tcp" was the solution.

With this docker-compose.yml, I can reach Pi-hole at 192.168.178.28:8081:

version: '3.1'

services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    # With network_mode: host the container shares the host's network stack.
    # Docker discards published ports in this mode, so it is WEB_PORT below,
    # not the "8081:8081/tcp" entry, that makes lighttpd listen on 8081.
    network_mode: host
    volumes:
      - ./pihole/:/etc/pihole/
      - ./pihole/dnsmasq.d/:/etc/dnsmasq.d/
    ports:
      - "8081:8081/tcp"
      - "53:53/tcp"
      - "53:53/udp"
    environment:
      - ServerIP=192.168.178.28
      - PROXY_LOCATION=pihole
      - TZ=Europe/Berlin
      - WEB_PORT=8081
      - WEBPASSWORD=PIHOLEPW
    dns:
      - 127.0.0.1
      - 1.1.1.1
    cap_add:
      - NET_ADMIN
    restart: unless-stopped