Settings not being saved in admin portal when using apache instead of lighttpd

I'm installing pihole on my server that already has apache running. I do not want pihole accessible on mydomain.com/admin and since I don't use /var/www/html as my web root I figured I would create a VirtualHost for that directory and put pihole on a subdomain. Here's the VH:

<VirtualHost *:80>
	ServerName pihole.mydomain.com
	DocumentRoot /var/www/html/admin
	RewriteEngine on
	RewriteCond %{SERVER_NAME} =pihole.mydomain.com
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
	ServerName pihole.mydomain.com
	DocumentRoot /var/www/html/admin
	<Directory /var/www/html/admin>
		Options -Indexes +FollowSymLinks +MultiViews
		AllowOverride All
		Require all granted
	</Directory>

	SSLCertificateFile /etc/letsencrypt/live/pihole.mydomain.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/pihole.mydomain.com/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

I changed the ownership recursively on /var/www/html to apache:apache

It would appear that I have all the required PHP modules for this admin panel as well, although I'm not entirely sure how to check that.

The admin panel comes up fine; it's just that when I make setting changes, they don't stick after a refresh.

It seems to me there's a permission issue somewhere else that I don't know about. Probably on the database side of things. I believe this is running sqlite, which means it should just be a file that needs its permissions changed, but I don't know where else pihole might be storing files other than /var/www/html.

The username under which apache2 runs also needs to be a member of the pihole group to allow writing settings in particular folders (e.g. /etc/pihole).
For the lighttpd web daemon that comes default with Pi-hole, this would be the www-data user OOTB:

pi@ph5b:~ $ ps -o uid,user,gid,group,pid,command -C lighttpd
  UID USER       GID GROUP      PID COMMAND
   33 www-data    33 www-data   437 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
pi@ph5b:~ $ groups www-data
www-data : www-data pihole

If the apache2 daemon runs under the apache user (validate with the ps command), you would need to add the pihole group to the apache user with below:

sudo usermod -a -G pihole apache

And validate with below:

groups apache

Adding pihole to apache didn't fix it. I noticed every time I try to set something I get a security email from my server:

toph : Jul 26 09:16:15 : apache : user NOT in sudoers ; TTY=unknown ; PWD=/var/www/html/admin ; USER=root ; COMMAND=/usr/local/bin/pihole -a ratelimit 1000 60 false

Seems like a bad idea to put apache in the sudoers group. Is there another way around this?

Configure sudo for the apache user to allow only one command with elevated privileges:

pi@ph5b:~ $ sudo cat /etc/sudoers.d/pihole
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Allows the WebUI to use Pi-hole commands
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.
#
www-data ALL=NOPASSWD: /usr/local/bin/pihole

This works except you need to do
www-data ALL=NOPASSWD: /usr/local/bin/pihole *
(Add the asterisk)

I am not sure if a wildcard * is allowed as you already have the ALL definition.
Why would you use a wildcard, which in a sense is almost the same as full root access, which you previously condemned?
And why is the user still www-data?
Wouldn't you want to create a new file eg:

sudo nano /etc/sudoers.d/pihole-apache

Containing:

apache ALL=NOPASSWD: /usr/local/bin/pihole

Oh, and set proper permissions with the command below:

sudo chmod 440 /etc/sudoers.d/pihole-apache
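
Added example, not part of any post in this thread: a shell check that takes the sudo denial line from the security email, extracts the denied user and command, and verifies that a drop-in such as /etc/sudoers.d/pihole-apache has mode 0440 and grants that user only that one command. The function names and the temporary sample drop-in are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print "USER COMMAND-PATH" for a sudo "user NOT in sudoers" line, else nothing.
parse_denial() {
    printf '%s\n' "$1" | sed -n \
      's/^.* : \([^ ]*\) : user NOT in sudoers ;.*COMMAND=\([^ ]*\).*$/\1 \2/p'
}

# Audit a sudoers drop-in. Returns 0 when FILE has mode 0440 and grants USER
# NOPASSWD on exactly CMD; 1 = wrong mode, 2 = no such rule, 3 = USER may run ALL.
# Ownership is not checked so the sample can run without root.
check_dropin() {
    file=$1; user=$2; cmd=$3
    if [ -z "$(find "$file" -prune -perm 440 2>/dev/null)" ]; then
        echo "mode of $file is not 0440"; return 1
    fi
    awk -v u="$user" -v c="$cmd" '
        /^[[:space:]]*#/ || $1 != u { next }   # skip comments and other users
        { granted = ""
          for (i = 2; i < NF; i++) if ($i ~ /NOPASSWD:$/) granted = $(i + 1) }
        granted == "ALL" { broad = 1 }
        granted == c     { ok = 1 }
        END { if (broad) exit 3; exit(ok ? 0 : 2) }
    ' "$file"
}

# Denial line as quoted in the thread; the drop-in below is a constructed sample.
LOG='toph : Jul 26 09:16:15 : apache : user NOT in sudoers ; TTY=unknown ; PWD=/var/www/html/admin ; USER=root ; COMMAND=/usr/local/bin/pihole -a ratelimit 1000 60 false'

demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'apache ALL=NOPASSWD: /usr/local/bin/pihole' > "$dir/pihole-apache"
    chmod 440 "$dir/pihole-apache"
    set -- $(parse_denial "$LOG")          # $1 = denied user, $2 = denied command
    check_dropin "$dir/pihole-apache" "$1" "$2"; rc=$?
    rm -rf "$dir"
    return "$rc"
}
demo && echo "drop-in covers the denied command"
```

On a real host, also validate the file's syntax with sudo visudo -cf /etc/sudoers.d/pihole-apache before relying on it.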