Traefik Reverse Proxy and Pihole

#1

Expected Behaviour:

The reverse proxy should work

Actual Behaviour:

It complains about invalid domain

I have set up pihole on a raspbian image on an RPi2 and added VIRTUAL_HOST=pihole.domain.com to /etc/environment.

The traefik server is on a different machine and is set up to just do ssl termination and reverse-proxy to the ip of the rpi2 at port 80. Either pihole does not get the environment variable or something else is broken here.

Thanks in advance
Keridos

0 Likes

#2

Pi-hole is merely a webserver appearing at port 80 of the device hosting the service. This is an external config issue and seemingly not one caused by pi-hole. @Mcat12 is our web expert and may have a better answer though.

0 Likes

#3

The error actually is caused by the pihole php script auth.php not having the reverse proxy's domain in its whitelisted domains for itself to host although the environment variable ‘should’ be set.

0 Likes

#4

I’m going to be quite frank here. This is not a Pi-hole error. If you completely remove the reverse proxy from the equation, pi-hole will function as intended.

That being said, if the solution is to merely whitelist the domain within pi-hole, why have you not done that using one of the many methods of whitelisting a domain? We have hundreds of users with zero issues running their Pi-hole behind a reverse proxy having 0 issues.

The reverse proxy domain will change with every installation so it's not something we can set globally and have work every time. Advanced configs such as this are fully on the user and we expect users who wish to use them to know how they work.

0 Likes

#5

I have not found any documentation about the whitelisting methods for the domain of the pihole server at all. I spent about 2 hours worth of googling and trial and error and still have not found anything.

Please note the difference between those two things: Whitelisting a domain within pihole usually means removing it from the blacklist of the dns server. What I mean by that has nothing to do with that, it is what pi hole wants to be accessed from. When I set a host header I get a page that does not really work because everything links to http://pi.hole/(path) (all the css and javascript files). When I do not set a host header it complains about the domain not being allowed. According to the auth.php file, setting the VIRTUAL_HOST environment variable should fix that.

/edit: Specifically see here: https://github.com/pi-hole/AdminLTE/blob/master/scripts/pi-hole/php/auth.php#L40-L42

0 Likes

#6
1 Like

#7

This does not exactly fit my setup, I have the reverse proxy on a different machine and tls termination is already done elsewhere. I just need pihole to accept the external FQDN, not serve SSL itself. I read that article in my search and acknowledged it. Also my ssl certificates are being done on the reverse proxy since that is the only machine in my network that has port 80 and 443 forwarded from my external ip.

0 Likes

#8

My intention there was to show the lighttpd configuration files and the settings required for the override. You will need to create a new lighttpd configuration setup that accepts the hostname that you are in need of, setting the environment variables in that file, not in /etc/environment.

0 Likes

#9

I have added a snippet from another thread in my external.conf from lighttpd which sets the environment variable for lighttpd and confirmed it is loading. It was from this thread: Default website not showing when using domain name

The error I get is the following " [ERROR]: Unable to parse results from queryads.php : Unhandled error message (Invalid domain! )"

0 Likes

#10

What URL are you loading when that error is displayed?

0 Likes

#11

just https://pihole.domain.com

Also the snippet I added to the external.conf looks like this: setenv.add-environment = ( "VIRTUAL_HOST" => "pihole.domain.tld" )

0 Likes
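
Added example (not part of the thread, and not Pi-hole's own code): a small Python model of the host check the posters describe, showing how the outcome depends on the Host header the proxy forwards and on whether VIRTUAL_HOST is present in the web server's environment. The function names and the default allowlist entries (pi.hole, localhost, the server's IP) are assumptions.

```python
# Added illustration of a Host-header allowlist; hypothetical names throughout.

def normalize_host(host_header):
    """Lower-case the Host header value and strip an optional :port."""
    host = host_header.strip().lower()
    if host.startswith("["):                      # bracketed IPv6, e.g. [::1]:80
        return host[1:host.find("]")] if "]" in host else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def allowed_hosts(web_env, server_ip):
    """Names the admin page answers to, built from the web server's environment."""
    hosts = {"pi.hole", "localhost", server_ip}   # assumed defaults
    virtual_host = web_env.get("VIRTUAL_HOST", "").strip().lower()
    if virtual_host:
        hosts.add(virtual_host)
    return hosts


def host_is_allowed(host_header, web_env, server_ip):
    return normalize_host(host_header) in allowed_hosts(web_env, server_ip)


def run_scenarios():
    server_ip = "10.2.1.24"      # backend address from the thread's access log
    env_missing = {}             # modelled: variable not in the web server's env
    env_set = {"VIRTUAL_HOST": "pihole.domain.com"}   # set in the web server config
    return {
        # Proxy forwards the public name, but the server was never told about it.
        "public host, VIRTUAL_HOST missing":
            host_is_allowed("pihole.domain.com", env_missing, server_ip),
        # Same request once the variable is visible to the web server.
        "public host, VIRTUAL_HOST set":
            host_is_allowed("pihole.domain.com", env_set, server_ip),
        # Proxy rewrites Host to the backend address: passes, but links then
        # point at the internal address instead of the proxied name.
        "backend ip:port as host":
            host_is_allowed("10.2.1.24:80", env_missing, server_ip),
        # A name the server was never configured for stays rejected.
        "unconfigured name":
            host_is_allowed("other.domain.com", env_set, server_ip),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{'accept' if ok else 'reject'}: {name}")
```
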

#12

Any relation to this: https://github.com/pi-hole/pi-hole/issues/2195

0 Likes

#13

And that bare URL would display a blockpage and not the admin page. What is displayed with https://pihole.domain.com/admin/?

0 Likes

#14

Well the admin link forwards me to the internal ip of the client, so it works, but not as intended (it breaks tls reverse proxy). The issue you linked seems to describe a similar problem to mine, so I guess there might be a relation. But tbh I am not too familiar with PiHole yet, so I cannot answer that reliably. Thanks for the help so far, I think we are narrowing down the cause.

Is there any more detailed logfile mentioning the exact errors thrown by the php scripts?

0 Likes

#15

You could try /var/log/lighttpd/error.log and see if that gives you some more information.

0 Likes

#16

The error log does not show anything. The access log though shows this one line when I access it over the domain: “|127.0.0.1|GET /admin/scripts/pi-hole/php/queryads.php?domain=10.2.1.24:80&bp HTTP/1.0|200|23”

Another weird thing is that when I change my reverse proxy to proxy not to “http://pihole-ip:80” but to “http://pi.hole”, it forwards me to http://pi.hole. Which is similar to the issue from above where it cancels the ssl session by forwarding to the pihole setup's internal ip. I am fairly sure that this would cause issues when being accessed from outside of my network, but I am currently blocking outside access anyway.

What I would like to see is that the session is always being routed through the reverse proxy.

0 Likes

#17

You may need to revisit that Let’s Encrypt guide and look at the configuration. There’s a URL redirect in there and you may need to adapt the URL redirect for your particular configuration.

0 Likes

#18

No luck here with fiddling with the external.conf. No matter what I insert there, the error message with invalid domain seems to persist.

0 Likes

#19

On the admin page or on the bare URL? The bare URL is the blockpage and most likely will never be seen. You should work on https://domain/admin/ for the admin page.

0 Likes

#20

The admin link still seems to forward to pi.hole/admin. So it displays from my internal network, but still disables the reverse proxy access.

0 Likes