Using the API

Hi all,

I'm trying to get some info on using the API, but the only thing I can find is a basic paragraph that doesn't go into much detail.

I'm using Home Assistant (https://home-assistant.io/) to make a switch that disables / enables Pi-Hole, which maps to the Echo component so that I can say "Alexa, disable / enable ad blocking" and Pi-Hole responds. In the past I've done this by using a command-line switch - /usr/bin/curl -s http://[PI HOLE IP]/admin/?enable > /dev/null - but with the last update the enable / disable function has been moved behind the API and needs auth.

Has anybody got any idea how I might do this? I can't seem to find what endpoint I need to get the auth, and then what I need to do with whatever it returns to get the enable / disable working.

Home Assistant has a RESTful switch (https://home-assistant.io/components/switch.rest/) which I should be able to use, but I just need to figure out which URLs I need to stick into it!

Cheers!

The best/most secure way for you to enable/disable Pi-hole remotely is to have it use the command line tool pihole via ssh. For example (untested): ssh -t pi@pi.hole "pihole enable". We have added the authentication requirement to protect users from the possibility of an ad trying to disable Pi-hole or whitelist itself.
Some features, such as enabling/disabling Pi-hole via web interface also have another layer of security around them called a CSRF token requirement, where the only way to run those commands is if you actually open the web interface and click the button to run the command. So some other API methods might run if you only provide the hashed password (found via cat /etc/pihole/setupVars.conf), some special commands need more protection.
In the current version of Pi-hole, the API has grown kind of organically and is not RESTful, although we are working on a major rewrite of both core Pi-hole and the web interface which will make the API RESTful, among many other things.

That got it, works great thanks!

Quick question - the SSH and Pi-hole commands both needed passwords as default, which I don't think there's an easy way to provide via Home Assistant (especially when automating with Alexa). To get round this I set up an ssh key pair between my HA and Pi-hole VMs so I can ssh into pi-hole without a password, and added pi ALL=NOPASSWD: /usr/local/bin/pihole to the sudoers file so that I can run the pihole command without a password. Running /usr/bin/ssh pihole enable > /dev/null from HA then works fine.

I did make a couple of other tweaks: made a pihole alias in the ssh config file (hence the 'ssh pihole' command), and added "sudo pihole $SSH_ORIGINAL_COMMAND",no-port-forwarding,no-x11-forwarding,no-agent-forwarding to the authorized_keys file on the pi-hole VM (to restrict that key to just running pihole).

Question is, will doing any of this reverse some of the security added by moving things behind the API in the first place? I know it'll be a bit less secure anyway, but I don't want to completely mess things up!

I'm pretty new to all this, so thanks again for your help!

As long as your either have a very good password for your SSH (or completely disable password login because you have the keys) everything should be fine.

Great, thanks!

I've already disabled password logins because I use keys for everything, so should be good to go.

Cheers.

Enabling via the API is now possible again. You just have to provide the secure password token. See this PR for further details:

1 Like