Pi-hole behind your nginx reverse proxy


Pi-hole®: A black hole for Internet advertisements


March 26th, 2018:
– added some troubleshooting hints


Install Pi-hole by running

sudo -s
curl -sSL https://install.pi-hole.net | bash

and follow the instructions:

Then change the Pi-hole port from 80 to e.g. 86:

vi /etc/lighttpd/lighttpd.conf
server.port = 86

and restart lighttpd:

systemctl enable lighttpd.service && service lighttpd restart

Now modify your nginx (reverse proxy) configuration (either “/etc/nginx/conf.d/gateway.conf” or “/etc/nginx/conf.d/nextcloud.conf”) and add:

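location ^~ /pihole {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Uncomment the next two lines to require HTTP basic auth in front of the admin interface
    #auth_basic "Restricted Area";
    #auth_basic_user_file /etc/nginx/.htpasswd;
    # lighttpd (Pi-hole admin interface) listening on the port set above
    proxy_pass http://127.0.0.1:86/admin;
    proxy_read_timeout 90;
}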

Find more information on: Nextcloud 13, Roundcube, WordPress, Shellinabox and Pi-hole behind a NGINX reverse proxy.

Change the DNS setting in your router to the IP of your Pi-hole (192.168.2.108) and add e.g. OpenDNS (208.67.222.222) as an alternative DNS:

Then restart nginx as well

service nginx restart

and call your Pi-hole in your preferred browser:

https://your.dedyn.io/pihole/

From now on, all clients will request DNS from Pi-hole, forwarded by your original DHCP router (e.g. fritz.box). If you want to configure particular clients individually, set the DNS servers manually in their network interface settings:

primary DNS: 192.168.2.108 (your Pi-hole)
secondary DNS: 208.67.222.222 (OpenDNS)

Enjoy your Nextcloud and Pi-hole®: A black hole for Internet advertisements


Troubleshooting:

– for debugging purposes you may issue “pihole -r”. Unfortunately, this resets the changed server port to :80. Don’t forget to set the port back to :86.

– if your network is not identified correctly, please set it manually: “vi /etc/pihole/setupVars.conf”
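
The port reset after “pihole -r” and the port used in the nginx location above can be checked together. The script below is an added example, not part of the original guide: the function names are illustrative, the default paths and port 86 are the ones used on this page, and the auth_basic finding assumes you want the commented-out lines active.

```bash
#!/usr/bin/env bash
# Added example: consistency check for the Pi-hole/nginx setup on this page.
# Function names are illustrative; default paths and port 86 are the page's.

# Print the active (uncommented) server.port of a lighttpd config.
lighttpd_port() {
    sed -n 's/^[[:space:]]*server\.port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" |
        tail -n 1
}

# Print "<proxy_pass port> <yes|no>" for the "location ... /pihole" block;
# the second field says whether an uncommented auth_basic line is present.
pihole_location() {
    awk '
        BEGIN { port = "none"; auth = "no" }
        /^[ \t]*location[^{]*\/pihole/ { inloc = 1 }
        inloc && /^[ \t]*proxy_pass[ \t]/ {
            if (match($0, ":[0-9]+[/;]")) port = substr($0, RSTART + 1, RLENGTH - 2)
            else port = 80    # no explicit port in the upstream URL
        }
        inloc && /^[ \t]*auth_basic[ \t]/ && $2 != "off;" { auth = "yes" }
        inloc && index($0, "}") { inloc = 0 }
        END { print port, auth }
    ' "$1"
}

# Print one line per finding; the return status is the number of findings.
check_pihole_proxy() {
    lconf=${1:-/etc/lighttpd/lighttpd.conf}
    nconf=${2:-/etc/nginx/conf.d/nextcloud.conf}
    want=${3:-86}
    findings=0
    have=$(lighttpd_port "$lconf")
    set -- $(pihole_location "$nconf")    # $1 = proxy port, $2 = auth yes/no
    if [ "$have" != "$want" ]; then
        echo "lighttpd server.port is ${have:-unset}, expected $want (re-check after 'pihole -r')"
        findings=$((findings + 1))
    fi
    if [ "${1:-none}" != "$want" ]; then
        echo "nginx /pihole proxy_pass port is ${1:-none}, expected $want"
        findings=$((findings + 1))
    fi
    if [ "${2:-no}" != "yes" ]; then
        echo "nginx /pihole has no active auth_basic"
        findings=$((findings + 1))
    fi
    return "$findings"
}
# Run against real files when arguments are given: <lighttpd.conf> <nginx conf> <port>.
if [ "$#" -gt 0 ]; then check_pihole_proxy "$@"; fi
```

Call it with the lighttpd config, the nginx config that holds the /pihole location, and the expected port after every “pihole -r”; no output and exit status 0 mean all three checks passed.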



Carsten Rieger

19 Responses

  1. Garrett says:

    Comprehensive lists can be found at:

    https://tspprs.com/

  2. Renate says:

    Hi Carsten,

    Awesome work regarding the Nextcloud manuals. I’m running Nextcloud behind NAT with Talk and some other apps thanks to your work. So I was ready for the next challenge. Getting the reverse proxy and adding Pi-Hole and perhaps Roundcube to the collection. Unfortunately after doing all the above on a standard installation setup as per your Nextcloud 13 guides and the above Nginx came back with the following:

    Apr 23 17:29:53 ubuntu systemd[1]: Starting nginx – high performance web server…
    Apr 23 17:29:53 ubuntu nginx[15830]: nginx: [emerg] “fastcgi_cache” zone “NEXTCLOUD” is unknown in /etc/nginx/nginx.conf:43
    Apr 23 17:29:53 ubuntu systemd[1]: nginx.service: Control process exited, code=exited status=1
    Apr 23 17:29:53 ubuntu systemd[1]: Failed to start nginx – high performance web server.
    Apr 23 17:29:53 ubuntu systemd[1]: nginx.service: Unit entered failed state.
    Apr 23 17:29:53 ubuntu systemd[1]: nginx.service: Failed with result ‘exit-code’.

    Trying to temporarily resolve and understand this issue I commented out the following lines in nextcloud.conf:
    #fastcgi_cache_bypass $skip_cache;
    #fastcgi_no_cache $skip_cache;
    #fastcgi_cache NEXTCLOUD;
    When I only comment out the last line, it complains about unknown variable $skip_cache.

    With the above commented out I got NGINX starting. However this is not what should be happening.
    Does it perhaps have something to do with the order of includes from conf.d in nginx.conf?

    Looks like it is missing things like:
    fastcgi_cache_path
    fastcgi_cache_key
    or?

    Any clues what is happening or what I could do to get it to work would be welcome?

    • Hi Renate, did you compile NGINX with NGX_CACHE_PURGE? Please issue:
      nginx -V 2>&1 | grep ngx_cache_purge -o

      • Renate says:

        Apparently not, nothing returns.
        So compile NGINX from start again and then adding: --add-module=../ngx_cache_purge-2.3 or something?

        • Renate says:

          Just wondered how I could miss that, but I followed the standard setup (https://www.c-rieger.de/nextcloud-installation-guide-advanced/) when I started, so I never compiled it.

          Just found your instructions in the ‘advanced’ instructions as part of the compilation process:
          You will need to modify two lines in the rules file. Search for “with-ld-opt="$(LDFLAGS)"” and immediately after the first occurrence add the following:

          --add-module="$(CURDIR)/debian/modules/ngx_cache_purge-2.3"

          Thanks for the hint. Will give it a go later.

        • Renate says:

          Went ahead and compiled NGINX 1.14.0 with NGX_Cache_purge added in this time:

          root@ubuntu:/usr/local/src# nginx -v
          nginx version: nginx/1.14.0
          root@ubuntu:/usr/local/src# nginx -V 2>&1 | grep ngx_cache_purge -o
          ngx_cache_purge

          Still the same error though.

  3. Andreas says:

    Hello Carsten,

    thank you very much for your guides! So far I haven’t found anything comparable that is thought through this far.

    Unfortunately there are two problems with Pi-hole on my Odroid C2, set up according to your advanced Nextcloud guide:
    – “No IP addresses found! Please run ‘pihole -r’ to reconfigure” at the end of the Pi-hole configuration, and
    – calling https://…/pihole always leads to https://…/login of the Nextcloud, so I cannot teach nginx the new location (I use /etc/nginx/conf.d/nextcloud.conf as config).

    Is the missing static IP assignment the problem? I think something is not being parsed correctly here.
    Where exactly does the location need to go (/netdata is already in there too)?

    Many thanks and kind regards, Andreas.

    • Please send me your configuration file… otherwise I unfortunately cannot offer support.

    • I have sent you a vhost file (nextcloud.conf).

      • Andreas says:

        Troubleshooting, short version:
        – every “pihole -r” (for debugging) also resets the server port to 80; don’t forget to set it back to 86 before further tests
        – on my Odroid C2 the Pi-hole setup wizard did not find the IP address -> enter it manually in /etc/pihole/setupVars.conf

        Many thanks, Carsten!

  4. Manfred says:

    Hello Carsten,
    another great guide.
    Everything worked perfectly.

  5. Ingolf says:

    Hello Carsten,
    I have tried your variant in a very similar form, but the admin interface opens with the note “Javascript is disabled”. Unfortunately, in this way, the admin interface is not really usable.
    My configuration is as follows:
    pi-hole runs on a separate machine in the standard configuration. In my internal network, I can access the admin interface normally.
    On my reverse proxy I set the following:

    location ^~ /pihole {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        auth_basic "Restricted Area";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://192.168.168.100/admin;
        proxy_read_timeout 90;
    }

    Do you know what I have to do to make it work over the proxy correctly?

    • Hi Ingolf, It seems the port wasn’t set properly?
      Did you apply port e. g. 86 @ vi /etc/lighttpd/lighttpd.conf server.port = 86
      Then replace proxy_pass http://192.168.168.100:86/admin;.
      Cheers Carsten

      • Ingolf says:

        No, I haven’t tried this, but I think this will not change the behaviour of missing JavaScript. What’s the reason that you changed the port? And why do you think that changing the port would bring up JavaScript?
        Nevertheless, I will test it.