nginx config in documentation does not work well
Versions
Pi-hole version is v5.17.2 (Latest: v5.17.2) web version is v5.21 (Latest: v5.21) FTL version is v5.23 (Latest: v5.23)
Platform
armbian banana-Pi
The nginx config from NGINX-Doku does not work well. E.g. no values are shown in the Dashboard.
So I'm using the following config, which is based on the Diet-Pi config.
This works well for me :-)
```nginx
server {
    listen 80 default_server;
    root /var/www/html;
    server_name _;
    index index.php index.html;

    location / {
        expires max;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param HTTP_PROXY "";
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        fastcgi_param FQDN true;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        fastcgi_index index.php;
    }

    # Based on: https://github.com/pi-hole/pi-hole/blob/master/advanced/lighttpd.conf.debian

    # Allow teleporter and API QR code iframes on settings page
    location ~ ^(?:/html|)/admin/scripts/pi-hole/php/(?:teleporter|api_token)\.php$ {
        # PHP handler block
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        include snippets/fastcgi-php.conf;

        if ($http_referer !~ /admin/settings\.php) {
            add_header X-Frame-Options "DENY";
        }
        if ($http_referer ~ /admin/settings\.php) {
            add_header X-Frame-Options "SAMEORIGIN";
        }
    }

    # Admin panel
    location ~ ^(?:/html|)/admin(?:$|/) {
        # Block public access to admin page, if enabled
        # - To enable: cd /etc/nginx/sites-dietpi; mv dietpi-pihole-block_public_admin.off dietpi-pihole-block_public_admin.on
        # - To disable: cd /etc/nginx/sites-dietpi; mv dietpi-pihole-block_public_admin.on dietpi-pihole-block_public_admin.off
        include sites-dietpi/dietpi-pihole-block_public_admin.*on;

        # Block . files from being served, such as .git, .github, .gitignore
        location ~ ^(?:/html|)/admin/\. {
            deny all;
        }

        # Create response header for Pi-hole debugger
        add_header X-Pi-hole "The Pi-hole Web interface is working!";
        add_header X-Frame-Options "DENY";

        # Standard PHP handler block
        try_files $uri $uri/ =404;
        location ~ ^(?:/html|)/admin/.+\.php(?:$|/) {
            fastcgi_pass unix:/run/php/php8.2-fpm.sock;
            include snippets/fastcgi-php.conf;
        }
    }

    # 404 page
    location ~ ^(?:/html|)/pihole(?:$|/) {
        # Block public access
        allow 127.0.0.0/8;
        allow 192.168.0.0/16;
        allow 10.0.0.0/8;
        allow 172.16.0.0/12;
        allow ::1/128;
        allow fe80::/10;
        allow fc00::/7;
        deny all;

        # Standard PHP handler block
        try_files $uri $uri/ =404;
        location ~ ^(?:/html|)/pihole/.+\.php(?:$|/) {
            fastcgi_pass unix:/run/php/php8.2-fpm.sock;
            include snippets/fastcgi-php.conf;
        }
    }
}
```
@MichaIng Is this accurate?
I did not know that there is an Nginx config in Pi-hole docs. We created ours based on the Lighttpd config shipped with Pi-hole. In the meantime it has been updated a little: https://github.com/MichaIng/DietPi/blob/master/.conf/dps_93/nginx.pihole.conf
The Nginx config in Pi-hole docs indeed looks a little incomplete:
- No security headers/CSP
- Direct (web) access to .git/.github directories is not denied.
- If security headers were set in a dedicated drop-in config, teleporter and QR code iframes would be blocked.
But what might actually cause the issue is the added basic authentication. The Pi-hole admin panel has its own authentication, so no dedicated webserver-based authentication is required, and I am quite sure it breaks internal requests.
@MichaIng: you are right with the basic authentication issue. I removed the basic authentication from the config, but I only got an empty Dashboard
With "empty" you mean a white page or is the page rendered, just the diagrams showing no values? If it is more a white page, the PHP processing block might just be wrong/incomplete. It is missing ~some parts~ one part at least:
snippets/fastcgi-php.conf on Debian contains:
```nginx
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;

# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;
include fastcgi.conf;
```
The fastcgi.conf is covered in the docs' config with fastcgi_params and SCRIPT_FILENAME, but PATH_INFO is missing. You also have this in your config, so this really seems to be the key difference between our working configs and the non-functional one.
Yes, with "empty" I mean just the diagrams showing no values. Ok, good answer :-) Wouldn't it be a good idea to put your answer directly into the nginx-docu?

> yes, with "empty" I mean just the diagrams showing no values.

Hmm, but this is an indicator against my theory, since then the page is served by PHP. It could be tested adding

```nginx
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
```

after

```nginx
include fastcgi_params;
```

to the Nginx config from the docs. If this works, we should indeed add it there.
I took the config from the docu and changed it according to your suggestion:
```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    server_name _;
    autoindex off;

    index pihole/index.php index.php index.html index.htm;

    location / {
        expires max;
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        fastcgi_param FQDN true;
    }

    location /*.js {
        index pihole/index.js;
    }

    location /admin {
        root /var/www/html;
        index index.php index.html index.htm;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    location ~ /\.ht {
        deny all;
    }
}
```
this works also :-)
Okay, then I think we can be sure this really is the missing part. I'd just add the split path part to the location ~ \.php$ { block, since it has no purpose for anything else than PHP scripts, but is common for all PHP scripts, not just Pi-hole.
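
Added example (not part of the thread, and not Pi-hole or DietPi code): a simplified Python model of nginx's location selection, run over the location blocks of the docs-derived config tested above. It shows that PHP requests under /admin are handled by the `location ~ \.php$` block, which is where the split-path directives need to live, and that /admin/.git paths land in the plain /admin block, which has no deny rule. The labels and request paths are constructed for illustration.

```python
import re

# Location blocks of the docs-derived config tested above, in file order:
# (modifier, pattern, label). Modifier "" is a plain prefix location.
# Labels are descriptive only and are not nginx syntax.
TESTED_CONFIG = [
    ("", "/", "static root"),
    ("~", r"\.php$", "PHP handler (fastcgi_pass)"),
    ("", "/*.js", "js index (literal prefix, '*' is not a wildcard)"),
    ("", "/admin", "admin (split_path_info / PATH_INFO set here)"),
    ("~", r"/\.ht", "deny all"),
]


def select_location(locations, uri):
    """Return the (modifier, pattern, label) tuple nginx would pick for uri.

    Simplified model of nginx's documented selection order:
    1. an exact "=" match wins immediately;
    2. the longest matching prefix is remembered ("^~" ends the search);
    3. regex locations are tried in file order, first match wins;
    4. otherwise the remembered prefix location is used.
    Nested and named locations are not modelled.
    """
    best = None
    for loc in locations:
        mod, pat, _ = loc
        if mod == "=" and uri == pat:
            return loc
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = loc
    if best is not None and best[0] == "^~":
        return best
    for loc in locations:
        mod, pat, _ = loc
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return loc
    return best


if __name__ == "__main__":
    # Constructed request paths, not taken from the thread.
    for uri in ("/admin/index.php", "/admin/.git/config", "/.htaccess", "/admin/"):
        print(f"{uri:22} -> {select_location(TESTED_CONFIG, uri)[2]}")
```
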