nginx config in documentation does not work well #962

Open
AlfredoCubitos opened this issue Dec 3, 2023 · 8 comments
@AlfredoCubitos

Versions

Pi-hole version is v5.17.2 (Latest: v5.17.2)
web version is v5.21 (Latest: v5.21)
FTL version is v5.23 (Latest: v5.23)

Platform

armbian
banana-Pi

The nginx config from NGINX-Doku does not work well.
E.g. no values are shown in the Dashboard.

So I'm using the following config, which is based on the Diet-Pi config.

This works well for me :-)

server {
    listen 80 default_server;

    root /var/www/html;
    server_name _;

    index index.php index.html;

    location / {
        expires max;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param HTTP_PROXY "";
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        fastcgi_param FQDN true;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        fastcgi_index index.php;
    }
   
   # Based on: https://github.com/pi-hole/pi-hole/blob/master/advanced/lighttpd.conf.debian

# Allow teleporter and API QR code iframes on settings page
location ~ ^(?:/html|)/admin/scripts/pi-hole/php/(?:teleporter|api_token)\.php$ {
	# PHP handler block
	fastcgi_pass unix:/run/php/php8.2-fpm.sock;
	include snippets/fastcgi-php.conf;

	if ($http_referer !~ /admin/settings\.php) {
		add_header X-Frame-Options "DENY";
	}
	if ($http_referer ~ /admin/settings\.php) {
		add_header X-Frame-Options "SAMEORIGIN";
	}
}


# Admin panel
location ~ ^(?:/html|)/admin(?:$|/) {
	# Block public access to admin page, if enabled
	# - To enable: cd /etc/nginx/sites-dietpi; mv dietpi-pihole-block_public_admin.off dietpi-pihole-block_public_admin.on
	# - To disable: cd /etc/nginx/sites-dietpi; mv dietpi-pihole-block_public_admin.on dietpi-pihole-block_public_admin.off
	include sites-dietpi/dietpi-pihole-block_public_admin.*on;

	# Block . files from being served, such as .git, .github, .gitignore
	location ~ ^(?:/html|)/admin/\. {
		deny all;
	}

	# Create response header for Pi-hole debugger
	add_header X-Pi-hole "The Pi-hole Web interface is working!";
	add_header X-Frame-Options "DENY";

	# Standard PHP handler block
	try_files $uri $uri/ =404;
	location ~ ^(?:/html|)/admin/.+\.php(?:$|/) {
		fastcgi_pass unix:/run/php/php8.2-fpm.sock;
		include snippets/fastcgi-php.conf;
	}
}

# 404 page
location ~ ^(?:/html|)/pihole(?:$|/) {
	# Block public access
	allow 127.0.0.0/8;
	allow 192.168.0.0/16;
	allow 10.0.0.0/8;
	allow 172.16.0.0/12;
	allow ::1/128;
	allow fe80::/10;
	allow fc00::/7;
	deny all;

	# Standard PHP handler block
	try_files $uri $uri/ =404;
	location ~ ^(?:/html|)/pihole/.+\.php(?:$|/) {
		fastcgi_pass unix:/run/php/php8.2-fpm.sock;
		include snippets/fastcgi-php.conf;
	}
}

}


yubiuser transferred this issue from pi-hole/pi-hole on Dec 3, 2023
@dschaper
Member

dschaper commented Dec 4, 2023

@MichaIng Is this accurate?

@MichaIng
Contributor

MichaIng commented Dec 4, 2023

I did not know that there is an Nginx config in Pi-hole docs. We created ours based on the Lighttpd config shipped with Pi-hole. In the meantime it has been updated a little: https://github.com/MichaIng/DietPi/blob/master/.conf/dps_93/nginx.pihole.conf

The Nginx config in Pi-hole docs indeed looks a little incomplete:

  • No security headers/CSP
  • Direct (web) access to .git/.github directories is not denied.
  • If security headers were set in a dedicated drop-in config, teleporter and QR code iframes would be blocked.

But what might actually cause the issue is the added basic authentication. The Pi-hole admin panel has its own authentication, so no dedicated webserver-based authentication is required, and I am quite sure it breaks internal requests.

@AlfredoCubitos
Author

@MichaIng: You are right with the basic authentication issue.
I removed the basic authentication from the config, but I only got an empty Dashboard.

@MichaIng
Contributor

MichaIng commented Dec 4, 2023

With "empty" you mean a white page or is the page rendered, just the diagrams showing no values? If it is more a white page, the PHP processing block might just be wrong/incomplete. It is missing one part at least:

snippets/fastcgi-php.conf on Debian contains:

# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;

# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;
include fastcgi.conf;

The fastcgi.conf is covered in the docs' config with fastcgi_params and SCRIPT_FILENAME, but PATH_INFO is missing. You also have this in your config, so this really seems to be the key difference between our working configs and the non-functional one.

@AlfredoCubitos
Author

Yes, with "empty" I mean just the diagrams showing no values.
Ok, good answer :-)
Wouldn't it be a good idea to put your answer directly into the nginx-docu?

@MichaIng
Contributor

> yes, with "empty" I mean just the diagrams showing no values.

Hmm, but this is an indicator against my theory, since then the page is served by PHP. It could be tested by adding

fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;

after

include fastcgi_params;

to the Nginx config from the docs. If this works, we should indeed add it there.

@AlfredoCubitos
Author

I took the config from the docu and changed it according to your suggestion:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    server_name _;
    autoindex off;

    index pihole/index.php index.php index.html index.htm;

    location / {
        expires max;
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        fastcgi_param FQDN true;
    }

    location /*.js {
        index pihole/index.js;
    }

    location /admin {
        root /var/www/html;
        index index.php index.html index.htm;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    location ~ /\.ht {
        deny all;
    }
}

This also works :-)

@MichaIng
Contributor

Okay, then I think we can be sure this really is the missing part. I'd just add the split path part to the location ~ \.php$ { block, since it has no purpose for anything other than PHP scripts, but is common for all PHP scripts, not just Pi-hole.
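
A consolidated layout of what this thread converges on, as an added example that is not part of the original comments or the Pi-hole docs: the path split and PATH_INFO sit in the PHP handler itself, together with the script-existence check from the Debian snippet and the dotfile deny from the DietPi-based config. The root and socket path are taken from the configs above; using the `\.php(?:$|/)` pattern for the generic handler is an assumption borrowed from the DietPi-based config, and the whole block is untested against a Pi-hole install.

```nginx
# Added example: assembled from directives quoted in this thread.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    server_name _;

    index pihole/index.php index.php index.html index.htm;

    location / {
        expires max;
        try_files $uri $uri/ =404;
    }

    # Regex locations are tested in file order, so this deny is placed
    # before the PHP handler: .git, .github and .gitignore under /admin
    # are refused even when the requested path ends in .php.
    location ~ ^/admin/\. {
        deny all;
    }

    # PHP handler. Unlike "\.php$", this pattern also matches URIs that
    # carry trailing path info (/script.php/extra).
    location ~ \.php(?:$|/) {
        # Split the URI into $fastcgi_script_name and $fastcgi_path_info
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;

        # Only hand scripts that exist on disk to PHP-FPM
        try_files $fastcgi_script_name =404;

        # try_files resets $fastcgi_path_info, so keep a copy
        # (see http://trac.nginx.org/nginx/ticket/321)
        set $path_info $fastcgi_path_info;

        include fastcgi_params;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTP_PROXY "";   # never forward a client Proxy header
        fastcgi_param FQDN true;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}
```

Validate with `nginx -t` before reloading; security headers such as X-Frame-Options are left out here and would need the teleporter/QR-code exception discussed earlier in the thread.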

clayoster added a commit to clayoster/docs that referenced this issue Nov 19, 2024
- The PHP version included with Raspbian 12 is 8.2. Update version numbers accordingly
- Consistently use systemctl for service management
- Include fastcgi settings discussed in issue pi-hole#962
- Remove basic auth configuration since Pi-hole webpage has authentication
- Remove autoindex setting as this is already the NGINX default
- Remove permission steps that are already handled by the Pi-hole install

Signed-off-by: Clay Oster <[email protected]>