Shut that pi-hole, dude

• Print

Details

Category: Slices of Pi

It took a while, but after having lost my previous Raspberry Pi to the Gods Of SD Card Failures, I finally got around to setting pi-hole up again on the new one (backups, dude, backups! Yes, I hear ya...)

First things first: what's a Pie Hole? It's a bit of software actually called pi-hole meant to keep network clients (and users, family members, pets, stray aliens, etc) from getting overwhelmed with the ads and trackers the Daemons of Internet try to bestow upon us on a continuous basis.

To do so it acts as DNS server in your network and compares each DNS-request to a list of known ad/spam/malicious sites. If the DNS address requested is on there it disappears into pi-hole's Black Hole of Doom. Furthermore, it includes a DHCP, so you can use pi-hole as your one-stop shop for your basic networking needs. 

It's easy to install. The project's home is at https://pi-hole.net and their GitHub at https://github.com/pi-hole/pi-hole/#one-step-automated-install tells you how to proceed. 

Then why, dear writer, are you writing this blog post? Glad you asked, esteemed reader...  Pi-Hole sets up its own webserver. Just like most other projects which sport a webinterface for easy administration. That's great - but it's yet another service running on my pi. I'd rather re-use what I have. Since my energy-use tracking system (DSMR, blog post to come!) uses Nginx that's what I want pi-hole to use, too. And it does - now.

Interested in getting Pi-Hole running with Nginx ? Read on.

If you're not entirely risk-averse (piping stuff to bash might not always be such a bright idea, after all), run 

curl -sSL https://install.pi-hole.net | bash

This downloads everything required and starts a wizard. Bright! Shiny! Pretty!

Follow the wizard down its yellow-brick red-on-blue path until you reach the question whether or not to install the web interface (yes, we want that) and the webserver (NO, we DO NOT want that).  Then just keep following again till it's done.

Now we need some PHP dependencies which weren't installed when opting out of the webserver install. I shamelessly copied the following list from another page (but they do the trick for me):

sudo apt install php7.3 php-fpm php7.3-bcmath php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-gd php7.3-json php7.3-mbstring php7.3-mysql php7.3-opcache php7.3-readline php7.3-sqlite3 php7.3-xml php7.3-zip

Then we edit Nginx' configuration. I opted to create an additional config file and run a new instance of Nginx rather than incorporating the changes into the existing configuration. This gives me more control, imho, but of course you can make your own decisions here.

sudo nano -w /etc/nginx/sites-enabled/pi-hole

I put the following into this file (you might need to fiddle with it if you've installed a different PHP version).  Why port 8053? Because DNS' port is 53 and that makes it easy for me to remember. No, I'm not a geek. Thank you.

 server {
listen 8053;
listen [::]:8053;
server_name [put all the names you'd like the webinterface to listen to here, separated by blank spaces];
root /var/www/html;
autoindex off;

index pihole/index.php index.php index.html index.htm;

location / {
expires max;
try_files $uri $uri/ =404;
}

location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
fastcgi_param FQDN true;
}

location /*.js {
index pihole/index.js;
}

location /admin {
root /var/www/html;
index index.php index.html index.htm;
}

location ~ /\.ht {
deny all;
}
}

Right, got that in there and saved it? Onwards, intrepid reader!

Pi-hole creates it's own user etc and assigns rights to the projects databases etc to it. Great - but Nginx runs under a different user, so when you try to update the blacklist with the webinterface running on Nginx you'll get an error "Attempt to write a readonly database".

Easy to work around this: add the right group memberships:

sudo usermod -a -G pihole www-data

All done? Yes! restart your Nginx with sudo service nginx restart and you should be ready to administer your server at http://<serverFQDN>:8045/admin

And Yes, I will make a backup of the new SD Card. Eventually. Preferably before it fails again...