    PiHole for Friends and Family

    Scheduled Pinned Locked Moved IT Discussion
    67 Posts 14 Posters 11.1k Views
    • A
      Alex Sage @Romo
      last edited by

      @romo thanks! 🙂

      1 Reply Last reply Reply Quote 0
      • A
        Alex Sage @NashBrydges
        last edited by

        @nashbrydges it is very nice indeed 🙂

        1 Reply Last reply Reply Quote 0
        • A
          Alex Sage @Romo
          last edited by

          @romo I love your script! Thank you so much! Sorry I didn't reply before; somehow I missed your post 😕

          Can you make this so I can set whatever ports I want? In the example I gave before I just wanted to do DNS but now my mind is spinning with other ideas 🙂

          RomoR 1 Reply Last reply Reply Quote 0
          • NashBrydgesN
            NashBrydges
            last edited by

            Now that I'll be testing Romo's script, I don't need to use VPN and I'd like to set up the admin page behind Nginx. Found a tutorial that allows admin page access using Nginx as a proxy, but I can't get the HTTPS redirect to work right.

            https://github.com/pi-hole/pi-hole/wiki/Nginx-Configuration

            Anyone have a working Nginx config with HTTPS redirect for this?

            Found this that shows how to set up Let's Encrypt with lighttpd, but I don't know enough to set it up with the other proper security headers.

            http://www.itzgeek.com/how-tos/linux/how-to-configure-lets-encrypt-ssl-in-lighttpd-server.html

            A black3dynamiteB 4 Replies Last reply Reply Quote 0
            • A
              Alex Sage @NashBrydges
              last edited by Alex Sage

              @nashbrydges said in PiHole for Friends and Family:

              Now that I'll be testing Romo's script, I don't need to use VPN and I'd like to set up the admin page behind Nginx. Found a tutorial that allows admin page access using Nginx as a proxy, but I can't get the HTTPS redirect to work right.

              https://github.com/pi-hole/pi-hole/wiki/Nginx-Configuration

              Anyone have a working Nginx config with HTTPS redirect for this?

              Check out this 🙂

              https://mangolassi.it/topic/6905/setting-up-nginx-on-centos-7-as-a-reverse-proxy

              1 Reply Last reply Reply Quote 1
              • A
                Alex Sage @NashBrydges
                last edited by

                @nashbrydges Also, take a look at this for SSL 😉

                https://mangolassi.it/topic/7127/setting-up-letsencrypt-on-a-centos-7-nginx-proxy

                NashBrydgesN 1 Reply Last reply Reply Quote 1
                • A
                  Alex Sage @NashBrydges
                  last edited by

                  @nashbrydges this is a perfect case for containers. One container for PiHole, one container for NGINX, and one container for OpenVPN for mobile devices 🙂

                  1 Reply Last reply Reply Quote 0
                  • NashBrydgesN
                    NashBrydges @Alex Sage
                    last edited by

                    @aaronstuder Yeah, I've easily got Nginx running with standard sites on Apache for example but in this case, I think the complexity comes from the HTTPS redirect and the fact that lighttpd syntax is different and I've not used it.

                    A 1 Reply Last reply Reply Quote 0
                    • A
                      Alex Sage @NashBrydges
                      last edited by

                      @nashbrydges Maybe I am confused? Why are you using lighttpd? Are you setting up NGINX as a reverse proxy?

                      NashBrydgesN 1 Reply Last reply Reply Quote 0
                      • NashBrydgesN
                        NashBrydges @Alex Sage
                        last edited by

                        @aaronstuder That's the web server installed by default with the Pi-hole script for the admin page. Nginx would serve as the proxy.

                        A 1 Reply Last reply Reply Quote 0
                        • A
                          Alex Sage @NashBrydges
                          last edited by Alex Sage

                          @nashbrydges Oh, are you trying to use NGINX on the same system as PiHole?

                          NashBrydgesN 1 Reply Last reply Reply Quote 0
                          • NashBrydgesN
                            NashBrydges @Alex Sage
                            last edited by

                            @aaronstuder I have a separate instance running Nginx but regardless, why would you not recommend on same server? I see no reason why that would be a problem.

                            1 Reply Last reply Reply Quote 0
                            • black3dynamiteB
                              black3dynamite @NashBrydges
                              last edited by black3dynamite

                              @nashbrydges said in PiHole for Friends and Family:

                              Now that I'll be testing Romo's script, I don't need to use VPN and I'd like to set up the admin page behind Nginx. Found a tutorial that allows admin page access using Nginx as a proxy, but I can't get the HTTPS redirect to work right.

                              https://github.com/pi-hole/pi-hole/wiki/Nginx-Configuration

                              Anyone have a working Nginx config with HTTPS redirect for this?

                              Found this that shows how to set up Let's Encrypt with lighttpd, but I don't know enough to set it up with the other proper security headers.

                              http://www.itzgeek.com/how-tos/linux/how-to-configure-lets-encrypt-ssl-in-lighttpd-server.html

                              I've only got it working with nginx http.

                              upstream adblock {
                                      server 10.0.0.3:80;     # lighttpd on the Pi-hole host
                              }
                              
                              server {
                                      client_max_body_size 40M;
                                      listen 80;
                              
                                      server_name adblock.domain.com;
                              
                                      # Only the admin UI is proxied; nothing else on the Pi-hole host is reachable through nginx
                                      location /admin {
                                              # Hand the real client address and the original Host header through to lighttpd
                                              proxy_set_header X-Real-IP $remote_addr;
                                              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                                              proxy_set_header Host $http_host;
                                              proxy_set_header X-NginX-Proxy true;
                                              proxy_pass http://adblock;
                                              proxy_redirect off;             # Location headers from lighttpd are passed back unchanged
                                              proxy_connect_timeout 600;
                                              proxy_send_timeout 600;
                                              proxy_read_timeout 600;
                                              send_timeout 600;
                                      }
                              }
                              
                              1 Reply Last reply Reply Quote 1
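The HTTPS version that @nashbrydges asked for, as an added example (it is not the Pi-hole wiki's config and not the one posted above). It keeps the same upstream (10.0.0.3) and name (adblock.domain.com), and assumes certificates were issued with certbot in webroot mode to /etc/letsencrypt/live/adblock.domain.com/ and that /var/www/letsencrypt is the webroot given to certbot; both paths are assumptions to adjust.

```nginx
upstream adblock {
    server 10.0.0.3:80;                 # lighttpd on the Pi-hole host
}

# Port 80: answer ACME HTTP-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    server_name adblock.domain.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;      # certbot certonly --webroot -w /var/www/letsencrypt (assumed path)
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name adblock.domain.com;

    ssl_certificate     /etc/letsencrypt/live/adblock.domain.com/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/letsencrypt/live/adblock.domain.com/privkey.pem;     # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Security headers; "always" also sets them on error responses from the proxy.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header Referrer-Policy same-origin always;

    # Still only the admin UI is exposed.
    location /admin {
        # Optional second layer: only the source addresses the ufw script keeps in sync.
        # allow 203.0.113.0/24;   # placeholder range
        # deny all;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://adblock;
        # lighttpd does not know it sits behind TLS and answers redirects with http://;
        # rewrite them so the browser is not bounced through port 80 on every redirect.
        proxy_redirect http:// https://;
    }
}
```

Check it with `nginx -t`, then `curl -I http://adblock.domain.com/admin` should return a 301 to the https:// URL and `curl -I https://adblock.domain.com/admin` a 200 or 302 with the headers above. Leave the HSTS header out until the certificate renewal is known to work: once a browser has seen it, that browser refuses the site over plain HTTP for the whole max-age.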
                              • RomoR
                                Romo @NashBrydges
                                last edited by

                                @nashbrydges Haven't set the script to run via cron yet. It is still printing some strings to stdout while I finish it; I plan to add a log file and redirect the output to it.

                                I'll focus on finishing it properly for Ubuntu so you can properly test it.

                                1 Reply Last reply Reply Quote 1
                                • RomoR
                                  Romo
                                  last edited by Romo

                                  But if you want to test it manually, I think it is working properly.

                                  # Starting from empty firewall
                                  ~/scripts/python$ sudo ufw status
                                  Status: active
                                  
                                  #Running script for the first time
                                  ~/scripts/python$ sudo python dns-to-ip-firewall-rules.py 
                                  
                                  Adding to firewall
                                  mangolassi.it - 104.25.46.32
                                  
                                  Adding to firewall
                                  google.com - 172.217.12.78
                                  
                                  Adding to firewall
                                  theverge.com - 151.101.65.52
                                  
                                  # Checking to see if rules were created.
                                  ~/scripts/python$ sudo ufw status
                                  Status: active
                                  
                                  To                         Action      From
                                  --                         ------      ----
                                  53                         ALLOW       104.25.46.32              
                                  53                         ALLOW       172.217.12.78             
                                  53                         ALLOW       151.101.65.52  
                                  
                                  # Running script again to check for ip changes.
                                  ~/scripts/python$ sudo python dns-to-ip-firewall-rules.py 
                                  
                                  Same ip address nothing to do
                                  mangolassi.it - 104.25.46.32
                                  
                                  Same ip address nothing to do
                                  google.com - 172.217.12.78
                                  
                                  Adding theverge.com ip 151.101.129.52 - removing 151.101.65.52
                                  theverge.com - 151.101.129.52
                                  
                                  # Verifying ip changes are added to the firewall, and old ip are removed.
                                  ~/scripts/python$ sudo ufw status
                                  Status: active
                                  
                                  To                         Action      From
                                  --                         ------      ----
                                  53                         ALLOW       104.25.46.32              
                                  53                         ALLOW       172.217.12.78             
                                  53                         ALLOW       151.101.129.52 
                                  
                                  

                                  At least for DNS and Ubuntu I think it does what @aaronstuder asked for originally. The idea of custom ports could be done as well, probably just by adding a list of ports you wish to open for each domain.

                                  1 Reply Last reply Reply Quote 0
                                  • RomoR
                                    Romo @Alex Sage
                                    last edited by

                                    @aaronstuder said in PiHole for Friends and Family:

                                    @romo I love your script! Thank you so much! Sorry I didn't reply before; somehow I missed your post 😕

                                    Can you make this so I can set whatever ports I want? In the example I gave before I just wanted to do DNS but now my mind is spinning with other ideas 🙂

                                    @aaronstuder Different ports per domain or just add a list of custom ports for all domains?

                                    A 1 Reply Last reply Reply Quote 0
                                    • A
                                      Alex Sage @Romo
                                      last edited by Alex Sage

                                      @romo said in PiHole for Friends and Family:

                                      @aaronstuder said in PiHole for Friends and Family:

                                      @romo I love your script! Thank you so much! Sorry I didn't reply before; somehow I missed your post 😕

                                      Can you make this so I can set whatever ports I want? In the example I gave before I just wanted to do DNS but now my mind is spinning with other ideas 🙂

                                      @aaronstuder Different ports per domain or just add a list of custom ports for all domains?

                                      @Romo Same ports for all domains, but then maybe allowing all ports, since we are restricting by IP address already.

                                      Seems like:

                                      sudo ufw allow from 123.45.67.89
                                      

                                      Would work?

                                      RomoR 1 Reply Last reply Reply Quote 0
                                      • RomoR
                                        Romo @Alex Sage
                                        last edited by

                                        @aaronstuder said in PiHole for Friends and Family:

                                        @romo said in PiHole for Friends and Family:

                                        @aaronstuder said in PiHole for Friends and Family:

                                        @romo I love your script! Thank you so much! Sorry I didn't reply before; somehow I missed your post 😕

                                        Can you make this so I can set whatever ports I want? In the example I gave before I just wanted to do DNS but now my mind is spinning with other ideas 🙂

                                        @aaronstuder Different ports per domain or just add a list of custom ports for all domains?

                                        @Romo Same ports for all domains, but then maybe allowing all ports, since we are restricting by IP address already.

                                        Seems like:

                                        sudo ufw allow from 123.45.67.89
                                        

                                        Would work?

                                        Well that's gonna be much easier.

                                        Just finished a custom-ports branch, that gives you the ability to specify ports and protocol (tcp/udp)

                                        # Starting from empty firewall
                                        ~/scripts/python$ sudo ufw status
                                        Status: active
                                        
                                        # Running script for the first time
                                        ~/scripts/python$ sudo python dns-to-ip-firewall-rules.py 
                                        
                                        Adding to firewall
                                        mangolassi.it - 104.25.47.32
                                        
                                        Adding to firewall
                                        google.com - 172.217.1.238
                                        
                                        Adding to firewall
                                        example.com - 93.184.216.34 
                                        
                                        # Verifying ips with ports and protocols are added
                                        ~/scripts/python$ sudo ufw status
                                        Status: active
                                        
                                        To                         Action      From
                                        --                         ------      ----
                                        53/udp                     ALLOW       93.184.216.34             
                                        22                         ALLOW       93.184.216.34             
                                        80/tcp                     ALLOW       93.184.216.34             
                                        53/udp                     ALLOW       172.217.1.238             
                                        22                         ALLOW       172.217.1.238             
                                        80/tcp                     ALLOW       172.217.1.238             
                                        53                         ALLOW       104.25.47.32              
                                        443/tcp                    ALLOW       104.25.47.32
                                        
                                        
                                        1 Reply Last reply Reply Quote 0
                                        • RomoR
                                          Romo
                                          last edited by

                                          Added the allow all ports for a domain, it is also in the custom-ports branch if you wanna test it and let me know if it works properly for you. I'll merge it to master if it works ok and start removing everything that prints to stdout.

                                          # DOMAINS TO ADD
                                          # ---
                                          # arstechnica - all ports
                                          # theverge - all ports
                                          # mangolassi.it -  53/(udp-tcp), 443/tcp
                                          # example.com - 53/udp, 22/(udp-tcp), 80/tcp
                                          # google.com - 53/udp, 22/(udp-tcp), 80/tcp
                                          # ---
                                          
                                          ~/scripts/python/dns_to_ip_firewall_rules$ sudo python dns-to-ip-firewall-rules.py 
                                          
                                          Adding to firewall
                                          theverge.com - 151.101.65.52
                                          
                                          Adding to firewall
                                          arstechnica.com - 50.31.169.131
                                          
                                          Adding to firewall
                                          google.com - 216.58.194.142
                                          
                                          Adding to firewall
                                          example.com - 93.184.216.34
                                          
                                          Adding to firewall
                                          mangolassi.it - 104.25.47.32
                                          
                                          # Checking firewall rules
                                          ~/scripts/python/dns_to_ip_firewall_rules$ sudo ufw status
                                          Status: active
                                          
                                          To                         Action      From
                                          --                         ------      ----
                                          Anywhere                   ALLOW       151.101.65.52             
                                          Anywhere                   ALLOW       50.31.169.131             
                                          53/udp                     ALLOW       216.58.194.142            
                                          22                         ALLOW       216.58.194.142            
                                          80/tcp                     ALLOW       216.58.194.142            
                                          53/udp                     ALLOW       93.184.216.34             
                                          22                         ALLOW       93.184.216.34             
                                          80/tcp                     ALLOW       93.184.216.34             
                                          53                         ALLOW       104.25.47.32              
                                          443/tcp                    ALLOW       104.25.47.32 
                                          
                                          # Re running script
                                          ~/scripts/python/dns_to_ip_firewall_rules$ sudo python dns-to-ip-firewall-rules.py 
                                          
                                          Adding theverge.com ip 151.101.129.52 - removing 151.101.65.52
                                          theverge.com - 151.101.129.52
                                          
                                          Same ip address nothing to do
                                          arstechnica.com - 50.31.169.131
                                          
                                          Adding google.com ip 172.217.2.238 - removing 216.58.194.142
                                          google.com - 172.217.2.238
                                          
                                          Same ip address nothing to do
                                          example.com - 93.184.216.34
                                          
                                          Adding mangolassi.it ip 104.25.46.32 - removing 104.25.47.32
                                          mangolassi.it - 104.25.46.32
                                          
                                          # Final Results
                                          ~/scripts/python/dns_to_ip_firewall_rules$ sudo ufw status
                                          Status: active
                                          
                                          To                         Action      From
                                          --                         ------      ----
                                          Anywhere                   ALLOW       151.101.65.52             
                                          Anywhere                   ALLOW       50.31.169.131             
                                          53/udp                     ALLOW       93.184.216.34             
                                          22                         ALLOW       93.184.216.34             
                                          80/tcp                     ALLOW       93.184.216.34             
                                          Anywhere                   ALLOW       151.101.129.52            
                                          53/udp                     ALLOW       172.217.2.238             
                                          22                         ALLOW       172.217.2.238             
                                          80/tcp                     ALLOW       172.217.2.238             
                                          53                         ALLOW       104.25.46.32              
                                          443/tcp                    ALLOW       104.25.46.32
                                          A 1 Reply Last reply Reply Quote 0
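The reconciliation that Romo's output above shows (first run adds rules, a later run adds the new address and removes the old one, per-domain port/protocol lists, and "all ports" for a domain), written out as one added example. This is not Romo's script and its branch is not quoted here; it is a stand-alone reimplementation of the same idea. The hostnames, the state-file path and the port lists are placeholders. The resolver and the command runner are parameters so the logic can be exercised without touching a real firewall; with the defaults it calls `socket.gethostbyname` and runs `ufw` via `subprocess.run`, so it must run as root, as in the posts.

```python
"""Keep ufw source-address rules in sync with the A records of a set of hostnames.

Added example, not Romo's script: add-new-IP / remove-old-IP reconciliation with
per-host port lists, "all" ports, persisted state, and injectable resolver and
command runner.
"""
import ipaddress
import json
import socket
import subprocess
from pathlib import Path

# Hostname -> list of (port, proto) pairs to open from that host's current address,
# or "all" to allow every port from it. Hostnames and path are placeholders (assumption).
DOMAINS = {
    "alice.dyndns.example": [("53", "udp"), ("53", "tcp"), ("443", "tcp")],
    "bob.dyndns.example": "all",
}
STATE_FILE = Path("/var/lib/dns-allowlist/state.json")


def resolve(hostname, resolver=socket.gethostbyname):
    """First A record as a validated IPv4 string, or None if the lookup fails or the
    answer is not a plain address (nothing taken from DNS reaches ufw unvalidated)."""
    try:
        return str(ipaddress.IPv4Address(resolver(hostname)))
    except (OSError, ValueError):
        return None


def rules_for(spec):
    """Expand a DOMAINS entry: 'all' becomes a single rule with no port restriction."""
    return [(None, None)] if spec == "all" else list(spec)


def ufw_cmd(action, ip, port=None, proto=None):
    """argv for `ufw allow ...` or `ufw delete allow ...`; no shell is involved."""
    rule = ["allow", "from", ip]
    if port is not None:
        rule += ["to", "any", "port", port, "proto", proto]
    return ["ufw", "delete", *rule] if action == "delete" else ["ufw", *rule]


def sync(domains, state, resolver=socket.gethostbyname, run=subprocess.run):
    """Reconcile ufw with the current DNS answers.

    state maps hostname -> the IP currently written into ufw. Returns
    (new_state, commands_executed). Rules for a new address are added before the
    old address is deleted, so a user whose IP changed is never locked out in between.
    """
    new_state, executed = {}, []

    def do(cmd):
        run(cmd, check=True)
        executed.append(cmd)

    for host, spec in domains.items():
        old = state.get(host)
        ip = resolve(host, resolver)
        if ip is None:
            if old:                    # lookup failed: keep the existing rule, retry next run
                new_state[host] = old
            continue
        if ip == old:                  # same ip address, nothing to do
            new_state[host] = ip
            continue
        for port, proto in rules_for(spec):
            do(ufw_cmd("allow", ip, port, proto))
        if old:
            for port, proto in rules_for(spec):
                do(ufw_cmd("delete", old, port, proto))
        new_state[host] = ip
    return new_state, executed


def load_state(path=STATE_FILE):
    return json.loads(path.read_text()) if path.exists() else {}


def save_state(state, path=STATE_FILE):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(state, indent=2))


if __name__ == "__main__":
    # Run as root from cron; with the default runner the commands really change ufw.
    current = load_state()
    current, commands = sync(DOMAINS, current)
    save_state(current)
    for argv in commands:
        print(" ".join(argv))
```

Two things worth knowing before putting this in cron: `ufw --dry-run` exists, so passing `run=lambda cmd, check=True: subprocess.run([cmd[0], "--dry-run", *cmd[1:]], check=check)` lets you see what would change without changing it; and a host removed from DOMAINS simply drops out of the state file, so its rules stay until you delete them by hand (storing the port spec in the state as well would let sync revoke them).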
                                          • A
                                            Alex Sage @Romo
                                            last edited by

                                            @romo Thanks so much! Seems to be working for me 🙂

                                            1 Reply Last reply Reply Quote 0