Pi-Hole instructions out of date?

I am looking at these instructions: "Using Caddy instead of lighttpd with Pi-Hole".

I believe they are out of date?

1. Output of caddy version:

v2.6.2

2. How I run Caddy:

:80 {
 root * /var/www/html
 php_fastcgi unix//run/php/php7.4-fpm.sock
 file_server 
}

Note: update to php7.4-fpm.sock (installed and running)

a. System environment:

Linux Mint 20.3

b. Command:

Using the caddy service.

sudo cp myCaddyfile /etc/caddy/Caddyfile
sudo systemctl reload caddy.service

c. Service/unit/compose file:

NA

d. My complete Caddy config:

192.168.1.111:80 {
 root * /var/www/html
 php_fastcgi unix//run/php/php7.3-fpm.sock
 file_server 
}

3. The problem I’m having:

Getting http://192.168.1.111 does not do what I am expecting.

4. Error messages and/or full log output:

  1. curl http://192.168.1.111 returns an apache page
  2. curl -I http://192.168.1.111/admin returns 308
HTTP/1.1 308 Permanent Redirect
Location: /admin/
Server: Caddy
Date: Thu, 19 Jan 2023 22:32:52 GMT

but browser says 502

Request URL: http://192.168.1.111/admin/
Request Method: GET
Status Code: 502 Bad Gateway
Remote Address: 192.168.1.111:80
Referrer Policy: strict-origin-when-cross-origin

5. What I already tried:

6. Links to relevant resources:

Wanted to avoid running multiple servers on this machine, which is the solution described here

That implies that Apache is still running on that server. Make sure to turn it off. Check the caddy service’s status to make sure it’s actually running. It might have failed to start because Apache is still running.

Show us your Caddy logs.

Turns out I think the Apache references are expected. Here are the files at /var/www/html:

$ ls /var/www/html
admin  index.html

$ ls /var/www/html/admin/
api_db.php         composer.lock    dns_records.php     img           network.php        README.md
api_FTL.php        CONTRIBUTING.md  gravity.php         index.php     package.json       scripts
api.php            db_graph.php     groups-adlists.php  LICENSE       package-lock.json  settings.php
auditlog.php       db_lists.php     groups-clients.php  login.php     phpstan.neon.dist  style
cname_records.php  db_queries.php   groups-domains.php  logout.php    queries.php        taillog-FTL.php
composer.json      debug.php        groups.php          messages.php  queryads.php       taillog.php

index.html is the apache page.

/admin is where pihole lives.

Here was my problem:

I did this, as instructed:

I also needed to do this:

systemctl start php7.3-fpm

D’oh!

Note: substitute 7.4 for all instances of 7.3

Summary instructions:

sudo apt install php7.4-fpm   # change this to use the latest version
sudo systemctl enable php7.4-fpm
sudo systemctl start php7.4-fpm

Works like a charm!


@francislavoie @matt,

piHole is running fine, but I cannot access the web interface (e.g. http://localhost/admin/).

The website comes up, I can log in. But many of the PHP URLs fail with internal error 500, but the pihole logs look pretty clean. Any tips?

I looked at the lighttpd config file and nothing stands out:

15-pihole-admin.conf
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Lighttpd config for Pi-hole
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.

###############################################################################
#     FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE.     #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
###############################################################################

server.errorlog := "/var/log/lighttpd/error-pihole.log"

$HTTP["url"] =~ "^/admin/" {
    server.document-root = "/var/www/html"
    server.stream-response-body = 1
    accesslog.filename = "/var/log/lighttpd/access-pihole.log"
    accesslog.format = "%{%s}t|%h|%V|%r|%s|%b"

    fastcgi.server = (
        ".php" => (
            "localhost" => (
                "socket" => "/tmp/pihole-php-fastcgi.socket",
                "bin-path" => "/usr/bin/php-cgi",
                "min-procs" => 0,
                "max-procs" => 1,
                "bin-environment" => (
                    "PHP_FCGI_CHILDREN" => "4",
                    "PHP_FCGI_MAX_REQUESTS" => "10000",
                ),
                "bin-copy-environment" => (
                    "PATH", "SHELL", "USER"
                ),
                "broken-scriptfilename" => "enable",
            )
        )
    )

    # X-Pi-hole is a response header for debugging using curl -I
    # X-Frame-Options prevents clickjacking attacks and helps ensure your content is not embedded into other sites via < frame >, < iframe > or < object >.
    # X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. This is important because it tells the browser to block the response if a malicious script has been inserted from a user input. (deprecated; disabled)
    # X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This is important because the browser will only load external resources if their content-type matches what is expected, and not malicious hidden code.
    # Content-Security-Policy tells the browser where resources are allowed to be loaded and if it’s allowed to parse/run inline styles or Javascript. This is important because it prevents content injection attacks, such as Cross Site Scripting (XSS).
    # X-Permitted-Cross-Domain-Policies is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.
    # Referrer-Policy allows control/restriction of the amount of information present in the referral header for links away from your page—the URL path or even if the header is sent at all.
    setenv.add-response-header = (
        "X-Pi-hole" => "The Pi-hole Web interface is working!",
        "X-Frame-Options" => "DENY",
        "X-XSS-Protection" => "0",
        "X-Content-Type-Options" => "nosniff",
        "Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
        "X-Permitted-Cross-Domain-Policies" => "none",
        "Referrer-Policy" => "same-origin"
    )
    # Block . files from being served, such as .git, .github, .gitignore
    $HTTP["url"] =~ "^/admin/\." {
        url.access-deny = ("")
    }

    # allow teleporter and API qr code iframe on settings page
    $HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
        $HTTP["referer"] =~ "/admin/settings\.php" {
            setenv.set-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
        }
    }
}
else $HTTP["url"] == "/admin" {
    url.redirect = ("" => "/admin/")
}

$HTTP["host"] == "pi.hole" {
    $HTTP["url"] == "/" {
        url.redirect = ("" => "/admin/")
    }
}

# (keep this on one line for basic-install.sh filtering during install)

Maybe the piHole NGINX config has some clues?

Thanks

Hey, I figured it out. Nginx did have a clue.

Also, need this:

sudo apt install php7.4-sqlite3  # or php8.0 if your system supports it

So in summary:

# Ubuntu focal apt latest is php7.4
# change php to use the latest version your OS supports
sudo apt install php7.4-fpm php7.4-sqlite3 
sudo systemctl enable php7.4-fpm
sudo systemctl start php7.4-fpm

Also, I modified the header settings to match what lighttpd was setting:

:80 {
  redir /admin /admin/
  header {
    X-Pi-hole: "The Pi-hole Web interface is working!"
    X-XSS-Protection: "0"
    X-Content-Type-Options: "nosniff"
    Content-Security-Policy: "default-src 'self' 'unsafe-inline';"
    X-Permitted-Cross-Domain-Policies: "none"
    Referrer-Policy: "same-origin"
  }
  @isFrame {
    expression `{header.referer}.contains("/admin/settings.php?tab=dns") || {header.referer}.contains("/admin/settings.php?tab=teleporter")`
  }
  @notFrame {
    expression `!({header.referer}.contains("/admin/settings.php?tab=dns") || {header.referer}.contains("/admin/settings.php?tab=teleporter"))`
  }
  route @isFrame {
    header {
      X-Frame-Options: "SAMEORIGIN"
    }
  }
  route @notFrame {
    header {
      X-Frame-Options: "DENY"
    }
  }
  root * /var/www/html

  handle /*.js {
    try_files {path} {path}/index.js
  }

  handle  {
    try_files {path} {path}/index.php {path}/index.html {path}/index.htm
    php_fastcgi unix//run/php/php7.4-fpm.sock
  }

  file_server
  log
}

You can simplify these matchers a bit:

@isFrame  `{header.Referer}.contains("/admin/settings.php?tab=dns") || {header.Referer}.contains("/admin/settings.php?tab=teleporter")`
@notFrame `!({header.Referer}.contains("/admin/settings.php?tab=dns") || {header.Referer}.contains("/admin/settings.php?tab=teleporter"))`

You don’t need to wrap these in route. You can simplify it like this:

header @isFrame X-Frame-Options SAMEORIGIN
header @notFrame X-Frame-Options DENY
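
The lighttpd rule in 15-pihole-admin.conf and the Referer-only Caddy matchers posted in this thread do not select the same requests for `X-Frame-Options: SAMEORIGIN`. The following is an added example, not code from any post here or from the Pi-hole or Caddy projects: it models both rules in Python and lists where they differ. The function names and the sample request paths and Referer values are constructed assumptions.

```python
import re

# lighttpd (15-pihole-admin.conf): inside ^/admin/, SAMEORIGIN only when the
# URL path ends in teleporter.php or api_token.php AND the Referer matches
# /admin/settings\.php; every other /admin/ response gets DENY.
LIGHTTPD_URL = re.compile(r"/(teleporter|api_token)\.php$")
LIGHTTPD_REFERER = re.compile(r"/admin/settings\.php")

# Caddyfile from the thread: the matcher looks at the Referer only, on any path.
CADDY_REFERER_SUBSTRINGS = (
    "/admin/settings.php?tab=dns",
    "/admin/settings.php?tab=teleporter",
)

def lighttpd_xfo(path, referer):
    """X-Frame-Options value set by the lighttpd file (None outside /admin/)."""
    if not path.startswith("/admin/"):
        return None  # the header block is scoped to ^/admin/
    if LIGHTTPD_URL.search(path) and LIGHTTPD_REFERER.search(referer):
        return "SAMEORIGIN"
    return "DENY"

def caddy_xfo(path, referer):
    """X-Frame-Options value set by the @isFrame/@notFrame matchers."""
    if any(s in referer for s in CADDY_REFERER_SUBSTRINGS):
        return "SAMEORIGIN"
    return "DENY"

def divergences(requests):
    """Return (path, referer, lighttpd, caddy) for requests where the two differ."""
    return [(p, r, lighttpd_xfo(p, r), caddy_xfo(p, r))
            for p, r in requests
            if lighttpd_xfo(p, r) != caddy_xfo(p, r)]

# Constructed sample requests: (URL path, Referer header)
SAMPLE = [
    ("/admin/index.php", ""),
    ("/admin/teleporter.php", "http://pi.hole/admin/settings.php?tab=teleporter"),
    ("/admin/index.php", "http://pi.hole/admin/settings.php?tab=dns"),
    ("/admin/api_token.php", "http://pi.hole/admin/settings.php?tab=api"),
    ("/index.html", ""),
]

if __name__ == "__main__":
    for path, referer, old, new in divergences(SAMPLE):
        print(f"{path!r} referer={referer!r}: lighttpd={old} caddy={new}")
```

On the sample, the Caddy matchers send SAMEORIGIN for `/admin/index.php` when the Referer is the DNS settings tab, where lighttpd sends DENY, and send DENY for `api_token.php` requested from another settings tab, where lighttpd sends SAMEORIGIN.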