Unable to access Pihole admin virtual host when using DHCP-Helper

TheRettom · June 1, 2024, 7:35pm

Let me preface with this: I don’t know if this is a Caddy issue or a Pihole/DHCP-Helper issue.

1. The problem I’m having:

I’m attempting to use Caddy for reverse proxy with HTTPS on my Pihole container. It works fine when I’m using Pihole without DHCP functionality, as I can access the admin control panel. When I restart the container with DHCP-helper, I can no longer access it and get an error.

DHCP-helper is set up with the link in section 5. I used the IP of the server in the DNSmasq config file instead of the external IP (public) since this is only going to be accessible on the local network.

2. Error messages and/or full log output:

{"level":"info","ts":1717268959.4707103,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1717268959.4760897,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
{"level":"info","ts":1717268959.4782255,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000526080"}
{"level":"info","ts":1717268959.478618,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1717268959.4786983,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1717268959.485951,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1717268959.4865696,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1717268959.4869804,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"info","ts":1717268959.4874444,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1717268959.4905396,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["pihole-4rknm.duckdns.org","vw-4rknm.duckdns.org"]}
{"level":"info","ts":1717268959.4923618,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1717268959.4925056,"msg":"serving initial configuration"}
{"level":"warn","ts":1717268959.4937022,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"d3dd01f2-1d67-4b5f-9df9-874d1170c2d0","try_again":1717355359.4937005,"try_again_in":86399.999999606}
{"level":"info","ts":1717268959.493777,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"error","ts":1717268978.5501444,"logger":"http.log.error.log0","msg":"dial tcp: lookup pihole on 127.0.0.11:53: no such host","request":{"remote_ip":"192.168.1.63","remote_port":"59235","client_ip":"192.168.1.63","proto":"HTTP/3.0","method":"GET","host":"pihole-4rknm.duckdns.org","uri":"/admin/","headers":{"Dnt":["1"],"Alt-Used":["pihole-4rknm.duckdns.org"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Mode":["navigate"],"Priority":["u=1"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Site":["none"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Cookie":[],"Sec-Gpc":["1"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-User":["?1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h3","server_name":"pihole-4rknm.duckdns.org"}},"duration":0.034172848,"status":502,"err_id":"2zagfanux","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

Built Caddy with

xcaddy build --with github.com/caddy-dns/duckdns

Configured the compose.yaml file and Caddyfile per this guide and caddy.env from this guide.

a. System environment:

Arch Linux using Linux-LTS kernel, x86_64
Docker and Docker Compose

b. Command:

sudo docker compose up -d

c. Service/unit/compose file:

  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    environment:
      DNSMASQ_LISTENING: all
      TZ: America/Boise
      VIRTUAL_HOST: pihole-4rknm.duckdns.org
      WEBPASSWORD: [redacted]
      FTLCONF_LOCAL_IPV4: 192.168.1.60
      DHCP_ACTIVE: true
      DHCP_START: 192.168.1.2
      DHCP_END: 192.168.1.254
      DHCP_ROUTER: 192.168.1.1
      WEBTHEME: default-dark
    volumes:
      - /srv/pihole/etc-pihole:/etc/pihole
      - /srv/pihole/etc-dnsmasq.d:/etc/dnsmasq.d
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
    restart: unless-stopped
    depends_on:
      - dhcphelper
      - caddy
    networks:
      backend:
          ipv4_address: '172.31.0.100'

  dhcphelper:
    build: /srv/dhcp-helper
    restart: unless-stopped
    network_mode: "host"
    command: -s 172.31.0.100
    cap_add:
      - NET_ADMIN

  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      YUBICO_CLIENT_ID: "90318"
      YUBICO_SECRET_KEY: "bbBHnYXExqmGGMWS4C3ooi8nPxE="
    ports:
      - 8080:80
    volumes:
      - /srv/vaultwarden/vw-data:/data

 caddy:
    image: caddy:2
    container_name: caddy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      - 443:443/udp # Needed for HTTP/3.
    volumes:
      - /srv/caddy/caddy:/usr/bin/caddy  # Your custom build of Caddy.
      - /srv/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - /srv/caddy/caddy-config:/config
      - /srv/caddy/caddy-data:/data
    environment:
#      DOMAIN: "https://4rknm.duckdns.org"  # Your domain.
      EMAIL: "rileymotter@protonmail.com"                 # The email address to use for ACME registration.
      DUCKDNS_TOKEN: "efcc5ce9-dd5d-44d4-bb46-f06afdf27481"                   # Your Duck DNS token.
      LOG_FILE: "/data/access.log"

networks:
  backend:
    ipam:
      config:
        - subnet: 172.31.0.0/16

d. My complete Caddy config:

# PIHOLE
pihole-4rknm.duckdns.org {
        log {
                level INFO
                output file {$LOG_FILE} {
                        roll_size 10MB
                        roll_keep 10
                }
        }

        # Use the ACME DNS-01 challenge to get a cert for the configured domain.
        tls {
                dns duckdns {$DUCKDNS_TOKEN}
        }
        # This setting may have compatibility issues with some browsers
        # (e.g., attachment downloading on Firefox). Try disabling this
        # if you encounter issues.
        encode zstd gzip

        reverse_proxy pihole:80
}

# VAULTWARDEN
vw-4rknm.duckdns.org {
        log {
                level INFO
                output file {$LOG_FILE} {
                        roll_size 10MB
                        roll_keep 10
                }
        }

        # Use the ACME DNS-01 challenge to get a cert for the configured domain.
        tls {
                dns duckdns {$DUCKDNS_TOKEN}
        }
        # This setting may have compatibility issues with some browsers
        # (e.g., attachment downloading on Firefox). Try disabling this
        # if you encounter issues.
        encode zstd gzip

        reverse_proxy vaultwarden:80
}

5. Links to relevant resources:

Monviech · June 2, 2024, 8:21am

I would rather use the IP address instead of the hostname “pihole”.

Your logfile clearly states that this is the issue with “no such host”:

{"level":"error","ts":1717268978.5501444,"logger":"http.log.error.log0","msg":"dial tcp: lookup pihole on 127.0.0.11:53: no such host"

TheRettom · June 2, 2024, 10:27pm

The IP address, in this case, 172.31.0.100? It gives me:

"msg":"dial tcp 172.31.0.100:80: i/o timeout","request"

Edit: I think I figured it out. I needed to create a custom network so that Caddy and Pihole could communicate with each other. Since specifying ONLY network: backend, Caddy couldn’t see it anymore.

I changed my file to reflect the following:

  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    environment:
      DNSMASQ_LISTENING: all
      TZ: America/Boise
      VIRTUAL_HOST: pihole-4rknm.duckdns.org
      WEBPASSWORD: [redacted]
      FTLCONF_LOCAL_IPV4: 192.168.1.60
      DHCP_ACTIVE: true
      DHCP_START: 192.168.1.2
      DHCP_END: 192.168.1.254
      DHCP_ROUTER: 192.168.1.1
      WEBTHEME: default-dark
    volumes:
      - /srv/pihole/etc-pihole:/etc/pihole
      - /srv/pihole/etc-dnsmasq.d:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
    restart: unless-stopped
    depends_on:
      - dhcphelper
      - caddy
    networks:
      backend:
          ipv4_address: '172.31.0.100'
      caddy_net: {}

  dhcphelper:
    build: /srv/dhcp-helper
    restart: unless-stopped
    network_mode: "host"
    command: -s 172.31.0.100
    cap_add:
      - NET_ADMIN

networks:
  backend:
    ipam:
      config:
        - subnet: 172.31.0.0/16
  caddy_net:
    external: true

Apologies for forgetting a basic concept. Thanks for the assistance, Monviech.

system · July 2, 2024, 10:27pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.