---
|
|
search:
|
|
exclude: true
|
|
---
|
|
# pihole Setup
|
|
|
|

|
|
|
|
## **Initial Setup**
|
|
|
|
![]()
|
|
|
|
|
|
[ nowhere.yt ] [ /dev/pts/1 ] [~]
|
|
→ sudo apt-get install wget curl net-tools gamin lighttpd lighttpd-mod-deflate
|
|
|
|
[ nowhere.yt ] [ /dev/pts/1 ] [~]
|
|
→ curl -sSL https://install.pi-hole.net | PIHOLE_SKIP_OS_CHECK=true sudo -E bash
|
|
|
|
[ nowhere.yt ] [ /dev/pts/1 ] [~]
|
|
→ sudo pihole -a -p
|
|
Enter New Password (Blank for no password):
|
|
Confirm Password:
|
|
[✓] New password set
|
|
|
|
|
|
|
|
|
|
To forcibly block domains via regex, you can do the following:
|
|
|
|
 
|
|
|
|
|
|
[ nowhere.yt ] [ /dev/pts/1 ] [~]
|
|
→ pihole -up
|
|
[✓] Update local cache of available packages
|
|
[i] Existing PHP installation detected : PHP version 7.4.28
|
|
[✓] Checking for git
|
|
[✓] Checking for iproute2
|
|
[✓] Checking for whiptail
|
|
[✓] Checking for ca-certificates
|
|
|
|
[i] Checking for updates...
|
|
[i] Pi-hole Core: up to date
|
|
[i] Web Interface: up to date
|
|
[i] FTL: up to date
|
|
|
|
[✓] Everything is up to date!
|
|
|
|
|
|
|
|
Now, if we want an HTTPS interface, we do the following:
|
|
|
|
![]()
|
|
|
|
|
|
|
|
[ nowhere.yt ] [ /dev/pts/2 ] [~]
|
|
→ systemctl disable lighttpd.service --now
|
|
|
|
[ nowhere.yt ] [ /dev/pts/2 ] [~]
|
|
→ apt install nginx php7.4-{fpm,cgi,xml,sqlite3,intl} apache2-utils socat -y
|
|
|
|
[ nowhere.yt ] [ /dev/pts/2 ] [~]
|
|
→ systemctl enable nginx php7.4-fpm --now
|
|
|
|
[ nowhere.yt ] [ /dev/pts/2 ] [~]
|
|
→ vim /etc/nginx/sites-available/default
|
|
|
|
|
|
|
|
|
|
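# Port-80 listener: its only job is to redirect every request to HTTPS.
server {
  listen 80;
  listen [::]:80;
  server_name ns1.void.yt;
  return 301 https://$server_name$request_uri;
}

# HTTPS front end for the Pi-hole web UI (PHP via php-fpm), with Basic Auth
# in front of the PHP and /admin paths.
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name ns1.void.yt;

  # Certificate files written by acme.sh for ns1.void.yt; `nginx -t` fails
  # until they exist, so issue the certificate before (re)starting nginx.
  ssl_certificate /root/.acme.sh/ns1.void.yt/fullchain.cer;
  # NOTE(review): ssl_stapling_verify checks the OCSP response against the
  # certificates listed here (the issuer chain); confirm that pointing this at
  # the leaf certificate rather than the CA/chain file is intended.
  ssl_trusted_certificate /root/.acme.sh/ns1.void.yt/ns1.void.yt.cer;
  ssl_certificate_key /root/.acme.sh/ns1.void.yt/ns1.void.yt.key;

  # TLS 1.2/1.3 only, server-chosen ECDHE + AEAD suites.
  ssl_protocols TLSv1.3 TLSv1.2;
  ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  # Session tickets off: resumption then relies on the server-side cache
  # instead of a long-lived ticket key that would need rotating.
  ssl_session_tickets off;
  ssl_ecdh_curve auto;

  # OCSP stapling; the resolver below is only used to reach the OCSP responder.
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 80.67.188.188 80.67.169.40 valid=300s;
  resolver_timeout 10s;

  # Browser hardening headers. Any add_header placed inside a location block
  # would replace (not extend) this set for that location, so keep them here.
  add_header X-XSS-Protection "1; mode=block"; # legacy XSS filter (Cross-site scripting)
  add_header X-Frame-Options "SAMEORIGIN" always; # clickjacking
  add_header X-Content-Type-Options nosniff; # MIME-type sniffing
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

  root /var/www/html;
  # "_" additionally makes this block the catch-all for unmatched Host names.
  server_name _;
  autoindex off;

  index pihole/index.php index.php index.html index.htm;

  # Block page and static files: unauthenticated, cached as long as possible.
  location / {
    expires max;
    try_files $uri $uri/ =404;
  }

  # Every .php request goes to php-fpm and requires Basic Auth.
  location ~ \.php$ {
    # Only hand php-fpm scripts that actually exist on disk; otherwise a URI
    # whose trailing ".php" segment is not a real file could still reach the
    # interpreter (the cgi.fix_pathinfo pitfall). Returning 404 here closes it.
    try_files $uri =404;
    include fastcgi_params;
    # $fastcgi_script_name already starts with "/", so no separator is needed.
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    fastcgi_param FQDN true;
    auth_basic "Restricted"; # For Basic Auth
    auth_basic_user_file /etc/nginx/.htpasswd; # For Basic Auth
  }

  # NOTE(review): this is a prefix location, so it only matches URIs that
  # literally begin with "/*.js" — it is not a glob over .js files. Left as
  # written; a regex location (~ \.js$) would be needed for that behaviour.
  location /*.js {
    index pihole/index.js;
    auth_basic "Restricted"; # For Basic Auth
    auth_basic_user_file /etc/nginx/.htpasswd; # For Basic Auth
  }

  # Admin UI: Basic Auth in front of Pi-hole's own login (set via `pihole -a -p`).
  location /admin {
    root /var/www/html;
    index index.php index.html index.htm;
    auth_basic "Restricted"; # For Basic Auth
    auth_basic_user_file /etc/nginx/.htpasswd; # For Basic Auth
  }

  # Never serve .htaccess/.htpasswd-style files, even if placed under root.
  location ~ /\.ht {
    deny all;
  }
}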
|
|
|
|
:wq
|
|
|
|
[ nowhere.yt ] [ /dev/pts/2 ] [~]
|
|
→ nginx -t
|
|
nginx: [emerg] cannot load certificate "/root/.acme.sh/ns1.void.yt/fullchain.cer": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/root/.acme.sh/ns1.void.yt/fullchain.cer','r') error:2006D080:BIO routines:BIO_new_file:no such file)
|
|
nginx: configuration file /etc/nginx/nginx.conf test failed
|
|
|
|
[ nowhere.yt ] [ /dev/pts/2 ] [~]
|
|
→ wget -O - https://get.acme.sh | sh
|
|
|
|
[ nowhere.yt ] [ /dev/pts/2 ] [~]
|
|
→ zsh
|
|
|
|
[ nowhere.yt ] [ /dev/pts/2 ] [~]
|
|
→ acme.sh --set-default-ca --server letsencrypt
|
|
[Sun 03 Apr 2022 09:05:46 AM UTC] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
|
|
|
|
[ ns2.void.yt ] [ /dev/pts/0 ] [~]
|
|
→ systemctl stop nginx
|
|
|
|
[ nowhere.yt ] [ /dev/pts/2 ] [~]
|
|
→ acme.sh --issue --standalone -d ns1.void.yt -k 4096
|
|
|
|
[ nowhere.yt ] [ /dev/pts/2 ] [~]
|
|
→ nginx -t
|
|
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
|
|
nginx: configuration file /etc/nginx/nginx.conf test is successful
|
|
|
|
[ nowhere.yt ] [ /dev/pts/2 ] [~]
|
|
→ systemctl start nginx
|
|
|
|
[ nowhere.yt ] [ /dev/pts/2 ] [~]
|
|
→ htpasswd -c /etc/nginx/.htpasswd nothing
|
|
New password:
|
|
Re-type new password:
|
|
Adding password for user nothing
|
|
|
|
|
|
|
|
Then we make pihole update automatically every day via a cron job, and test it:
|
|
|
|
|
|
[ ns2.void.yt ] [ /dev/pts/0 ] [~]
|
|
→ crontab -e
|
|
|
|
# 00:00 daily: check for and apply Pi-hole core / web interface / FTL updates
0 0 * * * /usr/local/bin/pihole -up
|
|
# 00:00 daily: refresh the gravity blocklist database
# NOTE(review): both jobs start in the same minute; confirm they do not
# contend with each other (stagger the second one if they do).
0 0 * * * /usr/local/bin/pihole -g
|
|
:wq
|
|
|
|
[ ns2.void.yt ] [ /dev/pts/0 ] [~]
|
|
→ wget https://github.com/cronitorio/cronitor-cli/releases/download/28.8/linux_amd64.tar.gz -q
|
|
|
|
[ ns2.void.yt ] [ /dev/pts/0 ] [~]
|
|
→ sudo tar xvf linux_amd64.tar.gz -C /usr/bin/
|
|
cronitor
|
|
|
|
[ ns2.void.yt ] [ /dev/pts/0 ] [~]
|
|
→ sudo cronitor configure --api-key 1234567890
|
|
|
|
Configuration File:
|
|
/etc/cronitor/cronitor.json
|
|
|
|
Version:
|
|
28.8
|
|
|
|
API Key:
|
|
1234567890
|
|
|
|
Ping API Key:
|
|
Not Set
|
|
|
|
Environment:
|
|
Not Set
|
|
|
|
Hostname:
|
|
ns2
|
|
|
|
Timezone Location:
|
|
{Etc/UTC}
|
|
|
|
Debug Log:
|
|
Off
|
|
|
|
[ ns2.void.yt ] [ /dev/pts/0 ] [~]
|
|
→ cronitor select
|
|
|
|
✔ /usr/local/bin/pihole -up
|
|
----► Running command: /usr/local/bin/pihole -up
|
|
|
|
[✓] Update local cache of available packages
|
|
[i] Existing PHP installation detected : PHP version 7.4.28
|
|
[✓] Checking for git
|
|
[✓] Checking for iproute2
|
|
[✓] Checking for whiptail
|
|
[✓] Checking for ca-certificates
|
|
|
|
[i] Checking for updates...
|
|
[i] Pi-hole Core: up to date
|
|
[i] Web Interface: up to date
|
|
[i] FTL: up to date
|
|
|
|
[✓] Everything is up to date!
|
|
|
|
----► ✔ Command successful Elapsed time 3.345s
|
|
|
|
|
|
|
|
If you want to host a public pihole, then you need to tick the following option:
|
|
|
|

|
|
|