PiHole for Friends and Family

brandon220

Fedora 26 here too. No issues at all.

Romo

@scottalanmiller said in PiHole for Friends and Family:

@romo use Ubuntu

Script updated, automatic rule creation and deletion in Ubuntu working properly. Working on Fedora and firewalld next.

NashBrydges

@romo This is f'ing brilliant! The downside is that now I HAVE to try this on Vultr. Anyone have a script to add more hours in the day?

Btw, what's your frequency for running this in cron? Every 5 mins? 15mins?

Alex Sage

@romo thanks!

Alex Sage

@nashbrydges it is very nice indeed

Alex Sage

@romo I love your script! Thank you so much! Sorry I didn’t reply before somehow I missed your post

Can you make this so I can set whatever ports I want? In the example I gave before I just wanted to do DNS but now my mind is spinning with other ideas

NashBrydges

Now that I'll be testing Romo's script, I don't need to use VPN and I'd like to setup the admin page behind Nginx. Found a tutorial that allows admin page access using Nginx as a proxy but I can't get the HTTPS redirect to work right.

https://github.com/pi-hole/pi-hole/wiki/Nginx-Configuration

Anyone have a working Nginx config with HTTPS redirect for this?

Found this that shows how to setup Let's Encrypt with lighttpd but don't know enough to set it up for other proper security headers.

http://www.itzgeek.com/how-tos/linux/how-to-configure-lets-encrypt-ssl-in-lighttpd-server.html

Alex Sage

@nashbrydges said in PiHole for Friends and Family:

Now that I'll be testing Romo's script, I don't need to use VPN and I'd like to setup the admin page behind Nginx. Found a tutorial that allows admin page access using Nginx as a proxy but I can't get the HTTPS redirect to work right.

https://github.com/pi-hole/pi-hole/wiki/Nginx-Configuration

Anyone have a working Nginx config with HTTPS redirect for this?

Check out this

https://mangolassi.it/topic/6905/setting-up-nginx-on-centos-7-as-a-reverse-proxy

Alex Sage

@nashbrydges Also, take a look at this for SSL

https://mangolassi.it/topic/7127/setting-up-letsencrypt-on-a-centos-7-nginx-proxy

Alex Sage

@nashbrydges this is a prefect case for containers. One container for PiHole, One container for NGINX, and one container for OpenVPN for Mobile Devices

NashBrydges

@aaronstuder Yeah, I've easily got Nginx running with standard sites on Apache for example but in this case, I think the complexity comes from the HTTPS redirect and the fact that lighttpd syntax is different and I've not used it.

Alex Sage

@nashbrydges Maybe I am confused? Why are you using lighttpd? Are you setting up NGINX as a reverse proxy?

NashBrydges

@aaronstuder That's the web server installed by default with the Pi-hole script for the admin page. Nginx would serve as the proxy.

Alex Sage

@nashbrydges Oh, are you trying to use NGINX on the same system as PiHole.

NashBrydges

@aaronstuder I have a separate instance running Nginx but regardless, why would you not recommend on same server? I see no reason why that would be a problem.

black3dynamite

@nashbrydges said in PiHole for Friends and Family:

Now that I'll be testing Romo's script, I don't need to use VPN and I'd like to setup the admin page behind Nginx. Found a tutorial that allows admin page access using Nginx as a proxy but I can't get the HTTPS redirect to work right.

https://github.com/pi-hole/pi-hole/wiki/Nginx-Configuration

Anyone have a working Nginx config with HTTPS redirect for this?

Found this that shows how to setup Let's Encrypt with lighttpd but don't know enough to set it up for other proper security headers.

http://www.itzgeek.com/how-tos/linux/how-to-configure-lets-encrypt-ssl-in-lighttpd-server.html

I've only got it working with nginx http.

upstream adblock {
        server 10.0.0.3:80;
}

server {
        client_max_body_size 40M;
        listen 80;

        server_name adblock.domain.com;

        location /admin {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://adblock;
                proxy_redirect off;
                proxy_connect_timeout 600;
                proxy_send_timeout 600;
                proxy_read_timeout 600;
                send_timeout 600;
        }
}

Romo

@nashbrydges Haven't set the script to run via cron yet. It is still is printing some strings to stdout while I fully complete it, plan to add a log file and redirect the output to it.

I'll focuse on finishing it properly for Ubuntu so you can properly test it.

Romo

But if you want to test is manually, I think is is working properly.

# Starting from empty firewall
~/scripts/python$ sudo ufw status
Status: active

#Running script for the first time
~/scripts/python$ sudo python dns-to-ip-firewall-rules.py 

Adding to firewall
mangolassi.it - 104.25.46.32

Adding to firewall
google.com - 172.217.12.78

Adding to firewall
theverge.com - 151.101.65.52

# Checking to see if rules were created.
~/scripts/python$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
53                         ALLOW       104.25.46.32              
53                         ALLOW       172.217.12.78             
53                         ALLOW       151.101.65.52  

# Running script againg to check for ip changes.
~/scripts/python$ sudo python dns-to-ip-firewall-rules.py 

Same ip address nothing to do
mangolassi.it - 104.25.46.32

Same ip address nothing to do
google.com - 172.217.12.78

Adding theverge.com ip 151.101.129.52 - removing 151.101.65.52
theverge.com - 151.101.129.52

# Verifying ip changes are added to the firewall, and old ip are removed.
~/scripts/python$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
53                         ALLOW       104.25.46.32              
53                         ALLOW       172.217.12.78             
53                         ALLOW       151.101.129.52 

At least for dns and Ubuntu I think it does want @aaronstuder asked for originally. The idea of custom ports could be done as well, probably just adding a list of ports you wish to open for each domain.

Romo

@aaronstuder said in PiHole for Friends and Family:

@romo I love your script! Thank you so much! Sorry I didn’t reply before somehow I missed your post

Can you make this so I can set whatever ports I want? In the example I gave before I just wanted to do DNS but now my mind is spinning with other ideas

@aaronstuder Different ports per domain or just add a list of custom ports for all domains?

Alex Sage

@romo said in PiHole for Friends and Family:

@aaronstuder said in PiHole for Friends and Family:

@romo I love your script! Thank you so much! Sorry I didn’t reply before somehow I missed your post

Can you make this so I can set whatever ports I want? In the example I gave before I just wanted to do DNS but now my mind is spinning with other ideas

@aaronstuder Different ports per domain or just add a list of custom ports for all domains?

@Romo Same ports all domains, but then then maybe allowing all ports since we are restricting by IP address already.

Seems like:

sudo ufw allow from 123.45.67.89

Would work?