pi-hole / docker-pi-hole

Pi-hole in a docker container
https://pi-hole.net

How to use HTTPS? Problem running "docker-compose-nginx-proxy.yml" ... #926

Closed xanoni closed 2 years ago

xanoni commented 3 years ago

This is a: Run Issue

Details

I'm trying to expose the web interface via HTTPS by running "docker-compose-nginx-proxy.yml" instead of the "docker-compose.yml.example".

$ curl -vk https://127.0.0.1:443
*   Trying 127.0.0.1:443...
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 127.0.0.1:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 127.0.0.1:443

Unfortunately that doesn't work, I can only connect to Port 80. Is any extra configuration required beyond what's mentioned in the .yml?

How to reproduce the issue

  1. Environment data

    • Operating System: Bullseye
    • Hardware: RPi4B
    • Kernel Architecture: arm64
    • Docker Install Info and version:
    • Software source: official docker-ce,
    • Supplementary Software:
    • Hardware architecture: arm64
  2. docker-compose.yml contents, docker run shell command, or paste a screenshot of any UI based configuration of containers here

docker-compose up -d

version: "3"
services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy
    ports:
      - '80:80'
    environment:
      DEFAULT_HOST: servername.lan
    volumes:
      - '/var/run/docker.sock:/tmp/docker.sock'
    restart: always

  pihole:
    image: pihole/pihole:2021.10
    ports:
      - '53:53/tcp'
      - '53:53/udp'
      - '67:67/udp'
      - '8053:80/tcp'
      - "443:443/tcp"
    environment:
      TZ: 'Europe/Lisbon'
      WEBPASSWORD: 'xyz'
      ServerIP: 192.168.13.37
      ADMIN_EMAIL: 'foo@bar.com'
      PIHOLE_DOMAIN: 'lan'
      DNSSEC: 'true'
      DHCP_ACTIVE: 'false'
      ServerIPv6: fe80::xxxx:xxxx:xxxx:xxx
      PROXY_LOCATION: pihole
      VIRTUAL_HOST: servername.lan
      VIRTUAL_PORT: 80
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
      - './var-log/pihole.log:/var/log/pihole.log'
    cap_add:
      - NET_ADMIN
    restart: always
  3. any additional info to help reproduce


PromoFaux commented 3 years ago

I actually have no idea how that config is supposed to work - I've never used it myself - but there is nothing inside the pihole/pihole container listening for https requests.

I think we're probably better off deleting this file - unless someone can explain to me how it works.

xanoni commented 3 years ago

there is nothing inside the pihole/pihole container listening for https requests.

Ha I noticed that too but assumed docker-compose was doing some magic to have it connect anyway ....

What is the least painful way to make it work with HTTPS? I run one in a WiFi network that I don't fully trust.

xanoni commented 3 years ago

I've just found this statement here from @PromoFaux

https://github.com/pi-hole/docker-pi-hole/issues/755#issuecomment-835774149

Official stance:

There is no need to expose the Pi-hole web interface to the public internet.

If you do need to access it remotely - use a VPN.

However, this assumes that the local network can be fully trusted. That's an assumption that I don't want to make, thus HTTPS would be useful.

PromoFaux commented 3 years ago

Setting up a reverse proxy is probably your best bet. I guess that is what this example is trying to do, but I don't really understand how it is set up.

You can use something like traefik or Caddy to achieve this
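As an added example (not a file from the docker-pi-hole repository and not code posted in this thread), here is the shape a reverse-proxy setup takes when the proxy, rather than the Pi-hole container, terminates TLS. It keeps the nginx-proxy image from the configuration posted above: the `443:443` mapping moves to the proxy service, the Pi-hole web server stays HTTP-only and is no longer published on the host at all, and the two containers talk over a private compose network. The hostname `servername.lan`, the `./certs` directory and the certificate file names are assumptions; the cert is expected to be self-signed or issued by a private CA that the LAN clients trust, since a public CA will not issue for a `.lan` name.

```yaml
# Added example, not the project's own compose file.
# Assumptions: servername.lan is the admin hostname, and ./certs holds
# servername.lan.crt and servername.lan.key (self-signed or private CA).
version: "3"
services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy
    ports:
      - '80:80'
      - '443:443'          # TLS terminates here; nothing in pihole listens on 443
    environment:
      DEFAULT_HOST: servername.lan
      HTTPS_METHOD: redirect   # plain-HTTP clients get a redirect to https
    volumes:
      # read-only: the Docker socket is root-equivalent on the host,
      # so the proxy should get no more than the listing access it needs
      - '/var/run/docker.sock:/tmp/docker.sock:ro'
      # nginx-proxy looks up <VIRTUAL_HOST>.crt / <VIRTUAL_HOST>.key here
      - './certs:/etc/nginx/certs:ro'
    networks:
      - proxy
    restart: always

  pihole:
    image: pihole/pihole:2021.10
    ports:
      - '53:53/tcp'
      - '53:53/udp'
      - '67:67/udp'
      # no 8053:80 and no 443:443 here: the admin UI is reachable
      # only through nginx-proxy on the private "proxy" network
    environment:
      TZ: 'Europe/Lisbon'
      WEBPASSWORD: 'xyz'
      ServerIP: 192.168.13.37
      PIHOLE_DOMAIN: 'lan'
      DNSSEC: 'true'
      DHCP_ACTIVE: 'false'
      VIRTUAL_HOST: servername.lan   # must match the cert file names above
      VIRTUAL_PORT: 80               # lighttpd inside the container
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    cap_add:
      - NET_ADMIN
    networks:
      - proxy
    restart: always

networks:
  proxy:
```

Two checks are worth doing after `docker-compose up -d`: `curl -vk --resolve servername.lan:443:127.0.0.1 https://servername.lan/admin/` should now complete a handshake (the earlier `SSL_ERROR_SYSCALL` came from the host forwarding 443 into a container with no listener), and `docker port pihole` should show only the DNS/DHCP ports, confirming the web UI is not reachable without going through the proxy. The proxy still needs the Docker socket to discover `VIRTUAL_HOST` labels, so on a network you do not trust, treat the nginx-proxy container as holding host-root-equivalent access and keep its image pinned and updated.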

xanoni commented 3 years ago

Why not make it the default? Too much overhead?

xanoni commented 3 years ago

For what it's worth, I just set the Pi-hole up as a Tor hidden service and that was super painless... just had to add the 2 lines (+ client auth) to torrc and change the VIRTUAL_HOST and VIRTUAL_PORT variables in docker_compose.yml to the .onion domain.

It's obviously not super performant, but probably the safest way to access it remotely. Doesn't solve my local network concerns, though, unless I want to use Tor also locally (which is a possibility ... it's not THAT bad).

Is it possible to define more than one VIRTUAL_HOST / VIRTUAL_PORT?

PromoFaux commented 3 years ago

You could try this, obviously you'll need to do some volume/file mounting for /var/lighttpd/external.conf

https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771

Keep in mind this isn't an "official" guide, and we can't guarantee it will always be compatible (e.g version 6.0 will remove lighttpd as the web server)

xanoni commented 3 years ago

Thank you @PromoFaux ... I haven't gotten to it yet but it's on the TODO list ... will report back once I get to it.

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 30 days with no activity. Please comment or update this issue or it will be closed in 5 days.