pi-hole/advanced/pihole-admin.conf

# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Lighttpd config for Pi-hole
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.

###############################################################################
#     FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE.     #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
###############################################################################

server.errorlog := "/var/log/lighttpd/error-pihole.log"

$HTTP["url"] =~ "^/admin/" {
    server.document-root = "/var/www/html"
    server.stream-response-body = 1
    accesslog.filename = "/var/log/lighttpd/access-pihole.log"
    accesslog.format = "%{%s}t|%h|%V|%r|%s|%b"

    fastcgi.server = (
        ".php" => (
            "localhost" => (
                "socket" => "/run/lighttpd/pihole-php-fastcgi.socket",
                "bin-path" => "/usr/bin/php-cgi",
                "min-procs" => 1,
                "max-procs" => 1,
                "bin-environment" => (
                    "PHP_FCGI_CHILDREN" => "4",
                    "PHP_FCGI_MAX_REQUESTS" => "10000",
                ),
                "bin-copy-environment" => (
                    "PATH", "SHELL", "USER"
                ),
                "broken-scriptfilename" => "enable",
            )
        )
    )

    # X-Pi-hole is a response header for debugging using curl -I
    # X-Frame-Options prevents clickjacking attacks and helps ensure your content is not embedded into other sites via < frame >, < iframe > or < object >.
    # X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. This is important because it tells the browser to block the response if a malicious script has been inserted from a user input. (deprecated; disabled)
    # X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This is important because the browser will only load external resources if their content-type matches what is expected, and not malicious hidden code.
    # Content-Security-Policy tells the browser where resources are allowed to be loaded and if it’s allowed to parse/run inline styles or Javascript. This is important because it prevents content injection attacks, such as Cross Site Scripting (XSS).
    # X-Permitted-Cross-Domain-Policies is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.
    # Referrer-Policy allows control/restriction of the amount of information present in the referral header for links away from your page—the URL path or even if the header is sent at all.
    setenv.add-response-header = (
        "X-Pi-hole" => "The Pi-hole Web interface is working!",
        "X-Frame-Options" => "DENY",
        "X-XSS-Protection" => "0",
        "X-Content-Type-Options" => "nosniff",
        "Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
        "X-Permitted-Cross-Domain-Policies" => "none",
        "Referrer-Policy" => "same-origin"
    )

    # Block . files from being served, such as .git, .github, .gitignore
    $HTTP["url"] =~ "^/admin/\." {
        url.access-deny = ("")
    }

    # allow teleporter and API qr code iframe on settings page
    $HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
        $HTTP["referer"] =~ "/admin/settings\.php" {
            setenv.set-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
        }
    }
}
else $HTTP["url"] == "/admin" {
    url.redirect = ("" => "/admin/")
}

$HTTP["host"] == "pi.hole" {
    $HTTP["url"] == "/" {
        url.redirect = ("" => "/admin/")
    }
}

# (keep this on one line for basic-install.sh filtering during install)
server.modules += ( "mod_access", "mod_accesslog", "mod_redirect", "mod_fastcgi", "mod_setenv" )
-												lighttpd pihole-admin.conf for admin interface

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>

											
										
										
											2022-12-15 03:18:04 +01:00
+								# Pi-hole: A black hole for Internet advertisements
 								# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
 								# Network-wide ad blocking via your own hardware.
 								#
 								# Lighttpd config for Pi-hole
 								#
 								# This file is copyright under the latest version of the EUPL.
 								# Please see LICENSE file for your rights under this license.
 								###############################################################################
 								#     FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE.     #
 								# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
 								###############################################################################
-												Adding errorlog and accesslog options

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>

											
										
										
											2023-01-10 19:57:20 +01:00
+								server.errorlog := "/var/log/lighttpd/error-pihole.log"
-												lighttpd pihole-admin.conf for admin interface

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>

											
										
										
											2022-12-15 03:18:04 +01:00
+								$HTTP["url"] =~ "^/admin/" {
 								    server.document-root = "/var/www/html"
 								    server.stream-response-body = 1
-												Adding errorlog and accesslog options

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>

											
										
										
											2023-01-10 19:57:20 +01:00
+								    accesslog.filename = "/var/log/lighttpd/access-pihole.log"
 								    accesslog.format = "%{%s}t|%h|%V|%r|%s|%b"
-												Remove duplicated `fastcgi.server` config

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>

											
										
										
											2023-01-03 21:07:34 +01:00
-												lighttpd pihole-admin.conf for admin interface

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>

											
										
										
											2022-12-15 03:18:04 +01:00
+								    fastcgi.server = (
 								        ".php" => (
 								            "localhost" => (
-												change socket path back to /run/lighttpd/* - possibly causing issues https://github.com/pi-hole/pi-hole/issues/5131

Signed-off-by: Adam Warner <me@adamwarner.co.uk>

											
										
										
											2023-01-21 18:42:32 +01:00
+								                "socket" => "/run/lighttpd/pihole-php-fastcgi.socket",
-												lighttpd pihole-admin.conf for admin interface

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>

											
										
										
											2022-12-15 03:18:04 +01:00
+								                "bin-path" => "/usr/bin/php-cgi",
-												Change `min_procs` value to `1`

The original configuration used the default `min_procs=<max_procs_value>`.
A recent change set this value to zero, but a lot of systems started to
receive error messages about the socket file and in some systems lighttpd
wasn't able to restart the PHP process, returning HTTP error 503.
Setting this to 1 fixed those errors.

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>

											
										
										
											2023-01-25 18:35:57 +01:00
+								                "min-procs" => 1,
-												lighttpd pihole-admin.conf for admin interface

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>

											
										
										
											2022-12-15 03:18:04 +01:00
+								                "max-procs" => 1,
-												Remove duplicated `fastcgi.server` config

Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>

											
										
										
											2023-01-03 21:07:34 +01:00
+								                "bin-environment" => (
 								                    "PHP_FCGI_CHILDREN" => "4",
 								                    "PHP_FCGI_MAX_REQUESTS" => "10000",
 								                ),
 								                "bin-copy-environment" => (
 								                    "PATH", "SHELL", "USER"
 								                ),
 								                "broken-scriptfilename" => "enable",
-												lighttpd pihole-admin.conf for admin interface

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>

											
										
										
											2022-12-15 03:18:04 +01:00
+								            )
 								        )
 								    )
 								    # X-Pi-hole is a response header for debugging using curl -I
 								    # X-Frame-Options prevents clickjacking attacks and helps ensure your content is not embedded into other sites via < frame >, < iframe > or < object >.
 								    # X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. This is important because it tells the browser to block the response if a malicious script has been inserted from a user input. (deprecated; disabled)
 								    # X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This is important because the browser will only load external resources if their content-type matches what is expected, and not malicious hidden code.
 								    # Content-Security-Policy tells the browser where resources are allowed to be loaded and if it’s allowed to parse/run inline styles or Javascript. This is important because it prevents content injection attacks, such as Cross Site Scripting (XSS).
 								    # X-Permitted-Cross-Domain-Policies is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.
 								    # Referrer-Policy allows control/restriction of the amount of information present in the referral header for links away from your page—the URL path or even if the header is sent at all.
 								    setenv.add-response-header = (
 								        "X-Pi-hole" => "The Pi-hole Web interface is working!",
 								        "X-Frame-Options" => "DENY",
 								        "X-XSS-Protection" => "0",
 								        "X-Content-Type-Options" => "nosniff",
 								        "Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
 								        "X-Permitted-Cross-Domain-Policies" => "none",
 								        "Referrer-Policy" => "same-origin"
 								    )
 								    # Block . files from being served, such as .git, .github, .gitignore
 								    $HTTP["url"] =~ "^/admin/\." {
 								        url.access-deny = ("")
 								    }
 								    # allow teleporter and API qr code iframe on settings page
 								    $HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
 								        $HTTP["referer"] =~ "/admin/settings\.php" {
 								            setenv.set-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
 								        }
 								    }
 								}
 								else $HTTP["url"] == "/admin" {
 								    url.redirect = ("" => "/admin/")
 								}
 								$HTTP["host"] == "pi.hole" {
 								    $HTTP["url"] == "/" {
 								        url.redirect = ("" => "/admin/")
 								    }
 								}
-												lighttpd: do not overwrite /etc/lighttpd/lighttpd.conf

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>

											
										
										
											2022-12-19 08:52:29 +01:00
+								# (keep this on one line for basic-install.sh filtering during install)
-												mod_accesslog was ommited from the list of server modules, which causes a warning to be flashed up in the error log. Enabling this

Signed-off-by: Adam Warner <me@adamwarner.co.uk>

											
										
										
											2023-01-16 12:03:21 +01:00
+								server.modules += ( "mod_access", "mod_accesslog", "mod_redirect", "mod_fastcgi", "mod_setenv" )