The goal of this project was to set up a Raspberry Pi as a central DNS server for the home network using Pi-hole. The Pi-hole admin web interface should only be accessible via HTTPS through an Apache2 reverse proxy, while DNS requests are handled directly by Pi-hole. Encryption is provided by a self-signed ECC certificate.
Added pihole-user to the docker group:
sudo usermod -aG docker pihole-user
Compose file:
services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    network_mode: "host"
    environment:
      - TZ=${TZ}
      - ServerIP=${SERVER_IP}
      - DNSMASQ_LISTENING=${DNSMASQ_LISTENING}
      - FTLCONF_dns_upstreams=192.168.178.1
      - FTLCONF_webserver_port=${WEB_PORT}
      - FTLCONF_webserver_bind=${FTLCONF_webserver_bind}
      - FTLCONF_webserver_ssl_enabled=${FTLCONF_webserver_ssl_enabled}
      - FTLCONF_webserver_api_password=${FTLCONF_webserver_api_password}
    volumes:
      - ./etc-pihole:/etc/pihole
      - ./etc-dnsmasq.d:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
docker compose up -d
Generated the self-signed ECC certificate:
sudo mkdir -p /etc/ssl/pihole
sudo openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
-sha384 -days 825 -nodes \
-keyout /etc/ssl/pihole/pihole.key \
-out /etc/ssl/pihole/pihole.crt \
-subj "/CN=raspi4-8gb"
sudo chmod 600 /etc/ssl/pihole/pihole.key
Created a vHost:
<VirtualHost *:80>
    ServerName raspi4-8gb
    RewriteEngine On
    RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>
# HTTPS reverse proxy to Pi-hole FTL (listening on 127.0.0.1:8080)
<VirtualHost *:443>
    ServerName raspi4-8gb
    SSLEngine on
    SSLCertificateFile /etc/ssl/pihole/pihole.crt
    SSLCertificateKeyFile /etc/ssl/pihole/pihole.key
    # Enable HSTS only once everything is working:
    # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    ErrorLog ${APACHE_LOG_DIR}/pihole_error.log
    CustomLog ${APACHE_LOG_DIR}/pihole_access.log combined
</VirtualHost>
Enabled it:
sudo a2ensite pihole.conf
sudo systemctl reload apache2
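The security properties of the vHost above (HTTP redirects to HTTPS, TLS enabled, forwarded-proto header set, HSTS present, and the proxy target kept on loopback so the admin UI has no plaintext path around Apache) can be checked mechanically before reloading. The following linter is an added example, not part of this write-up or of Pi-hole or Apache; the embedded config is a constructed copy of the two vHosts with HSTS still commented out, and the check names are my own.

```python
import re

# Constructed sample: the two vHosts from the write-up, HSTS still commented out.
VHOST_CONF = """\
<VirtualHost *:80>
    ServerName raspi4-8gb
    RewriteEngine On
    RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName raspi4-8gb
    SSLEngine on
    SSLCertificateFile /etc/ssl/pihole/pihole.crt
    SSLCertificateKeyFile /etc/ssl/pihole/pihole.key
    # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
"""

LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

def split_vhosts(conf):
    """Yield (port, active directive lines) per <VirtualHost>; comments are dropped."""
    out = []
    for m in re.finditer(r"<VirtualHost\s+\S+?:(\d+)>(.*?)</VirtualHost>", conf, re.S):
        lines = [l.strip() for l in m.group(2).splitlines()]
        out.append((int(m.group(1)), [l for l in lines if l and not l.startswith("#")]))
    return out

def check_vhosts(conf):
    """Lint the reverse-proxy config; returns a list of findings (empty means all checks pass)."""
    findings = []
    for port, lines in split_vhosts(conf):
        text = "\n".join(lines)
        if port == 80:  # plain-HTTP vHost must only redirect to HTTPS
            if not re.search(r"^(RewriteRule|Redirect).*https://", text, re.M):
                findings.append("port 80: no redirect to HTTPS")
            continue
        if "SSLEngine on" not in lines:
            findings.append(f"port {port}: SSLEngine not enabled")
        if not re.search(r"^Header always set Strict-Transport-Security", text, re.M):
            findings.append(f"port {port}: HSTS header missing or commented out")
        if not re.search(r'^RequestHeader set X-Forwarded-Proto "https"', text, re.M):
            findings.append(f"port {port}: X-Forwarded-Proto not set")
        for m in re.finditer(r"^ProxyPass(?:Reverse)?\s+\S+\s+https?://(\[[^\]]+\]|[^/:]+)", text, re.M):
            if m.group(1) not in LOOPBACK:  # backend reachable without TLS termination
                findings.append(f"port {port}: proxy target {m.group(1)} is not loopback")
    return findings
```

Uncommenting the HSTS line clears the only finding for the config as written; pointing ProxyPass at a LAN address instead of 127.0.0.1 is flagged because it means FTL's web server is answering on an interface other clients can reach directly.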