# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Lighttpd config for Pi-hole
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.
###############################################################################
# FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE. #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
# #
# CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE: #
# /etc/lighttpd/external.conf #
###############################################################################
# Modules loaded for the Pi-hole web server. lighttpd runs module hooks in
# list order, so keep this order unless you know why you are changing it.
# PHP handling (mod_fastcgi/mod_cgi) is not configured in this file; it is
# presumably supplied by one of the conf-enabled/*.conf files included below.
server.modules = (
"mod_access",     # url.access-deny rules (backup/include/config/dot files)
"mod_accesslog",  # accesslog.* settings below
"mod_auth",       # nothing in this file configures auth.*; available to external.conf
"mod_expire",     # expire.url at the end of this file (disables caching)
"mod_redirect",   # no url.redirect rules in this file; available to external.conf
"mod_setenv",     # security response headers under /admin
"mod_rewrite"     # no url.rewrite rules in this file; available to external.conf
)
# Web root. The admin interface is served from /admin and the block page
# from /pihole underneath it (see the rules further down).
server.document-root = "/var/www/html"
# Every 404 is handed to the Pi-hole block page. This is set at global scope,
# so it fires for any unknown path on any Host header, not only for blocked
# domains - the handler behind /pihole/index.php must therefore be safe to
# reach with arbitrary Host and URL values.
server.error-handler-404 = "/pihole/index.php"
# Scratch space for request bodies; presumably must be writable by server.username.
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
# Pi-hole keeps its own log files rather than the distribution defaults.
server.errorlog = "/var/log/lighttpd/error-pihole.log"
server.pid-file = "/run/lighttpd.pid"
# lighttpd switches to this unprivileged user/group after startup; config
# parsing (including the include_shell commands below) happens before that.
server.username = "www-data"
server.groupname = "www-data"
# For lighttpd version 1.4.46 or above, the port can be overwritten in `/etc/lighttpd/external.conf` using the := operator
# e.g. server.port := 8000
# Plain HTTP only: nothing in this file enables ssl.engine, so admin
# credentials cross the network in cleartext. If the admin interface is
# reachable beyond a trusted LAN, configure TLS in external.conf.
server.port = 80
# One line per request: epoch seconds|vhost|request line|status|bytes sent.
# %r is the full request line, so any secret passed as a query parameter is
# written to this file - restrict its permissions accordingly.
accesslog.filename = "/var/log/lighttpd/access-pihole.log"
accesslog.format = "%{%s}t|%V|%r|%s|%b"
# Allow streaming response
# reference: https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_stream-response-bodyDetails
# 1 = forward the backend's response to the client as it is produced instead
# of buffering the whole body first (presumably for admin pages that emit
# progress output while they run).
server.stream-response-body = 1
# Left disabled/commented; only relevant once TLS is configured.
#ssl.read-ahead = "disable"
index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
# mod_access: deny any URL that ENDS with one of these strings. This is a
# trailing-string match, not a glob: "~" catches editor backup copies
# (foo.php~), and .inc/.md/.yml/.ini keep include files, docs and config
# out of the web root. It does not cover dot-directories such as
# /admin/.git/config (".git" is not a suffix there) - those are handled by the
# ^/admin/\. rule further down. Add other non-web artefacts you ship here
# (e.g. ".sh", ".sql", ".bak", ".env") if they live under the document root.
url.access-deny = ( "~", ".inc", ".md", ".yml", ".ini" )
# Never serve these as static files: if no handler claims them lighttpd
# returns 403 instead of leaking the script source.
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
2015-10-17 17:04:49 +00:00
2020-05-19 08:09:51 +00:00
# Explicit MIME map for the asset types the admin interface ships. Only listed
# extensions get a Content-Type; check your lighttpd version for what an
# unlisted extension is served as. Together with X-Content-Type-Options:
# nosniff (set under /admin below) this means a file must carry the right
# declared type to be used as script or style - the intended fail-safe.
# Note that SVG is an active format (it may contain script), so only ship
# trusted SVGs under the web root.
mimetype.assign = (
".ico" => "image/x-icon",
".jpeg" => "image/jpeg",
".jpg" => "image/jpeg",
".png" => "image/png",
".svg" => "image/svg+xml",
".css" => "text/css; charset=utf-8",
".html" => "text/html; charset=utf-8",
".js" => "text/javascript; charset=utf-8",
".json" => "application/json; charset=utf-8",
".map" => "application/json; charset=utf-8",
".txt" => "text/plain; charset=utf-8",
".eot" => "application/vnd.ms-fontobject",
".otf" => "font/otf",
".ttc" => "font/collection",
".ttf" => "font/ttf",
".woff" => "font/woff",
".woff2" => "font/woff2"
)
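# Add user chosen options held in external file
# This uses include_shell instead of an include wildcard for compatibility
# (presumably older lighttpd builds cannot `include` a file that may be absent).
# The path is absolute so it matches the location documented in the header and
# does not depend on the working directory lighttpd uses when running the shell.
# stderr is discarded on purpose: a missing external.conf is not an error.
# include_shell runs shell during config parsing, i.e. as the user that starts
# lighttpd (typically root) and before privileges are dropped, and the file it
# reads is itself config that may contain further include_shell lines - so
# /etc/lighttpd/external.conf must stay root-owned and not world-writable.
include_shell "cat /etc/lighttpd/external.conf 2>/dev/null"
# default listening port for IPv6 falls back to the IPv4 port
# (the helper emits a $SERVER["socket"] block for [::] on the port given;
# server.port is appended at parse time so an override in external.conf is honoured)
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port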
# Prevent Lighttpd from enabling Let's Encrypt SSL for every blocked domain
# (the stock Debian helper below would also pull in conf-enabled/letsencrypt.conf,
# whose rules would presumably apply to every hostname that resolves to the
# Pi-hole, i.e. every blocked domain).
#include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
# Same effect as the helper above minus letsencrypt.conf: emits one
# `include "<path>"` line per *.conf in conf-enabled (requires GNU find for
# -printf). The generated line is not escaped for the config parser, so a file
# name containing a double quote or newline would break parsing - acceptable
# only because /etc/lighttpd is root-controlled; keep it that way. find's
# output is in directory order, not sorted, so do not rely on the relative
# order of these includes.
include_shell "find /etc/lighttpd/conf-enabled -name '*.conf' -a ! -name 'letsencrypt.conf' -printf 'include \"%p\"\n' 2>/dev/null"
# If the URL starts with /admin, it is the Web interface
$HTTP["url"] =~ "^/admin/" {
# Response headers for the admin interface. lighttpd applies the
# setenv.add-response-header array of the most specific matching condition as
# a whole - a later or nested block that assigns this option replaces this
# list instead of merging with it (that is what lets the teleporter rule below
# swap DENY for SAMEORIGIN without emitting both values).
# X-Pi-hole is a response header for debugging using curl -I
# X-Frame-Options: DENY prevents clickjacking by forbidding any page, including our own origin, from embedding admin pages via <frame>, <iframe> or <object>. It is relaxed to SAMEORIGIN for two settings-page iframes further down.
# X-XSS-Protection: 0 deliberately disables the legacy browser XSS auditor. It has been removed from current browsers and, where still present, can itself be abused to leak page content; the Content-Security-Policy is the real control here.
# X-Content-Type-Options: nosniff stops the browser from MIME-sniffing and forces it to honour the declared Content-Type, so a file cannot be executed as script or style merely because its bytes "look like" one.
# Content-Security-Policy tells the browser where resources may be loaded from. 'self' limits scripts, styles, images etc. to this origin, but 'unsafe-inline' still permits inline <script>/<style>, so this policy blocks injected external resources only - it does not stop reflected inline script. There is no frame-ancestors directive, so X-Frame-Options alone governs framing.
# X-Permitted-Cross-Domain-Policies: none tells Flash/Acrobat-style clients that no cross-domain policy file is offered, so they must not load data from this origin cross-site.
# Referrer-Policy: same-origin sends the Referer header only on same-origin requests, so admin URLs are not leaked to third-party sites while same-origin navigations (which the referer check further down relies on) still carry it.
setenv.add-response-header = (
"X-Pi-hole" => "The Pi-hole Web interface is working!",
"X-Frame-Options" => "DENY",
"X-XSS-Protection" => "0",
"X-Content-Type-Options" => "nosniff",
"Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
"X-Permitted-Cross-Domain-Policies" => "none",
"Referrer-Policy" => "same-origin"
)
}
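# Block dot files and dot directories anywhere under /admin from being served,
# such as /admin/.git/..., /admin/.github/..., /admin/.gitignore. The optional
# "(.*/)?" makes the rule apply to any path segment that starts with ".", not
# only the segment directly after /admin/ (the previous pattern missed dot
# files inside subdirectories). Scope is deliberately limited to /admin: a
# docroot-wide rule would also block /.well-known/..., which the Let's
# Encrypt setup referred to above needs.
$HTTP["url"] =~ "^/admin/(.*/)?\." {
# An empty suffix matches every URL, i.e. deny everything inside this block.
url.access-deny = ("")
}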
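# allow teleporter and API qr code iframe on settings page
$HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
$HTTP["referer"] =~ "/admin/settings\.php" {
# lighttpd applies the add-response-header array of the most specific
# matching condition as a whole; it does not merge it with the ^/admin/ block
# above. Assigning only X-Frame-Options here therefore stripped CSP, nosniff
# and the other headers from these two responses, so the full set is
# repeated with just X-Frame-Options relaxed from DENY to SAMEORIGIN.
# The referer check is a convenience, not a security control: Referer is
# client-controlled and this pattern is not anchored to our own host, but a
# spoofed match only yields SAMEORIGIN, which the browser still enforces
# against the framing page's real origin.
setenv.add-response-header = (
"X-Pi-hole" => "The Pi-hole Web interface is working!",
"X-Frame-Options" => "SAMEORIGIN",
"X-XSS-Protection" => "0",
"X-Content-Type-Options" => "nosniff",
"Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
"X-Permitted-Cross-Domain-Policies" => "none",
"Referrer-Policy" => "same-origin"
)
}
}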
# Default expire header: the empty prefix "" matches every URL, so every
# response (admin pages and block page alike) is sent with cache headers
# that expire immediately. This keeps authenticated admin content out of
# browser and proxy caches at the cost of re-fetching static assets.
expire.url = ( "" => "access plus 0 seconds" )