mirror of
https://github.com/pi-hole/pi-hole.git
synced 2024-12-27 07:12:27 +00:00
some more lighttpd refs (tests can come later)
Signed-off-by: Adam Warner <me@adamwarner.co.uk>
This commit is contained in:
parent
31ee15200d
commit
c520b29326
4 changed files with 26 additions and 273 deletions
|
@ -64,8 +64,6 @@ PIHOLE_SCRIPTS_DIRECTORY="/opt/pihole"
|
||||||
BIN_DIRECTORY="/usr/local/bin"
|
BIN_DIRECTORY="/usr/local/bin"
|
||||||
RUN_DIRECTORY="/run"
|
RUN_DIRECTORY="/run"
|
||||||
LOG_DIRECTORY="/var/log/pihole"
|
LOG_DIRECTORY="/var/log/pihole"
|
||||||
#WEB_SERVER_LOG_DIRECTORY="/var/log/lighttpd" #TODO: FTL access log?
|
|
||||||
#WEB_SERVER_CONFIG_DIRECTORY="/etc/lighttpd" #TODO: FTL access log?
|
|
||||||
HTML_DIRECTORY="/var/www/html"
|
HTML_DIRECTORY="/var/www/html"
|
||||||
WEB_GIT_DIRECTORY="${HTML_DIRECTORY}/admin"
|
WEB_GIT_DIRECTORY="${HTML_DIRECTORY}/admin"
|
||||||
SHM_DIRECTORY="/dev/shm"
|
SHM_DIRECTORY="/dev/shm"
|
||||||
|
@ -75,9 +73,6 @@ ETC="/etc"
|
||||||
# https://discourse.pi-hole.net/t/what-files-does-pi-hole-use/1684
|
# https://discourse.pi-hole.net/t/what-files-does-pi-hole-use/1684
|
||||||
PIHOLE_CRON_FILE="${CRON_D_DIRECTORY}/pihole"
|
PIHOLE_CRON_FILE="${CRON_D_DIRECTORY}/pihole"
|
||||||
|
|
||||||
#WEB_SERVER_CONFIG_FILE="${WEB_SERVER_CONFIG_DIRECTORY}/lighttpd.conf"
|
|
||||||
#WEB_SERVER_CUSTOM_CONFIG_FILE="${WEB_SERVER_CONFIG_DIRECTORY}/external.conf"
|
|
||||||
|
|
||||||
PIHOLE_INSTALL_LOG_FILE="${PIHOLE_DIRECTORY}/install.log"
|
PIHOLE_INSTALL_LOG_FILE="${PIHOLE_DIRECTORY}/install.log"
|
||||||
PIHOLE_RAW_BLOCKLIST_FILES="${PIHOLE_DIRECTORY}/list.*"
|
PIHOLE_RAW_BLOCKLIST_FILES="${PIHOLE_DIRECTORY}/list.*"
|
||||||
PIHOLE_LOCAL_HOSTS_FILE="${PIHOLE_DIRECTORY}/local.list"
|
PIHOLE_LOCAL_HOSTS_FILE="${PIHOLE_DIRECTORY}/local.list"
|
||||||
|
@ -762,34 +757,34 @@ check_networking() {
|
||||||
[ -z "${DOCKER_VERSION}" ] && check_required_ports
|
[ -z "${DOCKER_VERSION}" ] && check_required_ports
|
||||||
}
|
}
|
||||||
|
|
||||||
check_x_headers() {
|
# check_x_headers() {
|
||||||
# The X-Headers allow us to determine from the command line if the Web
|
# # The X-Headers allow us to determine from the command line if the Web
|
||||||
# lighttpd.conf has a directive to show "X-Pi-hole: A black hole for Internet advertisements."
|
# # lighttpd.conf has a directive to show "X-Pi-hole: A black hole for Internet advertisements."
|
||||||
# in the header of any Pi-holed domain
|
# # in the header of any Pi-holed domain
|
||||||
# Similarly, it will show "X-Pi-hole: The Pi-hole Web interface is working!" if you view the header returned
|
# # Similarly, it will show "X-Pi-hole: The Pi-hole Web interface is working!" if you view the header returned
|
||||||
# when accessing the dashboard (i.e curl -I pi.hole/admin/)
|
# # when accessing the dashboard (i.e curl -I pi.hole/admin/)
|
||||||
# server is operating correctly
|
# # server is operating correctly
|
||||||
echo_current_diagnostic "Dashboard headers"
|
# echo_current_diagnostic "Dashboard headers"
|
||||||
# Use curl -I to get the header and parse out just the X-Pi-hole one
|
# # Use curl -I to get the header and parse out just the X-Pi-hole one
|
||||||
local full_curl_output_dashboard
|
# local full_curl_output_dashboard
|
||||||
local dashboard
|
# local dashboard
|
||||||
full_curl_output_dashboard="$(curl -Is localhost/admin/)"
|
# full_curl_output_dashboard="$(curl -Is localhost/admin/)"
|
||||||
dashboard=$(echo "${full_curl_output_dashboard}" | awk '/X-Pi-hole/' | tr -d '\r')
|
# dashboard=$(echo "${full_curl_output_dashboard}" | awk '/X-Pi-hole/' | tr -d '\r')
|
||||||
# Store what the X-Header should be in variables for comparison later
|
# # Store what the X-Header should be in variables for comparison later
|
||||||
local dashboard_working
|
# local dashboard_working
|
||||||
dashboard_working="X-Pi-hole: The Pi-hole Web interface is working!"
|
# dashboard_working="X-Pi-hole: The Pi-hole Web interface is working!"
|
||||||
|
|
||||||
# If the X-Header matches what a working system should have,
|
# # If the X-Header matches what a working system should have,
|
||||||
if [[ $dashboard == "$dashboard_working" ]]; then
|
# if [[ $dashboard == "$dashboard_working" ]]; then
|
||||||
# then we can show a success
|
# # then we can show a success
|
||||||
log_write "$TICK Web interface X-Header: ${COL_GREEN}${dashboard}${COL_NC}"
|
# log_write "$TICK Web interface X-Header: ${COL_GREEN}${dashboard}${COL_NC}"
|
||||||
else
|
# else
|
||||||
# Otherwise, it's a failure since the X-Headers either don't exist or have been modified in some way
|
# # Otherwise, it's a failure since the X-Headers either don't exist or have been modified in some way
|
||||||
log_write "$CROSS Web interface X-Header: ${COL_RED}X-Header does not match or could not be retrieved.${COL_NC}"
|
# log_write "$CROSS Web interface X-Header: ${COL_RED}X-Header does not match or could not be retrieved.${COL_NC}"
|
||||||
|
|
||||||
log_write "${COL_RED}${full_curl_output_dashboard}${COL_NC}"
|
# log_write "${COL_RED}${full_curl_output_dashboard}${COL_NC}"
|
||||||
fi
|
# fi
|
||||||
}
|
# }
|
||||||
|
|
||||||
dig_at() {
|
dig_at() {
|
||||||
# We need to test if Pi-hole can properly resolve domain names
|
# We need to test if Pi-hole can properly resolve domain names
|
||||||
|
|
|
@ -1,73 +0,0 @@
|
||||||
# Pi-hole: A black hole for Internet advertisements
|
|
||||||
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
|
|
||||||
# Network-wide ad blocking via your own hardware.
|
|
||||||
#
|
|
||||||
# Lighttpd config for Pi-hole
|
|
||||||
#
|
|
||||||
# This file is copyright under the latest version of the EUPL.
|
|
||||||
# Please see LICENSE file for your rights under this license.
|
|
||||||
|
|
||||||
###################################################################################################
|
|
||||||
# IF THIS HEADER EXISTS, THE FILE WILL BE OVERWRITTEN BY PI-HOLE'S UPDATE PROCEDURE. #
|
|
||||||
# ANY CHANGES MADE TO THIS FILE WILL BE LOST ON THE NEXT UPDATE UNLESS YOU REMOVE THIS HEADER #
|
|
||||||
# #
|
|
||||||
# ENSURE THAT YOU DO NOT REMOVE THE REQUIRED LINE: #
|
|
||||||
# #
|
|
||||||
# include "/etc/lighttpd/conf-enabled/*.conf" #
|
|
||||||
# #
|
|
||||||
###################################################################################################
|
|
||||||
|
|
||||||
server.modules = (
|
|
||||||
"mod_access",
|
|
||||||
"mod_auth",
|
|
||||||
"mod_expire",
|
|
||||||
"mod_redirect",
|
|
||||||
"mod_setenv",
|
|
||||||
"mod_rewrite"
|
|
||||||
)
|
|
||||||
|
|
||||||
server.document-root = "/var/www/html"
|
|
||||||
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
|
|
||||||
server.errorlog = "/var/log/lighttpd/error-pihole.log"
|
|
||||||
server.pid-file = "/run/lighttpd.pid"
|
|
||||||
server.username = "www-data"
|
|
||||||
server.groupname = "www-data"
|
|
||||||
# For lighttpd version 1.4.46 or above, the port can be overwritten in `/etc/lighttpd/external.conf` using the := operator
|
|
||||||
# e.g. server.port := 8000
|
|
||||||
server.port = 80
|
|
||||||
|
|
||||||
# Allow streaming response
|
|
||||||
# reference: https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_stream-response-bodyDetails
|
|
||||||
server.stream-response-body = 1
|
|
||||||
#ssl.read-ahead = "disable"
|
|
||||||
|
|
||||||
index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
|
|
||||||
url.access-deny = ( "~", ".inc", ".md", ".yml", ".ini" )
|
|
||||||
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
|
|
||||||
|
|
||||||
mimetype.assign = (
|
|
||||||
".ico" => "image/x-icon",
|
|
||||||
".jpeg" => "image/jpeg",
|
|
||||||
".jpg" => "image/jpeg",
|
|
||||||
".png" => "image/png",
|
|
||||||
".svg" => "image/svg+xml",
|
|
||||||
".css" => "text/css; charset=utf-8",
|
|
||||||
".html" => "text/html; charset=utf-8",
|
|
||||||
".js" => "text/javascript; charset=utf-8",
|
|
||||||
".json" => "application/json; charset=utf-8",
|
|
||||||
".map" => "application/json; charset=utf-8",
|
|
||||||
".txt" => "text/plain; charset=utf-8",
|
|
||||||
".eot" => "application/vnd.ms-fontobject",
|
|
||||||
".otf" => "font/otf",
|
|
||||||
".ttc" => "font/collection",
|
|
||||||
".ttf" => "font/ttf",
|
|
||||||
".woff" => "font/woff",
|
|
||||||
".woff2" => "font/woff2"
|
|
||||||
)
|
|
||||||
|
|
||||||
# Add user chosen options held in (optional) external file
|
|
||||||
include "external*.conf"
|
|
||||||
|
|
||||||
# default listening port for IPv6 falls back to the IPv4 port
|
|
||||||
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
|
|
||||||
include "/etc/lighttpd/conf-enabled/*.conf"
|
|
|
@ -1,87 +0,0 @@
|
||||||
# Pi-hole: A black hole for Internet advertisements
|
|
||||||
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
|
|
||||||
# Network-wide ad blocking via your own hardware.
|
|
||||||
#
|
|
||||||
# Lighttpd config for Pi-hole
|
|
||||||
#
|
|
||||||
# This file is copyright under the latest version of the EUPL.
|
|
||||||
# Please see LICENSE file for your rights under this license.
|
|
||||||
|
|
||||||
###################################################################################################
|
|
||||||
# IF THIS HEADER EXISTS, THE FILE WILL BE OVERWRITTEN BY PI-HOLE'S UPDATE PROCEDURE. #
|
|
||||||
# ANY CHANGES MADE TO THIS FILE WILL BE LOST ON THE NEXT UPDATE UNLESS YOU REMOVE THIS HEADER #
|
|
||||||
# #
|
|
||||||
# ENSURE THAT YOU DO NOT REMOVE THE REQUIRED LINE: #
|
|
||||||
# #
|
|
||||||
# include "/etc/lighttpd/conf.d/pihole-admin.conf" #
|
|
||||||
# #
|
|
||||||
###################################################################################################
|
|
||||||
|
|
||||||
server.modules = (
|
|
||||||
"mod_access",
|
|
||||||
"mod_auth",
|
|
||||||
"mod_expire",
|
|
||||||
"mod_fastcgi",
|
|
||||||
"mod_accesslog",
|
|
||||||
"mod_redirect",
|
|
||||||
"mod_setenv",
|
|
||||||
"mod_rewrite"
|
|
||||||
)
|
|
||||||
|
|
||||||
server.document-root = "/var/www/html"
|
|
||||||
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
|
|
||||||
server.errorlog = "/var/log/lighttpd/error-pihole.log"
|
|
||||||
server.pid-file = "/run/lighttpd.pid"
|
|
||||||
server.username = "lighttpd"
|
|
||||||
server.groupname = "lighttpd"
|
|
||||||
# For lighttpd version 1.4.46 or above, the port can be overwritten in `/etc/lighttpd/external.conf` using the := operator
|
|
||||||
# e.g. server.port := 8000
|
|
||||||
server.port = 80
|
|
||||||
|
|
||||||
# Allow streaming response
|
|
||||||
# reference: https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_stream-response-bodyDetails
|
|
||||||
server.stream-response-body = 1
|
|
||||||
#ssl.read-ahead = "disable"
|
|
||||||
|
|
||||||
index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
|
|
||||||
url.access-deny = ( "~", ".inc", ".md", ".yml", ".ini" )
|
|
||||||
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
|
|
||||||
|
|
||||||
mimetype.assign = (
|
|
||||||
".ico" => "image/x-icon",
|
|
||||||
".jpeg" => "image/jpeg",
|
|
||||||
".jpg" => "image/jpeg",
|
|
||||||
".png" => "image/png",
|
|
||||||
".svg" => "image/svg+xml",
|
|
||||||
".css" => "text/css; charset=utf-8",
|
|
||||||
".html" => "text/html; charset=utf-8",
|
|
||||||
".js" => "text/javascript; charset=utf-8",
|
|
||||||
".json" => "application/json; charset=utf-8",
|
|
||||||
".map" => "application/json; charset=utf-8",
|
|
||||||
".txt" => "text/plain; charset=utf-8",
|
|
||||||
".eot" => "application/vnd.ms-fontobject",
|
|
||||||
".otf" => "font/otf",
|
|
||||||
".ttc" => "font/collection",
|
|
||||||
".ttf" => "font/ttf",
|
|
||||||
".woff" => "font/woff",
|
|
||||||
".woff2" => "font/woff2"
|
|
||||||
)
|
|
||||||
|
|
||||||
# Add user chosen options held in (optional) external file
|
|
||||||
include "external*.conf"
|
|
||||||
|
|
||||||
# default listening port for IPv6 falls back to the IPv4 port
|
|
||||||
#include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
|
|
||||||
#include_shell "/usr/share/lighttpd/create-mime.assign.pl"
|
|
||||||
#include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
|
|
||||||
|
|
||||||
fastcgi.server = (
|
|
||||||
".php" => (
|
|
||||||
"localhost" => (
|
|
||||||
"socket" => "/tmp/php-fastcgi.socket",
|
|
||||||
"bin-path" => "/usr/bin/php-cgi"
|
|
||||||
)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
|
|
||||||
include "/etc/lighttpd/conf.d/pihole-admin.conf"
|
|
|
@ -1,82 +0,0 @@
|
||||||
# Pi-hole: A black hole for Internet advertisements
|
|
||||||
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
|
|
||||||
# Network-wide ad blocking via your own hardware.
|
|
||||||
#
|
|
||||||
# Lighttpd config for Pi-hole
|
|
||||||
#
|
|
||||||
# This file is copyright under the latest version of the EUPL.
|
|
||||||
# Please see LICENSE file for your rights under this license.
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE. #
|
|
||||||
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
server.errorlog := "/var/log/lighttpd/error-pihole.log"
|
|
||||||
|
|
||||||
$HTTP["url"] =~ "^/admin/" {
|
|
||||||
server.document-root = "/var/www/html"
|
|
||||||
server.stream-response-body = 1
|
|
||||||
accesslog.filename = "/var/log/lighttpd/access-pihole.log"
|
|
||||||
accesslog.format = "%{%s}t|%h|%V|%r|%s|%b"
|
|
||||||
|
|
||||||
fastcgi.server = (
|
|
||||||
".php" => (
|
|
||||||
"localhost" => (
|
|
||||||
"socket" => "/run/lighttpd/pihole-php-fastcgi.socket",
|
|
||||||
"bin-path" => "/usr/bin/php-cgi",
|
|
||||||
"min-procs" => 1,
|
|
||||||
"max-procs" => 1,
|
|
||||||
"bin-environment" => (
|
|
||||||
"PHP_FCGI_CHILDREN" => "4",
|
|
||||||
"PHP_FCGI_MAX_REQUESTS" => "10000",
|
|
||||||
),
|
|
||||||
"bin-copy-environment" => (
|
|
||||||
"PATH", "SHELL", "USER"
|
|
||||||
),
|
|
||||||
"broken-scriptfilename" => "enable",
|
|
||||||
)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
|
|
||||||
# X-Pi-hole is a response header for debugging using curl -I
|
|
||||||
# X-Frame-Options prevents clickjacking attacks and helps ensure your content is not embedded into other sites via < frame >, < iframe > or < object >.
|
|
||||||
# X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. This is important because it tells the browser to block the response if a malicious script has been inserted from a user input. (deprecated; disabled)
|
|
||||||
# X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This is important because the browser will only load external resources if their content-type matches what is expected, and not malicious hidden code.
|
|
||||||
# Content-Security-Policy tells the browser where resources are allowed to be loaded and if it’s allowed to parse/run inline styles or Javascript. This is important because it prevents content injection attacks, such as Cross Site Scripting (XSS).
|
|
||||||
# X-Permitted-Cross-Domain-Policies is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.
|
|
||||||
# Referrer-Policy allows control/restriction of the amount of information present in the referral header for links away from your page—the URL path or even if the header is sent at all.
|
|
||||||
setenv.add-response-header = (
|
|
||||||
"X-Pi-hole" => "The Pi-hole Web interface is working!",
|
|
||||||
"X-Frame-Options" => "DENY",
|
|
||||||
"X-XSS-Protection" => "0",
|
|
||||||
"X-Content-Type-Options" => "nosniff",
|
|
||||||
"Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
|
|
||||||
"X-Permitted-Cross-Domain-Policies" => "none",
|
|
||||||
"Referrer-Policy" => "same-origin"
|
|
||||||
)
|
|
||||||
|
|
||||||
# Block . files from being served, such as .git, .github, .gitignore
|
|
||||||
$HTTP["url"] =~ "^/admin/\." {
|
|
||||||
url.access-deny = ("")
|
|
||||||
}
|
|
||||||
|
|
||||||
# allow teleporter and API qr code iframe on settings page
|
|
||||||
$HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
|
|
||||||
$HTTP["referer"] =~ "/admin/settings\.php" {
|
|
||||||
setenv.set-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else $HTTP["url"] == "/admin" {
|
|
||||||
url.redirect = ("" => "/admin/")
|
|
||||||
}
|
|
||||||
|
|
||||||
$HTTP["host"] == "pi.hole" {
|
|
||||||
$HTTP["url"] == "/" {
|
|
||||||
url.redirect = ("" => "/admin/")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# (keep this on one line for basic-install.sh filtering during install)
|
|
||||||
server.modules += ( "mod_access", "mod_accesslog", "mod_redirect", "mod_fastcgi", "mod_setenv" )
|
|
Loading…
Reference in a new issue