Pi-hole v4.3.2 and Nextcloud latest

Pi-hole®: A black hole for Internet advertisements


Following this guide you will be able to run Nextcloud and Pi-hole on the same server, with Pi-hole acting as your local DNS server instead of your router. It was verified on Ubuntu 18.04.x LTS and nginx 1.17.5. Start by preparing your server as root:

sudo -s
apt install ppa-purge
ppa-purge ppa:ondrej/php

Pi-hole's installer expects the PHP packages from the default Ubuntu repositories, so ppa-purge removes the previously installed PHP PPA from ondrej and downgrades to Ubuntu 18.04's PHP 7.2. Make sure that all PHP modules required by both Nextcloud and Pi-hole are installed, back up the configuration files you are about to change, and then tune them:

apt autoremove && apt update && apt install php7.2-fpm php7.2-gd php7.2-mysql php7.2-curl php7.2-xml php7.2-zip php7.2-intl php7.2-mbstring php7.2-json php7.2-bz2 php7.2-ldap php-apcu imagemagick php-imagick php-smbclient -y

cp /etc/php/7.2/fpm/pool.d/www.conf /etc/php/7.2/fpm/pool.d/www.conf.bak
cp /etc/php/7.2/cli/php.ini /etc/php/7.2/cli/php.ini.bak
cp /etc/php/7.2/fpm/php.ini /etc/php/7.2/fpm/php.ini.bak
cp /etc/php/7.2/fpm/php-fpm.conf /etc/php/7.2/fpm/php-fpm.conf.bak
cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak

sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/7.2/fpm/pool.d/www.conf
sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/7.2/fpm/pool.d/www.conf
sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/7.2/fpm/pool.d/www.conf
sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/7.2/fpm/pool.d/www.conf
sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/7.2/fpm/pool.d/www.conf

sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/7.2/cli/php.ini
sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/7.2/cli/php.ini
sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/7.2/cli/php.ini
sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/7.2/cli/php.ini
sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/7.2/cli/php.ini
sed -i "s/;date.timezone.*/date.timezone = Europe\/Berlin/" /etc/php/7.2/cli/php.ini

sed -i "s/memory_limit = 128M/memory_limit = 512M/" /etc/php/7.2/fpm/php.ini
sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/7.2/fpm/php.ini
sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/7.2/fpm/php.ini
sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/7.2/fpm/php.ini
sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/7.2/fpm/php.ini
sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/7.2/fpm/php.ini
sed -i "s/;date.timezone.*/date.timezone = Europe\/Berlin/" /etc/php/7.2/fpm/php.ini
sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/7.2/fpm/php.ini
sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/7.2/fpm/php.ini
sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/7.2/fpm/php.ini
sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/7.2/fpm/php.ini
sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=8/" /etc/php/7.2/fpm/php.ini
sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/7.2/fpm/php.ini
sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/7.2/fpm/php.ini
sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/7.2/fpm/php.ini

The next four commands re-enable the PostScript, EPS, PDF and XPS coders that Ubuntu's ImageMagick policy disables by default. These formats are rendered through Ghostscript, so with this change every PDF or PostScript file a Nextcloud user uploads is handed to Ghostscript for preview generation; only do this if you need those previews, and keep Ghostscript patched.

sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"EPI\"/rights=\"read|write\" pattern=\"EPI\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml

Install Pi-hole. nginx is stopped first so that port 80 is free for the lighttpd instance the installer sets up. If you prefer not to pipe an unreviewed script into a root shell, download it to a file, read it, and run it from disk instead:

service nginx stop && curl -sSL https://install.pi-hole.net | bash

and follow the instructions:

Prepare ufw (the server firewall): open DNS (port 53, TCP and UDP) and the pihole-FTL API port (4711) for your LAN only, 192.168.2.0/24 in this example. The Pi-hole web port is deliberately not opened, since it is only reached through nginx on 127.0.0.1 below.

ufw allow in from 192.168.2.0/24 proto tcp to any port 53
ufw allow in from 192.168.2.0/24 proto udp to any port 53
ufw allow in from 192.168.2.0/24 proto tcp to any port 4711
ufw allow in from 192.168.2.0/24 proto udp to any port 4711

and then move Pi-hole's lighttpd from port 80, which nginx needs, to another port, e.g. 86:

cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.bak
sed -i 's/= 80/= 86/g' /etc/lighttpd/lighttpd.conf

and restart lighttpd and nginx

systemctl enable lighttpd.service && service lighttpd restart && service nginx restart

Now extend your nginx (reverse proxy) configuration (“/etc/nginx/conf.d/nextcloud.conf”) with the two Pi-hole locations shown below, replacing your.dedyn.io with your domain name. The listing contains no ssl_certificate directives and no php-handler upstream; keep those from your existing Nextcloud configuration (php_optimization.conf is expected to carry the fastcgi_pass). Note that /pihole is published on the public HTTPS host: unless you need the Pi-hole login page from outside, restrict that location to your LAN with nginx's allow and deny directives.

nano /etc/nginx/conf.d/nextcloud.conf
server {
    server_name your.dedyn.io;
    listen 80 default_server;
    listen [::]:80 default_server;
    location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host $host;
    }
    ### pi-hole 1/2 ###
    location ^~ /wpad {
        proxy_pass http://127.0.0.1:86/wpad;
        proxy_read_timeout 90;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    ### end pi-hole 1/2 ###
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name your.dedyn.io;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    root /var/www/nextcloud/;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
    client_max_body_size 10240M;
    location / {
        rewrite ^ /index.php;
    }
    ### pi-hole 2/2 ###
    location ^~ /pihole {
        proxy_pass http://127.0.0.1:86/admin;
        proxy_read_timeout 90;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    ### end pi-hole 2/2 ###
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ^~ /apps/rainloop/app/data {
        deny all;
    }
    location = /uploads {
        return 301 https://nc.c-rieger.de/s/T64qM3SX2bAtfD9;
    }
    location ~ \.(?:flv|mp4|mov|m4a)$ {
        mp4;
        mp4_buffer_size 100M;
        mp4_max_buffer_size 1024M;
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        include php_optimization.conf;
    }
    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        include php_optimization.conf;
    }
    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }
    location ~ \.(?:css|js|woff2?|svg|gif|map|png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
        access_log off;
        expires 360d;
    }
}

Change the DNS server setting in your router to the IP of your Pi-hole (e.g. 192.168.2.100):

Add your domain as a host record to Pi-hole, so that clients on the LAN resolve your.dedyn.io to the server's LAN address (192.168.2.100, the same address as everywhere else in this guide) instead of your public IP:

pihole -a hostrecord your.dedyn.io 192.168.2.100

and add “address=/your.dedyn.io/192.168.2.100” at the end of the file, as shown in the example. Pi-hole's installer and its DNS-settings logic manage 01-pihole.conf, so verify that the line is still present after an update or reconfiguration, or keep it in a separate file of your own under /etc/dnsmasq.d/:

nano /etc/dnsmasq.d/01-pihole.conf

Open “/var/www/html/admin/scripts/pi-hole/php/auth.php” and comment out the following row. This is Pi-hole's check that the origin of a request matches one of its own names; it protects the admin API against requests that reach it under an unexpected hostname (e.g. through DNS rebinding), and it fails here because requests now arrive as your.dedyn.io via nginx. Commenting out the log_and_die disables the check for every hostname. If your auth.php reads the VIRTUAL_HOST environment variable (look for getenv('VIRTUAL_HOST') in the file), the cleaner alternative is to pass VIRTUAL_HOST=your.dedyn.io to PHP with setenv.add-environment in /etc/lighttpd/external.conf, which keeps the check active and survives updates:

nano /var/www/html/admin/scripts/pi-hole/php/auth.php
...
if (!in_array($server_origin, $AUTHORIZED_HOSTNAMES)) {
//log_and_die("Failed CORS: " . $server_origin .' vs '. join(', ', $AUTHORIZED_HOSTNAMES));
}
...

Create /etc/lighttpd/external.conf with the following content (Pi-hole's lighttpd.conf includes this file and leaves it alone on updates). It serves the wpad directory for every request whose Host header contains "wpad". Note the quoted heredoc delimiter: with an unquoted EOF the shell would expand $HTTP to an empty string and write a broken configuration.

cat <<'EOF' >/etc/lighttpd/external.conf
$HTTP["host"] =~ "wpad" {
    server.document-root = "/var/www/wpad/"
    mimetype.assign = (
        ".dat" => "application/x-ns-proxy-autoconfig",
        ".pac" => "application/x-ns-proxy-autoconfig"
    )
}
EOF

Modify your server's /etc/hosts by adding

nano /etc/hosts
192.168.2.100 wpad.fritz.box wpad.box wpad.com wpad.de wpad

create a hosts file for Pi-hole with the same entry

touch /etc/pihole/lan.list
cat <<EOF >/etc/pihole/lan.list
192.168.2.100 wpad.fritz.box wpad.box wpad.com wpad.de wpad
EOF

and finally create the WPAD file itself. It is a minimal proxy auto-config script that tells every client to connect directly. Serving it locally for the names clients try during proxy auto-discovery (wpad plus the search domain, as listed above) means no client on your LAN will accept a proxy configuration from whoever answers for such a name on the internet:

mkdir -p /var/www/wpad/ && touch /var/www/wpad/wpad.dat
cat <<EOF >/var/www/wpad/wpad.dat
function FindProxyForURL(url, host) {
return "DIRECT";
}
EOF

Apply the proper permissions and restart the services. The sed below changes the X-Frame-Options header that Pi-hole's lighttpd.conf sets from DENY to ALLOW. ALLOW is not a valid value for that header (browsers honour DENY and SAMEORIGIN only) and is therefore ignored, which makes the Pi-hole pages embeddable in frames on any site; it is only needed if you want to embed the Pi-hole interface somewhere (for example in Nextcloud's External sites app), otherwise leave DENY in place.

chown -R www-data:www-data /var/www/
sed -i 's/"DENY"/"ALLOW"/g' /etc/lighttpd/lighttpd.conf && service lighttpd restart && service nginx restart
pihole restartdns && service pihole-FTL restart
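The sed commands in this guide exit successfully even when their pattern matches nothing (for instance when memory_limit was not exactly "128M" on your box), so the edits are only verified by reading the effective values back. The script below is an added example, not part of the original guide or of Pi-hole or Nextcloud: it checks the php.ini keys set above, the lighttpd port and the X-Frame-Options value. It runs against constructed sample files standing in for /etc/php/7.2/fpm/php.ini and /etc/lighttpd/lighttpd.conf; on a real server pass those two paths to run_checks instead.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): read the edited settings back,
# because sed -i reports success even when its pattern matched nothing.
# The sample files at the bottom are constructed for a stand-alone run.
set -u

# ini_value FILE KEY: effective (uncommented) value of a php.ini key. The last
# active occurrence wins, as PHP does with duplicate keys; surrounding quotes
# are stripped so "output_buffering = 'Off'" reports Off.
ini_value() {
  local file=$1 key_re
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n -E "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*['\"]?([^'\";[:space:]]*).*/\1/p" "$file" | tail -n 1
}

# ini_check FILE KEY EXPECTED: print a verdict; 0 if the value matches, 1 if not.
ini_check() {
  local got
  got=$(ini_value "$1" "$2")
  if [ "$got" = "$3" ]; then
    printf 'ok    %-28s = %s\n' "$2" "$got"
    return 0
  fi
  printf 'FAIL  %-28s = %s (expected %s)\n' "$2" "${got:-<unset>}" "$3"
  return 1
}

# lighttpd_port FILE: value of server.port (the guide moves it from 80 to 86).
lighttpd_port() {
  sed -n -E 's/^[[:space:]]*server\.port[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' "$1" | tail -n 1
}

# xfo_value FILE: the X-Frame-Options value set via setenv.add-response-header.
xfo_value() {
  sed -n -E 's/.*"X-Frame-Options"[[:space:]]*=>[[:space:]]*"([^"]*)".*/\1/p' "$1" | tail -n 1
}

# xfo_is_valid VALUE: 0 only for DENY or SAMEORIGIN, the values browsers honour.
# Anything else (including the "ALLOW" the guide writes) is ignored by browsers,
# which is the same as sending no header at all, so framing is then allowed.
xfo_is_valid() {
  case $1 in
    DENY|SAMEORIGIN) return 0 ;;
    *) return 1 ;;
  esac
}

# run_checks PHP_INI LIGHTTPD_CONF: run all checks; returns the failure count.
run_checks() {
  local fails=0 kv port xfo
  for kv in memory_limit=512M output_buffering=Off max_execution_time=3600 \
            post_max_size=10240M upload_max_filesize=10240M \
            date.timezone=Europe/Berlin session.cookie_secure=True \
            opcache.enable=1 opcache.enable_cli=1 opcache.memory_consumption=128; do
    ini_check "$1" "${kv%%=*}" "${kv#*=}" || fails=$((fails + 1))
  done
  port=$(lighttpd_port "$2")
  if [ "$port" = 86 ]; then
    printf 'ok    lighttpd server.port = %s\n' "$port"
  else
    printf 'FAIL  lighttpd server.port = %s (expected 86)\n' "${port:-<unset>}"
    fails=$((fails + 1))
  fi
  xfo=$(xfo_value "$2")
  if xfo_is_valid "$xfo"; then
    printf 'ok    X-Frame-Options = %s\n' "$xfo"
  else
    printf 'WARN  X-Frame-Options = %s is ignored by browsers; keep DENY unless you must frame the Pi-hole UI\n' "${xfo:-<unset>}"
    fails=$((fails + 1))
  fi
  return "$fails"
}

# --- constructed samples standing in for /etc/php/7.2/fpm/php.ini and
# --- /etc/lighttpd/lighttpd.conf after the guide's commands were run ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/php.ini" <<'EOF'
; memory_limit was -1 on this box, so the guide's exact-match sed changed nothing
memory_limit = -1
output_buffering = 'Off'
max_execution_time = 3600
post_max_size = 10240M
upload_max_filesize = 10240M
date.timezone = Europe/Berlin
session.cookie_secure = True
;opcache.enable=1
opcache.enable_cli=1
opcache.memory_consumption=128
EOF
cat >"$tmp/lighttpd.conf" <<'EOF'
server.port                 = 86
setenv.add-response-header  = ( "X-Frame-Options" => "ALLOW" )
EOF

run_checks "$tmp/php.ini" "$tmp/lighttpd.conf"
echo "failures: $?"   # 3 on the sample: memory_limit, opcache.enable, X-Frame-Options
```

On the server, run the checks against the real files with run_checks /etc/php/7.2/fpm/php.ini /etc/lighttpd/lighttpd.conf (and again with the cli php.ini); a non-zero return tells you which sed edit did not take.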

and call your Pi-hole in your preferred browser:

https://your.dedyn.io/pihole/

If you want to update your Pi-hole, just issue

sudo pihole -up

An update replaces the web interface files, so the edit to auth.php above is lost and has to be re-applied. Check afterwards that the port and X-Frame-Options changes in /etc/lighttpd/lighttpd.conf survived as well, since the installer ships its own copy of that file; /etc/lighttpd/external.conf and the files under /etc/pihole are kept.

From now on, every client that obtains its DNS server from your router's DHCP (e.g. fritz.box) will send its DNS queries to Pi-hole. Enjoy your Nextcloud and Pi-hole®: A black hole for Internet advertisements



Carsten Rieger

Carsten Rieger is a senior system engineer working full-time and also as an IT freelancer. He has been working with Linux environments for more than 15 years, is an Open Source enthusiast and is highly motivated in Linux installation and troubleshooting. He mostly works with Debian/Ubuntu Linux, the Nginx and Apache web servers, MariaDB/MySQL/PostgreSQL, PHP, cloud infrastructure (e.g. Nextcloud) and other open source projects (e.g. Roundcube), and has done voluntary work for the Dr. Michael & Angela Jacobi Stiftung for more than 7 years.