Search code examples
nginxpihole

nginx listen on private ip instead of 0.0.0.0 with multiple sites

I've recently setup a pihole on a pi I had lying around and it's great. When a domain is blocked it's returning ip address 0.0.0.0 as per its default config of BLOCKINGMODE=NULL.

The problem I'm facing is that when I'm browsing the web from my server, that hosts multiple subdomains via nginx, it's constantly trying to connect to my nginx sites and it filling up its logs with 404s.

I believe the solution is to update my nginx configs to point to my private ip instead of 0.0.0.0. I thought it would be as easy as updating listen 443 ssl; to listen 192.168.1.10:443 ssl;

Unfortunately, after I made that change all my subdomains are all pointing to one of them at random. Ex. a.mysite.com, b.mysite.com, c.mysite.com are all directing to a.mysite.com

Most of my sites are forwarding a docker instance to 443 and a few that simply serve up local files.

I originally asked on the pihole forums and they pointed me in the right direction, but I'm not sure how to get nginx working using my private ip instead of 0.0.0.0. https://discourse.pi-hole.net/t/blockingmode-null-vs-nodata/53016/7

The easy solution would be to leave my nginx configs alone and update pihole from BLOCKINGMODE=NULL to BLOCKINGMODE=NXDOMAIN or BLOCKINGMODE=NODATA, but as per their help docs, "Similar to NULL blocking, but experiments suggest that clients may try to resolve blocked domains more often compared to NULL blocking." https://docs.pi-hole.net/ftldns/blockingmode/

Thanks for reading!

mrplow@dan-server:~$ dig ads.facebook.com

; <<>> DiG 9.16.15-Ubuntu <<>> ads.facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37291
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;ads.facebook.com.              IN      A

;; ANSWER SECTION:
ads.facebook.com.       2       IN      A       0.0.0.0

;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Jan 27 14:50:46 PST 2022
;; MSG SIZE  rcvd: 61

mrplow@dan-server:~$ date && curl ads.facebook.com && tail -n 1 /var/log/nginx/access.log
Thu 27 Jan 2022 03:00:19 PM PST
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
127.0.0.1 - - [27/Jan/2022:15:00:19 -0800] "GET / HTTP/1.1" 404 162 "-" "curl/7.74.0"

Sample nginx conf file

server {
  server_name a.mysite.com;

  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect   off;
    proxy_pass       http://127.0.0.1:9117;
  }
    ssl_dhparam /etc/ssl/certs/a.mysite.pem;


    listen 443 ssl; # managed by Certbot
#    listen 192.168.1.10:443 ssl;
    ssl_certificate /etc/letsencrypt/live/a.mysite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/a.mysite.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = a.mysite.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  server_name a.mysite.com;


    listen 80;
#    listen 192.168.1.10:80;
    return 404; # managed by Certbot


}
Solution

  • Figured it out.

    I was correct with including the private ip in the listen directives. But, I also needed to update all my server_name directives to include the private ip address.

    After I updated all my nginx configurations it is no longer listening on 0.0.0.0 and when I curl a blocked site it now gives the proper curl: (7) Failed to connect to ads.facebook.com port 80: Connection refused response.

    Working example:

    server {
  server_name a.mysite.com 192.168.1.10;

  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect   off;
    proxy_pass       http://127.0.0.1:9117;
  }
    ssl_dhparam /etc/ssl/certs/a.mysite.pem;


    listen 192.168.1.10:443 ssl;
    ssl_certificate /etc/letsencrypt/live/a.mysite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/a.mysite.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = a.mysite.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  server_name a.mysite.com 192.168.1.10;


    listen 192.168.1.10:80;
    return 404; # managed by Certbot


}