[PI‑HOLE] Setup pixelserv‑tls for Pi‑Hole
Making pixelserv-tls work with Pi-Hole is a question that has been asked multiple times on SNBforum in the past year. It seems either there are few Pi-Hole users there or perhaps no one has seriously looked at the problem before. I hope this guide can help Pi-Hole users get started. The content will be continuously updated with feedback from users on the ground.
With Pi-Hole release 4.0, a new config variable named BLOCKINGMODE has been added to Pi-Hole's FTLDNS config, /etc/pihole/pihole-FTL.conf. First, you have to set this config variable to IP-NODATA-AAAA. This makes all blocked domains resolve only to your "Pi-Hole IPv4" address - the address where Pi-Hole's Dashboard is accessed, i.e. http://<pi hole ip>/admin.
Pi-Hole uses lighttpd to serve its Dashboard as well as empty HTTP ads (when BLOCKINGMODE is IP-NODATA-AAAA). Users can switch to nginx instead of lighttpd. Natively, Pi-Hole does not provide a config option to make blocked domains resolve to an IPv4 address different from the "Pi-Hole IPv4" address. More on this later.
Luckily, Pi-Hole only uses port 80 for HTTP. This implies that lighttpd (or nginx) will listen on port 80 while port 443 is free. Note that pixelserv-tls will require both ports 80 and 443 for optimal performance. It outperforms lighttpd and nginx for adblock purposes.
Option 1: Not recommended.
Simply run pixelserv-tls on the same network interface (and hence the same IPv4 address) as Pi-Hole, but have it listen only on port 443. This completes your loop for HTTPS ads: HTTP ads are served by Pi-Hole's lighttpd/nginx, HTTPS ads by pixelserv-tls.
Option 2: Recommended for users who need Pi-Hole's GUI/Dashboard.
Change Pi-Hole's lighttpd (or nginx) to listen on a port other than 80 for HTTP, e.g. use 8080. This implies you'll be accessing Pi-Hole's Dashboard with a slightly modified URL like http://<pihole IP>:8080/admin. The lighttpd config is at /etc/lighttpd/lighttpd.conf and the line requiring change is similar to below:
server.port = 8080
For nginx users, the config is located at /etc/nginx/conf.d/pihole.conf. The line requiring change will look similar to below:
listen 8080 default_server;
In option 2, both port 80 and 443 are now available to pixelserv-tls. Recommended option.
NOTE: Upgrading to a newer Pi-Hole release may overwrite/wipe out any user change to one of the two files [need to confirm with Pi-Hole users?]. If so, you need to make the change again after the upgrade. Perhaps someone could come up with a simple script to automatically update the port in the config after an upgrade [need to confirm with Pi-Hole users?].
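One way to write the script the note above asks for, as an added example that is not part of the original guide or of the Pi-Hole or pixelserv-tls projects. It assumes the directive sits on a single line in the form shown above (`server.port = N` or `listen N default_server;`); the function names and the `apply` argument are hypothetical.

```shell
#!/bin/sh
# Added example: re-apply the Dashboard port after a Pi-Hole upgrade.
# File paths and port 8080 are the ones named in this guide; the function
# names and the "apply" argument are hypothetical.

# rewrite_port FILE WANT_RE SED_EXPR
# Returns 1 if FILE is missing or has no matching directive, 0 if the file is
# (or already was) on the wanted port. The previous file is kept as FILE.bak.
rewrite_port() {
    rp_file=$1; rp_want=$2; rp_sed=$3
    [ -f "$rp_file" ] || return 1
    sed -E "$rp_sed" "$rp_file" > "$rp_file.new" || return 1
    if ! grep -Eq "$rp_want" "$rp_file.new"; then
        rm -f "$rp_file.new"; return 1        # directive missing: do not guess
    fi
    if cmp -s "$rp_file" "$rp_file.new"; then
        rm -f "$rp_file.new"; return 0        # already on the wanted port
    fi
    # cat into the original keeps its owner, mode and inode
    cp -p "$rp_file" "$rp_file.bak" && cat "$rp_file.new" > "$rp_file" && rm -f "$rp_file.new"
}

set_lighttpd_port() {   # set_lighttpd_port FILE PORT
    rewrite_port "$1" "^[[:space:]]*server\.port[[:space:]]*=[[:space:]]*$2[[:space:]]*\$" \
        "s/^([[:space:]]*server\.port[[:space:]]*=[[:space:]]*)[0-9]+/\1$2/"
}

set_nginx_port() {      # set_nginx_port FILE PORT
    rewrite_port "$1" "^[[:space:]]*listen[[:space:]]+$2[[:space:]]+default_server;" \
        "s/^([[:space:]]*listen[[:space:]]+)[0-9]+([[:space:]]+default_server;)/\1$2\2/"
}

# Only touch the real files when invoked as: sh fix-port.sh apply
if [ "${1:-}" = apply ]; then
    set_lighttpd_port /etc/lighttpd/lighttpd.conf 8080 && echo "lighttpd: port 8080"
    set_nginx_port /etc/nginx/conf.d/pihole.conf 8080 && echo "nginx: port 8080"
    echo "restart the web server for the change to take effect"
fi
```

Running it twice is harmless: when the port is already 8080 the file is left untouched and no backup is written, so it can be run after every upgrade whether or not the upgrade reset the config.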
Option 3: Make a feature request to Pi-Hole. Allow users to customise the HTTP port where the Dashboard will be served. And/or additionally allow users to customise the IPv4 address that blocked domains will resolve to when BLOCKINGMODE is IP-NODATA-AAAA.
Option 4: Recommended for users who do not need Pi-Hole's GUI/Dashboard and are comfortable with the Pi-Hole CLI.
SNBforum member JimbobJay figured out that he could disable Pi-Hole's GUI and Dashboard, as he solely uses the Pi-Hole CLI. This frees up port 80 on the "Pi-Hole IPv4" address/interface for any other purpose. Hence, he could successfully run pixelserv-tls there to serve both HTTP and HTTPS ads.
It turns out only a few simple changes are needed to run pixelserv-tls alongside Pi-Hole. For users who require Pi-Hole's GUI and Dashboard, option 2 is recommended. For users who do not care about the GUI/Dashboard and are comfortable with solely using the Pi-Hole CLI, option 4 is a set-it-and-forget-it choice and is preferred, because there is no need to worry about an upgrade to a newer Pi-Hole release overwriting your change to the lighttpd (or nginx) config file.