Pihole behind Nginx sudden routing issue

2 days ago by AbsolutelyClawless to c/selfhosted

I've been racking my brain the whole afternoon trying to figure out why, when I try to access my Pihole's web GUI, I'm suddenly met with a SEC_ERROR_UNKNOWN_ISSUER error.

My setup:

  • Nginx (SWAG) runs on my server and routes all apps on the server, plus two separate devices (Unifi and Pihole)
  • Pihole runs on a Raspi with a fixed IP
  • Nginx conf points to Pihole's IP on port 80 over http protocol.

This worked perfectly fine until several days ago (well, that's when I noticed the issue). Now whenever I try to access Pihole over its FQDN (https://pihole.my.domain/), I get the above error. The reason is mismatched certs, i.e. my browser fetches Pihole's self-signed cert and doesn't see my domain's cert at all. However, this shouldn't be happening at all. Nginx conf points to Pihole's port 80, not port 443. To further confirm this, I temporarily disabled port 443 on the Pihole and only served on port 80, which made Pihole web inaccessible over Nginx. I thought maybe Unifi is the culprit, but I can still reach the Web GUI over http://pihole.my.domain/ and http://pihole-ip/ through my browser. I have several other apps on the server that use port 80, and Nginx has no issue routing them.

Does anyone have any idea what might be happening here?

folekaule 3 points 2 days ago

Can you confirm that the DNS actually resolves to the NGINX IP address (and only that address) when you use PiHole's FQDN? It sounds like it's bypassing the proxy because it stopped working when you turned 443 off.

AbsolutelyClawless 3 points 2 days ago

Hm, looks like you're right. For some reason it's completely bypassing Nginx. Traceroute to all my other proxied services points to nginx.my.domain, except pihole, which points to pihole.my.domain. There have been no changes to my configuration; this is odd.

Edit: Local DNS Record for pihole.my.domain still points to nginx.my.domain.

folekaule 2 points 2 days ago

What is your DNS setup like? A lot of DHCP clients are set up to register their name in DNS (if allowed). It could be your pihole server is hijacking it.

If you have multiple DNS servers (e.g. your home router and your lab) then you may not be getting the full picture.

AbsolutelyClawless 2 points 2 days ago

Pihole is my DNS server (Unbound + Local).

I fixed it? After the issue appeared I changed the Raspi's hostname to the FQDN, i.e. pihole.my.domain. So it sort of makes sense that it bypassed Nginx. I changed it back to how it was before (just "pihole", and instead of my.domain I added "home.arpa" as the local domain). And now it's back to normal. Which makes about zero sense to me, because I basically just changed it back to how it was both before and after the issue started.

Thanks for the help! It didn't even occur to me to look if Nginx was being bypassed.

folekaule 2 points 2 days ago

Glad you got it working!

My hypothesis is that it was DNS (channeling Jeff Geerling here). Since Pihole is your DNS (makes sense), it may have recognized that address as its own and given you its IP. By resolving the naming collision, you fixed the problem because the name is now unambiguous.

These problems can happen very easily when you're using DHCP and sharing a network and domain name between your clients and upstreams, so I think using home.arpa for one and your other domain for the other was a good idea.

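The check folekaule asked for (does the FQDN resolve to the proxy, and only the proxy?) and the naming-collision hypothesis above can both be verified with a short script. This is an added example, not code from the thread; the addresses and hostnames it assumes (pihole.my.domain, 10.0.0.2 for Nginx, 10.0.0.53 for Pihole, 10.0.0.1 for the router) are placeholders, and the live parts need `dig` and `openssl`.

```shell
#!/bin/sh
# Added diagnostic for the thread above (not from the original posts).
# Asks each DNS server on the network what an FQDN resolves to, classifies the
# answer against the reverse proxy's IP, and then shows whose certificate the
# name actually serves on 443 so a self-signed backend cert is obvious.
# Assumed placeholders: pihole.my.domain, 10.0.0.2 (nginx), 10.0.0.53 (pihole).

# classify PROXY_IP "ANSWERS": ANSWERS is a whitespace-separated list of
# addresses one resolver returned. Prints proxied | bypassed | mixed | unresolved.
classify() {
    proxy=$1; answers=$2
    hit=0; miss=0
    for a in $answers; do
        if [ "$a" = "$proxy" ]; then hit=$((hit + 1)); else miss=$((miss + 1)); fi
    done
    if [ "$hit" -eq 0 ] && [ "$miss" -eq 0 ]; then echo unresolved
    elif [ "$miss" -eq 0 ]; then echo proxied      # every answer is the proxy
    elif [ "$hit" -eq 0 ]; then echo bypassed      # name points straight at a backend
    else echo mixed; fi                            # proxy and backend both answered
}

# resolve NAME SERVER: A records for NAME as answered by SERVER (needs dig).
resolve() {
    dig +short "$1" A "@$2" | tr '\n' ' '
}

# cert_subject NAME HOST: subject and issuer of the certificate HOST presents
# on 443 when asked for NAME via SNI (needs openssl). A self-signed Pihole cert
# shows its own subject as issuer instead of the domain's CA.
cert_subject() {
    name=$1; host=$2
    openssl s_client -connect "$host:443" -servername "$name" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer
}

# Usage: sh check.sh FQDN PROXY_IP DNS_SERVER...
# Example: sh check.sh pihole.my.domain 10.0.0.2 10.0.0.53 10.0.0.1
if [ "$#" -ge 3 ]; then
    fqdn=$1; proxy=$2; shift 2
    for server in "$@"; do
        answers=$(resolve "$fqdn" "$server")
        printf '%-14s %-10s %s\n' "$server" "$(classify "$proxy" "$answers")" "$answers"
    done
    cert_subject "$fqdn" "$fqdn"
fi
```

A "bypassed" row from the Pihole server alone, while the router still answers "proxied", is exactly the hostname collision described above: the Pihole answers its own hostname with its own IP before the local DNS record is consulted.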
AbsolutelyClawless 1 point 2 days ago

The FQDN resolves fine. I can still reach Pihole over https://pihole.my.domain/ and click on "Proceed to pihole.my.domain (Risky)", but the browser fetches Pihole's self-signed certificate instead of my.domain and throws a warning about certificate validity. Which it absolutely shouldn't, because Nginx conf for Pihole points to port 80, not port 443.
