author | max.bra | 2023-02-06 17:13:42 +0100 |
committer | max.bra | 2023-02-06 17:13:42 +0100 |
commit | a489504e74ef445caf6f3eacf262ee51ac8eeffe (patch) | |
tree | 439f9901eed5adb343d8f295ca1414f0cdd37619 | |
parent | 3edb9edcdbc39704d41a43549afaeaa78052104a (diff) | |
download | aur-a489504e74ef445caf6f3eacf262ee51ac8eeffe.tar.gz |
web servers config update
-rw-r--r-- | .SRCINFO | 10 | ||||
-rw-r--r-- | PKGBUILD | 6 | ||||
-rw-r--r-- | lighttpd.pi-hole.conf | 141 | ||||
-rw-r--r-- | nginx.pi-hole.conf | 10 |
4 files changed, 101 insertions, 66 deletions
@@ -1,7 +1,7 @@ pkgbase = pi-hole-server pkgdesc = The Pi-hole is an advertising-aware DNS/Web server. Arch adaptation for lan wide DNS server. pkgver = 5.15.3 - pkgrel = 2 + pkgrel = 3 url = https://github.com/pi-hole/pi-hole install = pi-hole-server.install arch = any @@ -31,8 +31,8 @@ pkgbase = pi-hole-server backup = etc/sudoers.d/pihole source = pi-hole-server-core-5.15.3.tar.gz::https://github.com/pi-hole/pi-hole/archive/v5.15.3.tar.gz source = pi-hole-server-admin-5.18.3.tar.gz::https://github.com/pi-hole/AdminLTE/archive/v5.18.3.tar.gz - source = arch-server-core-5.15.3-150768805.patch::https://raw.githubusercontent.com/max72bra/pi-hole-server-archlinux-customization/master/arch-server-core-5.15.3.patch - source = arch-server-admin-5.18.3-150768805.patch::https://raw.githubusercontent.com/max72bra/pi-hole-server-archlinux-customization/master/arch-server-admin-5.18.3.patch + source = arch-server-core-5.15.3-400705960.patch::https://raw.githubusercontent.com/max72bra/pi-hole-server-archlinux-customization/master/arch-server-core-5.15.3.patch + source = arch-server-admin-5.18.3-400705960.patch::https://raw.githubusercontent.com/max72bra/pi-hole-server-archlinux-customization/master/arch-server-admin-5.18.3.patch source = dnsmasq.include source = lighttpd.pi-hole.conf source = nginx.pi-hole.conf 
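Review bot: The two `source =` entries for the arch-server-core and arch-server-admin patches in the second hunk still point at `.../master/...` on raw.githubusercontent.com, so the sha256sums updated in the companion hunks (`@@ -49,8 +49,8 @@` in .SRCINFO and `@@ -47,8 +47,8 @@` in PKGBUILD) are only valid until the next push to that branch, and the changed numeric suffix in the local filename (which appears to come from the `_now=\`date +%N\`` line visible in the PKGBUILD hunk) exists only to defeat makepkg's download cache. Pinning each URL to an immutable ref, e.g. `source = arch-server-core-5.15.3.patch::https://raw.githubusercontent.com/max72bra/pi-hole-server-archlinux-customization/<COMMIT_SHA>/arch-server-core-5.15.3.patch` (placeholder for the commit you tested against), would make the checksum a stable integrity check and remove the need for the per-build rename. The same applies to the admin patch entry.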
@@ -49,8 +49,8 @@ pkgbase = pi-hole-server sha256sums = 959e14310ebf9089c209e10fb5c4a1c622e7e306506351b674a0d29ba75547d6 sha256sums = 2e336c96b3c5b7887a031e854185920885404e5107e7acdba4dc133c5dcedab4 sha256sums = 96c1fb8b15e1d0e99c18dc768f5dc3d4991184fb2631af84c5e2111028bc5287 - sha256sums = f70964f8b176d9ffcf4f44140036f0cfc030cbbe836634a885da082cfee4d1f7 - sha256sums = 032770450ba4a1085bcb0bf3f944c436c5702f3a3faf984fbbba2d3dbc6accea + sha256sums = 3a3baa92a635d602824f184d901e947a0e14650c950e89325dda6f7d71b39db9 + sha256sums = 28bbc99230b961032eeaec515d3dd06778c99b21e3a9c2401e19992edd1af6c3 sha256sums = 6da6bba6cfac4e87a1f1e8e1488b71858ac6feb0a2e327470a58d8f1e9ad8cbf sha256sums = 9b72d7769036f8f4bb7121968d2ae4bdba427e4b16787ce340205a5f62b45c7c sha256sums = 5228b4f923eab7784952a0fd6da895e7bff2f80a7f91c4a7c6350491dfdbb2e8 @@ -4,7 +4,7 @@ pkgname=pi-hole-server _pkgname=pi-hole pkgver=5.15.3 -pkgrel=2 +pkgrel=3 _wwwpkgname=AdminLTE _wwwpkgver=5.18.3 _now=`date +%N` @@ -47,8 +47,8 @@ sha256sums=('961f9dc6c5b1e25f0f5cd6ca4c4c7390cc791a0005ade40da9d062b83b111bcc' '959e14310ebf9089c209e10fb5c4a1c622e7e306506351b674a0d29ba75547d6' '2e336c96b3c5b7887a031e854185920885404e5107e7acdba4dc133c5dcedab4' '96c1fb8b15e1d0e99c18dc768f5dc3d4991184fb2631af84c5e2111028bc5287' - 'f70964f8b176d9ffcf4f44140036f0cfc030cbbe836634a885da082cfee4d1f7' - '032770450ba4a1085bcb0bf3f944c436c5702f3a3faf984fbbba2d3dbc6accea' + '3a3baa92a635d602824f184d901e947a0e14650c950e89325dda6f7d71b39db9' + '28bbc99230b961032eeaec515d3dd06778c99b21e3a9c2401e19992edd1af6c3' '6da6bba6cfac4e87a1f1e8e1488b71858ac6feb0a2e327470a58d8f1e9ad8cbf' '9b72d7769036f8f4bb7121968d2ae4bdba427e4b16787ce340205a5f62b45c7c' '5228b4f923eab7784952a0fd6da895e7bff2f80a7f91c4a7c6350491dfdbb2e8' diff --git a/lighttpd.pi-hole.conf b/lighttpd.pi-hole.conf index 3fc88707249d..b4a01bd4cd72 100644 --- a/lighttpd.pi-hole.conf +++ b/lighttpd.pi-hole.conf 
@@ -16,75 +16,116 @@ ############################################################################### server.modules = ( - "mod_auth", - "mod_access", - "mod_accesslog", - "mod_expire", - "mod_deflate", - "mod_redirect", - "mod_setenv", - "mod_rewrite", - "mod_fastcgi" -) - -mimetype.assign = ( - ".html" => "text/html", - ".txt" => "text/plain", - ".css" => "text/css", - ".js" => "application/x-javascript", - ".jpg" => "image/jpeg", - ".jpeg" => "image/jpeg", - ".gif" => "image/gif", - ".png" => "image/png", - ".svg" => "image/svg+xml", # thanks to nikke - "" => "application/octet-stream" -) - -fastcgi.server = ( - ".php" => ( - "localhost" => ( - "bin-path" => "/usr/bin/php-cgi -d session.save_path=/run/pihole", - "socket" => "/tmp/php-fastcgi.sock", - "broken-scriptfilename" => "enable", - "max-procs" => 4, - "bin-environment" => ( - "PHP_FCGI_CHILDREN" => "1" # default value - ) - ) - ) + "mod_access", + "mod_auth", + "mod_expire", + "mod_redirect", + "mod_setenv", + "mod_rewrite" ) server.document-root = "/srv/http/pihole" -server.error-handler-404 = "/pihole/index.php" +server.upload-dirs = ( "/run/lighttpd" ) +server.errorlog = "/var/log/lighttpd/error-pihole.log" +server.pid-file = "/run/lighttpd.pid" server.username = "http" server.groupname = "http" +# For lighttpd version 1.4.46 or above, the port can be overwritten in `/etc/lighttpd/external.conf` using the := operator +# e.g. 
server.port := 8000 server.port = 80 +# Allow streaming response +# reference: https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_stream-response-bodyDetails +server.stream-response-body = 1 +#ssl.read-ahead = "disable" + index-file.names = ( "index.php", "index.html", "index.lighttpd.html" ) url.access-deny = ( "~", ".inc", ".md", ".yml", ".ini" ) static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" ) -deflate.cache-dir = "/var/cache/lighttpd/compress/" -deflate.mimetypes = ( "application/javascript", "text/css", "text/html", "text/plain" ) +mimetype.assign = ( + ".ico" => "image/x-icon", + ".jpeg" => "image/jpeg", + ".jpg" => "image/jpeg", + ".png" => "image/png", + ".svg" => "image/svg+xml", + ".css" => "text/css; charset=utf-8", + ".html" => "text/html; charset=utf-8", + ".js" => "text/javascript; charset=utf-8", + ".json" => "application/json; charset=utf-8", + ".map" => "application/json; charset=utf-8", + ".txt" => "text/plain; charset=utf-8", + ".eot" => "application/vnd.ms-fontobject", + ".otf" => "font/otf", + ".ttc" => "font/collection", + ".ttf" => "font/ttf", + ".woff" => "font/woff", + ".woff2" => "font/woff2" +) -# If the URL starts with /admin, it is the Web interface $HTTP["url"] =~ "^/admin/" { - # Create a response header for debugging using curl -I + server.document-root = "/srv/http/pihole" + server.stream-response-body = 1 + accesslog.filename = "/var/log/lighttpd/access-pihole.log" + accesslog.format = "%{%s}t|%h|%V|%r|%s|%b" + + fastcgi.server = ( + ".php" => ( + "localhost" => ( + "socket" => "/run/lighttpd/pihole-php-fastcgi.socket", + "bin-path" => "/usr/bin/php-cgi", + "min-procs" => 1, + "max-procs" => 1, + "bin-environment" => ( + "PHP_FCGI_CHILDREN" => "4", + "PHP_FCGI_MAX_REQUESTS" => "10000", + ), + "bin-copy-environment" => ( + "PATH", "SHELL", "USER" + ), + "broken-scriptfilename" => "enable", + ) + ) + ) + + # X-Pi-hole is a response header for debugging using curl -I + # X-Frame-Options prevents clickjacking attacks 
and helps ensure your content is not embedded into other sites via < frame >, < iframe > or < object >. + # X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. This is important because it tells the browser to block the response if a malicious script has been inserted from a user input. (deprecated; disabled) + # X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This is important because the browser will only load external resources if their content-type matches what is expected, and not malicious hidden code. + # Content-Security-Policy tells the browser where resources are allowed to be loaded and if it’s allowed to parse/run inline styles or Javascript. This is important because it prevents content injection attacks, such as Cross Site Scripting (XSS). + # X-Permitted-Cross-Domain-Policies is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. + # Referrer-Policy allows control/restriction of the amount of information present in the referral header for links away from your page—the URL path or even if the header is sent at all. setenv.add-response-header = ( "X-Pi-hole" => "The Pi-hole Web interface is working!", - "X-Frame-Options" => "DENY" + "X-Frame-Options" => "DENY", + "X-XSS-Protection" => "0", + "X-Content-Type-Options" => "nosniff", + "Content-Security-Policy" => "default-src 'self' 'unsafe-inline';", + "X-Permitted-Cross-Domain-Policies" => "none", + "Referrer-Policy" => "same-origin" ) - $HTTP["url"] =~ ".ttf$" { - # Allow Block Page access to local fonts - setenv.add-response-header = ( "Access-Control-Allow-Origin" => "*" ) + # Block . files from being served, such as .git, .github, .gitignore + $HTTP["url"] =~ "^/admin/\." 
{ + url.access-deny = ("") + } + + # allow teleporter and API qr code iframe on settings page + $HTTP["url"] =~ "/(teleporter|api_token)\.php$" { + $HTTP["referer"] =~ "/admin/settings\.php" { + setenv.set-response-header = ( "X-Frame-Options" => "SAMEORIGIN" ) + } } } +else $HTTP["url"] == "/admin" { + url.redirect = ("" => "/admin/") +} -# Block . files from being served, such as .git, .github, .gitignore -$HTTP["url"] =~ "^/admin/\.(.*)" { - url.access-deny = ("") +$HTTP["host"] == "pi.hole" { + $HTTP["url"] == "/" { + url.redirect = ("" => "/admin/") + } } -# Add user chosen options held in external file -#include_shell "cat external.conf 2>/dev/null" +# (keep this on one line for basic-install.sh filtering during install) +server.modules += ( "mod_access", "mod_accesslog", "mod_redirect", "mod_fastcgi", "mod_setenv" ) diff --git a/nginx.pi-hole.conf b/nginx.pi-hole.conf index b7cd87eac349..f826f95d58c0 100644 --- a/nginx.pi-hole.conf +++ b/nginx.pi-hole.conf @@ -13,14 +13,12 @@ server { autoindex off; proxy_intercept_errors on; - error_page 404 /pihole/index.php; - index pihole/index.php index.php index.html index.htm; + index index.php index.html index.htm; location / { expires max; - try_files $uri $uri/ =404; - add_header X-Pi-hole "A black hole for Internet advertisements"; + return 301 /admin/; } location ~ \.php$ { @@ -41,10 +39,6 @@ server { add_header Access-Control-Allow-Origin "*"; } - location ~ /admin/\. { - deny all; - } - location ~ /\.ht { deny all; } |
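Review bot: The dot-file guard `$HTTP["url"] =~ "^/admin/\."` only matches a dot immediately after `/admin/`, so a hidden file or directory nested deeper in the admin tree (for example under `/admin/vendor/` or `/admin/scripts/`) is not covered, and the global `url.access-deny = ( "~", ".inc", ".md", ".yml", ".ini" )` does not close that gap either. If the packaged AdminLTE tree carries such entries, which I cannot tell from this diff, `$HTTP["url"] =~ "/\."` would deny them wherever they sit. Separately, the trailing `server.modules += ( "mod_access", "mod_accesslog", "mod_redirect", "mod_fastcgi", "mod_setenv" )` repeats three modules already listed in the leading `server.modules` block; lighttpd appears to tolerate this, but naming each module once keeps the loaded set obvious and avoids any duplicate-module warnings. The `# (keep this on one line for basic-install.sh filtering during install)` comment refers to Pi-hole's installer script, which this package does not seem to run, so it is worth confirming that rationale still applies here.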
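Review bot: With `location ~ /admin/\. { deny all; }` dropped in the second hunk, the only hidden-file rule left in nginx is `location ~ /\.ht { deny all; }`, so dot-prefixed entries under /admin/ (`.github`, `.gitignore`, editor configs and similar, if the packaged AdminLTE tree ships them) become servable, while the lighttpd config in this same commit still denies `^/admin/\.`. The two server configs should enforce the same rule; replacing the `.ht` block with `location ~ /\. { deny all; }` would cover both the old `/admin/\.` case and `.ht*` files in one place. In the first hunk, `location /` now answers every unmatched path with `return 301 /admin/;`, so the `expires max;` kept above it applies to that redirect and, as far as I know, lets browsers cache the 301 indefinitely; it reads as a leftover from the old `try_files` block and is probably better removed.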