# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Lighttpd config for Pi-hole
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.

###############################################################################
#     FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE.     #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
#                                                                             #
#              CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE:              #
#                         /etc/lighttpd/external.conf                         #
###############################################################################

server.modules = (
    "mod_access",
    "mod_auth",
    "mod_expire",
    "mod_redirect",
    "mod_setenv",
    "mod_rewrite"
)

server.document-root        = "/srv/http/pihole"
server.upload-dirs          = ( "/run/lighttpd" )
server.errorlog             = "/var/log/lighttpd/error-pihole.log"
server.pid-file             = "/run/lighttpd.pid"
server.username             = "http"
server.groupname            = "http"
# For lighttpd version 1.4.46 or above, the port can be overwritten in `/etc/lighttpd/external.conf` using the := operator
# e.g. server.port := 8000
server.port                 = 80

# Allow streaming response
# reference: https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_stream-response-bodyDetails
server.stream-response-body = 1
#ssl.read-ahead              = "disable"

index-file.names            = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny             = ( "~", ".inc", ".md", ".yml", ".ini" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

mimetype.assign = (
    ".ico"   => "image/x-icon",
    ".jpeg"  => "image/jpeg",
    ".jpg"   => "image/jpeg",
    ".png"   => "image/png",
    ".svg"   => "image/svg+xml",
    ".css"   => "text/css; charset=utf-8",
    ".html"  => "text/html; charset=utf-8",
    ".js"    => "text/javascript; charset=utf-8",
    ".json"  => "application/json; charset=utf-8",
    ".map"   => "application/json; charset=utf-8",
    ".txt"   => "text/plain; charset=utf-8",
    ".eot"   => "application/vnd.ms-fontobject",
    ".otf"   => "font/otf",
    ".ttc"   => "font/collection",
    ".ttf"   => "font/ttf",
    ".woff"  => "font/woff",
    ".woff2" => "font/woff2"
)

$HTTP["url"] =~ "^/admin/" {
    server.document-root = "/srv/http/pihole"
    server.stream-response-body = 1
    accesslog.filename = "/var/log/lighttpd/access-pihole.log"
    accesslog.format = "%{%s}t|%h|%V|%r|%s|%b"

    fastcgi.server = (
        ".php" => (
            "localhost" => (
                "socket" => "/run/lighttpd/pihole-php-fastcgi.socket",
                "bin-path" => "/usr/bin/php-cgi",
                "min-procs" => 1,
                "max-procs" => 1,
                "bin-environment" => (
                    "PHP_FCGI_CHILDREN" => "4",
                    "PHP_FCGI_MAX_REQUESTS" => "10000",
                ),
                "bin-copy-environment" => (
                    "PATH", "SHELL", "USER"
                ),
                "broken-scriptfilename" => "enable",
            )
        )
    )

    # X-Pi-hole is a response header for debugging using curl -I
    # X-Frame-Options prevents clickjacking attacks and helps ensure your content is not embedded into other sites via < frame >, < iframe > or < object >.
    # X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. This is important because it tells the browser to block the response if a malicious script has been inserted from a user input. (deprecated; disabled)
    # X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This is important because the browser will only load external resources if their content-type matches what is expected, and not malicious hidden code.
    # Content-Security-Policy tells the browser where resources are allowed to be loaded and if it’s allowed to parse/run inline styles or Javascript. This is important because it prevents content injection attacks, such as Cross Site Scripting (XSS).
    # X-Permitted-Cross-Domain-Policies is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains.
    # Referrer-Policy allows control/restriction of the amount of information present in the referral header for links away from your page—the URL path or even if the header is sent at all.
    setenv.add-response-header = (
        "X-Pi-hole" => "The Pi-hole Web interface is working!",
        "X-Frame-Options" => "DENY",
        "X-XSS-Protection" => "0",
        "X-Content-Type-Options" => "nosniff",
        "Content-Security-Policy" => "default-src 'self' 'unsafe-inline';",
        "X-Permitted-Cross-Domain-Policies" => "none",
        "Referrer-Policy" => "same-origin"
    )

    # Block . files from being served, such as .git, .github, .gitignore
    $HTTP["url"] =~ "^/admin/\." {
        url.access-deny = ("")
    }

    # allow teleporter and API qr code iframe on settings page
    $HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
        $HTTP["referer"] =~ "/admin/settings\.php" {
            setenv.set-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
        }
    }
}
else $HTTP["url"] == "/admin" {
    url.redirect = ("" => "/admin/")
}

$HTTP["host"] == "pi.hole" {
    $HTTP["url"] == "/" {
        url.redirect = ("" => "/admin/")
    }
}

# (keep this on one line for basic-install.sh filtering during install)
server.modules += ( "mod_access", "mod_accesslog", "mod_redirect", "mod_fastcgi", "mod_setenv" )