nginx config in documentatation does not work well

[AlfredoCubitos]

Versions

Pi-hole version is v5.17.2 (Latest: v5.17.2)
web version is v5.21 (Latest: v5.21)
FTL version is v5.23 (Latest: v5.23)

Platform

armbian
banana-Pi

The nginx config from NGINX-Doku does not work well.
E.g. no values are shown in the Dashboard.

So I'm using the following config which is based on Diet-Pi config Diet-Pi config

This works well for me :-)

    listen 80 default_server;

    root /var/www/html;
    server_name _;

    index index.php index.html;

    location / {
        expires max;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
	fastcgi_split_path_info ^(.+?\.php)(/.*)$;
	fastcgi_param HTTP_PROXY "";
        include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
	fastcgi_param FQDN true;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
	fastcgi_index index.php;
    }
   
   # Based on: https://github.com/pi-hole/pi-hole/blob/master/advanced/lighttpd.conf.debian

# Allow teleporter and API QR code iframes on settings page
location ~ ^(?:/html|)/admin/scripts/pi-hole/php/(?:teleporter|api_token)\.php$ {
	# PHP handler block
	fastcgi_pass unix:/run/php/php8.2-fpm.sock;
	include snippets/fastcgi-php.conf;

	if ($http_referer !~ /admin/settings\.php) {
		add_header X-Frame-Options "DENY";
	}
	if ($http_referer ~ /admin/settings\.php) {
		add_header X-Frame-Options "SAMEORIGIN";
	}
}


# Admin panel
location ~ ^(?:/html|)/admin(?:$|/) {
	# Block public access to admin page, if enabled
	# - To enable: cd /etc/nginx/sites-dietpi; mv dietpi-pihole-block_public_admin.off dietpi-pihole-block_public_admin.on
	# - To disable: cd /etc/nginx/sites-dietpi; mv dietpi-pihole-block_public_admin.on dietpi-pihole-block_public_admin.off
	include sites-dietpi/dietpi-pihole-block_public_admin.*on;

	# Block . files from being served, such as .git, .github, .gitignore
	location ~ ^(?:/html|)/admin/\. {
		deny all;
	}

	# Create response header for Pi-hole debugger
	add_header X-Pi-hole "The Pi-hole Web interface is working!";
	add_header X-Frame-Options "DENY";

	# Standard PHP handler block
	try_files $uri $uri/ =404;
	location ~ ^(?:/html|)/admin/.+\.php(?:$|/) {
		fastcgi_pass unix:/run/php/php8.2-fpm.sock;
		include snippets/fastcgi-php.conf;
	}
}

# 404 page
location ~ ^(?:/html|)/pihole(?:$|/) {
	# Block public access
	allow 127.0.0.0/8;
	allow 192.168.0.0/16;
	allow 10.0.0.0/8;
	allow 172.16.0.0/12;
	allow ::1/128;
	allow fe80::/10;
	allow fc00::/7;
	deny all;

	# Standard PHP handler block
	try_files $uri $uri/ =404;
	location ~ ^(?:/html|)/pihole/.+\.php(?:$|/) {
		fastcgi_pass unix:/run/php/php8.2-fpm.sock;
		include snippets/fastcgi-php.conf;
	}
}

}

[dschaper]

@MichaIng Is this accurate?

[MichaIng]

I did not know that there is an Nginx config in Pi-hole docs. We created ours based on the Lighttpd config shipped with Pi-hole. In the meantime it has been updated a little: https://github.com/MichaIng/DietPi/blob/master/.conf/dps_93/nginx.pihole.conf

The Nginx config in Pi-hole docs indeed looks a little incomplete:

• No security headers/CSP
• Direct (web) access to .git/.github directories is not denied.
• If security headers were set in a dedicated drop-in config, teleporter and QR code iframes would be blocked.

But what might actually cause the issue is the added basic authentication. The Pi-hole admin panel has own authentication, so no dedicated webserver-based authentication is required, and I am quite sure it breaks internal requests.

[AlfredoCubitos]

@MichaIng: you are right with the basic authentication issue.
I removed the basic authentication from the config, but I only got an empty Dashboard

[MichaIng]

With "empty" you mean a white page or is the page rendered, just the diagrams showing no values? If it is more a white page, the PHP processing block might just be wrong/incomplete. It is missing some parts one part at least:

snippets/fastcgi-php.conf on Debian contains:

# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;

# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;
include fastcgi.conf;

The fastcgi.conf is covered in the docs' config with fastcgi_params and SCRIPT_FILENAME, but PATH_INFO is missing. You also have this in your config, so this really seems to be the key difference between our working configs and the non-functional one.

[AlfredoCubitos]

yes, with "empty" I mean just the diagrams showing no values.
Ok, good answer :-)
Wouldn't it a good idea to put your answer directly into the nginx-docu?

[MichaIng]

yes, with "empty" I mean just the diagrams showing no values.

Hmm, but this is an indicator against my theory, since then the page is served by PHP. It could be tested adding

fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;

after

include fastcgi_params;

to the Nginx config from the docs. If this works, we should indeed add it there.

[AlfredoCubitos]

I took the config from the docu and changed it according to your suggestion:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    server_name _;
    autoindex off;

    index pihole/index.php index.php index.html index.htm;

    location / {
        expires max;
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        fastcgi_param FQDN true;
    }

    location /*.js {
        index pihole/index.js;
    }

    location /admin {
        root /var/www/html;
        index index.php index.html index.htm;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    location ~ /\.ht {
        deny all;
    }
}

this works also :-)

[MichaIng]

Okay, then I think we can be sure this really is the missing part. I'd just add the split path part to the location ~ \.php$ { block, since it has no purpose for anything else than PHP scripts, but is common for all PHP scripts, not just Pi-hole.