redhat:other-redhat:pi-hole-redhat

redhat:other-redhat:pi-hole-redhat [2020/02/15 11:32] – created michael
redhat:other-redhat:pi-hole-redhat [2020/02/24 15:47] (current) – [Installation of a hardened Unbound DNS server] michael
Line 1: Line 1:
 ====== Pi-hole DNS Ad-blocking Server ====== ====== Pi-hole DNS Ad-blocking Server ======
-Networkwide ad blocking via your own Linux hardware. No client-side software required+ 
 +Network-wide ad blocking via own Linux hardware. No client-side software required
  
 {{:icons:pi-hole.png?nolink&150|}} {{:icons:pi-hole.png?nolink&150|}}
  
   * [[https://pi-hole.net/|pi-hole Homepage]]   * [[https://pi-hole.net/|pi-hole Homepage]]
-  * ''**[[debian:other-debian:pi-hole-debian-arm|Installation Pi-hole DNS Ad-blocking Server auf ARM - (Depricated)]]**'' 
  
 +FIXME
  
-===== Installation von Docker und Docker-Compose =====+===== Installation von Podman =====
  
 <WRAP center box 100%> <WRAP center box 100%>
-''**Step 1** - Update the System and install Docker:''<code> +''**Step 1** - Update the System and install Podman:''<code> 
-apt-get update +yum update -y
-# apt-get upgrade+
  
 # apt-get install docker-ce # apt-get install docker-ce
-</code> 
- 
-''**Step 2** - Install docker-compose binary:'' 
- 
-Neuste Version auf GitHub nachschauen: [[https://github.com/docker/compose/releases|docker-compose]] 
- 
-<code># curl -L "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose 
- 
-# chmod +x /usr/local/bin/docker-compose 
-# curl -L https://raw.githubusercontent.com/docker/compose/$(docker-compose version --short)/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose 
- 
 # docker-compose version # docker-compose version
 </code> </code>
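Review bot: Step 1 is retitled to install Podman and the update command becomes `yum update -y`, but the install line that follows is still the unchanged `# apt-get install docker-ce`, and `# docker-compose version` is kept although the compose install step was removed; on this yum-based system the block should read `# yum install -y podman` followed by `# podman --version`, and `yum update -y` should carry the `# ` prompt prefix every other command uses. The `+FIXME` placeholder under the link list is also published as page text.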
Line 36: Line 25:
  
 <WRAP center box 100%> <WRAP center box 100%>
-<code># apt-get install unbound+<code># yum install unbound
  
-# cd /var/lib/unbound/+# cd /etc/unbound/
 # wget -O root.hints https://www.internic.net/domain/named.root # wget -O root.hints https://www.internic.net/domain/named.root
-# chown unbound:unbound /var/lib/unbound/root.hints+# chown unbound:unbound /etc/unbound/root.hints 
 + 
 +# rm /etc/unbound/conf.d/example.com.conf 
 +# echo "" > /etc/unbound/unbound.conf
  
-# vim /etc/unbound/unbound.conf.d/blackNET.conf+# vim /etc/unbound/unbound.conf
 </code> </code>
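Review bot: `echo "" > /etc/unbound/unbound.conf` empties the package-supplied configuration in place with no backup, which also drops the `include:` of the conf.d drop-ins that the removed example.com.conf lived in and so makes the preceding `rm` redundant; copy the original aside first (`cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.orig`) so the stock settings can be compared against the hardened file written in the next step. The `wget -O root.hints` also silently depends on the `cd /etc/unbound/` above having succeeded; an absolute `-O /etc/unbound/root.hints` matches the `chown` line and removes that dependency.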
  
Line 57: Line 49:
  
     # Use this only when you downloaded the list of primary root servers!     # Use this only when you downloaded the list of primary root servers!
-    root-hints: "/var/lib/unbound/root.hints"+    root-hints: "root.hints"
  
     # Trust glue only if it is within the servers authority     # Trust glue only if it is within the servers authority
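Review bot: `root-hints: "root.hints"` is now a relative path, which unbound resolves against its `directory:` setting and chroot rather than against /etc/unbound, and the surrounding configuration was just rewritten from scratch; use the absolute `root-hints: "/etc/unbound/root.hints"` so it matches the download and chown steps and keeps its meaning if `directory:` is changed later, and run `unbound-checkconf` before the restart to catch a wrong path.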
Line 89: Line 81:
     # Ensure privacy of local IP ranges     # Ensure privacy of local IP ranges
     private-address: 192.168.0.0/16     private-address: 192.168.0.0/16
-    private-address: 172.16.0.0/12 
     private-address: 10.0.0.0/8     private-address: 10.0.0.0/8
 </sxh> </sxh>
  
 <code> <code>
 +# systemctl restart unbound
 +# systemctl status unbound
 +
 +# sealert -a /var/log/audit/audit.log
 +# ausearch -c 'unbound' --raw | audit2allow -M my-unbound
 +# semodule -X 300 -i my-unbound.pp
 +
 # systemctl restart unbound # systemctl restart unbound
 # systemctl status unbound # systemctl status unbound
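Review bot: dropping `private-address: 172.16.0.0/12` removes the DNS-rebinding guard for one of the three RFC1918 ranges while 192.168.0.0/16 and 10.0.0.0/8 stay protected; if that is deliberate (for example a name that must resolve into 172.16/12), add a comment saying so, otherwise restore the line. Separately, `ausearch -c 'unbound' --raw | audit2allow -M my-unbound` followed by `semodule -X 300 -i my-unbound.pp` turns every logged denial into a permanent allow rule; read the generated my-unbound.te before installing it, and where the denial is only a file label on the freshly downloaded hints file, `restorecon -v /etc/unbound/root.hints` is the narrower fix. The `systemctl restart unbound` / `systemctl status unbound` pair now appears twice in a row.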
Line 103: Line 101:
 # dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353 # dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
 # dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353 # dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353
 +
 +# systemctl enable unbound
 </code> </code>
 </WRAP> </WRAP>
  
----- 
  
-===== Installation / Deployment von pi-hole =====+===== Einrichten und Deployment von pi-hole =====
  
 <WRAP center box 100%> <WRAP center box 100%>
 ==== Erstellen der benötigten Files und Verzeichnisse ==== ==== Erstellen der benötigten Files und Verzeichnisse ====
  
-<code># mkdir /opt/docker-pihole</code>+<code> 
 +# mkdir /opt/podman-pihole 
 +# mkdir /opt/podman-pihole/pihole 
 +# mkdir /opt/podman-pihole/dnsmasq.d 
 +</code>
  
 ---- ----
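Review bot: the two `dig` queries are listed without the result they must produce; state that `sigfail.verteiltesysteme.net` has to come back SERVFAIL and `sigok.verteiltesysteme.net` NOERROR (with the `ad` flag set), because a resolver that is not validating answers both with NOERROR and the check passes by accident. `systemctl enable unbound` is a good addition, but the container unit below relies on unbound answering on 127.0.0.1#5353, so `systemctl enable --now unbound` here and an `After=unbound.service` in pi-hole-container.service would make the ordering explicit.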
Line 119: Line 122:
 ''<wrap em>Optional:</wrap> blackGATE custom design!'' <wrap hi>**Achtung:** falls das custom-design nicht gewünscht wird, die ERSTE markierte Zeile im docker_compose.yml WEGLASSEN sowie auch nachfolgende File und den Ordner nicht erstellen.</wrap> ''<wrap em>Optional:</wrap> blackGATE custom design!'' <wrap hi>**Achtung:** falls das custom-design nicht gewünscht wird, die ERSTE markierte Zeile im docker_compose.yml WEGLASSEN sowie auch nachfolgende File und den Ordner nicht erstellen.</wrap>
  
-<code># mkdir /opt/docker-pihole/adminCMS+<code> 
 +# mkdir /opt/docker-pihole/adminCMS
 # vim /opt/docker-pihole/adminCMS/pi-hole.css # vim /opt/docker-pihole/adminCMS/pi-hole.css
 </code> </code>
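Review bot: this optional step still creates `/opt/docker-pihole/adminCMS` and the text above it still refers to docker_compose.yml, while the rest of the revision moved to `/opt/podman-pihole` and pi-hole-container.service; the `podman run` line in the service file also no longer mounts pi-hole.css, so the custom design is never applied. Either rename the path and add `-v /opt/podman-pihole/adminCMS/pi-hole.css:/var/www/html/admin/style/pi-hole.css` to the run command, or drop the section.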
Line 200: Line 204:
 </sxh> </sxh>
 ''<wrap em>END of Optional</wrap>'' ''<wrap em>END of Optional</wrap>''
 +
 +----
 +
 +''<wrap em>Optional 2:</wrap>Set Local-Services (FQDN) to Server via DNS!'' 
 +
 +<code>
 +# vim /opt/podman-pihole/dnsmasq.d/localNET.conf
 +</code>
 +
 +<sxh bash>
 +address=/MYMAINPAGE.ch/192.168.99.11
 +address=/www.MYMAINPAGE.ch/192.168.99.11
 +address=/analytics.MYMAINPAGE.ch/192.168.99.11
 +address=/test.MYMAINPAGE.ch/192.168.99.11
 +</sxh>
 +
 +''<wrap em>END of Optional 2</wrap>''
 </WRAP> </WRAP>
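Review bot: in dnsmasq, `address=/MYMAINPAGE.ch/192.168.99.11` already answers for every name under MYMAINPAGE.ch, so the www., analytics. and test. lines add nothing unless they are meant to point elsewhere; keep the apex line alone, or use `host-record=` entries if only exact names should be overridden. The label `Optional 2:</wrap>Set` is also missing the space that `Optional:</wrap> blackGATE` above has.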
  
Line 206: Line 227:
 ==== Anlegen des docker-compose file für pi-hole ==== ==== Anlegen des docker-compose file für pi-hole ====
  
-Das verwendete Image ist ausschlisslich für x86_x64 Systeme geeignet. Soll Pi-hole auf einem ARM basierten System dokerisiert installiert werden, kann [[debian:other-debian:pi-hole-debian-arm|HIER]] geschaut werden. +Das verwendete Image ist ausschlisslich für x86_x64 Systeme geeignet. Soll Pi-hole auf einem ARM basierten System dokerisiert installiert werden, so kann für das richtige Image [[debian:other-debian:pi-hole-debian-arm|HIER]] geschaut werden. 
  
-''<wrap em>Wichtig:</wrap> Alle im **docker_compose.yml** File markierten Stellen sind zu kontrollieren oder bei einer Nichtübereinstimmung anzupassen!''+''<wrap em>Wichtig:</wrap> Alle im **pi-hole-container.service** File markierten Stellen sind zu kontrollieren oder bei Nichtübereinstimmung mit dem eigenen System anzupassen!''
  
-<code># vim /opt/docker-pihole/docker_compose.yml</code>+<code># vim /etc/systemd/system/pi-hole-container.service</code>
  
 <sxh xml; gutter: true; highlight: [11,14,15,19,20,21]> <sxh xml; gutter: true; highlight: [11,14,15,19,20,21]>
-version: "3.2"+[Unit] 
 +Description=Pi-Hole-Container 
 +After=network.target
  
-services: +[Service] 
-  # ---------------------------------------------------------------------------- +Type=simple 
-  pihole: +TimeoutStartSec=60s
-    image: pihole/pihole:latest +
-    container_name: "pihole-main" +
-    volumes: +
-      - /opt/docker-pihole/pihole/:/etc/pihole/ +
-      - /opt/docker-pihole/dnsmasq.d/:/etc/dnsmasq.d/ +
-      - /opt/docker-pihole/adminCMS/pi-hole.css:/var/www/html/admin/style/pi-hole.css +
-      - /etc/localtime:/etc/localtime:ro +
-    environment: +
-      - VIRTUAL_HOST=www.blackgate.org +
-      - ServerIP=192.168.1.2 +
-      - DNS1=127.0.0.1#5353 +
-      - DNS2=no +
-      - TZ=Europe/Zurich +
-      - WEBPASSWORD=MY_LOGIN_PASSWORD +
-      - WEB_PORT=81 +
-      - INTERFACE=enp1s0 +
-    #ports: +
-    #  - 53:53/tcp +
-    #  - 53:53/udp +
-    #  - 67:67/udp +
-    #  - 81:80 +
-    #networks: +
-    #  - local +
-    restart: always +
-    network_mode: "host"+
  
-# ------------------------------------------------------------------------------ +ExecStartPre=-/usr/bin/podman rm "pihole-server" 
-#networks: +ExecStart=/usr/bin/podman run --name pihole-server --net=host -e VIRTUAL_HOST=www.cibolini.ch -e ServerIP=192.168.99.11 -e DNS1=127.0.0.1#5353 -e DNS2=no -e TZ=Europe/Zurich -e WEBPASSWORD=MYPASSWORT1234 -e WEB_PORT=82 -e INTERFACE=eno5 -v /opt/podman-pihole/pihole/:/etc/pihole/:-v /opt/podman-pihole/dnsmasq.d/:/etc/dnsmasq.d/:-v /etc/localtime:/etc/localtime:ro  pihole/pihole:latest 
-#  local: + 
-#    driver: bridge+ExecReload=-/usr/bin/podman stop "pihole-server" 
 +ExecReload=-/usr/bin/podman rm "pihole-server" 
 + 
 +ExecStop=-/usr/bin/podman stop "pihole-server" 
 +Restart=always 
 +RestartSec=30 
 + 
 +[Install] 
 +WantedBy=multi-user.target
 </sxh> </sxh>
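Review bot: the volume flags in the `podman run` line are joined with `:` instead of spaces (`/etc/pihole/:-v /opt/podman-pihole/dnsmasq.d/:/etc/dnsmasq.d/:-v /etc/localtime`), so podman reads `-v` as a mount option and the unit will fail to start; write them as `-v /opt/podman-pihole/pihole/:/etc/pihole/ -v /opt/podman-pihole/dnsmasq.d/:/etc/dnsmasq.d/ -v /etc/localtime:/etc/localtime:ro`. The admin password is also passed inline as `-e WEBPASSWORD=MYPASSWORT1234` in a unit file that is typically world-readable and whose arguments show up in `systemctl show` and in the process list; move the `-e` values into an `EnvironmentFile=` with mode 0600 and reference them as `${WEBPASSWORD}`. The `highlight: [11,14,15,19,20,21]` still points at line numbers of the removed compose file, the section heading still says docker-compose file, and the prose line keeps the typos ausschlisslich and dokerisiert.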
  
Line 424: Line 430:
  
 <code> <code>
-# vim /etc/apache2/sites-available/blackgate.org.conf+# vim /etc/httpd/conf.d/proxy_https.conf
 </code> </code>
  
-<sxh bash; gutter: true;>+<sxh bash; gutter: true; highlight: [30-31];> 
 +define serveradmin "michael.r467@gmail.com" 
 +define ssl_path "/etc/letsencrypt/live/analytics.cibolini.ch" 
 + 
 +Protocols h2 h2c http/1.1 
 + 
 +SSLProtocol -All +TLSv1.2 +TLSv1.3 
 +SSLCipherSuite      ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM 
 +SSLCipherSuite      TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384 
 <VirtualHost *:443> <VirtualHost *:443>
- ServerName www.blackgate.org+ ServerName www.MYMAINPAGE.ch
  #  #
-     ServerAdmin ${blackgate_serveradmin} +     ServerAdmin ${serveradmin}
-     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"+
      SSLEngine on      SSLEngine on
-     SSLCertificateFile ${blackgate_ssl_path}/cert.pem +     SSLCertificateFile ${ssl_path}/cert.pem 
-     SSLCertificateKeyFile ${blackgate_ssl_path}/privkey.pem +     SSLCertificateKeyFile ${ssl_path}/privkey.pem 
-     SSLCertificateChainFile ${blackgate_ssl_path}/chain.pem +     SSLCertificateChainFile ${ssl_path}/chain.pem 
- + 
-     ProxyPass /error_docs ! +
-     ErrorDocument 503 /error_docs/ServiceUnavailable.html +
      RewriteEngine on      RewriteEngine on
      RewriteRule ^/pi-hole$ /pi-hole/ [R]      RewriteRule ^/pi-hole$ /pi-hole/ [R]
- +  
-     ProxyPass          /pi-holehttp://127.0.0.1:81/admin/ +     DocumentRoot /var/www/html/MYMAINPAGE 
-     ProxyPassReverse   /pi-holehttp://127.0.0.1:81/admin+  
- +     <Directory "/var/www/html/MYMAINPAGE"> 
-     ProxyPass          / http://192.168.1.21+             Options -Indexes +FollowSymLinks 
-     ProxyPassReverse   / http://192.168.1.21/ +             AllowOverride None 
- +             Require all granted 
-     <Proxy http://127.0.0.1:81/admin/+     </Directory> 
-             Order deny,allow +      
-             Allow from all +     ProxyPass          /pi-hole/ http://localhost:82/admin
-             Authtype Basic +     ProxyPassReverse   /pi-hole/ http://localhost:82/admin/
-             Authname "Password Required" +
-             AuthUserFile /etc/apache2/.htpasswd +
-             Require valid-user +
-     </Proxy>+
 </VirtualHost> </VirtualHost>
 </sxh> </sxh>
 </WRAP> </WRAP>
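Review bot: `ProxyPass /pi-hole/ http://localhost:82/admin` drops the trailing slash on the target while `ProxyPassReverse` keeps it, so /pi-hole/index.php is forwarded to /adminindex.php; make both targets `http://localhost:82/admin/`. The rewrite also removes two protections the old vhost had, the `Strict-Transport-Security` header and the `<Proxy>` block with Basic auth in front of the Pi-hole admin UI, leaving the admin page behind only its own WEBPASSWORD; restore `Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"` and a `<Location /pi-hole/>` with `AuthType Basic` and `Require valid-user` (AuthUserFile under /etc/httpd on this system), or state why they were dropped.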
  