-1

我最近在我躺着的 pi 上设置了一个 pihole,这很棒。当一个域被阻止时,它会根据其默认配置 BLOCKINGMODE=NULL 返回 ip 地址 0.0.0.0。

我面临的问题是,当我从通过 nginx 托管多个子域的服务器浏览网页时,它会不断尝试连接到我的 nginx 站点,并用 404 填充其日志。

我相信解决方案是更新我的 nginx 配置以指向我的私有 ip 而不是 0.0.0.0。我认为它会像更新listen 443 ssl; 到一样简单listen 192.168.1.10:443 ssl;

不幸的是,在我进行了更改之后,我的所有子域都随机指向其中一个。前任。a.mysite.com、b.mysite.com、c.mysite.com 都指向 a.mysite.com

我的大多数站点都将 docker 实例转发到 443,还有一些只是提供本地文件。

我最初在 pihole 论坛上问过,他们为我指出了正确的方向,但我不确定如何使用我的私有 ip 而不是 0.0.0.0 让 nginx 工作。 https://discourse.pi-hole.net/t/blockingmode-null-vs-nodata/53016/7

简单的解决方案是不理会我的 nginx 配置并将 pihole 从 BLOCKINGMODE=NULL 更新为 BLOCKINGMODE=NXDOMAIN 或 BLOCKINGMODE=NODATA,但根据他们的帮助文档,“类似于 NULL 阻塞,但实验表明客户端可能会尝试解决阻塞域比 NULL 阻塞更常见。” https://docs.pi-hole.net/ftldns/blockingmode/

谢谢阅读!

mrplow@dan-server:~$ dig ads.facebook.com

; <<>> DiG 9.16.15-Ubuntu <<>> ads.facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37291
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;ads.facebook.com.              IN      A

;; ANSWER SECTION:
ads.facebook.com.       2       IN      A       0.0.0.0

;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Jan 27 14:50:46 PST 2022
;; MSG SIZE  rcvd: 61

mrplow@dan-server:~$ date && curl ads.facebook.com && tail -n 1 /var/log/nginx/access.log
Thu 27 Jan 2022 03:00:19 PM PST
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
127.0.0.1 - - [27/Jan/2022:15:00:19 -0800] "GET / HTTP/1.1" 404 162 "-" "curl/7.74.0"

示例 nginx 配置文件

server {
  server_name a.mysite.com;

  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect   off;
    proxy_pass       http://127.0.0.1:9117;
  }
    ssl_dhparam /etc/ssl/certs/a.mysite.pem;


    listen 443 ssl; # managed by Certbot
#    listen 192.168.1.10:443 ssl;
    ssl_certificate /etc/letsencrypt/live/a.mysite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/a.mysite.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = a.mysite.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  server_name a.mysite.com;


    listen 80;
#    listen 192.168.1.10:80;
    return 404; # managed by Certbot


}
4

1 回答 1

0

弄清楚了。

我在监听指令中包含私有 IP 是正确的。但是,我还需要更新我的所有 server_name 指令以包含私有 IP 地址。

在我更新了所有 nginx 配置后,它不再在 0.0.0.0 上监听,当我卷曲一个被阻止的站点时,它现在给出了正确的curl: (7) Failed to connect to ads.facebook.com port 80: Connection refused响应。

工作示例:

server {
  server_name a.mysite.com 192.168.1.10;

  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect   off;
    proxy_pass       http://127.0.0.1:9117;
  }
    ssl_dhparam /etc/ssl/certs/a.mysite.pem;


    listen 192.168.1.10:443 ssl;
    ssl_certificate /etc/letsencrypt/live/a.mysite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/a.mysite.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = a.mysite.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  server_name a.mysite.com 192.168.1.10;


    listen 192.168.1.10:80;
    return 404; # managed by Certbot


}
于 2022-01-28T04:10:53.363 回答