Local SSL with SWAG and Pi-Hole

  • I found this thread where BernH mentions exactly what I want to accomplish:

    If you do want to use https in your network, the easiest way is you use a local DNS server like pihole, dnsmasq, or even some routers can do it. This way you can use the same web address and therefore the same certificate regardless of if you are home or not.

    I would like to get my PiHole DNS and SWAG reverse proxy setup so:

    1. A few select services are accessible via WAN (I already have this set up).
    2. All of the services from 1. are also available via the local DNS server (pi-hole) by their WAN addresses, but requests will be SSLed and local.
    3. All remaining services have a named local address (I'm not picky about what this looks like, but it would be nice if it fit with my service.mydomain.com standard) for local secured use, like in step 2.

    I assume all of these things are possible, but I'm struggling to find comprehensible documentation on steps 2 and 3. Is what I'm trying to achieve realistic? If so, could someone point me to low level explanations on how I can accomplish this?


    Edit: I hope mentioning someone and starting a new thread is appropriate, please let me know if I need to change anything on my post.

  • I can't help you much on SWAG, I don't use it. I prefer Nginx Proxy Manager.


    There are guides on the forum for setting up SWAG and Pihole.

    Guides


    I believe chente just updated the pihole guide.


    The simple trick to all of this is that you have to have a domain that you can use such as mydomain.duckdns.org (or anything else that you may have), which has to be kept updated by a DNS update client; you have to port forward your router to SWAG; configure your router to use Pihole as your DNS server or set all your devices to use Pihole as the DNS server; and you have to set up all of your services in Pihole pointing to SWAG.


    For example, if your OMV system has an IP of 192.168.0.200, your router should port forward ports 80 and 443 to 192.168.0.200. This will send all traffic that tries to access your domain from the internet to your router, which in turn sends it to SWAG, which then sends it to your service. On your LAN, in Pihole you need to set up every service so that service.mydomain.duckdns.org points to SWAG, but unknown addresses are forwarded to internet "upstream" servers.


    DNS queries from the internet are handled by google, cloudflare, quad9, etc, but dns queries on your lan get intercepted by pihole, and if it has an entry for a service, you are directed to swag, if it doesn't have an entry, it is directed to the internet.

    Thanks for responding. Luckily I've already set up most of what you've written out. I noted that in step 1: "A few select services are accessible via WAN (I already have this set up)." I should have made that more obvious. I've also got unbound on my pihole, I should have mentioned that too.


    This is what I need help with:

    > On your LAN, in Pihole you need to set up every service so that service.mydomain.duckdns.org points to SWAG, but unknown addresses are forwarded to internet "upstream" servers.

    I've not seen anything about it in our local guides here, and I'm not understanding other documentation I've found on the subject.

  • some interesting post:




    > Thanks for responding. Luckily I've already set up most of what you've written out. I noted that in step 1: "A few select services are accessible via WAN (I already have this set up)." I should have made that more obvious. I've also got unbound on my pihole, I should have mentioned that too.
    >
    > This is what I need help with:
    >
    > I've not seen anything about it in our local guides here, and I'm not understanding other documentation I've found on the subject.

    I prefer the dnsmasq approach in Pihole, as it is much simpler to configure and does not try to provide full dns services like unbound, since it is just a dns interceptor and full dns is more than you really need.


    To configure that, you do exactly as I said. Make an entry for each of your services that points its full address/domain to swag. There are settings in Pihole where you choose what upstream dns servers to use. And there is a check box in there to “not forward local requests”. That’s it, you now have a lan local dns interceptor.

  • raulfg3 Thanks for providing those links. The first one doesn't load for me. Re: the second link, I use the swag homepage for my weather station. Re: the third link, I already use linuxserver/ddclient and a registered domain.

    > I prefer the dnsmasq approach in Pihole, as it is much simpler to configure and does not try to provide full dns services like unbound, since it is just a dns interceptor and full dns is more than you really need.
    >
    > To configure that, you do exactly as I said. Make an entry for each of your services that points its full address/domain to swag. There are settings in Pihole where you choose what upstream dns servers to use. And there is a check box in there to “not forward local requests”. That’s it, you now have a lan local dns interceptor.

    While I know it's not necessary, I've already got the pihole and all dns is required to go through that, so I decided I might as well put unbound on it as well.

    I put the part I'm struggling with in bold above. I'm not familiar with how to point a service in my LAN. Reverse proxy is not something I'm very familiar with, so that's why I'm looking to understand it to make sure I'm not exposing services I don't want public.

    > raulfg3 Thanks for providing those links. The first one doesn't load for me. Re: the second link, I use the swag homepage for my weather station. Re: the third link, I already use linuxserver/ddclient and a registered domain.
    >
    > While I know it's not necessary, I've already got the pihole and all dns is required to go through that, so I decided I might as well put unbound on it as well.
    >
    > I put the part I'm struggling with in bold above. I'm not familiar with how to point a service in my LAN. Reverse proxy is not something I'm very familiar with, so that's why I'm looking to understand it to make sure I'm not exposing services I don't want public.

    I can't help you on unbound. I don't use it, so can't direct you on its entries.

  • Finally at home to look at pihole's unbound component.


    There are 2 local dns sections, DNS Records and CNAME Records.


    The DNS Records section is dnsmasq, the CNAME section is unbound if I am not mistaken. I have no desire to try to run a full DNS server (unbound) on my LAN, since the convenience of it versus dnsmasq for local single server services is not really there based on the way I see pihole handling it, as you still need the dnsmasq entries anyway to specify the ip address of the server. The CNAME section is for binding one domain to another, and the DNS Records section is for binding a domain to an IP.


    If you had a cluster of machines that had a master system and several others as slaves the cname could associate the slave domains with the master domain, but the master would still need the dnsmasq entry.


    So in the dnsmasq section, if you enter:


    your_service.your_domain.com and 192.168.0.x


    fixing the domain entry to match your setup and the ip address to match the ip address of your server that is running swag, that is all you need.


    Then under Settings > DNS, you enter your upstream (internet) servers.
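To make the two halves of the advice above concrete (the earlier reply's "point every service at SWAG in Pihole, forward everything else upstream" and this reply's dnsmasq entry of the form your_service.your_domain.com and 192.168.0.x), here is an added example, not code from the thread or from the SWAG or Pi-hole projects. It renders a dnsmasq fragment of the kind Pi-hole loads from /etc/dnsmasq.d, and an nginx server block in the shape of SWAG's proxy-confs for a service that should exist only on the LAN (the original poster's step 3). The domain mydomain.example, the SWAG host 192.168.0.200, the subnet 192.168.0.0/24 and the service names are constructed values; the server block's include paths follow SWAG's layout but the block as a whole is an assumed shape. The security point it demonstrates: a name that only Pi-hole knows is invisible from the internet, but a WAN client can still send that Host header through the port-forward, so the LAN-only block also carries an allow/deny so that such a request gets a 403 rather than the service.

```shell
#!/bin/sh
# Added example (not from the thread): render the two config fragments the
# replies describe. Hostnames, IPs, subnet and service names are assumptions.
#
# 1. A dnsmasq fragment for Pi-hole (Pi-hole runs dnsmasq/FTL underneath):
#    each service name resolves to the SWAG host on the LAN; every other name
#    is untouched and still goes to the upstream resolvers chosen in
#    Settings > DNS.
# 2. A SWAG/nginx server block for a LAN-only service: the name is never in
#    public DNS, and the block additionally refuses clients outside the LAN.

SWAG_IP="${SWAG_IP:-192.168.0.200}"        # assumed IP of the host running SWAG
DOMAIN="${DOMAIN:-mydomain.example}"       # assumed domain on the certificate
LAN_CIDR="${LAN_CIDR:-192.168.0.0/24}"     # assumed LAN subnet

# One dnsmasq line per service: address=/name/ip answers A queries for that
# exact name (and anything below it) with the SWAG IP.
dns_entry() {  # dns_entry <service>  ->  address=/<service>.<DOMAIN>/<SWAG_IP>
    printf 'address=/%s.%s/%s\n' "$1" "$DOMAIN" "$SWAG_IP"
}

# Whole fragment for a list of services, e.g. > /etc/dnsmasq.d/02-local.conf
render_dns_conf() {  # render_dns_conf svc1 svc2 ...
    printf '# local services, resolved to SWAG on the LAN only\n'
    for svc in "$@"; do
        dns_entry "$svc"
    done
}

# nginx server block in the style of SWAG's proxy-confs (assumed shape):
# TLS via SWAG's ssl.conf, LAN allow-list, then proxy to the service.
render_lan_only_proxy_conf() {  # render_lan_only_proxy_conf <service> <upstream_host:port>
    svc="$1"; upstream="$2"
    cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${svc}.${DOMAIN};

    include /config/nginx/ssl.conf;

    # LAN-only: the name is not published in public DNS, but a WAN client can
    # still send this Host header through the 443 port-forward, so deny it.
    allow ${LAN_CIDR};
    deny all;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://${upstream};
    }
}
EOF
}

# Sanity check for a rendered block read from stdin: returns 0 only when both
# the LAN allow line and the catch-all deny line are present.
is_lan_restricted() {
    conf="$(cat)"
    printf '%s\n' "$conf" | grep -q "^[[:space:]]*allow ${LAN_CIDR};" &&
    printf '%s\n' "$conf" | grep -q '^[[:space:]]*deny all;'
}

# Stand-alone run: print both fragments (constructed service names).
main() {
    render_dns_conf radarr sonarr grafana
    echo
    render_lan_only_proxy_conf grafana grafana:3000
}

main "$@"
```

Redirect render_dns_conf's output into a file under /etc/dnsmasq.d on the Pi-hole (or add the same name/IP pairs through the Local DNS > DNS Records page, which is the UI for the same thing) and restart the resolver; put the rendered server block into SWAG's proxy-confs directory and reload nginx. A name for a WAN-reachable service (steps 1 and 2) gets the same dns_entry line, so LAN clients reach it over TLS without leaving the network, but its server block has no allow/deny pair.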
