Posts

Showing posts from January, 2020

Enable HTTPS with Let’s Encrypt SSL certificate on Pi-hole web interface

By default, the Pi-hole web interface runs on HTTP, including the web admin panel URL. I want to secure the Pi-hole password with HTTPS when entering it in the web browser. To enable HTTPS, I need an SSL certificate. My options are creating a self-signed SSL certificate, buying a retail SSL certificate from a public CA, or using a free Let’s Encrypt SSL certificate.
For the home setup, the Let’s Encrypt SSL certificate is a perfect fit. The certificate works in all the major web browsers, so there is no security warning in the browser, and it’s free. I just need to renew it every 90 days.
Before proceeding with the following instructions, make sure you meet these two prerequisites.
1. You own a public domain name.
2. You have access to modify the public DNS settings of your domain name. The instructions on how to do this vary by DNS hosting vendor. Please consult your DNS hosting vendor for the details.
1. Issue Let’s Encrypt SSL certificate
Let’s Encrypt recommends the Certbot ACME client to automate th…

Match a string ending with a dollar sign ($) and containing a variable in PowerShell

In my previous post, I matched a string ending with a dollar sign ($) using single quotes with the expression '\$$', because the single quotes protect the PowerShell automatic variable $$ from being evaluated. But it brings up my next question: what if the same expression also includes another variable that should be evaluated, as in this example?
PS C:\Temp> $name = 'smith'
PS C:\Temp>
PS C:\Temp> 'contoso\john.smith$' -match "$name"
True
PS C:\Temp> 'contoso\john.smith$' -match '$name'
False
Obviously, I have to use the double quote to evaluate the variable $name before sending the expression to the regex engine. But I also need the single quote for the variable $$.
PS C:\Temp> 'contoso\john.smith$' -match '$name\$$'
False
PS C:\Temp> 'contoso\john.smith$' -match "$name\$$"
False

Here is my solution - using double quote with both the regex escape character backslash(\) and PowerShell e…

Match a string ending with a dollar sign ($) in PowerShell

I want to match a string ending with a dollar sign ($) (e.g. ‘contoso\john.smith$’) in PowerShell. Using the regular expression (regex) should be simple, like \$$.
However, I ran into some problems in PowerShell. I posted my question on Reddit for help. With the comments from the community, I think I finally understand how to handle this issue. This blog post is to summarize my understanding.
- The -match operator uses the regular expression syntax.
- The escape character in regex is the backslash (\). Normally the regular PowerShell escape character, the backtick (`), should not be used in the regex expression. See my next post on using both escape characters (\ and `) in one expression.
- To match a string ending with a dollar sign ($), the regex should be \$$. The first $ is for the literal $, so it is escaped by \. The second $ is an anchor which matches the end of a string, so it is not escaped by \.
- However, $$ is an automatic variable in PowerShell.
- When the expression (\$$) is double-quoted, PowerShe…

My Pi-hole blocklists

After setting up the Pi-hole on the Raspberry Pi, I started looking for additional blocklists to block as much unnecessary traffic as possible on my home network.
Searching the Pi-hole Userspace, I found many discussions about blocklists. I want to share my blocklists in this post, so you can save time. My goals are to use blocklists that
- Are from a reliable source
- Are updated regularly
- Provide additional filter categories that are safe for family
- Are free of charge

As mentioned in my “Select Upstream DNS server for Pi-hole” post, I may be able to use OpenDNS or CleanBrowsing DNS as my upstream DNS server to achieve the same goals without using the blocklists. But these blocklists become necessary after I set up DoH with Cloudflare DNS because Cloudflare DNS doesn’t provide content filtering.

The following are the blocklists in my Pi-hole. You can copy and paste them under Pi-hole’s admin page, Settings, Blocklists, and click “Save and Update”.

At the time of this writing, these list…

Set up Cloudflared DoH for Pi-hole

I would prefer using DNS over HTTPS (DoH) to increase privacy and security. Mozilla Firefox is the first web browser implementing DoH, and many other browsers follow. But how can I utilize DoH for non-browser DNS requests, or enable DoH on each device that connects to my home network?
Pi-hole has a document on configuring DNS-Over-HTTPS. To automate installing and configuring cloudflared on a Raspberry Pi running Raspbian, I created a bash script. I also added steps to lock down the cloudflared account.
Here is how to set up cloudflared DoH using the script. Make sure Pi-hole is set up on your Raspberry Pi. See my post “Set up Pi-hole on a Raspberry Pi”.
Download the script from my GitHub on your Raspberry Pi:
curl -O https://raw.githubusercontent.com/sfitpro/pi-hole/master/setup.cloudflared.doh.for.pi-hole.sh
Grant the execution permission to the script:
chmod +x setup.cloudflared.doh.for.pi-hole.sh
Run the script:
sudo ./setup.cloudflared.doh.for.pi-hole.sh
Configure the Pi-hole to use custom …

Select Upstream DNS server for Pi-hole

Once the Pi-hole is up and running, the first thing I want to configure is its upstream DNS servers. The upstream DNS servers can provide additional filters (e.g. adult-related sites, social networking sites, etc.) that are not included in the Pi-hole default installation. I have been using OpenDNS as my home router's upstream DNS servers for a long time. I signed up for an OpenDNS account so I can customize the kind of content to block or the sites to be whitelisted. It works great. On the Pi-hole admin page, under Settings —> DNS, there is a list of built-in upstream DNS servers, e.g. Google, OpenDNS, Quad9, Cloudflare, etc.
OpenDNS: OpenDNS is my original first choice since I have been using its filter for a long time, as I mentioned above. My only concern with OpenDNS is that Cisco acquired OpenDNS in 2015, and I am not sure whether this free service will continue to be maintained. But I don’t have other good options at the time.
Google DNS: Google DNS has a relatively fast response time. …

Set up Pi-hole on a Raspberry Pi

My first and main usage for a Raspberry Pi is to set up Pi-hole to block ads for all devices on my home network.
Installation
The Pi-hole installation is simple.
curl -sSL https://install.pi-hole.net | bash
Basic operation commands
check status
sudo pihole status
check version
sudo pihole -v
update Pi-hole
sudo pihole -up
change Pi-hole admin password
sudo pihole -a -p
update Pi-hole filter list (gravity.list)
sudo pihole -g
restart Pi-hole
sudo pihole restartdns
list domains in whitelist
sudo pihole -w -l
add a domain to whitelist
sudo pihole -w <domain>
remove a domain from whitelist
sudo pihole -w -d <domain>
list domains in blacklist
sudo pihole -b -l
Once the Pi-hole is up and running, we can change the DNS setting of the router’s DHCP to the Pi-hole IP address, or manually set it on the devices with a static IP address.
Pi-hole comes with a default ad block list. I will discuss the selection of upstream DNS servers and adding additional filters in the next post.

Set up a Raspberry Pi

I’m going to write a series of posts about Raspberry Pi and how I use it to secure and optimize my home network. This first post covers the basic setup procedure. Please refer to the official setup guide if you need step-by-step instructions.
Hardware
- Raspberry Pi 3 Model B. At the time of writing, the latest board is Raspberry Pi 4 Model B, which is more powerful. But any version of the Raspberry Pi board should work.
- MicroSD card (minimum 4GB)
- Micro USB power supply (2.5A). For Raspberry Pi 4, you need the USB-C power supply
- USB keyboard and mouse
- Full-size HDMI cable to connect the Raspberry Pi to a monitor or TV during the initial setup. For Raspberry Pi 4, you need the Micro HDMI cable
- Raspberry Pi case

Operating system
Raspbian - the official Raspberry Pi operating system. I want to keep the OS footprint small and I don’t plan to connect to a monitor other than for the initial setup, so I selected the Raspbian Lite image.
Basic procedure
- Download Raspbian Lite image
- Download balenaEtcher
- Launch balenaEtcher and…