Enabling HTTPS for your Pihole Web Interface
How to get started
Ensure you have a standard fully qualified domain name (e.g: domain.com, pihole.example.com, etc) that allows you to access your Pi-hole
Deploy an SSL certificate for your FQDN
Configure lighttpd to only enable the SSL engine for your FQDN
How to configure Pi-hole to use an SSL certificate
The lighttpd
daemon will need a custom configuration to enable the SSL engine. Fortunately, you can configure all this from /etc/lighttpd/external.conf
as this will not get overwritten when running a Pi-hole update.
To start, you will need to create a file called combined.pem
as this is the ssl.pemfile
that lighttpd expects to see. Run the following command (making sure to subsitute pihole.example.com
for your FQDN
):
sudo cat /etc/letsencrypt/live/pihole.example.com/privkey.pem \
/etc/letsencrypt/live/pihole.example.com/cert.pem | \
sudo tee /etc/letsencrypt/live/pihole.example.com/combined.pem
Next, ensure the lighttpd
user www-data
can read the required certificates:
sudo chown www-data -R /etc/letsencrypt/live
Now, place the following into /etc/lighttpd/external.conf
(again, making sure to subsitute pihole.example.com
for your FQDN
):
$HTTP["host"] == "pihole.example.com" {
# Ensure the Pi-hole Block Page knows that this is not a blocked domain
setenv.add-environment = ("fqdn" => "true")
# Enable the SSL engine with a LE cert, only for this specific host
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/letsencrypt/live/pihole.example.com/combined.pem"
ssl.ca-file = "/etc/letsencrypt/live/pihole.example.com/fullchain.pem"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
}
# Redirect HTTP to HTTPS
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
}
Finally, be sure to run sudo service lighttpd restart
after this change has been made.
Self Signed Certificate:
Create DIR:
mkdir /etc/lighttpd/ssl/
cd /etc/lighttpd/ssl/
Create CSR
openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
Complete with Prompts:
Generating a 2048 bit RSA private key
....+++
...............+++
writing new private key to 'example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Delhi
Locality Name (eg, city) [Default City]:Delhi
Organization Name (eg, company) [Default Company Ltd]:TecAdmin Inc.
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [Leave Blank]
An optional company name []: [Leave Blank]
Request Certificate from CA:
openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt
Create PEM file: KEY IS FIRST
cat example.com.key example.com.crt > example.com.pem
Modify /etc/lighttpd/lighttpd.conf
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/tecadmin.net.pem"
# ssl.ca-file = "/etc/lighttpd/ssl/CA_issuing.crt"
server.name = "site1.tecadmin.net"
server.document-root = "/sites/vhosts/site1.tecadmin.net/public"
server.errorlog = "/var/log/lighttpd/site1.tecadmin.net.error.log"
accesslog.filename = "/var/log/lighttpd/site1.tecadmin.net.access.log"
}
Check Syntax:
lighttpd -t -f /etc/lighttpd/lighttpd.conf
Syntax OK
Restart Service:
service lighttpd restart
Debian bullseye has an issue where you need to install the package required: https://dietpi.com/phpbb/viewtopic.php?t=8711
apt install lighttpd-mod-openssl
Last updated