# Enabling HTTPS for your Pihole Web Interface

### How to get started

* Ensure you have a fully qualified domain name (e.g. domain.com, pihole.example.com) that resolves to your Pi-hole
* Deploy an SSL certificate for your FQDN
* Configure lighttpd to only enable the SSL engine for your FQDN

### How to configure Pi-hole to use an SSL certificate

The `lighttpd` daemon needs a custom configuration to enable the SSL engine. Fortunately, you can put all of this in `/etc/lighttpd/external.conf`, which is not overwritten when Pi-hole updates itself.

To start, you will need to create a file called `combined.pem`, as this is the `ssl.pemfile` that lighttpd expects (private key first, then the certificate). Run the following command, replacing `pihole.example.com` with your FQDN. Because `combined.pem` contains the private key, keep it readable only by root and `www-data`:

```bash
sudo cat /etc/letsencrypt/live/pihole.example.com/privkey.pem \
           /etc/letsencrypt/live/pihole.example.com/cert.pem | \
sudo tee /etc/letsencrypt/live/pihole.example.com/combined.pem
```

Next, ensure the `lighttpd` user `www-data` can read the required certificates (note that this also hands the web server user ownership of the private key material under `/etc/letsencrypt`):

```bash
sudo chown www-data -R /etc/letsencrypt/live
```

Now, place the following into `/etc/lighttpd/external.conf` (again replacing `pihole.example.com` with your FQDN):

```bash
$HTTP["host"] == "pihole.example.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.example.com/combined.pem"
    ssl.ca-file =  "/etc/letsencrypt/live/pihole.example.com/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}
```

Finally, be sure to run `sudo service lighttpd restart` after this change has been made.

### Self-Signed Certificate

Create a directory for the key and certificate:

```bash
mkdir /etc/lighttpd/ssl/
cd /etc/lighttpd/ssl/
```

Create CSR:

```bash
openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
```

Answer the prompts (sample session):

```bash
Generating a 2048 bit RSA private key
....+++
...............+++
writing new private key to 'example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Delhi
Locality Name (eg, city) [Default City]:Delhi
Organization Name (eg, company) [Default Company Ltd]:TecAdmin Inc.
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:user@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [Leave Blank]
An optional company name []: [Leave Blank]
```

Self-sign the certificate from the CSR (no CA is involved, so browsers will warn about it):

```bash
openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt
```

Create PEM file: **KEY IS FIRST**

```bash
cat example.com.key  example.com.crt > example.com.pem
```
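Both the Let's Encrypt `combined.pem` step and the self-signed `example.com.pem` step above depend on the private key coming first and on the result being readable by the web server but nobody else. This added helper (not part of the original page) does the concatenation under a restrictive umask and verifies the block order; it assumes the key, certificate and output paths are passed as arguments and does not assume any particular directory layout.

```shell
#!/bin/sh
# Added example (not part of the original page): build combined.pem with the
# private key first, create it 0600 instead of the 0644 that "sudo tee" leaves,
# and verify the block order before pointing lighttpd's ssl.pemfile at it.
# All paths are arguments; no Let's Encrypt or /etc/lighttpd/ssl layout is assumed.

# combine_pem KEY CERT OUT -> OUT = KEY followed by CERT, mode 0600, then verified
combine_pem() {
  key="$1"; cert="$2"; out="$3"
  [ -r "$key" ] && [ -r "$cert" ] || return 1
  # umask 077 in a subshell so the file holding the private key is born 0600
  ( umask 077; cat "$key" "$cert" > "$out" ) || return 1
  verify_pem_order "$out" || { rm -f "$out"; return 1; }
}

# verify_pem_order FILE -> 0 only when FILE is [private key, certificate] in that order
verify_pem_order() {
  # Collect the BEGIN labels in file order, e.g. "PRIVATE KEY|CERTIFICATE|"
  kinds=$(grep '^-----BEGIN ' "$1" | sed 's/^-----BEGIN \(.*\)-----$/\1/' | tr '\n' '|')
  case "$kinds" in
    'PRIVATE KEY|CERTIFICATE|'|'RSA PRIVATE KEY|CERTIFICATE|'|'EC PRIVATE KEY|CERTIFICATE|')
      return 0 ;;
    *)
      echo "unexpected PEM layout: ${kinds:-<empty>} (key must come first)" >&2
      return 1 ;;
  esac
}

# not_world_readable FILE -> 0 when "others" have no read bit (ls is portable, stat -c is not)
not_world_readable() {
  mode=$(ls -l "$1" | cut -c1-10)          # e.g. -rw-------
  case "$mode" in ???????r??) return 1 ;; *) return 0 ;; esac
}
```

Run it as `combine_pem privkey.pem cert.pem combined.pem` before restarting lighttpd; a non-zero exit means the file was not written in the expected layout.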

Modify `/etc/lighttpd/lighttpd.conf` (or, so the change survives Pi-hole updates, `/etc/lighttpd/external.conf` as in the section above):

```php
$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        # the key+certificate file created above (key first)
        ssl.pemfile = "/etc/lighttpd/ssl/example.com.pem"
        # only needed when an intermediate CA chain has to be served
        # ssl.ca-file = "/etc/lighttpd/ssl/CA_issuing.crt"
        # adjust the host name and paths below to your own installation
        server.name = "site1.tecadmin.net"
        server.document-root = "/sites/vhosts/site1.tecadmin.net/public"
        server.errorlog = "/var/log/lighttpd/site1.tecadmin.net.error.log"
        accesslog.filename = "/var/log/lighttpd/site1.tecadmin.net.access.log"
}
```

Check Syntax:

```bash
lighttpd -t -f /etc/lighttpd/lighttpd.conf
Syntax OK
```

Restart Service:

```bash
service lighttpd restart
```

On Debian bullseye the lighttpd TLS module is packaged separately, so you also need to install it (see <https://dietpi.com/phpbb/viewtopic.php?t=8711>):

```bash
apt install lighttpd-mod-openssl
```
