Ensure you have a standard fully qualified domain name (e.g: domain.com, pihole.example.com, etc) that allows you to access your Pi-hole
Deploy an SSL certificate for your FQDN
Configure lighttpd to only enable the SSL engine for your FQDN
How to configure Pi-hole to use an SSL certificate
The lighttpd daemon will need a custom configuration to enable the SSL engine. Fortunately, you can configure all this from /etc/lighttpd/external.conf as this will not get overwritten when running a Pi-hole update.
To start, you will need to create a file called combined.pem as this is the ssl.pemfile that lighttpd expects to see. Run the following command (making sure to subsitute pihole.example.com for your FQDN):
sudo cat /etc/letsencrypt/live/pihole.example.com/privkey.pem \
/etc/letsencrypt/live/pihole.example.com/cert.pem | \
sudo tee /etc/letsencrypt/live/pihole.example.com/combined.pem
Next, ensure the lighttpd user www-data can read the required certificates:
sudo chown www-data -R /etc/letsencrypt/live
Now, place the following into /etc/lighttpd/external.conf (again, making sure to subsitute pihole.example.com for your FQDN):
$HTTP["host"] == "pihole.example.com" {
# Ensure the Pi-hole Block Page knows that this is not a blocked domain
setenv.add-environment = ("fqdn" => "true")
# Enable the SSL engine with a LE cert, only for this specific host
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/letsencrypt/live/pihole.example.com/combined.pem"
ssl.ca-file = "/etc/letsencrypt/live/pihole.example.com/fullchain.pem"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
}
# Redirect HTTP to HTTPS
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
}
Finally, be sure to run sudo service lighttpd restart after this change has been made.
Generating a 2048 bit RSA private key
....+++
...............+++
writing new private key to 'example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Delhi
Locality Name (eg, city) [Default City]:Delhi
Organization Name (eg, company) [Default Company Ltd]:TecAdmin Inc.
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:user@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [Leave Blank]
An optional company name []: [Leave Blank]