# Enabling HTTPS for your Pihole Web Interface

### How to get started

* Ensure you have a fully qualified domain name (e.g. `domain.com`, `pihole.example.com`) that you use to reach your Pi-hole
* Deploy an SSL certificate for your FQDN
* Configure lighttpd to only enable the SSL engine for your FQDN

### How to configure Pi-hole to use an SSL certificate

The `lighttpd` daemon will need a custom configuration to enable the SSL engine. Fortunately, you can configure all this from `/etc/lighttpd/external.conf` as this will not get overwritten when running a Pi-hole update.

To start, you will need to create a file called `combined.pem`, as this is the `ssl.pemfile` that lighttpd expects to see (the paths below are where certbot stores a Let's Encrypt certificate). Run the following command, replacing `pihole.example.com` with your FQDN:

```bash
sudo cat /etc/letsencrypt/live/pihole.example.com/privkey.pem \
           /etc/letsencrypt/live/pihole.example.com/cert.pem | \
sudo tee /etc/letsencrypt/live/pihole.example.com/combined.pem
```

Next, ensure the `lighttpd` user `www-data` can read the required certificates. Note that this hands ownership of the private key to the web server's user, so keep the directory permissions restrictive so that nothing else on the system can read it:

```bash
sudo chown www-data -R /etc/letsencrypt/live
```

Now, place the following into `/etc/lighttpd/external.conf` (again, replacing `pihole.example.com` with your FQDN):

```bash
$HTTP["host"] == "pihole.example.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.example.com/combined.pem"
    ssl.ca-file =  "/etc/letsencrypt/live/pihole.example.com/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    # Keep SSLv2/SSLv3 off. lighttpd 1.4.56+ deprecates these two options
    # (newer versions default to TLS 1.2 and up); older versions still need them.
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS (%0 is the matched host, $0 the requested path)
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}
```

Finally, check the configuration with `sudo lighttpd -t -f /etc/lighttpd/lighttpd.conf` and then run `sudo service lighttpd restart` to apply the change.
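As an added example (not part of the original guide), here is a small client-side script that checks the two effects of the `external.conf` above: that a plain-HTTP request to the Pi-hole is answered with a redirect to `https://<FQDN>/...`, and that the HTTPS endpoint presents a certificate that verifies and negotiates TLS 1.2 or newer. It assumes the admin interface is served at `/admin/` (Pi-hole's default path). The `verify_*` functions need `curl` and `openssl` on the machine you run it from; `check_redirect` is pure shell, so it can also be fed captured headers.

```shell
#!/bin/sh
# Added example (not part of the original guide): client-side checks for the
# external.conf rules above. check_redirect is pure shell and works on captured
# headers; the verify_* functions talk to the live Pi-hole with curl/openssl.
# Assumption: the admin interface is served at /admin/ (Pi-hole's default path).

# Read raw HTTP response headers from stdin and return 0 only if they are a
# redirect to https://<host>/...; the Location value is printed on success.
check_redirect() {
    host=$1
    headers=$(tr -d '\r')                         # strip CRLF line endings
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | sed -n '1p')
    case "$status" in
        301|302|307|308) ;;
        *) echo "expected a redirect status, got '$status'" >&2; return 1 ;;
    esac
    case "$location" in
        "https://$host"|"https://$host/"*) echo "$location" ;;
        *) echo "redirect points at '$location', not https://$host/" >&2; return 1 ;;
    esac
}

# Fetch http://<host>/admin/ and confirm lighttpd answers with the HTTPS redirect.
verify_redirect_live() {
    curl -sS -o /dev/null -D - "http://$1/admin/" | check_redirect "$1"
}

# Open a TLS connection with SNI and confirm the certificate chain verifies and
# the negotiated protocol is at least TLS 1.2. Uses the system CA store, so a
# self-signed certificate (later section) is expected to fail this check.
verify_tls_live() {
    out=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null)
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' || {
        echo "certificate for $1 did not verify" >&2; return 1; }
    printf '%s\n' "$out" | grep -Eq 'Protocol *: TLSv1\.[23]' || {
        echo "$1 negotiated a protocol older than TLS 1.2" >&2; return 1; }
    echo "TLS ok for $1"
}

# usage: sh verify-pihole-https.sh pihole.example.com
if [ $# -gt 0 ]; then
    verify_redirect_live "$1" && verify_tls_live "$1"
fi
```

Run it against your FQDN after the restart; a `200` from plain HTTP means the redirect block is not matching, and a failing verify step with a Let's Encrypt certificate usually means `combined.pem` or `fullchain.pem` is stale or was built in the wrong order.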

### Self-Signed Certificate:

Create DIR:

```bash
mkdir /etc/lighttpd/ssl/
cd /etc/lighttpd/ssl/
```

Create a private key and CSR (`-nodes` leaves the key unencrypted so lighttpd can start without a passphrase):

```bash
openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
```

Answer the prompts (sample session below; the Common Name must be your FQDN). Note that current browsers check the hostname against a subjectAltName extension rather than the Common Name, so expect a certificate warning with this self-signed certificate in any case:

```bash
Generating a 2048 bit RSA private key
....+++
...............+++
writing new private key to 'example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Delhi
Locality Name (eg, city) [Default City]:Delhi
Organization Name (eg, company) [Default Company Ltd]:TecAdmin Inc.
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:user@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [Leave Blank]
An optional company name []: [Leave Blank]
```

Self-sign the certificate (no CA involved; `-signkey` signs the CSR with your own key, valid for 365 days):

```bash
openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt
```

Create the PEM file that lighttpd will load: **THE KEY IS FIRST**

```bash
cat example.com.key  example.com.crt > example.com.pem
```
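Both this file and the `combined.pem` from the Let's Encrypt section are built by concatenation, and lighttpd fails to start if the order is wrong or it cannot read the key. The following is an added example (not part of the original guide) that checks an `ssl.pemfile` before you restart lighttpd: the private key must be the first PEM block with a certificate after it, the file must not be readable by group/other, and, when `openssl` is installed, the key must actually belong to that certificate. The demo file it writes contains constructed placeholder bodies, not real key material.

```shell
#!/bin/sh
# Added example (not part of the original guide): sanity-check the file that
# lighttpd's ssl.pemfile points at, whether it is the Let's Encrypt
# combined.pem from the first section or the self-signed example.com.pem here.

# List the PEM block types in file order, e.g. "PRIVATE KEY" then "CERTIFICATE".
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# 0 when the first block is a private key and a CERTIFICATE block follows it.
check_pem_order() {
    first=$(pem_block_types "$1" | sed -n '1p')
    case "$first" in
        "")             echo "$1: no PEM blocks found" >&2; return 1 ;;
        *"PRIVATE KEY") ;;
        *)              echo "$1: first block is '$first', expected the private key" >&2; return 1 ;;
    esac
    pem_block_types "$1" | sed '1d' | grep -qx 'CERTIFICATE' ||
        { echo "$1: no CERTIFICATE block after the key" >&2; return 1; }
}

# 0 when the mode has no group/other bits (0600 or 0400); a private key is inside.
check_pem_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *00) ;;
        *)   echo "$1: mode $mode, expected no group/other access" >&2; return 1 ;;
    esac
}

# 0 when the key's public half equals the certificate's public key; 2 when
# openssl is missing so the caller can treat the check as skipped.
check_pem_keymatch() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, key check skipped" >&2; return 2; }
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] ||
        { echo "$1: private key does not match the first certificate" >&2; return 1; }
}

# All checks; a missing openssl is tolerated, a failing one is not.
check_pemfile() {
    check_pem_order "$1" && check_pem_mode "$1" && { check_pem_keymatch "$1" || [ $? -eq 2 ]; }
}

# Demo on a constructed file (placeholder bodies, not real key material): the
# order check passes on key-then-cert and rejects the reversed file.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' '-----END PRIVATE KEY-----' \
                  '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$dir/good.pem"
    chmod 600 "$dir/good.pem"
    check_pem_order "$dir/good.pem" && check_pem_mode "$dir/good.pem" && echo "good.pem: order and mode ok"
    { sed -n '4,6p' "$dir/good.pem"; sed -n '1,3p' "$dir/good.pem"; } > "$dir/reversed.pem"
    check_pem_order "$dir/reversed.pem" || echo "reversed.pem rejected as expected"
    rm -rf "$dir"
}

# usage: sh check-pemfile.sh /etc/letsencrypt/live/pihole.example.com/combined.pem
if [ $# -gt 0 ]; then check_pemfile "$1"; else demo; fi
```

Run it with the path from `ssl.pemfile` as the argument; with no argument it runs the demo on the constructed file. For the Let's Encrypt layout, point it at `combined.pem` after every renewal, since a renewed `privkey.pem` makes the old concatenated file fail the key-match check.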

Modify `/etc/lighttpd/lighttpd.conf` (or, to survive Pi-hole updates, put this block in `/etc/lighttpd/external.conf` as in the first section):

```bash
$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        # the key+cert file created above (key first)
        ssl.pemfile = "/etc/lighttpd/ssl/example.com.pem"
      # ssl.ca-file = "/etc/lighttpd/ssl/CA_issuing.crt"
        server.name = "example.com"
        # Pi-hole serves its web interface from /var/www/html
        server.document-root = "/var/www/html"
        server.errorlog = "/var/log/lighttpd/example.com.error.log"
        accesslog.filename = "/var/log/lighttpd/example.com.access.log"
}
```

Check Syntax:

```bash
lighttpd -t -f /etc/lighttpd/lighttpd.conf
Syntax OK
```

Restart Service:

```bash
service lighttpd restart
```

On Debian bullseye the lighttpd SSL module is shipped as a separate package; without it lighttpd refuses to start once `ssl.engine` is enabled (see <https://dietpi.com/phpbb/viewtopic.php?t=8711>). Install it with:

```bash
apt install lighttpd-mod-openssl
```
