Enabling HTTPS for your Pihole Web Interface

How to get started

  • Ensure you have a standard fully qualified domain name (e.g: domain.com, pihole.example.com, etc) that allows you to access your Pi-hole

  • Deploy an SSL certificate for your FQDN

  • Configure lighttpd to only enable the SSL engine for your FQDN

How to configure Pi-hole to use an SSL certificate

The lighttpd daemon will need a custom configuration to enable the SSL engine. Fortunately, you can configure all this from /etc/lighttpd/external.conf as this will not get overwritten when running a Pi-hole update.

To start, you will need to create a file called combined.pem as this is the ssl.pemfile that lighttpd expects to see. Run the following command (making sure to subsitute pihole.example.com for your FQDN):

sudo cat /etc/letsencrypt/live/pihole.example.com/privkey.pem \
           /etc/letsencrypt/live/pihole.example.com/cert.pem | \
sudo tee /etc/letsencrypt/live/pihole.example.com/combined.pem

Next, ensure the lighttpd user www-data can read the required certificates:

sudo chown www-data -R /etc/letsencrypt/live

Now, place the following into /etc/lighttpd/external.conf (again, making sure to subsitute pihole.example.com for your FQDN):

$HTTP["host"] == "pihole.example.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.example.com/combined.pem"
    ssl.ca-file =  "/etc/letsencrypt/live/pihole.example.com/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"       
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

Finally, be sure to run sudo service lighttpd restart after this change has been made.

Self Signed Certificate:

Create DIR:

mkdir /etc/lighttpd/ssl/
cd /etc/lighttpd/ssl/

Create CSR

openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr

Complete with Prompts:

Generating a 2048 bit RSA private key
....+++
...............+++
writing new private key to 'example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Delhi
Locality Name (eg, city) [Default City]:Delhi
Organization Name (eg, company) [Default Company Ltd]:TecAdmin Inc.
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:user@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [Leave Blank]
An optional company name []: [Leave Blank]

Request Certificate from CA:

openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt

Create PEM file: KEY IS FIRST

cat example.com.key  example.com.crt > example.com.pem

Modify /etc/lighttpd/lighttpd.conf

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/ssl/tecadmin.net.pem"
      # ssl.ca-file = "/etc/lighttpd/ssl/CA_issuing.crt"
        server.name = "site1.tecadmin.net"
        server.document-root = "/sites/vhosts/site1.tecadmin.net/public"
        server.errorlog = "/var/log/lighttpd/site1.tecadmin.net.error.log"
        accesslog.filename = "/var/log/lighttpd/site1.tecadmin.net.access.log"
}

Check Syntax:

lighttpd -t -f /etc/lighttpd/lighttpd.conf
Syntax OK

Restart Service:

service lighttpd restart

Debian bullseye has an issue where you need to install the package required: https://dietpi.com/phpbb/viewtopic.php?t=8711

apt install lighttpd-mod-openssl

Last updated