How can I enable HTTPS (SSL/TLS) for my Pi-hole Web Interface?
Many users run their Pi-hole on Virtual Private Servers and similar hosts, meaning that they would otherwise have to access the Web Interface over insecure HTTP. You can now configure Pi-hole so that you access your Web Interface securely, without causing issues for blocked HTTPS content.

What has changed to allow this?
With the release of v3.2, we changed our default lighttpd config so that it no longer automatically enables the SSL engine when /etc/lighttpd/conf-enabled/letsencrypt.conf is detected, as your certificate for pihole.example.com will not match advertiser.com (or any other blocked domain a browser tries to reach over HTTPS).

Blindly enabling HTTPS for your Pi-hole Web Interface via Let's Encrypt or a self-signed certificate causes issues such as:
- Browsing slowdowns on any site visited, as blocked content needs to time out (or loads indefinitely)
- Web Browser errors, such as mismatched certificates
- Operating system popups on macOS/iOS devices on every site containing blocked content
With the instructions below, you will be able to selectively enable HTTPS for your Fully Qualified Domain Name (FQDN) only, so that it does not conflict with blocked HTTPS-enabled domains.
How to get started
- Ensure you have a standard fully qualified domain name (e.g. domain.com, pihole.example.com, etc.) that allows you to access your Pi-hole
- Deploy an SSL certificate for your FQDN
- Configure lighttpd to only enable the SSL engine for your FQDN
How to configure Pi-hole to use an SSL certificate
The lighttpd daemon will need a custom configuration to enable the SSL engine. Fortunately, you can configure all of this from /etc/lighttpd/external.conf, as that file does not get overwritten when running a Pi-hole update.

To start, you will need to create a file called combined.pem, as this is the ssl.pemfile that lighttpd expects to see: the private key followed by the certificate in a single PEM file. Run the following command (making sure to substitute pihole.example.com for your FQDN):

```sh
sudo cat /etc/letsencrypt/live/pihole.example.com/privkey.pem \
    /etc/letsencrypt/live/pihole.example.com/cert.pem | \
    sudo tee /etc/letsencrypt/live/pihole.example.com/combined.pem
```

Two things to be aware of: combined.pem contains your private key, and tee creates it with your default umask (usually world-readable) and also echoes it to your terminal, so restrict the file (sudo chmod 640 on it) right after creating it. It is also not regenerated when certbot renews the certificate, so rebuild it after every renewal (a certbot deploy hook is the usual place for this), otherwise lighttpd will keep serving the old key and certificate until they expire.
Next, ensure the lighttpd user www-data can read the required certificates:

```sh
sudo chown www-data -R /etc/letsencrypt/live
```

This is the quickest way to do it, but it makes www-data the owner of the entire live/ tree, which is more than it needs. A tighter alternative is to leave the certbot tree owned by root and give www-data only group read access to combined.pem and fullchain.pem (plus traverse rights on the directories leading to them).
Now, place the following into /etc/lighttpd/external.conf (again, making sure to substitute pihole.example.com for your FQDN):

```
$HTTP["host"] == "pihole.example.com" {
    # Ensure the Pi-hole Block Page knows that this is not a blocked domain
    setenv.add-environment = ("fqdn" => "true")
    # Enable the SSL engine with a LE cert, only for this specific host
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/pihole.example.com/combined.pem"
        ssl.ca-file = "/etc/letsencrypt/live/pihole.example.com/fullchain.pem"
        ssl.honor-cipher-order = "enable"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
    }
    # Redirect HTTP to HTTPS (the =~ match makes the host available to the redirect as %0)
    $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
            url.redirect = (".*" => "https://%0$0")
        }
    }
}
```
Finally, be sure to run sudo service lighttpd restart after this change has been made. If you want to catch mistakes first, sudo lighttpd -t -f /etc/lighttpd/lighttpd.conf checks the merged configuration without restarting; a syntax error in external.conf takes down the block page as well as the Web Interface.

Postscript
You can now take advantage of an HTTPS-secured Web Interface! If you wish, you can also host content on your Pi-hole by using /var/www/html/landing.php as your /var/www/html/index.php equivalent.

16/07/18 Edit: Removed ssl.use-compression = "disable" as per @person51's post.

Source: https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771