DEV Community

Cover image for Adding TLS to Pi-hole
hunttom
hunttom

Posted on

3 2

Adding TLS to Pi-hole

PiHole is a great tool for blocking ads across an entire network. However, the web-based administration panel defaults to connecting to HTTP over port 80. As a network engineer, it has always bothered me that I had to pass a password into the pi-hole I've always had it on my list to update Pi-hole to use HTTPS and I could not find any documentation.

Disclaimer: configure to meet your own baseline for security standards, the examples given are generic.

Prerequisites

  1. Raspberry Pi
  2. Pi-hole installed
  3. Backup of your configuration

Instructions

1. Create the SSL Cert:

a. Create the self signed certificate:

openssl req -new -x509 -keyout pihole.pem -out pihole.pem -days 365 -nodes
Enter fullscreen mode Exit fullscreen mode

b. Change permissions to read-only:

chmod 400 pihole.pem
Enter fullscreen mode Exit fullscreen mode

2. Configure Lighttpd

a. Create and move cert into Lighttpd:

sudo mkdir /etc/lighttpd/certs
mv pihole.pem /etc/lighttpd/certs/pihole.pem
Enter fullscreen mode Exit fullscreen mode

b. Configure Lighttpd to accept HTTPS requests: sudo vim /etc/lighttpd/external.conf

An example configuration would be for my Pi-hole DNS address at pihole.example.com:

$HTTP["host"] == "pihole.example.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/pihole.pem" #Location of PEM file.
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"       
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}
Enter fullscreen mode Exit fullscreen mode

3. Restart Lighttpd

a. Run the command sudo systemctl restart lighttpd to restart Lighttpd.

4. Test the configuration

b. Log into your Pi-hole: https://pihole.example.com

Image of Timescale

🚀 pgai Vectorizer: SQLAlchemy and LiteLLM Make Vector Search Simple

We built pgai Vectorizer to simplify embedding management for AI applications—without needing a separate database or complex infrastructure. Since launch, developers have created over 3,000 vectorizers on Timescale Cloud, with many more self-hosted.

Read full post →

Top comments (1)

Collapse
 
sijday profile image
sijday •

To further enhance security you could issue the the certificate from a private PKI such as HashiCorp Vault developer.hashicorp.com/vault/tuto...
Vault is a tiny appliance which can be installed on many OSs or run as a container and is free for up to 25 secrets.

Billboard image

The Next Generation Developer Platform

Coherence is the first Platform-as-a-Service you can control. Unlike "black-box" platforms that are opinionated about the infra you can deploy, Coherence is powered by CNC, the open-source IaC framework, which offers limitless customization.

Learn more