hunttom
Adding TLS to Pi-hole

Pi-hole is a great tool for blocking ads across an entire network. However, the web-based administration panel defaults to plain HTTP over port 80. As a network engineer, it has always bothered me that I had to pass a password to the Pi-hole over HTTP. Updating Pi-hole to use HTTPS has always been on my list, but I could not find any documentation.

Disclaimer: configure this to meet your own security baseline; the examples given are generic.

Prerequisites

  1. Raspberry Pi
  2. Pi-hole installed
  3. Backup of your configuration

Instructions

1. Create the SSL Cert:

a. Create the self-signed certificate (key and certificate are written to the same combined PEM file):

openssl req -new -x509 -keyout pihole.pem -out pihole.pem -days 365 -nodes

b. Change permissions to read-only:

chmod 400 pihole.pem

2. Configure Lighttpd

a. Create and move cert into Lighttpd:

sudo mkdir /etc/lighttpd/certs
# the directory is created root-owned, so the move needs sudo too
sudo mv pihole.pem /etc/lighttpd/certs/pihole.pem

b. Configure Lighttpd to accept HTTPS requests: sudo vim /etc/lighttpd/external.conf

An example configuration for my Pi-hole, reachable at pihole.example.com:

$HTTP["host"] == "pihole.example.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with the self-signed cert from step 1, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/pihole.pem" # Location of the combined key+cert PEM file
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS (%0 is the matched host, $0 the requested path)
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

3. Restart Lighttpd

a. Run the command sudo systemctl restart lighttpd to restart Lighttpd.

4. Test the configuration

a. Log into your Pi-hole: https://pihole.example.com
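A pre-flight check for the combined PEM from steps 1 and 2, worth running before restarting lighttpd and again before the 365 days are up: it confirms the key matches the certificate, the expiry is not close, the file is not world-readable, and (since browsers match the hostname against the Subject Alternative Name, which the post's interactive openssl command does not add) that a SAN for the host is present. This is an added example, not code from the post or from the Pi-hole project; it assumes the openssl CLI (1.1.1 or newer for the SAN check), the hostname pihole.example.com from the post, and a throwaway cert built in the demo with -subj/-addext so it runs non-interactively.

```shell
#!/bin/sh
# check_pihole_pem.sh: sanity-check the combined key+cert PEM before lighttpd loads it.
# Usage: check_pem /etc/lighttpd/certs/pihole.pem [pihole.example.com]
# Returns 0 when every check passes, 1 with a printed reason otherwise.
check_pem() {
  pem="$1"; host="$2"

  # 1. The combined file must carry both a certificate and a private key.
  grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "no certificate in $pem"; return 1; }
  grep -Eq 'BEGIN (RSA |EC )?PRIVATE KEY' "$pem" || { echo "no private key in $pem"; return 1; }

  # 2. The key must belong to the certificate. openssl skips PEM blocks of the
  #    wrong type, so both commands work directly on the combined file.
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate"; return 1; }

  # 3. Still valid for at least 30 days (2592000 s); the post issues 365-day certs,
  #    so this is the reminder to re-run step 1 before the admin panel goes dark.
  openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null \
    || { echo "certificate expired or expires within 30 days"; return 1; }

  # 4. Browsers ignore the CN and match the host name against subjectAltName only.
  if [ -n "$host" ]; then
    openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null | grep -qw "DNS:$host" \
      || { echo "no subjectAltName entry DNS:$host"; return 1; }
  fi

  # 5. The private key must not be group- or world-readable (the post uses chmod 400).
  mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
  case "$mode" in 400|600) ;; *) echo "permissions $mode on $pem too open"; return 1 ;; esac
  return 0
}

# Demo: build a throwaway cert with the post's openssl command plus a SAN
# (constructed example, not a real Pi-hole), then check it.
demo() {
  d=$(mktemp -d)
  openssl req -new -x509 -keyout "$d/pihole.pem" -out "$d/pihole.pem" -days 365 -nodes \
    -subj '/CN=pihole.example.com' -addext 'subjectAltName=DNS:pihole.example.com' 2>/dev/null
  chmod 400 "$d/pihole.pem"
  if check_pem "$d/pihole.pem" pihole.example.com; then echo "PEM OK"; fi
  rm -rf "$d"
}
demo
```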

Top comments (1)

sijday

To further enhance security you could issue the certificate from a private PKI such as HashiCorp Vault developer.hashicorp.com/vault/tuto...
Vault is a tiny appliance which can be installed on many OSs or run as a container and is free for up to 25 secrets.
