Blockpage for https

Hello, everybody,

yes I know Block Page for HTTPS has been chewed through here many times and again and again you get the answer “it just won’t work”.
Mostly it fails because the Pi has no public certificate.
Now let’s take my test state: my pi is free to be accessed over the internet and has received a public certificate via Certbot and letsencrypt.
The admin panel can be reached via Https no matter if by IP or by domain.
BlockPage normal http works without any problems.
So is there any way to geht this working?

Any ideas or suggestions?

Greets from Germany

The Pi-hole team strongly discourages Pi-hole’s usage as an open resolver.

Please do not continue setting one up, or take it down if you’ve already done so.

dont get me wrong, the dns part is only accesible on the local network, just the gui is accesible over the internet.

The blockpage wont work for HTTPS unless you start spoofing the certificates of the original URL (otherwise known as a man-in-the-middle attack), and that’s not something we are going to be providing any guidance on.

E.g, say the blocked domain is https://advertisingsite.com

If you browse to that link without Pi-hole enabled, then you will get their website, with a valid certificate.

If you browse to that link with Pi-hole enabled, then you will be redirected to the block page. However, the URL in the browser will still show as https://advertisingsite.com, a certificate for your own domain in this case would be invalid.

okay, sounds plausible, is there a possibility to forward to an external page with https? So that the expected certificate is displayed?

You would have to either have the certificate for the domain https://advertisingsite.com (not possible really since you can’t get their private key that makes the certificate) or impersonate that site by creating your own Certificate Authority and changing all the clients to make your CA an accepted CA. A very non-trivial task and one that can break pretty spectacularly.

hm okay… i dont like that https/tls security stuff… :smiley: