Enabling HTTPS for your Pi-hole Web Interface

Hi, I would like to ask about this topic. I already set up HTTPS, but when I access the IP address, it does not redirect to my HTTPS FQDN. Is there any way to redirect from the Pi-hole web admin IP address to the FQDN? Thank you. :slight_smile:

I couldn't do it for a week. My domain is available in Cloudflare. It works with Apache2 on my Raspberry at home. However, I couldn't integrate the Pi-hole SSL as HTTPS. Cloudflare gave me the Origin Certificate and Private Key files. My file in the settings you are doing is like it doesn't sleep. Are there any settings for the Cloudflare SSL files? My apologies for my English.

@DanSchaper , @WaLLy3K ,

Is it possible to do the same when we are using Pi-hole in Docker?

I'm unable to find any documentation on how to do that when we use Docker Pi-hole.

Is it possible to have the same FAQ for Docker, with Caddy for example?

Thank you very much for your help.

Best regards,

With a Docker image version 2022.04.01 or newer, this setting doesn't work anymore.

See With latest docker-image (2022.04.01) Web-GUI (https) doesn't work anymore: ./run: line 32: Segmentation fault lighttpd -D -f /etc/lighttpd/lighttpd.conf · Issue #1046 · pi-hole/docker-pi-hole · GitHub for details.

TL;DR:

# Load mod_openssl
server.modules += ( "mod_openssl" )

setenv.add-environment = ("fqdn" => "true")
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/combined.pem"
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference")
}

# Redirect HTTP to HTTPS
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

Thanks to Theliel · GitHub who found out how to fix this :heart:


Hello, I just went through this tutorial and ran into an issue where I would get an SSL_ERROR_INTERNAL_ERROR_ALERT when I tried to access my Pi-hole admin UI (lighttpd was up and running fine, though).

After doing some research into the lighttpd docs, I found that in newer versions of lighttpd the ssl.ca-file option is deprecated, and instead you need to put your full CA certificate chain + certificate + private key all in one file, which ssl.pemfile should point to. Once I did that and restarted lighttpd, HTTPS started working as expected.

My external.conf file now looks like:

$HTTP["host"] == "pihole.example.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/PATH/TO/combined_fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

Someone (@DanSchaper, @yubiuser, … ?) might want to update Remove 443 from example yaml/readme and scripts. · Issue #755 · pi-hole/docker-pi-hole · GitHub regarding how to use port 443 for secure remote access without a VPN…!? :thinking:

Or does anyone want a PR with an example for this scenario?

I just went through the tutorial very carefully and it doesn't work. Always receive errors when restarting / attempting to start up lighttpd.

What I tried:

  1. I gave access to the location where I placed the cert(s):
     sudo chown www-data -R /etc/lighttpd/ssl
  2. I chained together my private key and cert file into one file with a .pem extension:
     sudo cat privatekey.key certfile.crt | sudo tee combinedfiles.pem
  3. I chained together all my intermediate certs into one file with a .pem extension:
     sudo cat intermediateCA1.crt intermediateCA2.crt | sudo tee combinedCAfiles.pem
  4. I tried with and without the CA file within the lighttpd external.conf file (as that was stated to be deprecated by someone in the comments).

Any assistance would be welcomed.

What errors are you seeing?

Official lighttpd SSL documentation:

This doesn't work for me. The lighttpd daemon doesn't run after setting up SSL.

Following the above instructions, I'm seeing the following when I restart lighttpd:

Warning: please add "mod_openssl" to server.modules list in lighttpd.conf. A future release of lighttpd 1.4.x will not automatically load mod_openssl and lighttpd will not use SSL/TLS where your lighttpd.conf contains ssl.* directives

Adding "mod_openssl" to my lighttpd.conf resolves the issue:

server.modules = (
    "mod_access",
    "mod_accesslog",
    "mod_auth",
    "mod_expire",
    "mod_redirect",
    "mod_setenv",
    "mod_rewrite",
    "mod_openssl"   # <<< added
)

Do not edit this file.

Changes made to lighttpd.conf will be overwritten on the next update (or if you execute a repair).
You need to add the module using external.conf file.

Try to add this to external.conf:

server.modules += (
  "mod_openssl"
)

For anyone else trying to do this and getting errors after following this guide: just make sure you have the package "lighttpd-mod-openssl" installed. Once I installed this package and followed the guide, everything worked.

I followed this article: Adding HTTP certificates to Pi-Hole with LEGO.
I hope it will be helpful to others here, too.


I followed the instructions, but the lighttpd service cannot restart after I created the external.conf as described above.

In the script I replaced the red fqdn with my domain name.
As there is no combined.pem in /etc/lighttpd, I copied the file from /etc/letsencrypt/live/pihole.example.com/

Is there anything else that has to be done before or after creating external.conf?

I had achieved everything until creating privkey.pem, cert.pem and combined.pem in
/etc/letsencrypt/live/pihole.example.com/

Hi, I have been running Pi-hole on a Debian 10 mini-PC for the last couple of years and had SSL enabled for the last few months. A recent OS update caused Pi-hole to stop working and no matter what I did I could not get it back up and running. I bit the bullet and installed Debian 12 onto the PC as a clean install and then re-installed Pi-hole, and all was working again. Fortunately, I had a backup from my Pi-hole configuration via transporter from when I did the last update, and nothing had changed so it was running again quite quickly.

When I tried to enable SSL I hit a problem. No matter what I did, my old configuration would not work. I found that lighttpd on Debian 12 is now 1.4.69 and there have been some changes to what is included and how it is configured. It is no longer possible to use external.conf in the /etc/lighttpd directory to load the SSL configuration. The configuration must be loaded from /etc/lighttpd/conf-enabled; however, to ensure that my configuration does not get overwritten at a later date, I still created my configuration in /etc/lighttpd and then created a link to it in /etc/lighttpd/conf-enabled.

I have a local SSL configuration, not using LetsEncrypt, so I use a combined.pem file.
The configuration I ended up with is based on info found here and at:

Here are the steps I followed and my config which may help someone facing the same issue.

Install lighttpd's openssl module.

sudo apt-get install lighttpd-mod-openssl

Create a directory for the combined certificate.

mkdir /etc/cert

Upload combined.pem to /etc/cert.
Set permissions on the certificate file and directory.

sudo chown root /etc/cert/combined.pem
sudo chown :root /etc/cert/combined.pem
sudo chown www-data -R /etc/cert

Create the lighttpd SSL configuration file, named so that it is loaded in the correct order by lighttpd.

sudo touch /etc/lighttpd/10-ssl.conf

Edit 10-ssl.conf and add the following:

# turn on ssl #
server.modules += (
    "mod_openssl"
)

$HTTP["host"] == "<your-server-fqdn>" {
    # Ensure the Pi-hole Block Page knows that this is not a blocked domain
    setenv.add-environment = ("fqdn" => "true")

    $SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine = "enable"
        ssl.disable-client-renegotiation = "enable"
        ssl.pemfile = "/etc/cert/combined.pem"

        # ECDH/ECDHE ciphers curve strength
        ssl.ec-curve = "secp384r1"

        ssl.use-compression = "disable"

        # Environment flag for HTTPS enabled
        setenv.add-environment = (
            "HTTPS" => "on"
        )

        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
        ssl.honor-cipher-order = "enable"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"

        # HSTS (15768000 seconds = 6 months)
        setenv.add-response-header = (
            "Strict-Transport-Security" => "max-age=15768000;"
        )
    }

    # Redirect all HTTP traffic to HTTPS
    $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
            url.redirect = (".*" => "https://%0$0")
        }
    }
    # Auto redirect to admin panel when hitting base URL
    url.redirect = ("^/$" => "/admin" )
}

Set permissions on the SSL configuration file (may not be needed, but I want to be sure).

sudo chmod 644 /etc/lighttpd/10-ssl.conf
sudo chown root /etc/lighttpd/10-ssl.conf
sudo chown :root /etc/lighttpd/10-ssl.conf

Create a link to the configuration file in /etc/lighttpd/conf-enabled and restart the lighttpd service.

sudo ln -s /etc/lighttpd/10-ssl.conf /etc/lighttpd/conf-enabled/10-ssl.conf
sudo service lighttpd restart
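Several posts in this thread assemble a combined bundle (private key, server certificate and intermediates concatenated into one .pem) and then set its permissions before pointing ssl.pemfile at it; the script below is an added example, not Pi-hole or lighttpd code, that checks such a bundle before lighttpd is restarted. It assumes GNU stat (as on Debian and Raspberry Pi OS) and a POSIX awk, and its sample input consists of constructed placeholder PEM blocks rather than real key material.

```shell
#!/bin/sh
# Pre-flight check for the combined.pem lighttpd's ssl.pemfile points to.
# Added example (not Pi-hole or lighttpd code); assumes GNU stat and POSIX awk.
# The sample PEM blocks are constructed placeholders, not real key material.

# Count PEM blocks in "$1" and print "key=N cert=M".
pem_block_counts() {
    awk '/^-----BEGIN .*PRIVATE KEY-----$/ { k++ }
         /^-----BEGIN CERTIFICATE-----$/    { c++ }
         END { printf "key=%d cert=%d\n", k, c }' "$1"
}

# Succeed when the first PEM block in "$1" is the private key, i.e. the bundle
# was assembled as key, then server certificate, then intermediates.
key_comes_first() {
    first=$(awk '/^-----BEGIN /{ print; exit }' "$1")
    case "$first" in
        *"PRIVATE KEY"*) return 0 ;;
    esac
    return 1
}

# Succeed only for exactly one key plus at least one certificate, key first.
check_combined_pem() {
    counts=$(pem_block_counts "$1")
    keys=${counts#key=}; keys=${keys%% *}
    certs=${counts##*cert=}
    if [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ] && key_comes_first "$1"; then
        return 0
    fi
    return 1
}

# Succeed when "others" have no read bit on "$1" (it holds the private key).
not_world_readable() {
    mode=$(stat -c '%a' "$1")          # e.g. 640; last digit is "others"
    if [ $(( (mode % 10) / 4 )) -eq 0 ]; then return 0; fi
    return 1
}

# Write constructed sample bundles into directory "$1" for a dry run.
make_sample_bundles() {
    key='-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END PRIVATE KEY-----'
    leaf='-----BEGIN CERTIFICATE-----\nPLACEHOLDER-LEAF\n-----END CERTIFICATE-----'
    ca='-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----'
    printf '%b\n' "$key" "$leaf" "$ca" > "$1/good.pem"        # key, cert, chain
    printf '%b\n' "$leaf" "$key"       > "$1/cert_first.pem"  # wrong order
    printf '%b\n' "$leaf" "$ca"        > "$1/chain_only.pem"  # key missing
}
```

Against the real file, `check_combined_pem /etc/cert/combined.pem && not_world_readable /etc/cert/combined.pem` covers the bundle, and `sudo lighttpd -tt -f /etc/lighttpd/lighttpd.conf` then syntax-checks the merged configuration (including module loading) before the restart.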