HTTPS: Enforce TLS1.3 / High Ciphers on Pi-Hole

With reference to:

Enabling HTTPS for your Pi-hole Web Interface - FAQs / Community How-to's - Pi-hole Userspace

It is possible to upgrade the config and enforce the highest security possible when using HTTPS and a certificate, i.e.
TLS 1.3 and high-security ciphers, as per the lighttpd docs [Docs SSL - Lighttpd - lighty labs].

First, check over SSH to your pi.hole that the lighttpd version is at least 1.4.55:
xxx@xxx:~$ lighttpd -v
lighttpd/1.4.55 (ssl) - a light and fast webserver

Then replace your /etc/lighttpd/external.conf file with this one.
Make sure your hostname and certificate paths are correct below:

server.modules += ( "mod_openssl" )

$HTTP["host"] == "[put your hostname here]" {

    # Ensure the Pi-hole block page knows that this is not a blocked domain
    setenv.add-environment = ("fqdn" => "true")

    # Enable the SSL engine with a LE cert, only for this specific host
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/[my domain]/combined.pem"
        ssl.ca-file = "/etc/letsencrypt/live/[my domain]/fullchain.pem"
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3",
                                    "Options" => "ServerPreference,-SessionTicket", #(lighttpd 1.4.55 and earlier)
                                    "CipherString" => "HIGH")
        setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=31536000")
    }

    # Redirect HTTP to HTTPS (any host, any URL)
    $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
            url.redirect = (".*" => "https://%0$0")
        }
    }
}

For those using older browsers, you can still relax security to TLS 1.2 and up: just change "MinProtocol" => "TLSv1.3" to "MinProtocol" => "TLSv1.2".

The external.conf file will survive a Pi-hole update.

Restart the service: sudo service lighttpd restart
Check Status: sudo service lighttpd status

Et voilà (tested with MS Edge Version 97.0.1072.69 (Official build) (64-bit)).

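A way to check that the settings from the post actually took effect, as an added example that is not part of the original post or of Pi-hole/lighttpd. The first half audits an external.conf text for the three things the post enforces (MinProtocol TLSv1.3, CipherString HIGH, a one-year HSTS header) and reports where a file has been relaxed; the second half probes a live host with a handshake pinned to TLS 1.2 and then TLS 1.3, which on a server configured as above should be refused and accepted respectively. The embedded conf snippet is constructed from the post's configuration, and the host name in the usage comment is a placeholder.

```python
"""Audit a lighttpd external.conf for the TLS settings the post recommends and
optionally probe the live Pi-hole to confirm they are enforced.

Added example, not part of the original post or of Pi-hole. The conf text below is
constructed from the post's configuration; host names are placeholders.
"""
import re
import socket
import ssl

# Constructed sample: the relevant lines of the post's external.conf.
SAMPLE_CONF = '''
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3",
                                "Options" => "ServerPreference,-SessionTicket", #(lighttpd 1.4.55 and earlier)
                                "CipherString" => "HIGH")
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=31536000")
}
'''

ONE_YEAR = 31536000  # the max-age the post sets
_PROTO_RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def parse_ssl_conf_cmd(conf):
    """Return the key/value pairs of ssl.openssl.ssl-conf-cmd as a dict ({} if absent)."""
    stripped = re.sub(r"#[^\n]*", "", conf)  # drop end-of-line comments first
    m = re.search(r"ssl\.openssl\.ssl-conf-cmd\s*=\s*\(([^)]*)\)", stripped)
    if not m:
        return {}
    return dict(re.findall(r'"([^"]+)"\s*=>\s*"([^"]*)"', m.group(1)))


def audit_conf(conf):
    """List the ways conf is weaker than the post's settings (empty list = it matches)."""
    findings = []
    cmd = parse_ssl_conf_cmd(conf)
    minproto = cmd.get("MinProtocol")
    if minproto is None:
        findings.append("MinProtocol not set: the OpenSSL/lighttpd default decides the floor")
    elif _PROTO_RANK.get(minproto, 0) < _PROTO_RANK["TLSv1.3"]:
        findings.append(f"MinProtocol is {minproto}, not TLSv1.3 (only acceptable if legacy clients are needed)")
    if cmd.get("CipherString") != "HIGH":
        findings.append("CipherString is not HIGH")
    hsts = re.search(r'"Strict-Transport-Security"\s*=>\s*"max-age=(\d+)', conf)
    if hsts is None:
        findings.append("no Strict-Transport-Security response header")
    elif int(hsts.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age {hsts.group(1)} is shorter than one year")
    return findings


def probe_tls_versions(host, port=443, timeout=5.0):
    """Attempt a handshake pinned to each version; returns {version: accepted}. Needs network access."""
    results = {}
    for name, version in (("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3)):
        ctx = ssl.create_default_context()
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError):
            results[name] = False  # handshake refused: the server does not offer this version
    return results


if __name__ == "__main__":
    print("config findings:", audit_conf(SAMPLE_CONF) or "none")
    # Against a deployed Pi-hole (placeholder host) with the post's config,
    # expect {'TLSv1.2': False, 'TLSv1.3': True}:
    # print(probe_tls_versions("pi.hole.example"))
```

Run the audit against your own file with `audit_conf(open("/etc/lighttpd/external.conf").read())`; if you relaxed MinProtocol to TLSv1.2 for older browsers it reports exactly that one finding, so you can see the trade-off you made. The probe deliberately pins both minimum and maximum version so that a TLS 1.2 handshake cannot silently negotiate up to 1.3.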

This seems like it should be a feature request to have it natively available in the software.