With reference to: Enabling HTTPS for your Pi-hole Web Interface - FAQs / Community How-to's - Pi-hole Userspace
It is possible to tighten that config and enforce the strongest settings available when serving the web interface over HTTPS with a certificate, i.e. TLS 1.3 only and high-security ciphers, as described in the lighttpd docs [Docs SSL - Lighttpd - lighty labs].
First, SSH to your Pi-hole and check that the lighttpd version is at least 1.4.55:

```
xxx@xxx:~$ lighttpd -v
lighttpd/1.4.55 (ssl) - a light and fast webserver
```
Then replace your /etc/lighttpd/external.conf with the one below. Make sure the hostname and the certificate paths are correct:
```
server.modules += ( "mod_openssl" )

$HTTP["host"] == "[put your hostname here]" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/[my domain]/combined.pem"
    ssl.ca-file = "/etc/letsencrypt/live/[my domain]/fullchain.pem"
    # TLS 1.3 only, server-chosen cipher order, high-security ciphers
    ssl.openssl.ssl-conf-cmd = ("MinProtocol"  => "TLSv1.3",
                                "Options"      => "ServerPreference,-SessionTicket", # (lighttpd 1.4.55 and earlier)
                                "CipherString" => "HIGH")
    # HSTS: browsers will refuse plain HTTP for this host for one year (31536000 s)
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=31536000" )
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ "." {
      url.redirect = ("." => "https://%0$0")
    }
  }
}
```
For those who are using older browsers, you can still relax security to TLS 1.2 and up: just change `"MinProtocol" => "TLSv1.3"` to `"MinProtocol" => "TLSv1.2"`.

The external.conf file will survive a Pi-hole update.

Restart the service and check its status:

```
sudo service lighttpd restart
sudo service lighttpd status
```
Et voila (tested with MS Edge Version 97.0.1072.69 (Official build) (64-bit)).
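To confirm from another machine that the policy really took effect, here is an added check script (written for this post, not part of the original how-to or of Pi-hole): it pins a handshake to TLS 1.2 and expects a refusal, pins one to TLS 1.3 and expects success, and then verifies the HSTS header and the HTTP-to-HTTPS redirect. It assumes the admin page lives at /admin/ and that the hostname you put in external.conf resolves from where you run it.

```python
"""Audit a Pi-hole host against the external.conf above. Added example, not
part of the original post. Assumes /admin/ is the admin page path."""
import http.client
import socket
import ssl

ONE_YEAR = 31536000  # the max-age value set in external.conf


def tls_handshake(host, version, port=443, timeout=5):
    """Pin a handshake to exactly one TLS version. Returns the negotiated
    version string (e.g. 'TLSv1.3'), or None if the server refused it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict; a malformed
    max-age counts as 0 so it can never pass the strength check."""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        key = key.strip().lower()
        if not key:
            continue
        out[key] = (int(val) if val.strip().isdigit() else 0) if key == "max-age" else True
    return out


def hsts_ok(value, min_age=ONE_YEAR):
    """True if the header commits browsers to HTTPS for at least min_age seconds."""
    return parse_hsts(value).get("max-age", 0) >= min_age


def audit(host):
    """Run every check against a live host; all four values should be True."""
    https = http.client.HTTPSConnection(host, timeout=5, context=ssl.create_default_context())
    https.request("HEAD", "/admin/")
    hsts = https.getresponse().getheader("Strict-Transport-Security", "")
    plain = http.client.HTTPConnection(host, timeout=5)
    plain.request("HEAD", "/admin/")
    location = plain.getresponse().getheader("Location", "")
    return {
        "tls12_rejected": tls_handshake(host, ssl.TLSVersion.TLSv1_2) is None,
        "tls13_accepted": tls_handshake(host, ssl.TLSVersion.TLSv1_3) == "TLSv1.3",
        "hsts_one_year": hsts_ok(hsts),
        "http_redirects": location.startswith("https://"),
    }
```

If you relaxed MinProtocol to TLSv1.2, expect `tls12_rejected` to be False; the other three should still be True.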