HTTPS for Pi-hole Web Interface


#1

Hello there,

I would like to access the Admin Web-Interface via HTTPS instead of HTTP. HTTP should be disabled as well.

Can anyone help me to manage this? I already read this article: Enabling HTTPS for your Pi-hole Web Interface
But I just want to do it local. So my Web-Interface just can be accessed local. You may wonder why I need HTTPS if it is just local, but there are several reasons for me to do that.

And do I need a SSL-Certificate? I know that I will get a Security-Error-Message every time I want to visit the Interface. But except this fact, are there any other disadvantages? And will this Security-Error-Message disappear if I install a Self-Signed certificate with letsencrypt?

I would welcome any response and help! :smile:

Best Regards,
HideWood


#2

Yes

No, not really

letsencrypt does not allow purely local domains like pi.hole.

No, I strongly disagree. 1.) HTTP works for everyone and is most people are able to trust the users in their internal network, 2.) As you already pointed out yourself, using self-signed certificates is quite a stony path with many obstacles on the way, 3.) HTTP needs to stay enabled for the blocking page. However, access to the admin interface may be restricted.


#3

First at all, thank you for your input.
If I understand you right, it is not possible to get a SSL-Certificat for a local domain or it is really hard.
But I didn’t need a SSL-Certificat, right (if I ignore the warning)?
So why did you wrote that I need a SSL-Certificate?

And if I disable HTTP, Pi-Hole won’t work properly, right? But what exatly do you mean with “blocking page” and that the admin interface may be restriced?

But the most important questions: How to enable SSL? :smiley:


#4

It is not possible to get a certificate signed by a CA for a purely local domain such as pi.hole. You also don’t need one, unless you want to access the block page or web interface over HTTPS.

Since you want to use HTTPS on the web interface, you need to create a self-signed certificate (google is your friend).

If you disable HTTP, you can’t access the web interface over it and the block page will not work for many ads.


#5

No, you will need one, but you can go with a self-signed one (that will generate the mentioned warning).

You have to enable it with lighttpd. There will be many tutorial online for this.


#6

So, I created a self-signed Certificate and enabled SSL. Seems to work. But if I set the Port to 8443 it doesn’t work anymore. I thought 8443 is the standard port for a HTTPS Website with login-access? Nevertheless 443 works fine.

The encryption seems to be okay, but it is possible to change AES_128_GCM to AES_256_CBC with HMAC-SHA1?

And about disabling HTTP. I don’t get it… Why wouldn’t Pi-Hole block any DNS-Requests anymore, if the interface is only reachable through HTTPS? I can’t see the connection.
For example: Before I used Pi-Hole I set my providers DNS as the default on my Router. And I told my devices to use the DNS-Server from my Router. And I disabled HTTP Access on my Router as well. So the interface of my Router can only be accessed through HTTPS. But DNS-Requests worked fine. So why is here a problem?


#7

I’ve never heard of port 8443 being used. Did you specify that port when trying to go to the page? If not, then it will automatically use port 443 for HTTPS.

The encryption will depend on what you used to generate the certificate afaik.

Pi-hole will continue to block ads if you disable HTTP, but the block page will not show up for any HTTP ad, you might have HTTP ads time out causing the page to load slower, and the web interface will not be available over HTTP. I know some of these are not an issue for you, but disabling HTTP does not bring any real benefits.


#8

I just made a google research and found this: https://redmine.lighttpd.net/projects/1/wiki/HowToSimpleSSL

I wasn’t able to find any way to set it to AES256. Are there really any generator for AES256 and do you know one? I was looking on so many sites and didn’t find any solutions… =/

And I have another question. You may have heard of FritzBox. It’s a router which is pretty popular in Germany. You can access the Web interface via http://fritz.box (Local-URL)
And there is also the possibility to set it to HTTPS only. Then there will be a certificate Error. But FritzBox have the option, to download the certificate and import it to Chrome. Then the Warning will disappear. Is this also possible with Pi-Hole?


#9

From this page: https://raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html

AES 128 is preferred to AES 256. There has been discussions on whether AES256 extra security was worth the cost, and the result is far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.

You should be able to do the same import with Pi-hole. It isn’t a FritzBox specific thing.


#10

Yes, when you generated your self-signed certificate you obtained a certificate. This can be imported in Chrome in a similar way. See maybe also this link for an example of how to add such a file to Chrome.


#11

So, I tried to set up HTTPS with the Link from @Mcat12 : https://raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html

I need to add following statements:

ssl.use-compression = "disable"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
ssl.dh-file = CERT-Link
ssl.ec-curve = "secp384r1"

But where do I add them?
Do I just add them at the end from the lighttpd.conf file? Because it doesn’t work.

If I just add this at the end of the lighttpd.conf file, it works. But this seems not to be safe enough.

$SERVER["socket"] == ":443" {
  ssl.engine = "enable" 
  ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem" 
}

And about importing a self-signed certificate into Chrome. Is that dangerous? Because I heard that some Anti-Virus Programs also use self-signed Certificates to scan the Internet-Access. But some Viruses use those Certificates to sniffer and modify a SSL-Connection. Can this happen to me too with my self-signed Certificate?


#12

No, you can add your certificate without having to worry about such things (they are much too unlikely to be of any concern).

How about adding them inside the

$SERVER["socket"] == ":443" {
    ...
}

block?


#13

Sorry, I forgot to write it down. But I also tried to write it within the brackets. Like this:

$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.use-compression = "disable"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
ssl.dh-file = CERT-Link
ssl.ec-curve = "secp384r1"
}

But it still doesn’t work. I can’t reach Pi-Hole via HTTPS with those settings… =/

And about importing the certificate: Event though it is extremely unlikely, would it be possible theoretically?


#14

Okay, so then these settings seem to be unsuitable at least for the browser you are using to connect to the Pi-hole. Maybe you can try putting them in one by one and see which one causes the connection to fail.

A hacker could steal the certificate and could then sign any mocked domain with it and you wouldn’t get a warning about the certificate being doubtful (as it isn’t as you explicitly added this certificate).


#15

So, the problem is the certificate.
I created it like this:

> openssl dhparam -out dhparam.pem 4096
The other one like this:

> openssl req -new -x509 -keyout lighttpd.pem -out lighttpd.pem -days 365 -nodes
The second one (req) works fine. I will try to create a new one with dhparam. But this may take a while. But why are there so many parameters at the second Certificate? Are they not needed for the Diffie-Hellman as well? And do I have to set the Certificate to chmod 400?

And this may be a stupid question: But is it possible or necessary to disable sslv1?


#16

If you are interested then read about the differente you can read e.g. on

This means: only the owner can read the file, nobody (not even the owner) can change it.

sslv1 does not exist. This version circulated only inside Netscape Communications, since it had several shortcomings and flaws. For example, it didn’t provide data integrity protection. Not a stupid question at all :slight_smile:


#17

Thanks for your help! Everything is working fine now.
With websites like: https://www.ssllabs.com/ssltest/ is it possible to test the SSL. Is there maybe an add-on or something like that to test the SSL on a local URL?
I just want to make sure that I didn’t forgot anything… :smiley:


#18

Below one connects to the SSL port 443 and shows detailed info for plain old RSA certs (replace github.com with the domain to test):

echo | openssl s_client -connect github.com:443 2>/dev/null | openssl x509 -text