Https for web interface

… my pihole servers run on two AWS ECS2 Ubuntu instances with fixed IPs (elastic IPs). For the web interface I would like to force only https. How do I do this? I don’t have a domain / domain certificate for the pihole servers. Please advise…

Thanks, I checked this one out but it doesn’t work for me. My environment is AWS Ubuntu 18.04 LTS with pihole web interface 4.3.2, with an elastic IP. Please advise what the best route is to take…

I tried the below but I cannot reach the ip via https:

Since most of us run these internal without a FQDN, here’s how to generate a self-signed cert, to create the combined.pem and proceed with the process avoiding letsencrypt.

mkdir ssl ; cd ssl
openssl req \
       -newkey rsa:2048 -nodes -keyout domain.key \
       -x509 -days 365 -out domain.crt
# fill out the interactive prompt for country, org, CN, etc
cat domain.key domain.crt > combined.pem
cp -R ../ssl /etc/lightttpd

external.conf modified to use SSL regardless of HOST header – e.g. if you visit
https://192.168.0.200 it will work

cat /etc/lighttpd/external.conf
# Ensure the Pi-hole Block Page knows that this is not a blocked domain
setenv.add-environment = ("fqdn" => "true")

# Enable the SSL engine with a LE cert, only for this specific host
$SERVER["socket"] == ":443" {
	ssl.engine = "enable"
	ssl.pemfile = "/etc/lighttpd/ssl/combined.pem"
	ssl.honor-cipher-order = "enable"
	ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
	ssl.use-sslv2 = "disable"
	ssl.use-sslv3 = "disable"
}

# Redirect HTTP to HTTPS
$HTTP["scheme"] == "http" {
	$HTTP["host"] =~ ".*" {
		url.redirect = (".*" => "https://%0$0")
	}
}

You probably should address that as a response to the user that provided the instructions. It’s not something we support directly.

1 Like

OK will do, thanks!

It seems you are running your Pi-holes on a cloud server.

If that’s publicly available, and the Pi-holes with it, I wonder whether that might be the reason why you try to secure access to Pi-hole’s Admin UI.

In that case, before thinking about HTTPS, you probably want to divert your attention about securing access to Pi-hole first, lest it be used in DNS amplification attacks. Also, most providers don’t react very friendly to having open resolvers running on their network.

If you are fully aware of this and already have exercised all necessary precautions, please ignore my remark.

If not, you probably might want to reverify your motives for a cloud-based Pi-hole setup once again.
Edit: Most users will be perfectly happy with running Pi-hole just locally, possibly expanding their home network by means of a VPN to include roaming devices if needed. The former is Pi-hole’s default scenario upon installation, the latter is covered in the docs exemplarily, while neither of those makes a cloud server a requirement.

Hi, thanks for this and yes the necessary precautions have been taken for securing pihole in the cloud. Still keen to understand how I secure the web interface as otherwise I would disable it entirely. Can this web interface https functionality be included as feature request for the future roadmap?

What I have done to mitigate insecure http is to actually blocking all incoming traffic from the world unless it comes across WireGuard or SSH. So the only open ports to the VPS are the port WireGuard uses and SSH as I login with keys (not a password). That way I can still access http://pi.hole/admin but the rest of the world can’t see it all.

I’m all for https everywhere on my things. The problem with shipping a default https/tls configuration is that it is hostname dependent. We don’t know what hostname you will chose, we don’t know if Let’sEncrypt is viable (Are you behind a proxy, are the required ports open, are you using the http challenge or the DNS challenge, do you want a wildcard cert…)

You can disable the interface completely, using a pre-configured /etc/pihole/setupVars.conf that modifies the flags shown below:

INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=true
1 Like