Pi-Hole with Lighttpd HTTPS active on

Hi!

If you want HTTPS enabled on Lighttpd with Pi-hole (IPv4 only):

Here's a custom config of:

"/etc/lighttpd/lighttpd.conf"

# Custom /etc/lighttpd/lighttpd.conf for Pi-hole with an additional HTTPS listener.
# IPv4 only: server.use-ipv6 is disabled below and the TLS socket binds one IPv4 address.
server.modules = (
"mod_access",
"mod_accesslog",
"mod_auth",
"mod_expire",
"mod_compress",
"mod_redirect",
"mod_setenv",
"mod_rewrite"
)

server.document-root = "/var/www/html"
# Unknown paths are handed to the Pi-hole landing page instead of a bare 404.
server.error-handler-404 = "/pihole/index.php"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
# Worker drops to the unprivileged www-data user/group after binding the ports.
server.username = "www-data"
server.groupname = "www-data"
server.port = 80
server.use-ipv6 = "disable"
accesslog.filename = "/var/log/lighttpd/access.log"
accesslog.format = "%{%s}t|%V|%r|%s|%b"

index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
# Never serve backup/source/config files that may live under the document root.
url.access-deny = ( "~", ".inc", ".md", ".yml", ".ini" )
# Script files are never delivered as static content (they must go through FastCGI).
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )

mimetype.assign = ( ".png" => "image/png",
".jpg" => "image/jpeg",
".jpeg" => "image/jpeg",
".html" => "text/html",
".css" => "text/css; charset=utf-8",
".js" => "application/javascript",
".json" => "application/json",
".txt" => "text/plain",
".svg" => "image/svg+xml" )

# Pull in every conf-enabled snippet except letsencrypt.conf — presumably because TLS
# is configured explicitly in the $SERVER["socket"] block further down; confirm before reuse.
include_shell "find /etc/lighttpd/conf-enabled -name '*.conf' -a ! -name 'letsencrypt.conf' -printf 'include "%p"\n' 2>/dev/null"

$HTTP["url"] =~ "^/admin/" {
# X-Frame-Options: DENY keeps the admin interface out of third-party iframes (clickjacking).
setenv.add-response-header = (
"X-Pi-hole" => "The Pi-hole Web interface is working!",
"X-Frame-Options" => "DENY"
)

$HTTP["url"] =~ ".ttf$" {
    # NOTE(review): the value below contains literal backticks around the asterisk, which
    # would be sent verbatim in the header and is not a valid origin value; this looks like
    # forum-rendering damage of "*" — verify against the upstream Pi-hole config before use.
    setenv.add-response-header = ( "Access-Control-Allow-Origin" => "`*`" )
}

}

# Deny access to dot-files under /admin/ (url.access-deny = ("") denies everything that matches).
# NOTE(review): the "." in the pattern is unescaped, so as written it matches any character and
# would deny the whole admin interface; the upstream pattern uses "\." — the backslash was
# probably lost in rendering. Confirm before copying this line.
$HTTP["url"] =~ "^/admin/.(.*)" {
url.access-deny = ("")
}

include_shell "cat external.conf 2>/dev/null"

server.modules += ( "mod_openssl" )

# HTTPS listener bound to one IPv4 address on port 443 (see the "Edit:" list in the post).
$SERVER["socket"] == "pi-hole-ip-here:443" {
protocol = "https://"

ssl.engine = "enable"

# Refuses client-initiated TLS renegotiation.
ssl.disable-client-renegotiation = "enable"

# pemfile: server certificate + private key. ca-file: the issuing chain sent to clients.
# NOTE(review): both placeholders point at the same file here; if that is really the
# case in your setup, double-check that ca-file is the CA chain and not the key-bearing pemfile.
ssl.pemfile = "/path-to/your-.pem-file-here"
ssl.ca-file = "/path-to/your-.pem-file-here"

# DH parameters used by the DHE-* suites in ssl.cipher-list below.
ssl.dh-file = "/path-to/your-Diffie–Hellman-key.pem-here"

# Lets PHP (e.g. $_SERVER['HTTPS']) know the request arrived over TLS.
setenv.add-environment = ( "HTTPS" => "on" )

# Disables SSLv2/SSLv3 and TLS 1.0/1.1, leaving TLS 1.2 and newer; restricts key-exchange curves.
ssl.openssl.ssl-conf-cmd = ( "Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1", "Curves" => "X25519:prime256v1:secp384r1" )

# Forward-secret (ECDHE/DHE) suites only; AES-GCM suites come first, CBC/SHA-1 suites
# (e.g. ECDHE-RSA-AES128-SHA) remain further down as a fallback. Anonymous, export, DES,
# RC4, 3DES, MD5 and PSK suites are excluded.
ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"

# Server's order above wins over the client's preference.
ssl.honor-cipher-order = "enable"

# HSTS (2 years, subdomains, preload) plus anti-framing and MIME-sniffing protection.
# NOTE(review): this listener is addressed by an IP literal; as far as I recall browsers
# do not apply HSTS to IP-address hosts, so the header only helps once a hostname is used.
setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload", "X-Frame-Options" => "DENY", "X-Content-Type-Options" => "nosniff" )
}

# Redirect every plain-HTTP request to HTTPS, preserving the requested host (%0) and path ($0).
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = ( ".*" => "https://%0$0" )
}
}

server.modules += ( "mod_fastcgi" )

# PHP via php-cgi over a Unix socket (replaces the conf-enabled 10-/15-fastcgi snippets the
# author removed). The socket name is suffixed with the lighttpd PID.
fastcgi.server = ( ".php" =>
((
"bin-path" => "/usr/bin/php-cgi",

  "socket" => "path-to-your-php-fast-cgi-socket/file-name.socket" + var.PID,

  # One php-cgi master process, which in turn forks PHP_FCGI_CHILDREN workers.
  "max-procs" => 1,

  "bin-environment" => ( 
  	"PHP_FCGI_CHILDREN" => "4",
  	"PHP_FCGI_MAX_REQUESTS" => "10000"
  ),
  # Only these variables from lighttpd's environment are passed on to php-cgi.
  "bin-copy-environment" => (
  	"PATH",
  	"SHELL",
  	"USER"
  ),
  # Only hand requests to PHP when the script file actually exists on disk.
  "check-local" => "enable",
  "broken-scriptfilename" => "enable"

))
)

Before editing the settings for your own setup, create your OpenSSL keys and certificates.

Edit:

$SERVER["socket"] == "pi-hole-ip-here:443" # use the IPv4 address from your "/etc/pihole/setupVars.conf" (IPV4_ADDRESS=)

ssl.pemfile = "/path-to/your-.pem-file-here"
ssl.ca-file = "/path-to/your-.pem-file-here"

ssl.dh-file = "/path-to/your-Diffie–Hellman-key.pem-file-here"

"socket" => "/path-to/your-php-fast-cgi-socket.socket-file-here" + var.PID,

Possibly adapt the iptables:

# Inbound: refuse UDP on the HTTP port with an ICMP port-unreachable.
/sbin/iptables -A INPUT -p udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
# NOTE(review): this rule rejects inbound TCP/443 with a RST, which would block the HTTPS
# listener configured above unless an earlier ACCEPT rule for 443 matches first — check the
# position of this rule in the chain before applying it.
/sbin/iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
# NOTE(review): accepting TCP/4711 on INPUT opens the FTL API port to every source;
# presumably FTL is bound to localhost here, so this rule may be unnecessary — confirm.
/sbin/iptables -A INPUT -p tcp --dport 4711 -j ACCEPT

# Outbound: allow the server to reach HTTP/HTTPS services (updates, gravity lists).
/sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

I removed these 2 files from "/etc/lighttpd/conf-enabled":
10-fastcgi.conf
15-fastcgi-php.conf

because the FastCGI configuration is already in my lighttpd.conf.

At your own risk!

It's in the FAQ:

ah ok, sorry.

Then it can be removed :wink:

Leave it.
Everyone tries to improve / reinvent the wheel, but most of it has been tried already.
The official docs and searching here are a good place to start.


ok, thanks!

Changes to this file will prevent pihole -up from working. You're on your own for support.

$ head -n 20 /etc/lighttpd/lighttpd.conf
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Lighttpd config for Pi-hole
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.

###############################################################################
#     FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE.     #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
#                                                                             #
#              CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE:              #
#                         /etc/lighttpd/external.conf                         #
###############################################################################

server.modules = (
        "mod_access",
        "mod_accesslog",