I use my Pi as a web server in addition to using it as a Pi-hole. The web server is exposed to the internet and has a valid Let's Encrypt certificate (which serves the admin page through a reverse proxy).
I accomplished this by changing the lighttpd port to 8077. I wrote my own update function for pi-hole to prevent it from changing the port back:
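```bash
# Port the post moves lighttpd to; run as root
PIHOLE_PORT=8077
pihole -up
# Allow framing of admin page
sed -i 's/"X-Frame-Options" => "DENY"/"X-Frame-Options" => "SAMEORIGIN"/' /etc/lighttpd/lighttpd.conf
# sed works line by line, so "\n" in the pattern never matches; anchor on the line end instead
sed -i -E "s/^(server\.port[[:space:]]*=[[:space:]]*)80[[:space:]]*\$/\1${PIHOLE_PORT}/" /etc/lighttpd/lighttpd.conf
# Point chronometer.sh at the admin page on the new port
sed -i "s|127.0.0.1/admin/|127.0.0.1:${PIHOLE_PORT}/admin/|g" /opt/pihole/chronometer.sh
service lighttpd restart
```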
When I visit a pi-holed domain I get a security warning informing me that the page I am visiting serves the security certificate of my domain.
I think this could be circumvented by running Pi-hole on its own IP, using these commands to add an IP to the interface the Pi is running on:
```bash
# Requires bash (arrays) and root. Takes the address of the first interface in state UP.
INTERNALIP=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')
# Split the address into its four octets
OIFS=$IFS; IFS='.'; ip=($INTERNALIP); IFS=$OIFS
cp /etc/network/interfaces /etc/network/interfaces.bak
#nano /etc/network/interfaces
# The stanza below assumes a /24 network and uses the host address + 1 as the alias
ex /etc/network/interfaces << END_EX_COMMANDS
" Find the mark
/^iface eth0 inet manual/
" Add the complex, multi-line text
a
#IP Aliasing
auto eth0:0
iface eth0:0 inet static
name Ethernet alias LAN card
address ${ip[0]}.${ip[1]}.${ip[2]}.$((${ip[3]}+1))
netmask 255.255.255.0
broadcast ${ip[0]}.${ip[1]}.${ip[2]}.255
network ${ip[0]}.${ip[1]}.${ip[2]}.0
.
" The '.' terminates the a-command. Write out changed file.
w!
q
END_EX_COMMANDS
unset ip OIFS
```
I propose running the Pi-hole lighttpd server on an alternative interface as standard, or at least as a choice during install, in order to keep the common ports on the Raspberry available to serve a website.
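
An added example, not part of the original post: the alias snippet above hardcodes a /24 netmask and uses the host address plus one, which yields the broadcast address when the host is .254 or sits at the top of a smaller subnet. The sketch below derives the alias address, netmask, broadcast and network from an `address/prefix` pair and refuses that case. The function names and sample addresses are constructed for illustration, and it does not check whether the candidate address is already in use on the network.

```sh
# Works in bash and POSIX sh. Function bodies in ( ) run in a subshell,
# so IFS and variable changes do not leak into the caller.

# ip_to_int A.B.C.D -> prints the 32-bit integer; status 2 on malformed input.
ip_to_int() (
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 2 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 2
    for o in "$@"; do
        case $o in 0?*) return 2 ;; esac   # leading zero would be parsed as octal
        [ "$o" -le 255 ] || return 2
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int_to_ip N -> prints the dotted quad for a 32-bit integer.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# next_alias_addr ADDR/PREFIX -> prints "alias netmask broadcast network".
# Status 1: host + 1 is the broadcast address or outside the subnet.
# Status 2: malformed input or a prefix outside 8..30.
next_alias_addr() (
    addr=${1%/*}; prefix=${1#*/}
    case $prefix in ''|0*|*[!0-9]*) return 2 ;; esac
    [ "$prefix" -ge 8 ] && [ "$prefix" -le 30 ] || return 2
    host=$(ip_to_int "$addr") || return 2
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( host & mask ))
    bcast=$(( net | (mask ^ 0xFFFFFFFF) ))
    cand=$(( host + 1 ))
    [ "$cand" -lt "$bcast" ] || return 1
    echo "$(int_to_ip "$cand") $(int_to_ip "$mask") $(int_to_ip "$bcast") $(int_to_ip "$net")"
)

# Constructed sample input: a host at 192.168.1.10 on a /24.
next_alias_addr 192.168.1.10/24
```

The four printed fields map to the `address`, `netmask`, `broadcast` and `network` lines of the `eth0:0` stanza; feed it the `address/prefix` value that `ip addr` prints instead of cutting the prefix off.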