For anyone updating from an older version of pihole please note that the external.conf file needs to be placed either into
/etc/lighttpd/conf-enabled
or else into
/etc/lighttpd/conf-available
and then symlinked to conf-enabled.
This little wrinkle caught me out, as I had previously solved the TLS issue, but at that stage the external.conf file could be left in the /etc/lighttpd folder, as lighttpd.conf was "including" from there.
FYI, you have the lighty-enable-mod and lighty-disable-mod commands available for symlinking config files contained in conf-available to conf-enabled:
pi@ph5b:~ $ man lighty-enable-mod
[..]
DESCRIPTION
This manual page documents briefly the lighty-enable-mod and
lighty-disable-mod commands.
lighty-enable-mod and lighty-disable-mod are programs that enable
(and respectively disable) the specified configuration file within
lighttpd configuration.
Both programs can be run interactively or from command line. If either
program is called without any arguments, an input prompt is
displayed to the user, where he might choose among available
lighttpd modules. Immediate action is taken, if a module name was
given on the command line.
[..]
I cannot confirm such a requirement:
My custom options in external.conf are fully applied (but then those are not related to TLS).
That's still the case, as Pi-hole's lighttpd.conf still contains:
# Add user chosen options held in external file
# This uses include_shell instead of an include wildcard for compatibility
include_shell "cat external.conf 2>/dev/null"
I'm on Pi-hole v5.11.4, FTL v5.16.1, Web interface v5.13, Lighttpd 1.4.59.
This whole issue with Lighttpd started when I upgraded my Pi-hole OS to the latest PiOS by using a new image and then reinstalling Pi-hole. I prefer to access my web interface over HTTPS (yes, I know it's overkill), and so set about modding my external.conf to suit. Note as well that I also needed to reinstall mod-openssl:
sudo apt-get reinstall lighttpd-mod-openssl
My /etc/lighttpd/lighttpd.conf definitely only has the line
include "/etc/lighttpd/conf-enabled/*.conf"
and lighttpd only starts with my TLS requirements enabled when my external.conf is in this directory.
This is my external.conf.
server.modules += ( "mod_openssl" )
# Enable the SSL engine with a LE cert, only for this specific host
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/usr/local/share/ca-certificates/pi-hole.pem"
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference")
}
# Redirect HTTP to HTTPS
$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}
That lighttpd.conf wasn't created by Pi-hole.
I'm going to split your posts into a separate topic, so we can follow this through as a separate issue.
EDIT: Done.
Note that `lighttpd.conf` should not be edited at all, as per the disclaimer at the top of that file:
###############################################################################
# FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE.        #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
#                                                                             #
# CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE:                           #
#                        /etc/lighttpd/external.conf                          #
###############################################################################
My guess would be that reinstalling lighttpd-mod-openssl may have overwritten the lighttpd.conf generated by Pi-hole (which would contain the aforementioned disclaimer and run to about 100 lines in total).
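The two lighttpd.conf variants discussed in this thread behave differently: Pi-hole's generated file pulls in /etc/lighttpd/external.conf through the include_shell line quoted above, while the distro file only reads /etc/lighttpd/conf-enabled/*.conf. The script below is an added example (not code from this thread or from the Pi-hole project) that classifies a given lighttpd.conf by those two include lines, reports where external.conf will actually be read from, and does a cheap brace-balance check on an external.conf, since an unbalanced brace is one of the common reasons lighttpd refuses to start. The sample files it builds are constructed stand-ins for the real ones, and the pemfile path in them is an assumption taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the Pi-hole project.
# Reports which lighttpd.conf you are running (Pi-hole's generated one,
# which includes /etc/lighttpd/external.conf via include_shell, or the
# distro one, which only includes /etc/lighttpd/conf-enabled/*.conf)
# and therefore where external.conf must live.  Also checks an
# external.conf for balanced braces.  Paths are the thread's defaults.
set -eu

# Prints "pihole", "distro" or "unknown" for the given lighttpd.conf.
classify_lighttpd_conf() {
    if grep -q 'include_shell "cat external.conf' "$1" 2>/dev/null; then
        echo pihole
    elif grep -q 'include "/etc/lighttpd/conf-enabled/\*\.conf"' "$1" 2>/dev/null; then
        echo distro
    else
        echo unknown
    fi
}

# Prints the path from which external.conf will actually be read.
external_conf_location() {
    case "$(classify_lighttpd_conf "$1")" in
        pihole) echo /etc/lighttpd/external.conf ;;
        distro) echo /etc/lighttpd/conf-enabled/external.conf ;;
        *)      echo "unrecognised lighttpd.conf: $1" >&2; return 1 ;;
    esac
}

# Succeeds if the counts of '{' and '}' match once '#' comments are
# stripped.  Braces inside quoted strings would fool this; when lighttpd
# is installed, `lighttpd -tt -f FILE` is the authoritative check.
check_braces() {
    opens=$(sed 's/#.*//' "$1" | tr -cd '{' | wc -c | tr -d ' ')
    closes=$(sed 's/#.*//' "$1" | tr -cd '}' | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ]
}

# Constructed sample files (not real system files) so the script runs
# offline; prints the directory that holds them.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/pihole.conf" <<'EOF'
###############################################################################
# FILE AUTOMATICALLY OVERWRITTEN BY PI-HOLE INSTALL/UPDATE PROCEDURE.        #
###############################################################################
server.modules = ( "mod_access", "mod_setenv" )
# Add user chosen options held in external file
include_shell "cat external.conf 2>/dev/null"
EOF
    cat > "$d/distro.conf" <<'EOF'
server.modules = ( "mod_indexfile", "mod_access" )
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"
EOF
    cat > "$d/good-external.conf" <<'EOF'
server.modules += ( "mod_openssl" )
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/usr/local/share/ca-certificates/pi-hole.pem"   # assumed path
}
EOF
    cat > "$d/bad-external.conf" <<'EOF'
server.modules += ( "mod_openssl" )
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
}
}   # stray closing brace: lighttpd will refuse to start
EOF
    echo "$d"
}

# Stand-alone run over the constructed samples.
samples=$(make_samples)
for f in pihole.conf distro.conf; do
    echo "$f: $(classify_lighttpd_conf "$samples/$f"), external.conf belongs at $(external_conf_location "$samples/$f")"
done
for f in good-external.conf bad-external.conf; do
    if check_braces "$samples/$f"; then echo "$f: braces balanced"; else echo "$f: braces UNBALANCED"; fi
done
rm -rf "$samples"
```

On a real box, run `external_conf_location /etc/lighttpd/lighttpd.conf` to see which include rule is in force; if it answers "unknown", the file is neither Pi-hole's nor the distro default and `pihole -r` (repair) is the quickest way back to a known state.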
You are correct about the lighttpd.conf. I actually run two Pi-holes here for two separate networks. I have yet to update the other one's OS, and when I checked their two lighttpd.conf files, the one I was working on does NOT have the Pi-hole disclaimer.
I have just run
pihole -r
choosing the repair option, which has reinstated Pi-hole's lighttpd.conf. I have also moved my external.conf back into the /etc/lighttpd folder. The mods I made to get the external.conf working with the other lighttpd.conf were no longer valid, and I have modified it accordingly.
This external.conf works correctly, in that HTTPS access to the Pi-hole is working, but this thread does highlight that I am no expert, so there may be other mods/tweaks which would make this even better?
server.modules += ( "mod_openssl" )
$HTTP["host"] == "pi-hole.paradigm.local" {
    # Ensure the Pi-hole Block Page knows that this is not a blocked domain
    setenv.add-environment = ("fqdn" => "true")
    # Enable the SSL engine with a LE cert, only for this specific host
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/usr/local/share/ca-certificates/pi-hole.pem"
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference")
    }
    # Redirect HTTP to HTTPS
    $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
            url.redirect = (".*" => "https://%0$0")
        }
    }
}