The issue I am facing:
Hi there,
I'm trying to set up Pi-Hole as a subdomain of my existing Apache installation on my Raspberry Pi. All my current Apache configurations use my existing Let's Encrypt certificates (*.domain.com & domain.com), so I only have to update 2 certificates for all my services.
I started by forwarding the lighttpd port to :4567 to use ProxyPass on my VirtualHost.
I then try to modify the external.conf file of lighttpd to allow SSL by following the tutorial in this forum. However, I only get errors because my port :443 "is already in use", but more importantly, when my configuration doesn't produce errors when restarting lighttpd, I get an error 500 "Error during SSL Handshake with remote server".
What am I doing wrong?
# /etc/apache2/sites-enabled/000-default-le-ssl.conf
<VirtualHost *:443>
ServerName pihole.domain.com
Timeout 5400
ProxyTimeout 5400
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyCheckPeerExpire Off
ProxyPass / https://localhost:4567/admin/
ProxyPassReverse / https://localhost:4567/admin/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# Let's Encrypt
SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
# /etc/lighttpd/external.conf (lighttpd.conf is unmodified)
server.port := 4567
server.modules += (
"mod_openssl"
)
# Beginning of problems
# temporary
$HTTP["host"] != "pihole.domain.com" {
url.redirect = ("" => "https://pihole.domain.com")
}
# Modified configuration from tutorial
#$HTTP["host"] == "pihole.domain.com" {
# Ensure the Pi-hole Block Page knows that this is not a blocked domain
setenv.add-environment = ("fqdn" => "true")
# Enable the SSL engine with a LE cert, only for this specific host
#$SERVER["socket"] == ":443" { # if I leave this, "443 already used", else "ssl.engine is valid only in global scope or $SERVER["socket"]
ssl.engine = "enable"
ssl.pemfile = "/etc/letsencrypt/live/domain.com/combined.pem" # combined as tutorial did
ssl.ca-file = "/etc/letsencrypt/live/domain.com/fullchain.pem"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
#}
# Redirect HTTP to HTTPS ➜ not needed as my Apache VirtualHost already handles this
#$HTTP["scheme"] == "http" {
# $HTTP["host"] =~ ".*" {
# url.redirect = (".*" => "https://%0$0")
# }
#}
#}
Details about my system: Raspberry Pi 3, latest version, lighttpd-mod-openssl installed
What I have changed since installing Pi-hole: Nothing but DNS servers and these files
Thanks!
(N.B.: Note that most of the ssl keys given by the tutorial are deprecated, a working configuration with updated keys would be amazing)
I think what goes wrong with your setup is trying to proxy https to https which could pose a security risk and fails because of how SSL/TLS works ... not sure though.
I would first default that external.conf file again so lighttpd listens default to port 80 without SSL/TLS.
If port 80 conflicts with other services, configure lighttpd to listen on that other port 4567 that you mentioned (but without SSL).
Then proxy port 80 on apache to port 80 (or 4567) for lighttpd.
If that works, try proxy port 443 (with SSL) on apache to port 80 (without SSL) from lighttpd.
I've got a similar setup where the proxy target 192.168.0.4:8080 is without SSL:
EDIT: I have no experience with that SSLProxyEngine directive.
Maybe that one does allows you to proxy https to https somehow.
EDIT2: What also is unclear to me, are apache and lighttpd running on the same host?
If so, why not entirely switch to apache and ditch lighttpd?
That would make the cert renewal easier and you only have one cert instead of two.
Thank you for your answer. What you're describing seems great, I'm gonna try it right now.
About edit 1: AFAIK it's something to handle SSL correctly, and I even think it's required for it
About edit 2: Yes, they are (I even have another service provided with nginx, I have my apache redirecting to it too). I would love to move entirely to apache, but I'm not sure how to configure my virtualhost to replicate the exact same configuration as lighttpd.
But I've had found someone who migrated this way and who disables lighttpd again after each pi-hole update, but they haven't shared their exact configuration I'm looking for. So... redirect for now.
# /etc/apache2/sites-enabled/000-default-le-ssl.conf
<VirtualHost *:443>
ServerName pihole.domain.com
# non mandatory lines
Timeout 5400
ProxyTimeout 5400
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyCheckPeerExpire Off
# end of non mandatory lines
ProxyPass / http://localhost:4567/admin/ # notice 'http' and not 'https'
ProxyPassReverse / http://localhost:4567/admin/ # same
ErrorLog ${APACHE_LOG_DIR}/error.log # both non mandatory neither
CustomLog ${APACHE_LOG_DIR}/access.log combined
# Let's Encrypt
SSLCertificateFile /etc/letsencrypt/live/pihole.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/pihole.domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
# /etc/lighttpd/external.conf
server.port := 4567 # whatever you want, just make it match with apache's virtualhost
setenv.add-environment = ( "VIRTUAL_HOST" => "pihole.domain.com" ) # very important!
So setting INSTALL_WEB_SERVER=false, makes sure that Pi-hole wont install lighttpd + PHP dependencies.
But keeping INSTALL_WEB_INTERFACE=true, makes sure the web files are installed in that /var/www/html/admin/ folder that can be used as a DocumentRoot for a VirtualHost in apache2.
Below the PHP web dependencies that are also needed for apache2:
And the www-data user, under which apache2 runs, needs to be a member of the pihole group to be able to write to certain locations.
With below you can check
pi@ph5b:~ $ groups www-data
www-data : www-data pihole
And below can be used if you want to add the www-datauser to the piholegroup: