It would be nice to see a setting in web to always enable HTTPS.
This way, if you have set up an SSL, it would always redirect to HTTPS.
I believe you can edit the pihole.toml settings, under all settings in the web interface, to set port to "80r,[::]:80r,443s,[::]:443s" for example. (Or directly edit pihole.toml to port = "80r,[::]:80r,443s,[::]:443s")
The r stands for redirect.
I've done that, but it redirects to the IP of my server, not the domain, despite it being set in webserver.domain
?
What does `curl -vL <your fqdn>` show?
DL6ER
November 19, 2023, 8:37am
Please try FTL from custom branch tweak/auth_domain using `pihole checkout ftl tweak/auth_domain`
The name is a bit misleading, but it seems they have already recognized this themselves:
edit Connected PR
pi-hole:development-v6
← pi-hole:tweak/auth_domain
opened 10:29AM - 19 Nov 23 UTC
# What does this implement/fix?
Set `authentication_domain` to `webserver.domain` (defaulting to `pi.hole`). Even when [the CivetWeb documentation](https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md) says:
> authentication_domain `mydomain.com`
>
> Authorization realm used for HTTP digest authentication. This domain is used in the encoding of the `.htpasswd` authorization files as well. Changing the domain retroactively will render the existing passwords useless.
it is actually much more. This is apparently also known to the CivetWeb authors, even when they did not do anything about it (yet):
https://github.com/pi-hole/FTL/blob/17716ef51a54384a21afc88562e271162575961a/src/webserver/civetweb/civetweb.c#L21382-L21384
When this property is not set, CivetWeb rewrites redirections to use absolute URLs based on the IP address the query received on. This typically means that addresses like `http://pi.hole/admin` are redirected to, e.g., `https://[1234:3456::7890]/admin` when port 80 is configured to redirect to TLS (`webserver.port = 80r,443s`).
This PR adds two related changes:
1. Make sure the webserver is restarted when `webserver.domain` is changed - this will also ensure that the TLS certificate is re-read and re-checked if it matches the new domain.
2. Revert a previously added Pi-hole patch to Civetweb where we found that redirecting to slash URIs (e.g., `https://pi.hole/admin -> https://pi.hole/admin/`) did not work and did a similar redirection to the IP address instead. It is not needed any longer.
---
**Related issue or feature (if applicable):** N/A
**Pull request in [docs](https://github.com/pi-hole/docs) with documentation (if applicable):** N/A
---
**By submitting this pull request, I confirm the following:**
1. I have read and understood the [contributors guide](https://docs.pi-hole.net/guides/github/contributing/), as well as this entire template. I understand which branch to base my commits and Pull Requests against.
3. I have commented my proposed changes within the code.
4. I am willing to help maintain this change if there are issues with it later.
5. It is compatible with the [EUPL 1.2 license](https://opensource.org/licenses/EUPL-1.1)
6. I have squashed any insignificant commits. ([`git rebase`](http://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html))
## Checklist:
- [x] The code change is tested and works locally.
- [x] I based my code and PRs against the repositories `developmental` branch.
- [x] I [signed off](https://docs.pi-hole.net/guides/github/how-to-signoff/) all commits. Pi-hole enforces the [DCO](https://docs.pi-hole.net/guides/github/dco/) for all contributions
- [x] I [signed](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits) all my commits. Pi-hole requires signatures to verify authorship
- [x] I have read the above and my PR is ready for review.
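An added example, not part of the thread or of the Pi-hole/CivetWeb code: a check on the response head returned by something like `curl -sI http://<your fqdn>/admin`, classifying whether the port-80 redirect points at the configured `webserver.domain` or at an IP literal as the PR text describes. The sample responses are constructed, and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample response heads (not captured from a real Pi-hole).
BAD = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://[1234:3456::7890]/admin\r\n"
    "Content-Length: 0\r\n\r\n"
)
GOOD = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://pi.hole/admin\r\n"
    "Content-Length: 0\r\n\r\n"
)


def location_of(raw_headers):
    """Return the Location header value of a raw HTTP response head, or None."""
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        if not line.strip():                   # blank line ends the headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None


def check_redirect(raw_headers, expected_host):
    """Classify the redirect: 'ok', or the reason it is not what was configured."""
    location = location_of(raw_headers)
    if location is None:
        return "no-redirect"
    url = urlsplit(location)
    if url.scheme != "https":
        return "not-https"                     # relative or plain-HTTP target
    host = (url.hostname or "").lower()        # hostname strips IPv6 brackets
    try:
        ipaddress.ip_address(host)
        return "ip-literal"                    # the behaviour described in the PR
    except ValueError:
        pass
    return "ok" if host == expected_host.lower() else "wrong-host"


if __name__ == "__main__":
    for label, head in (("before", BAD), ("after", GOOD)):
        print(label, check_redirect(head, "pi.hole"))
```
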
This works now! Thanks. Would be good to have this as a setting though that’s easily able to turn off/on.
DL6ER
November 22, 2023, 9:33pm
Since you have full control about the ports string, I am not sure right now how we'd add such a setting without adding a possible conflict between these two settings... Any ideas are welcomed and will be discussed!