Web admin not accessible through https && Wireguard

inuit-lang · October 7, 2021, 8:41pm

Hello everyone !

The web admin page of my pihole runs on lighttpd on ports 8080 and 1080 (https) which are not NATed to prevent unauthorized access.

I"ve also set up a wireguard server that lets me connect my phone to pihole, it works fine.

I want to be able to access the web admin page from my phone trough the Wireguard VPN, I have so to type directly the virtual wireguard IP adress instead of the domain name (which would lead to public IP adress) but I receive a "Failed to establish secure connection".

t seems that lighttpd takes offense to not being able to match the ssl certificate to the corresponding domain name and won't let me make an exception, by temporary disabling the ssl config I could get access to the page.

I want to be able to ask my browser to make a security exception after manually verifying the certificate to have the page in HTTPS.

Debug token : https://tricorder.pi-hole.net/Cs4m79PD/

Thanks for your help !

jfb · October 7, 2021, 11:38pm

How have you configured your lighttpd instance running in Pi-hole to answer https traffic. By default, the Pi-hole webserver works only with http.

inuit-lang · October 8, 2021, 10:53am

I followed instructions of this topic: Enabling HTTPS for your Pi-hole Web Interface

So my /etc/lighttpd/external.conf is configured as well:

$HTTP["host"] == "domain.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
    setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":1080" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/domain.com/combined.pem"
    ssl.ca-file =  "/etc/letsencrypt/live/domain.com/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"       
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

I also moved the document root folder to /var/www/pihole/admin because I discovered that it was accessible to apache.

system · October 29, 2021, 10:53am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.