PiHole is a great tool for blocking ads across an entire network. However, the web-based administration panel defaults to connecting to HTTP over port 80. As a network engineer, it has always bothered me that I had to pass a password into the pi-hole I've always had it on my list to update Pi-hole to use HTTPS and I could not find any documentation.
Disclaimer: configure to meet your own baseline for security standards, the examples given are generic.
Prerequisites
- Raspberry Pi
- Pi-hole installed
- Backup of your configuration
Instructions
1. Create the SSL Cert:
a. Create the self signed certificate:
openssl req -new -x509 -keyout pihole.pem -out pihole.pem -days 365 -nodes b. Change permissions to read-only:
chmod 400 pihole.pem 2. Configure Lighttpd
a. Create and move cert into Lighttpd:
sudo mkdir /etc/lighttpd/certs mv pihole.pem /etc/lighttpd/certs/pihole.pem b. Configure Lighttpd to accept HTTPS requests: sudo vim /etc/lighttpd/external.conf
An example configuration would be for my Pi-hole DNS address at pihole.example.com:
$HTTP["host"] == "pihole.example.com" { # Ensure the Pi-hole Block Page knows that this is not a blocked domain setenv.add-environment = ("fqdn" => "true") # Enable the SSL engine with a LE cert, only for this specific host $SERVER["socket"] == ":443" { ssl.engine = "enable" ssl.pemfile = "/etc/lighttpd/certs/pihole.pem" #Location of PEM file. ssl.use-sslv2 = "disable" ssl.use-sslv3 = "disable" } # Redirect HTTP to HTTPS $HTTP["scheme"] == "http" { $HTTP["host"] =~ ".*" { url.redirect = (".*" => "https://%0$0") } } } 3. Restart Lighttpd
a. Run the command sudo systemctl restart lighttpd to restart Lighttpd.
4. Test the configuration
b. Log into your Pi-hole: https://pihole.example.com
Top comments (1)
To further enhance security you could issue the the certificate from a private PKI such as HashiCorp Vault developer.hashicorp.com/vault/tuto...
Vault is a tiny appliance which can be installed on many OSs or run as a container and is free for up to 25 secrets.