DEV Community

Cover image for Adding TLS to Pi-hole

Posted on

Adding TLS to Pi-hole

PiHole is a great tool for blocking ads across an entire network. However, the web-based administration panel defaults to connecting to HTTP over port 80. As a network engineer, it has always bothered me that I had to pass a password into the pi-hole I've always had it on my list to update Pi-hole to use HTTPS and I could not find any documentation.

Disclaimer: configure to meet your own baseline for security standards, the examples given are generic.


  1. Raspberry Pi
  2. Pi-hole installed
  3. Backup of your configuration


1. Create the SSL Cert:

a. Create the self signed certificate:

openssl req -new -x509 -keyout pihole.pem -out pihole.pem -days 365 -nodes
Enter fullscreen mode Exit fullscreen mode

b. Change permissions to read-only:

chmod 400 pihole.pem
Enter fullscreen mode Exit fullscreen mode

2. Configure Lighttpd

a. Create and move cert into Lighttpd:

sudo mkdir /etc/lighttpd/certs
mv pihole.pem /etc/lighttpd/certs/pihole.pem
Enter fullscreen mode Exit fullscreen mode

b. Configure Lighttpd to accept HTTPS requests: sudo vim /etc/lighttpd/external.conf

An example configuration would be for my Pi-hole DNS address at

$HTTP["host"] == "" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/pihole.pem" #Location of PEM file.
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"       

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
Enter fullscreen mode Exit fullscreen mode

3. Restart Lighttpd

a. Run the command sudo systemctl restart lighttpd to restart Lighttpd.

4. Test the configuration

b. Log into your Pi-hole:

Top comments (0)