NetWeaver Logo

Add https to Pi-hole with caddy

Phil
Open Source, Security, Tech
No Comments

We’re huge fans of Pi-hole – mainly for it’s blocking of trackers.  I previously published a guide on installing a LetsEncrypt certificate to the standard Lighttpd server to enable access over https.  For our use, I’ve now replaced this with the wonderful Caddy server and would recommend this method.

For this guide, I’ll assume you have a standard, running, install of Pi-Hole on CentOS 7 or 8.

Edit Lighttpd Configuration

Open up the configuration in your favourite editor (nano for me):

[user@server ~] sudo nano /etc/lighttpd/lighttpd.conf

Find the following line:

server.port                 = 80

And alter the port number to 1080

server.port                 = 1080

CTRL+O to save, and CTRL+X to exit.

Restart Lighttpd server:

[user@server ~] sudo systemctl restart lighttpd

Install Caddy

The version on EPEL is quite old, so we’ll download the binary from the caddy website.

[user@server ~] curl -OL "https://github.com/caddyserver/caddy/releases/download/v2.1.1/caddy_2.1.1_linux_amd64.tar.gz"

Decompress the file

[user@server ~] tar xpf caddy_2.1.1_linux_amd64.tar.gz

Move the file:

[user@server ~] sudo mv caddy /usr/bin/

Test it’s correctly installed:

[user@server ~] caddy version

Add a user and group:

[user@server ~] sudo groupadd --system caddy
[user@server ~] sudo useradd --system --gid caddy --create-home --home-dir /var/lib/caddy --shell /usr/sbin/nologin --comment "Caddy web server" caddy

Configuration

Create a system config:

[user@server ~] sudo nano /etc/systemd/system/caddy.service

and add the contents of this file: https://raw.githubusercontent.com/caddyserver/dist/master/init/caddy.service

CTRL+O to save, and CTRL+X to exit.

Now we need to create our Caddyfile

[user@server ~] sudo mkdir /etc/caddy
[user@server ~] sudo nano /etc/caddy/Caddyfile

Enter the following (replacing with your own hostname):

hostname.ext
reverse_proxy localhost:1080

CTRL+O to save, and CTRL+X to exit.

Set Caddy to load at reboot and start it up:

[user@server ~] sudo systemctl daemon-reload 
[user@server ~] sudo systemctl enable caddy 
[user@server ~] sudo systemctl start caddy

You should now be able to access your pi-hole over https – caddy automatically installs a LetsEncrypt certificate and renews it when required.

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Menu