Discussion: lighttpd.conf configuration
So, I wanted to get some feedback here.
- Any changes that we're recommending people to make to /etc/lighttpd/lighttpd.conf should really be changed to /etc/lighttpd/external.conf (per the comments from the PiHole team in the lighttpd.conf). This will make them persist through PiHole upgrades.
- I've been playing around with some options tonight. Not that I don't like seeing the PiPass page all over the place, but having it in place of ads on a page isn't particularly helpful/useful. I still want the PiPass page when I go to a page, but not in the ad sections. So I worked out this addition to /etc/lighttpd/external.conf which seems to be accomplishing this:
    setenv.add-response-header = (
        # modern browsers: forbid embedding this page in any frame
        "Content-Security-Policy" => "frame-ancestors 'none'",
        # legacy equivalent; the header takes exactly one value, DENY or SAMEORIGIN
        "X-Frame-Options" => "DENY",
        # stop browsers guessing a different MIME type for the response
        "X-Content-Type-Options" => "nosniff"
    )
I'd like to get some feedback from people about this. Some of these may be a bit of overkill... still needs refining.
- What issues is anyone having by just using:
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"
    }
in /etc/lighttpd/external.conf after creating the ssl file with:
    cd /etc/lighttpd/certs
    openssl req -new -x509 -keyout lighttpd.pem -out lighttpd.pem -days 365 -nodes
    chmod 400 lighttpd.pem
For me, this appears to be working but I haven't really tested heavily.
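The headers posted above can be checked offline before they go into external.conf. The following is an added example (not code from this thread or from PiPass) that takes a dict of response headers, as one might copy from a browser's network tab or from curl -I, and reports whether framing is actually forbidden; it flags the two-token X-Frame-Options value as invalid (browsers ignore it, so only the CSP directive does the work) and also handles frame-ancestors lists that allow specific origins. Sample headers are constructed inline.

```python
# Valid X-Frame-Options values (RFC 7034). The obsolete ALLOW-FROM form is
# ignored by current browsers, so anything else is reported as ineffective.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_csp(value):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_anti_framing(headers):
    """Report whether a response's headers forbid embedding it in a frame.

    headers: mapping of header name -> value; names are matched case-insensitively.
    Returns {"framing_blocked": bool, "blocked_by": [...], "findings": [...]}.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings, blocked_by = [], []

    xfo = lower.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    else:
        token = xfo.strip().upper()
        if token in VALID_XFO:
            blocked_by.append(f"X-Frame-Options {token}")
        else:
            # e.g. "DENY SAMEORIGIN": two tokens is not a valid value, browsers drop it
            findings.append(f"X-Frame-Options value {xfo!r} is invalid and will be ignored")

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        sources = parse_csp(csp).get("frame-ancestors")
        if sources is None:
            findings.append("CSP has no frame-ancestors directive")
        elif [s.lower() for s in sources] == ["'none'"]:
            blocked_by.append("CSP frame-ancestors 'none'")
        else:
            findings.append(f"CSP frame-ancestors allows {' '.join(sources)}")

    return {"framing_blocked": bool(blocked_by), "blocked_by": blocked_by, "findings": findings}


# Constructed sample: the header set as posted in this thread.
POSTED_HEADERS = {"Content-Security-Policy": "frame-ancestors 'none'",
                  "X-Frame-Options": "DENY SAMEORIGIN",
                  "X-Content-Type-Options": "nosniff"}
```

Running `check_anti_framing(POSTED_HEADERS)` shows framing blocked by the CSP alone, with a finding that the X-Frame-Options value is ignored; changing it to "DENY" clears the finding.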
@yoinx good point. Using /etc/lighttpd/external.conf is definitely better than /etc/lighttpd/lighttpd.conf. I've already had lighttpd.conf overwritten once while updating PiHole. @roenw I think it would be good to address that in the README.
Speaking of your second point, I need to say that I haven't experienced "seeing the PiPass page all over the place" yet. That being said, it is also true that I am not visiting a lot of websites with huge amounts of ads...
Now about SSL certificates... I've followed the cibercity tutorial the first time I was setting this up and it worked well.
Now I've generated the certificate using your instructions and it works fine for now.
Any ideas on how to test it heavily? I have around 20 machines on my network and I'll see if anyone will complain about something not working... Otherwise I don't know how to test it...
Oh, also. Because the certificate is self-signed you have to always accept the "security risk" before proceeding to blockpage. I've found a way around this in Firefox but... Any ideas on how to solve this?
We will address this in a future update, likely 1.3.6 or 1.4. I've added it to the To-Do board as a high-priority issue.
Updating existing users to this might take some effort, though.