I recently got Pi-hole configured on my Raspberry Pi 3 to block ads on my home network. So far the Pi-hole has worked great and the number of ads it has blocked is impressive. I have about 13 devices that all connect wirelessly to my home network, including several TVs, and it’s blocking several thousand ads per day, with a significant bandwidth savings to boot.
There is an admin page where you can view all these interesting stats (http://[pi-hole-IP-address]/admin). There is one problem with this page though – it’s not password protected, so anyone that knows the IP address of your Pi-hole (AKA, anyone who can connect and view their client’s IP info) and also knows it’s a Pi-hole and the admin page is /admin can reach it.
In addition, in the “/admin” page is a section called “Query Log”, and as the name indicates, it’s a log of all the DNS lookups performed for devices on your network. While I don’t particularly have anything to hide, it’s also not information I want freely available for anyone to review either.
This post will detail how to configure authentication on the Pi-hole admin page. One of the Pi-hole developers (Jacob Salmela) has a pretty detailed set of instructions on how to enable this (kudos for the info), but I found that with my Linux/Pi-hole newbness, there were some gaps I had to fill in, and figured maybe someone else will find this useful as well.
- Open an SSH session to your Raspberry Pi. The first step in this process is to create the hidden directory that will hold the password file. The password stored in that file will be hashed in a later step. Enter the command “sudo mkdir /etc/lighttpd/.htpasswd”.
- Change to the hidden directory by entering the command “cd /etc/lighttpd/.htpasswd”.
- This step creates a script that will hash a user’s password. Enter the command “sudo touch [filename.sh]”. Then, enter the command “ls” to verify the script exists in the directory. I called my file “hashme.sh”.
- Now, we will need to add the following content into the script file by entering the command “sudo nano hashme.sh” to modify it in nano (text editor).
user=$1; realm=$2; pass=$3   # arguments: username, realm, password
hash=`echo -n "$user:$realm:$pass" | md5sum | cut -b -32`; echo "$user:$realm:$hash"
After you’ve pasted in the script content, enter “Ctrl+X”, then “Y” to save the changes, then hit “Enter” to accept the “File Name to Write”.
- Now we need to make the file executable by entering the command “sudo chmod 755 [filename.sh]”.
- In this step we will run the script with three arguments (user, realm, password) which will then get hashed. Enter the command “sudo ./[filename.sh] ‘[username]’ ‘[realm]’ ‘[password]’”. The output will look something like “username:realm:[string of numbers and letters]”. Copy the output to your text editor of choice (outside of the SSH session) as we will need it in the next step.
- Now we will create the password file. You will paste the output of the previous command into nano after issuing this command “sudo nano /etc/lighttpd/.htpasswd/lighttpd-htdigest.user”.
Once you’ve pasted in the output from the previous step, enter “Ctrl+X”, then enter “Y” to save the changes, and then “Enter” to accept the file name to write to.
- I found the next couple of steps to be a bit hard to understand in the developer’s blog post (mainly, where exactly the code had to be inserted). It took a few tries to get it right, so I recommend backing up the lighttpd.conf file prior to making any changes – it makes recovering from a problem easy. Because we are still in the “hidden” .htpasswd directory, enter the command “cd ..” to go up one directory. First, we will back up the lighttpd.conf file by entering the command “sudo cp lighttpd.conf lighttpd.conf.bak”.
Then enter the command “ls” to verify the backup file exists.
If you need to roll back the changes made to the lighttpd.conf file, just enter the command “sudo cp lighttpd.conf.bak lighttpd.conf” and the unmodified file will be restored.
- Now that we’ve made our backup of the lighttpd.conf file, it’s time to modify the original. Enter the command “sudo nano /etc/lighttpd/lighttpd.conf”. The highlighted section below is where we will be pasting in the additional content. Hit “Enter” at the arrow.
Copy the following text and place it in the blank space created by your “Enter” key strikes:
auth.backend = "htdigest"
auth.backend.htdigest.userfile = "/etc/lighttpd/.htpasswd/lighttpd-htdigest.user"
auth.require = ( "/path/to/protect/" =>
  (
    "method" => "digest",
    "realm" => "myrealm",
    "require" => "valid-user"
  )
)
Change the “auth.require = ( "/path/to/protect/" =>” field to “auth.require = ( "/admin/" =>”. The “realm” value here must be the same realm you passed to the hash script.
Then hit “Ctrl + X”, then “Y”, then “enter” to save the changes.
- Now we need to restart the lighttpd service by entering the command “sudo service lighttpd restart”.
- If your changes to lighttpd.conf were successful, you should receive no errors and go right back to the command prompt.
- Now, you need to go to your admin page and see if you are prompted for credentials. If you’re currently logged into the admin page, hit “Ctrl + F5” or try opening the page in a private/incognito window. Enter the username and password configured in the previous step, and you should log right into the admin page.