Configuration of HTTPS for DoH and Rest API

Peter Dave Hello edited this page Apr 2, 2022 · 5 revisions

If blocky is reachable from the internet, you should configure HTTPS for its HTTP endpoints (REST API, Prometheus, ...). For DNS over HTTPS (DoH), encryption is mandatory.

Docker

For a Docker setup, it is recommended to use a reverse proxy (Traefik, Caddy, Nginx, ...) to manage and renew the certificates.

Example: Manual setup for Let's Encrypt and DuckDNS

This example shows how to generate a Let's Encrypt wildcard certificate for a free DuckDNS domain (DNS challenge) and how to configure blocky to use it.

  • register a domain at DuckDNS and get your token
  • install Lego
  • set the environment variable DUCKDNS_TOKEN to your token: DUCKDNS_TOKEN=1df927c4-CENSORED
  • execute lego --domains '*.DOMAIN.duckdns.org' --email [email protected] --dns duckdns -a run
  • copy the generated fullchain.pem and privkey.pem (typically from .lego/certificates) into blocky's directory and adjust the permissions (the user blocky runs as needs read permission)
  • enable HTTPS by setting httpsPort: 443 in config.yml
  • enable DNS over TLS by setting tlsPort: 853
  • set the paths to the certificate and the private key in config.yml
    • certFile: yourfile.crt
    • keyFile: yourfile.key
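As an added example (not from the blocky wiki or the blocky project), the copy-and-permissions step above written as a POSIX shell hook that can be passed to lego renew --run-hook, so a renewed certificate is installed into blocky's directory automatically with the private key kept unreadable for other users. BLOCKY_DIR, BLOCKY_USER and the function names are assumptions; LEGO_CERT_PATH and LEGO_CERT_KEY_PATH are the variables lego exports to hook scripts.

```shell
#!/bin/sh
# Added example, not blocky's or lego's own code.
# Installs the certificate chain and private key produced by lego into
# blocky's directory as fullchain.pem / privkey.pem, with least-privilege
# permissions, and can be used as a `lego ... renew --run-hook` script.
# Assumptions: BLOCKY_DIR and BLOCKY_USER are hypothetical names;
# LEGO_CERT_PATH / LEGO_CERT_KEY_PATH are set by lego when it runs the hook.

# install_cert SRC_CERT SRC_KEY DEST_DIR [OWNER]
# Copies both files atomically (write .tmp, then rename) so blocky never
# reads a half-written certificate or key during a renewal.
install_cert() {
    src_cert=$1; src_key=$2; dest=$3; owner=${4:-}
    if [ ! -f "$src_cert" ] || [ ! -f "$src_key" ]; then
        echo "install_cert: missing source certificate or key" >&2
        return 1
    fi
    mkdir -p "$dest"
    cp "$src_cert" "$dest/fullchain.pem.tmp"
    cp "$src_key"  "$dest/privkey.pem.tmp"
    chmod 644 "$dest/fullchain.pem.tmp"   # the certificate chain is public
    chmod 640 "$dest/privkey.pem.tmp"     # key: owner and group only, never "others"
    if [ -n "$owner" ]; then
        # OWNER is the user (or user:group) blocky runs as, so it can read both files
        chown "$owner" "$dest/fullchain.pem.tmp" "$dest/privkey.pem.tmp"
    fi
    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
}

# check_key_perms FILE: succeeds only if the private key is NOT world-readable
# (-perm -004 matches files whose "others read" bit is set).
check_key_perms() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm -004)" ]
}

# When lego runs this script as a renew hook, install the renewed files.
# Restart blocky afterwards so it loads the new certificate.
if [ -n "${LEGO_CERT_PATH:-}" ] && [ -n "${LEGO_CERT_KEY_PATH:-}" ]; then
    install_cert "$LEGO_CERT_PATH" "$LEGO_CERT_KEY_PATH" \
        "${BLOCKY_DIR:-/etc/blocky}" "${BLOCKY_USER:-}"
    check_key_perms "${BLOCKY_DIR:-/etc/blocky}/privkey.pem"
fi
```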