
Configuration of HTTPS for DoH and Rest API

Dimitri Herzog edited this page May 23, 2020 · 5 revisions

If blocky is reachable from the internet, you should configure HTTPS for its HTTP endpoints (REST API, Prometheus metrics, ...). For DNS over HTTPS (DoH), encryption is mandatory.

Docker

For a Docker setup it is recommended to put a reverse proxy (Traefik, Caddy, Nginx, ...) in front of blocky and let it manage and renew the certificates.

Example: Manual setup for Let's encrypt and DuckDNS

This example shows how to obtain a Let's Encrypt certificate for a free DuckDNS domain (using the DNS challenge) and use it with blocky.

  • register a domain at DuckDNS
  • install certbot
  • execute sudo certbot certonly --manual --preferred-challenges=dns
  • answer all questions; when certbot asks you to set the TXT record, request (for example with curl) https://www.duckdns.org/update?domains={DOMAIN}&token={TOKEN}&txt={RECORD}&verbose=true
    • replace {DOMAIN} with your DuckDNS domain
    • replace {TOKEN} with your DuckDNS token
    • replace {RECORD} with the TXT record value shown by certbot
  • copy the generated fullchain.pem and privkey.pem into blocky's directory and adjust permissions (the user blocky runs as needs read permission on both files)
  • enable HTTPS by setting httpsPort: 443 in config.yml
  • set the paths to the certificate and the private key in config.yml
    • httpsCertFile: fullchain.pem
    • httpsKeyFile: privkey.pem
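The manual steps above have to be repeated by hand at every renewal. As an added example (not part of the blocky project or this wiki page), the same DuckDNS TXT update can be wrapped in a certbot --manual-auth-hook script, so that certbot renew works unattended. It relies on certbot's real CERTBOT_DOMAIN and CERTBOT_VALIDATION environment variables and on the DuckDNS update URL from the steps above; the DUCKDNS_TOKEN variable, the script name and the 60 second propagation wait are this example's own assumptions.

```shell
#!/usr/bin/env bash
# duckdns-auth-hook.sh: certbot --manual-auth-hook for the DuckDNS DNS-01 challenge.
# Constructed example, not part of the blocky project or this wiki page.
# Assumptions: DUCKDNS_TOKEN is exported by the caller; certbot exports
# CERTBOT_DOMAIN (the name being validated) and CERTBOT_VALIDATION (the TXT value).
set -eu

# DuckDNS's update API takes the subname; strip a trailing ".duckdns.org"
# so the hook works whether certbot hands over the full or the short name.
duckdns_subdomain() {
  printf '%s' "${1%.duckdns.org}"
}

# Build the same update URL the wiki describes:
# $1 = DuckDNS subdomain, $2 = DuckDNS token, $3 = TXT record value.
duckdns_update_url() {
  printf 'https://www.duckdns.org/update?domains=%s&token=%s&txt=%s&verbose=true' "$1" "$2" "$3"
}

# Publish the TXT record for the current certbot challenge and wait for it to propagate.
publish_txt() {
  url="$(duckdns_update_url "$(duckdns_subdomain "$CERTBOT_DOMAIN")" "$DUCKDNS_TOKEN" "$CERTBOT_VALIDATION")"
  # DuckDNS answers "OK" when the record was set; treat anything else as failure
  # so certbot aborts instead of running into a validation error later.
  resp="$(curl -fsS "$url")"
  case "$resp" in
    OK*) ;;
    *) echo "DuckDNS update failed: $resp" >&2; return 1 ;;
  esac
  # Assumed propagation delay before Let's Encrypt queries the record.
  sleep 60
}

# Only act when invoked by certbot (CERTBOT_DOMAIN set); sourcing the file for
# its helper functions does nothing.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  publish_txt
fi
```

Usage: export DUCKDNS_TOKEN, make the script executable, then run sudo certbot certonly --manual --preferred-challenges=dns --manual-auth-hook /path/to/duckdns-auth-hook.sh -d yourname.duckdns.org (use sudo -E or a systemd environment file so the token reaches the hook). Certbot records the hook in the renewal configuration, so a later certbot renew re-runs it without prompting. After renewal you still need to copy the new fullchain.pem and privkey.pem into blocky's directory (a --deploy-hook is a good place for that) and restart blocky; keep privkey.pem readable only by the user blocky runs as.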