Separate certificate & key for GUI login
AdGuard Home uses the same certificate and key for both GUI login and for DoH clients. Login credentials are also protected by BCrypt, but GUI login should be assigned its own certificate and key.
I admit I was surprised by AGH using the same cert\key for the GUI and DNS encryption but I actually can't find a security issue there. Is there a security-based reason for having different certs\keys?
I think that if you really want to use a different certificate and key, maybe you can just use NGINX or something for your Web UI; that's quite simple.
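One way to do what the reply above suggests, as an added example that is not from this thread or the AdGuard Home project: NGINX terminates TLS for the GUI with its own certificate and proxies to AGH's web interface, which is assumed to be bound to 127.0.0.1:3000 over plain HTTP (AGH's default web port); the hostname and certificate paths are placeholders.

```nginx
# Added example, not from the thread or the AdGuard Home project.
# Assumptions: the AGH web UI listens on plain HTTP at 127.0.0.1:3000
# (loopback only); the GUI certificate and key live under
# /etc/nginx/certs/ (placeholder paths); DoH in AGH keeps its own cert.
server {
    listen 443 ssl;
    server_name adguard.lan;               # placeholder hostname for the GUI

    ssl_certificate     /etc/nginx/certs/gui.crt;   # GUI-only certificate
    ssl_certificate_key /etc/nginx/certs/gui.key;   # GUI-only private key
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass         http://127.0.0.1:3000;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}

# Optional: redirect plain-HTTP GUI requests to the HTTPS listener.
server {
    listen 80;
    server_name adguard.lan;
    return 301 https://$host$request_uri;
}
```

AGH's own Encryption Settings then stay dedicated to DoH/DoT, and binding the AGH web interface to loopback keeps the GUI reachable only through the proxy.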
Or AGH can implement an option to use HTTPS exclusively for the Web GUI connection, not DoH. I think this is the best option for a local DNS server that serves only LAN clients and is not meant to allow anyone to connect to it over WAN.
I hardly think so; this is not what AdGuardHome should do, and two different certificates may confuse users :(
If you really want to use two different certificates for LAN/WAN, maybe https://github.com/AdguardTeam/AdGuardHome/discussions/4675#discussioncomment-2973755 will help you.
If NGINX is not an option and encryption must be used exclusively for AGH GUI login (never for DoH address resolution), then how should Encryption Settings in AGH be configured?
I noticed that leaving "Server name" blank in AGH Encryption Settings results in the AGH log (var\log\AdGuardHome.err) not saying that AGH is listening on the DoH port for DoH requests. If "Server name" is provided (as a name or IP), then the same log says that AGH is listening for DoH requests on the DoH port. Does that mean that leaving "Server name" blank prevents all DoH resolution on that AGH server but still allows encrypted login?