Rémy Schumm blog ingénieur

kassandra: part I: a simple web server with apache httpd

published on 15. 03. 2024 at 16:05

Since 1998, «kassandra» has been my experimental web server. The goal was to reactivate it as kassandra.schumm.ch on the Raspberry Pi I got from Matthieu - which is running at home on an old porcelain dish. Originally, I wanted to run my stuff using k3s, but I found that it was too much for this Raspberry Pi 2. So I decided to do it the old-fashioned way: with apache httpd, by hand, as a small exercise. This is my note to myself on how I did it - including automatically retrieving the SSL certificates from Let’s Encrypt - and running a Java web application in Part II of this blog post.

Components Overview

graph LR;
Internet-->DNS
DNS--A Record-->W[Wingo Router]
W--NAT-->Apache
L[Let's Encrypt]<--ACME-->W
W<--ACME-->Certbot
Certbot--Write Cert-->Apache
subgraph Raspberry Pi
Apache--Reverse Proxy-->Java
Certbot
Java-->PostgreSQL
end

The Main Components are: the Apache2 Web Server that acts both as a WebServer and a ReverseProxy, and the Java Application that does some fun stuff and is hidden behind the ReverseProxy.

Operating System

The Raspberry Pi system runs a standard Raspberry Pi OS.

Prepare the Site

For the web server content, put the HTML and PHP files in

/home/rschumm/kassandra

Apache (and PHP) Installation

To Install Apache2 and PHP, do:

apt install apache2
apt install php libapache2-mod-php

Router Configuration

How to configure the router depends heavily on your Internet provider. In my case, I use the Swisscom Box that comes with Wingo. I did the following:

on the router (http://winbox.local/#overview):

Caution: the Raspberry Pi is now exposed to the public internet and should always be kept up to date with the newest security patches. Make sure no other ports are open and no other software using these ports is running on the machine.
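
One way to check the caution above on the Pi, as an added example that is not part of the original post: list the TCP listeners and flag every one that is reachable from the network on a port other than 80 and 443 (the two ports used by the virtual hosts in kassandra.conf). The function names and the sample `ss` lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag TCP listeners that are reachable from the network but
# are not one of the ports the web server is supposed to serve.

# Constructed sample in the format of `ss -H -tln` (not captured from the Pi).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      511                *:443              *:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      244        127.0.0.1:5432       0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128            [::1]:631           [::]:*
EOF
}

# stdin: output of `ss -H -tln`; $1: space-separated list of expected ports.
# Prints "address:port" for every non-loopback listener on an unexpected port.
unexpected_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
    $1 == "LISTEN" {
        port = $4; sub(/^.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[0-9]+$/, "", addr)    # text before the port
        sub(/%.*$/, "", addr)                   # drop interface scope (%lo)
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
        if (!(port in ok)) print addr ":" port
    }'
}

sample_ss_output | unexpected_listeners "80 443"
# On the Pi itself: ss -H -tln | unexpected_listeners "80 443"
```

Anything the function prints is a service that would be exposed if its port were ever forwarded on the router; services bound to loopback, such as the PostgreSQL line in the sample, are skipped.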

DNS Configuration

At my DNS Provider, I put an A Record for kassandra.schumm.ch into the Zone File with the fixed IP I got from the step above, e.g.

kassandra.schumm.ch 300 IN A 144.1.111.111

Apache Configuration

The Configuration of apache2 is organised in the file-tree located in /etc/apache2/, in several ...-available folders, e.g.

/etc/apache2/
⎿ sites-available
⎿ conf-available
⎿ etc. 

So, to configure my kassandra-site, I created a file in

/etc/apache2/sites-available
⎿  kassandra.conf 

The content of kassandra.conf is (the SSL Stuff we will look at in the next section):


<VirtualHost *:80>
    ServerName kassandra.schumm.ch
    # DocumentRoot /home/rschumm/kassandra

    # ServerAdmin abuse@schumm.ch
    
    # Redirect all HTTP requests to HTTPS
    Redirect permanent / https://kassandra.schumm.ch/
</VirtualHost>

<VirtualHost *:443>
    ServerName kassandra.schumm.ch
    DocumentRoot /home/rschumm/kassandra

    ServerAdmin abuse@schumm.ch

    # SSL configuration
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/kassandra.schumm.ch/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/kassandra.schumm.ch/privkey.pem"

    # Other SSL configurations (e.g., protocols, ciphers, etc.) can be added here
    
    # Additional security headers and configurations can be added here

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Now, I can enable the site with the command

sudo su - 
a2ensite kassandra.conf

This creates a symbolic link in the ...-enabled sub-directory, here /etc/apache2/sites-enabled, that points to the file in sites-available.

There are several commands like this:

Finally, I restart the server with

sudo su - 
systemctl restart apache2

Logs are in /var/log/apache2/

The HTTP part of the Site should run now if you uncomment stuff in the <VirtualHost *:80> part.
Yeah!

In the next steps I will get the certificates and activate them:

Get the Certificate

To get the SSL certificates I need for the HTTPS mode of my site, I get free certificates from Let’s Encrypt, using the ACME protocol:

To automate this, I use the Certbot - though the easy-made documentation was too obfuscated for me, it’s actually very easy:

Install the bot:

sudo su - 
apt search certbot
apt-get install certbot 

Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.

Then, configure the Bot to get Certificates for kassandra:

certbot certonly --webroot -w /home/rschumm/kassandra -d kassandra.schumm.ch


Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/kassandra.schumm.ch/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/kassandra.schumm.ch/privkey.pem
This certificate expires on 2024-03-08.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
We were unable to subscribe you the EFF mailing list. You can try again later by visiting https://act.eff.org.

The Bot will place some probes in the webroot so that Let’s Encrypt can check if I actually am running this site. It will then place the certificates in the path mentioned.

These provided paths I configure in the kassandra.conf mentioned above - that’s it.

The certbot will check the certificates twice a day and put new ones if the certificates expire. There is no need to remember the expiration date. Nice, isn’t it?

The HTTPS part of the Site should run now! You can re-comment stuff in the <VirtualHost *:80> part again as above to be sure requests are always redirected to HTTPS.
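
The two placeholder comments in the `<VirtualHost *:443>` block ("Other SSL configurations", "Additional security headers") can be filled with a separate snippet in conf-available, enabled in the same way as the site. The following is an added example, not part of the original post; the file name kassandra-hardening.conf, the function names and the chosen header values are assumptions.

```sh
#!/bin/sh
# Added example: TLS and response-header settings as a conf-available snippet.
# File name and header values are assumptions, not taken from the blog post.

hardening_conf() {
    cat <<'EOF'
# mod_ssl: accept TLS 1.2 and 1.3 only, no TLS compression or session tickets
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression off
SSLSessionTickets off

# mod_headers: "always" also covers error responses
Header always set Strict-Transport-Security "max-age=31536000"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
EOF
}

install_hardening() {
    # $1: Apache configuration root (/etc/apache2 on Raspberry Pi OS)
    hardening_conf > "$1/conf-available/kassandra-hardening.conf" &&
    a2enmod ssl headers &&
    a2enconf kassandra-hardening &&
    apache2ctl configtest &&      # do not reload a configuration that fails to parse
    systemctl reload apache2
}

# Run as root with the argument "install" to apply the snippet;
# without arguments the snippet is only printed for review.
if [ "${1:-}" = "install" ]; then
    install_hardening /etc/apache2
else
    hardening_conf
fi
```

The Strict-Transport-Security header tells browsers to use HTTPS only for the given period, so it belongs on a site that, like this one, redirects all HTTP traffic to HTTPS and renews its certificate automatically.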

So, this is it.

In the next blog post I will show how to run a lightweight Java application on the Raspberry - using this apache2 as a reverse proxy and without using kubernetes.

Links

Let’s Encrypt: https://letsencrypt.org/getting-started/

uses the ACME protocol
https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment

SSL: https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

Reverse Proxy:
https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html

https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#access

Raspi-Links:
https://www.raspberrypi.com/documentation/computers/remote-access.html#setting-up-an-apache-web-server

Note: this blog reflects my personal opinion and has nothing to do with my employment as a lecturer at zhaw nor with any other employment.

