The main purpose of this post is to show the many services that you can run on a Raspberry, also I shared the links that I refer to do all the stuff and configurations.
I'm faithful believer that the things we do for ourselves, deserve recognition, maybe not public recognition of other person, but a personal one for the work that implies.
I decided to divide this post into 2 entries, one for setting up the basic web server and the part 2 setting up the other services I had. If you have already running a secure web server you can check the part two.
So where do I got with all this?
Nowadays we are in a world that our data is in a far computer of a certain provider, I don't want to seem kind of paranoid but given the risks that exist on the Internet, I prefer to have my own infrastructure that can be access any time, anywhere where I am.
Ok, ok, maybe is not going to be the best infrastructure, the most fastest, the biggest with a lot of capacity, but at least it's is going to be mine, I'm the owner of it and the best part of this is that I'm be the one who controlled it.
Why use a Raspberry?
As many of you know the Raspberry is a low-cost computer, based on ARM architecture and there's a lot of awesome projects you can do with it, domotic, maker stuff, IoT, to name a few. But In this post I'm going to focus specifically to use a Raspberry to our own server, our own cloud, our own storage device and other things that I have tried to experience.
First steps
The first thing we need to do, of course is install an OS to the Raspi, there's a lot of flavors to choose.
I choose to install the "default" flavor Raspbian, maybe you're going to said that why this, why not pure Debian (BTW I use Debian testing on my laptop XD) but that's my first choice, maybe later I'm going to put Debian on it.
Once we log in our Raspbian, we need to configure a static ip to connect vía SSH (previously install) to manage the device. We are not going to use the Raspbian graphical environment so we can disable it entering to a terminal and writing:
# systemctl set-default multi-user.target
This command is going to shut down the graphical environment and put the system into a multi-user command line.
Summarizing this section, the things we need to do are:
- Install the OS.
- Set a static IP.
- Open a terminal to disable the graphical environment.
SSH connection
We are using SSH to connect to our device. When we install SSH the default configuration is on, we can log in the device using the password authentication, but this is kind of risky, remember that the device is going to be exposed to the Internet and there are going to be some bad guys, most of the time bots trying to gain access to our device as we are going to see below.
So we are going to change the SSH configuration file and we are going to use a SSH key-based authentication to our device and use a key to access, we are going to use.
Also we can follow basic good security practices as disable root password, set the name of the user that is going to authenticate, disable de X11 forwarding.
How To Configure SSH Key-Based Authentication on a Linux Server
Summarizing this section:
- Change the SSH configuration.
- Disable the password authentication.
- Set up key-based authetication.
Setting up
So at this point nothing extraordinary is going on, only basic administration and configuration. As I said at the beginning, we need to expose the device to Internet.
In my case, I have an ISP that gives me a dynamic IP, so I need to have something that help me to connect to the Rasp when the public IP change.
To make this possible I'm using a service called NoIp that is a service that is going to help us to always have access to our device at any place we are.
NoIp is a free service that offer us a Dynamic Update Client that is a service that run on our computer and check frecuently when our IP change, so when this happen, this client detect the change and automatically update our hostname to correct the IP.
It's really easy to set up, the only thing we have to do is Sign Up (no ads, no nothing), set the hostname we want and follow the instructions to install the Dynamic Update Client in our machine.
When NoIp detect that there have been passed 30 days, they send you an email to refresh your hostname.
Opening the world to our device
Once we have configured our NoIp service on the Raspi, we need to open the door to the Internet to get exposed, we are going to do this at entering in our home router, select the IP device and set the port forwarding to have remote access.
As you can see I have set up some other ports due to the services I'm running on my Raspi. I'm going to cover all, talking about each one according to specific service.
At this point we are going to be able to access via SSH outside our network, wherever we are.
When you set up your hostname on NoIp yo see that there is a domain that point directly to your public IP. In my case is diego-go.sytes.net, if we do a ping to this address we will be able to see that is my public address (that maybe is going to change 24hrs or more).
With this on mind, let's keep on.
Summarizing this section:
- Sign up at NoIp NoIp
- Install the DUC of NoIp.
- Configure the port forwarding on our router.
- Test NoIp hostname
Setting up a web server
I know there are many web servers, light and "heavy" ones.
Maybe you are going to think why Apache, if there are others (Nginx, Lighttpd for example), but for this purpose I'm using Apache that I know and always use (have to still learn Nginx I know, don't worry :-D).
To install is going to be so easy, just type
# apt install apache2
and this is going to install our web server.
How To Install the Apache Web Server on Debian 9
For the next step, we are going to secure our web server following some of the steps that are in this page.
13 Apache Web Server Security and Hardening Tips
The things I have set up are:
- How to hide Apache Version and OS Identity from Errors.
- Disable Directory Listing.
- Disable Unnecessary Modules.
- Securing Apache with SSL Certificates.
Obviously this is open to your choice.
Securing Apache with SSL certificates
Below I'm going to explain how do I install Owncloud, that is a service to have our own storage service, similar to Dropbox, Google Drive, but this is controlled and administered by us.
To install the SSL certificates and have https in our web server I'm am going to use Let's Encrypt, that is a Certificate Authority that provides us an easy way to obtain and install certificates.
I refer to DigitalOcean blog to follow the installation of Let's Encrypt in our Raspi.
How To Secure Apache with Let's Encrypt on Debian 9
Also, you can refer to certbot website that show you step by step how to install the cert
Opening new ports
At this point we install a web server and a certificate so we need to open new ports on our homer router to reach the web server from outside, so as we do in the SSH section, we need to specify the local ip and set the ports 80 and 443 that it is going to correspond to the web service and the secure web service.
Doing this we will be able to reach our server from outside, even using https protocol.
Note: I force Apache to redirect http to https using a2enmod How to Redirect HTTP to HTTPS on Apache
Summarizing this section:
- Setting up Apache.
- Secure some aspects of the web server.
- Install certificate.
- Open new ports on home router.
Top comments (0)