Raspberry Pi webserver

Imnoexpert_2

I have had some helpful advice on here in the past which led me to get my 14 yo a Pi for Christmas. Today we got it up and running.

Son now plans to use it as awebserver to host his website on. A couple of hours has seen him set up some of the basics such that he can post text on a page that is readable if you know the IP address. I don’t think it will take him much longer, though he will make sure he knows what he is doing before going live. In truth he has left me a bit behind.

The advice I need is not about how he does this (Plenty on the web and the challenge will do him goodJ but about what I need to do to ensure that our home widows peer to peer network is not vulnerable from people able to access his site on the Pi, which is also now part of that network.

Clearly I am not the techie in the family any more so if you can keep it simple I, would appreciate it.


Thanks

John_Gray

Have you worked through the relevant Google hits?
Undoubtedly worth a look...

S0litaire

Start here :
https://projects.raspberrypi.org/en/projects/lamp-web-server-with-wordpress

onomatopoeia99

Is he planning to make the webserver accessible to the whole internet, or just in your home?

If it's just in your home then there's not a great deal to worry about as someone will have to be connected to the network in your house to hack it. If he's planning to open up port 80 on the router and foward it to the pi so the webserver is world accessible, then he should take at least some precautions. A simple one is to (as root, I don't do sudo in my house) :

apt-get install unattended-upgrades apt-listchanges

which will at least keep everything installed through apt up to date once it is configured. Wordpress sites tend to be vulnerable if they are customised and the customised bits don't get updated.

This is a page explaining configuration of the unattended upgrades package https://wiki.debian.org/UnattendedUpgrades

I am assuming the debian (raspbian) operating system is being used.

Owain_Moneysaver

Your router may have a DMZ (de-militarized zone) setting which is between the outside world and your internal network, where the webserver can be attached. It will be visible to both internal and outside, but the normal router firewall still won't allow outside to see internal.

You may also want to look at dynamic DNS which will allow the server to be accessed with an.internet.style.name rather than an IP address, as your external IP address allocated by the ISP will change. Some routers support dyynamic DNS, some don't, and for some it has to be made to work painstakingly manually.

Imnoexpert_2

Thanks guys. I will check out your suggestions.

I should have explained that whilst I have conducted the usual google searches I am not myself familiar with Linux, Pi, Networking (other than simple windows ones). I therefore struggled to do the right search, or indeed to understand the answers. This is why this forum is so helpful.

I read about dynamic dns and thought that would be the way forward but wasn’t sure how secure it would be so I am a little reassured.

D

psychic_teabag

The other way the router might do it is via port-forwarding... your router is the only computer in the house that is actually on the internet (has a public internet address).** You can configure it so that a given tcp port number (typically 80 for www) is forwarded to a particular computer within the local network (your pi). Attempts to access any other ports are ignored as usual.

In fact, this page says port forwarding can be better than using DMZ:
https://routerguide.net/when-and-how-to-setup-dmz-host-for-home-use/

It's secure provided someone can't trick the webserver on the pi into accessing another internal machine. The sort of way that might work is if the pi also mounts a windows network share onto its filesystem, and then allows external computers to access windows files that way.

A true DMZ would isolate the pi from the rest of the internal network. But that then makes it harder for you to access the pi to perform updates.

For dynamic dns, you don't need to the router to do the work.. For the ddns I'm registered with, I can just run a daily cron job on the pi to update the registered ip address - just doing a 'curl' on a particular web address gets their server to do any updates required. But since this just for my occassional use, it doesn't matter if it's not updated as soon as the ip address changes. (Which the router would be able to do.)

**EDIT: well, that's true for IPv4, for most people. IPv6 might work differently.