Rémy Schumm blog ingénieur

kassandra: part I: a simple web server with apache httpd

publiziert am 15. 03. 2024 um 16:05

Since 1998, «kassandra» is my experimental WebServer. The goal was to reactivate it as kassandra.schumm.ch on my Rapsberry Pi I got from Matthieu - which is running at home on an old porcellaine dish. Originally, I wanted to run my stuff using k3s, but I found that it was too much for this Raspberry Pi 2. So I decided to do it the old-fashioned way: with apache httpd, by hand, as a small exercise. This is my note to myself how I did it - including automatic retrieving of the SSL certificates from Let’s Encrypt - and running a Java Web Application in Part II of this Blog Post.

Components Overview

graph LR; Internet-->DNS DNS--A Record-->W[Wingo Router] W--NAT-->Apache L[Let's Entrypt]<--ACME-->W W<--ACME-->Certbot Certbot--Write Cert-->Apache subgraph Raspberry Pi Apache--Reverse Proxy-->Java Certbot Java-->PostgreSQL end

The Main Components are: the Apache2 Web Server that acts both as a WebServer and a ReverseProxy, and the Java Application that does some fun stuff and is hidden behind the ReverseProxy.

Operating System

The Raspberry Pi system runs a standart Raspberry Pi OS.

Prepare the Site

for WebServer Content, put HTML and PHP stuff in


Apache (and PHP) Installation

To Install Apache2 and PHP, do:

apt install apache2
apt install php libapache2-mod-php

Router Configuration

How to configure the router is very dependent on your Internet Provider: In my case, I use the Swisscom Box that comes with Wingo. I did following:

on the router ( http://winbox.local/#overview):

Caution: now, the Raspberry is exposed to public internet and should always be updated to the newest security patches. Make sure no other Ports are open and no other Software with these ports are running on the machine.

DNS Configuration

At my DNS Provider, I put an A Record for kassandra.schumm.ch into the Zone File with the fix IP I got from the step above, e.g.

kassandra.schumm.ch 300 IN A

Apache Configuration

The Configuration of apache2 is organised in the file-tree located in /etc/apache2/, in several ...-available folders, e.g.

⎿ sites-available
⎿ conf-available
⎿ etc. 

So, to configure my kassandra-site, I created a file in

⎿  kassandra.conf 

The content of kassandra.conf is (the SSL Stuff we will look at in the next section):

<VirtualHost *:80>
    ServerName kassandra.schumm.ch
    # DocumentRoot /home/rschumm/kassandra

    # ServerAdmin abuse@schumm.ch
    # Redirect all HTTP requests to HTTPS
    Redirect permanent / https://kassandra.schumm.ch/

<VirtualHost *:443>
    ServerName kassandra.schumm.ch
    DocumentRoot /home/rschumm/kassandra

    ServerAdmin abuse@schumm.ch

    # SSL configuration
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/kassandra.schumm.ch/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/kassandra.schumm.ch/privkey.pem"

    # Other SSL configurations (e.g., protocols, ciphers, etc.) can be added here
    # Additional security headers and configurations can be added here

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

now, I can enable the site with the command

sudo su - 
a2ensite kassandra.conf

that creates a symbolic link to the ...-enabled sub-directory, here in the directory /etc/apache2/sites-enabled that points to the file in sites-available.

There are several commands like this:

Finally, I restart the server with

sudo su - 
systemctl restart apache2

Logs are in /var/log/apache2/

The HTTP part of the Site should run now if you uncomment stuff in the <VirtualHost *:80> part.

In the next steps I will get the certificates and activate them:

Get the Certificate

To get the SSL Certificates I need for HTTPS mode of my site, I get free Certificates from Let’s Ecnrypt, using the ACME Protocoll:

To automate this, I use the Certbot - though, the easy-made documentation was too abfuscated to me, actually it’s very easy:

Install the bot:

sudo su - 
apt search certbot
apt-get install certbot 

Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.

Then, configure the Bot to get Certificates for kassandra:

certbot certonly --webroot -w /home/rschumm/kassandra -d kassandra.schumm.ch

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/kassandra.schumm.ch/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/kassandra.schumm.ch/privkey.pem
This certificate expires on 2024-03-08.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
We were unable to subscribe you the EFF mailing list. You can try again later by visiting https://act.eff.org.

The Bot will place some probes to the webroot so that Let’s Encrpyt can check if I actually am running this site. It will then place the Certificates to the path mentionned.

This provided paths I configure in the kassandra.conf mentionned above - that’s it.

The certbot will check the certificates twice a day and put new ones if the certificates expire. There is no need to remember the expiration date. Nice, isn’t it?

The HTTPS part of the Site should run now! You can re-comment stuff in the <VirtualHost *:80> part again as above to be sure requests are always redirected to HTTPS.

So, this is it.

In a next Blog Post I am showing how to run a lightweight Java-Application on the Raspberry - using this apache2 as a reverse proxy and without without using kubernetes.


Let’s Encrypt: https://letsencrypt.org/getting-started/

uses ACME protocoll

SSL: https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

Rerverse Proxy:



Hinweis: dieser Blog wiederspiegelt meine persönliche Meinung und hat nichts mit meiner Anstellung als Dozent der zhaw noch mit anderen Anstellungen zu tun.

zurück zum Seitenanfang