Web Hosting


Apache ModSecurity Whitelist Generator Script

Submitted by Sam Hobbs on

This script has been superseded by a command-line utility; please visit this page for more information.

ModSecurity is a web application firewall (WAF) for Apache. It inspects the traffic your web server sees, including request headers and GET and POST data, and can block suspicious requests. ModSecurity itself is just a rule engine; the clever part is in the rules you feed it. Many people use the Open Web Application Security Project's (OWASP) Core Rule Set (CRS), an open source set of rules that ModSecurity uses to sift the wheat from the chaff and foil common classes of attack. The CRS was written by studying known vulnerabilities and writing rules that would have prevented not only those attacks but similar ones too, so ModSecurity with the CRS gives good all-round protection for your web server. The price of that generality is false positives: some legitimate requests (a blog post containing SQL keywords, for example) will trip rules, and a whitelist of rule exclusions for the affected URLs is how you keep the protection without blocking your own users.
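As an added example (not the script from this post, nor the utility that replaced it), here is the core of what a whitelist generator does: it reads ModSecurity 2.x warnings from the Apache error log, pairs each triggered rule id with the URI it fired on, and emits per-location `SecRuleRemoveById` exclusions. The log lines, rule ids, hostnames and paths below are constructed for the example. Review every exclusion before deploying it: a rule hit on a URI is only a false positive if the request that caused it was legitimate.

```sh
#!/bin/sh
# Added example: build a per-URI ModSecurity whitelist from Apache error_log lines.
# Not the script from the post. Log lines, rule ids and hostnames are constructed.

# Constructed ModSecurity 2.x error_log entries (the format Apache writes them in).
sample_log() {
  cat <<'EOF'
[Mon Jan 05 10:00:01 2015] [error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:content. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert"] [hostname "www.example.com"] [uri "/wp-admin/post.php"] [unique_id "A1"]
[Mon Jan 05 10:00:01 2015] [error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:content. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "151"] [id "981231"] [msg "SQL Comment Sequence Detected."] [hostname "www.example.com"] [uri "/wp-admin/post.php"] [unique_id "A2"]
[Mon Jan 05 10:05:42 2015] [error] [client 198.51.100.9] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:content. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert"] [hostname "www.example.com"] [uri "/wp-admin/post.php"] [unique_id "A3"]
[Mon Jan 05 10:07:13 2015] [error] [client 198.51.100.9] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:pwd. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "201"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [hostname "www.example.com"] [uri "/wp-login.php"] [unique_id "A4"]
EOF
}

# Print "uri id" for every warning on stdin. Lines missing either field are dropped.
extract_hits() {
  sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*\[uri "\([^"]*\)"\].*/\2 \1/p'
}

# Collapse duplicate (uri, id) pairs, group by URI and emit Apache/ModSecurity config.
# LocationMatch takes a regex, so '.' in the path is escaped and the match is anchored.
gen_whitelist() {
  extract_hits | LC_ALL=C sort -u | awk '
    function flush() {
      u = uri; gsub(/\./, "\\\\.", u)
      printf "<LocationMatch \"^%s$\">\n    SecRuleRemoveById %s\n</LocationMatch>\n", u, ids
    }
    $1 != uri { if (uri != "") flush(); uri = $1; ids = $2; next }
    { ids = ids " " $2 }
    END { if (uri != "") flush() }
  '
}

# Real usage: gen_whitelist </var/log/apache2/error.log >/etc/modsecurity/whitelist.conf
# Stand-alone demo on the constructed log:
sample_log | gen_whitelist
```

The generated file is included by Apache after the CRS rules (`SecRuleRemoveById` must come after the rule it removes), and a `LocationMatch` exclusion only affects the listed URIs, so the same rule keeps firing everywhere else.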

SSL Certificate Signing with CAcert for Raspberry Pi, Ubuntu & Debian

Submitted by Sam Hobbs on

If you run your own website, email server or other services like OwnCloud at home, then you may find yourself in need of an SSL certificate. When you install Apache on Debian or Ubuntu, a self-signed "snakeoil" certificate is generated (by the ssl-cert package) that can be used to encrypt your session. However, while this certificate is useful for testing, it falls short in a couple of important ways:

  1. The snakeoil certificate has not been signed by an authority that your browser trusts, so your browser will warn that the connection is untrusted.
  2. The common name on the certificate probably doesn't match your domain name (it is set to the machine's hostname). Another browser error.
  3. Short of comparing the certificate's fingerprint by hand, you have no guarantee that you are communicating with your own server: it could easily be an imposter presenting a different self-signed certificate for the same name.

This tutorial will show you how to generate your own private key and certificate signing request (CSR), and get the certificate signed by the community-driven certificate authority CAcert. Once you have imported CAcert's root certificate into your browser or your operating system's trust store, your computer will verify the identity of the server automatically and you will enjoy error-free, encrypted connections. CAcert is free of charge. One caveat: the CAcert root is not shipped with mainstream browsers or operating systems, so anyone who has not imported it will still see the untrusted-certificate warning. That is fine for your own devices, less so for a public site.
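The following is an added example, not part of the tutorial: a local stand-in for the CAcert flow that you can run offline. A throwaway "Example Test CA" plays the role CAcert plays in the tutorial, `www.example.com` is an assumed hostname, and all files are written under a temporary directory. It walks through key and CSR generation, signing, and then the two checks a browser does once the root is imported (chain and hostname), showing that a self-signed imposter certificate and a certificate for the wrong name are both rejected, while the properly signed one is accepted. Note that the leaf certificate carries only a CN; modern browsers insist on a subjectAltName as well, which the signing CA normally adds.

```sh
#!/bin/sh
# Added example, not from the original tutorial: a local stand-in for the CAcert
# signing flow. "Example Test CA" plays the role of CAcert; hostnames are assumed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# 1. A throwaway root CA. In the real flow this is CAcert's root, which you import
#    into your browser or OS trust store instead of generating.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Server private key + CSR for a hostname. The CSR is what you hand to CAcert;
#    the key never leaves the server.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
csr_cn() { openssl req -in "$WORK/$1.csr" -noout -subject | sed 's/.*CN *= *//'; }

# 3. The CA signs the CSR and returns a certificate (CAcert does this server-side).
sign_csr() {
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

# A self-signed certificate for the same name: what the default "snakeoil" setup,
# or an imposter on the network, would present.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.self.key" -out "$WORK/$1.self.crt" 2>/dev/null
}

# What a browser with the CA imported does: verify the chain to the trusted root
# AND check that the name in the certificate matches the one the user typed.
# $1 = certificate file, $2 = hostname in the address bar.
verify_for_host() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# The manual fallback from point 3 above: compare this value out of band.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'; }

main() {
  make_ca
  make_csr www.example.com
  sign_csr www.example.com
  make_selfsigned www.example.com
  for c in www.example.com.crt www.example.com.self.crt; do
    if verify_for_host "$WORK/$c" www.example.com; then
      echo "$c: trusted for www.example.com"
    else
      echo "$c: REJECTED for www.example.com"
    fi
    echo "  sha256 $(fingerprint "$WORK/$c")"
  done
}

command -v openssl >/dev/null 2>&1 && main
```

`openssl verify` on its own only checks the chain; `-verify_hostname` adds the name check that browsers always perform, which is why a perfectly valid certificate for another host (or the hostname-named snakeoil one) still fails.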

How to Install WordPress on a Raspberry Pi

Submitted by Sam Hobbs on

This tutorial will show you how to take a vanilla Raspbian image and turn it into an HTTP server hosting one or more WordPress websites. I’ve previously written a few bits and pieces about WordPress, but I’ve never actually covered how to install it on a Raspberry Pi until now. This was one of the first things I did with my Pi, so I’m going to assume you know very little and try to be as detailed as possible. The actual WordPress bit is very quick and easy once the groundwork is done: wordpress.org has a 5 minute installation guide, but it doesn’t tell you how to do the difficult bits! This tutorial will cover everything you need, from the ground up.

Webalizer: a Free, Open Source Alternative to Google Analytics for Raspberry Pi

Submitted by Sam Hobbs on

Google Analytics is everywhere. Seriously, everywhere. So much so that Google probably has a complete record of you hopping from site to site during your normal browsing, information that happens to be both extremely valuable to them and a pretty serious invasion of your privacy.

Multiple Websites and Subdomains with SSL/TLS in Apache2: Virtualhosts

Submitted by Sam Hobbs on

Want to host more than one website on your Raspberry Pi without having to pay for multiple IP addresses? You can do this easily with Apache’s name-based VirtualHost feature. It lets someone connect to your Raspberry Pi (or other server) and be served different content depending on the Host header their browser sent with the request (for HTTPS, the server name in the TLS SNI extension). This is automatic, and the user is none the wiser: they simply type your web address into the address bar, the browser puts it in the Host header, and your server uses that to decide which website to display. Unless you tell them, they won’t know the Pi is also hosting other content.

Restrict Access to phpMyAdmin from WAN

Submitted by Sam Hobbs on

I recently installed a plugin for WordPress called “Better WP Security”. One of the features this plugin has is the ability to log all 404 errors, and temporarily or permanently block hosts that request too many non-existent pages in a short space of time. This is useful for blocking scripts that try to guess the location of your admin pages and then brute force their way in or exploit some specific vulnerability in the software. I noticed in the logs that one particular script (“w00tw00t.at.blackhats.romanian.anti-sec:)”) was checking my website to see if phpMyAdmin had been installed but the setup script not run, requesting lots of pages like “phpMyAdmin/scripts/setup.php”. This got me thinking about securing the phpMyAdmin page a little, as I had pretty much just set it up and forgotten about it. I very rarely use it, but still wanted it installed just in case. So, the best solution was to simply disable access from outside my LAN.

Beware Apache2 mod_proxy

Submitted by Sam Hobbs on

While tinkering with the settings for my site, I discovered an Apache module called mod_proxy. I was interested in it because I am running two webservers – one for www.samhobbs.co.uk and one for webmail, and I wanted to redirect traffic from one part of the site to the webmail server using ProxyPass. Unfortunately, I was over-enthusiastic in my explorations and made an error: I enabled my server to be used as an open proxy, and attracted thousands and thousands of dodgy requests from around the world. What this meant is that anyone could connect to my server and use it to visit web pages whilst concealing their true identity: the pages visited would only see my IP, not theirs.
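The three posts above (name-based VirtualHosts, restricting phpMyAdmin to the LAN, and the mod_proxy mishap) all come down to one Apache configuration file, so here is an added example, not the author's own configuration, that writes such a file and then checks it. The hostnames, document roots, the `192.168.1.0/24` LAN range and the `192.168.1.20` webmail host are assumptions. The `docroot_for_host` function mirrors how Apache picks a VirtualHost from the Host header, including the detail that an unmatched name falls through to the first block, and `audit_open_proxy` is the check that would have caught the open proxy.

```sh
#!/bin/sh
# Added example (not the author's configuration): one Apache 2.4 file that
#  - serves two hostnames from one IP with name-based VirtualHosts,
#  - limits /phpmyadmin to the LAN,
#  - reverse-proxies /webmail to a second host with forward proxying left OFF,
# plus two checks you can run against any such file.
# Hostnames, document roots and the 192.168.1.0/24 LAN range are assumptions.

write_vhost_conf() {   # $1 = path of the file to write
  cat >"$1" <<'EOF'
# Server-wide: applies whichever site the Host header selects. Debian's
# phpmyadmin package aliases /phpmyadmin globally, so the restriction goes here.
<Location "/phpmyadmin">
    Require ip 127.0.0.1 192.168.1.0/24
</Location>

# Forward proxying stays off. "ProxyRequests On" would let anyone on the
# Internet route arbitrary requests through this server (an open proxy).
ProxyRequests Off

# The FIRST VirtualHost is also the default: a request whose Host header
# matches none of the ServerName/ServerAlias entries lands here.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/example
</VirtualHost>

<VirtualHost *:80>
    ServerName blog.example.com
    DocumentRoot /var/www/blog

    # Reverse proxy only: /webmail on this name is fetched from the mail host.
    ProxyPreserveHost On
    ProxyPass        /webmail http://192.168.1.20/webmail
    ProxyPassReverse /webmail http://192.168.1.20/webmail
</VirtualHost>
# *:443 blocks look the same plus SSLEngine/SSLCertificateFile; with TLS the
# name is selected from the client's SNI extension rather than the Host header.
EOF
}

# Which DocumentRoot would Apache serve for a given Host header?
# Mirrors name-based selection (exact, first match wins) and the fall-back to
# the first VirtualHost block. Wildcard aliases are not modelled.
docroot_for_host() {   # $1 = conf file, $2 = hostname
  awk -v h="$2" '
    /^<VirtualHost/    { n++; inblk = 1 }
    /^<\/VirtualHost>/ { inblk = 0 }
    inblk && ($1 == "ServerName" || $1 == "ServerAlias") {
      for (i = 2; i <= NF; i++) if ($i == h && !hit) hit = n
    }
    inblk && $1 == "DocumentRoot" { root[n] = $2 }
    END { if (!hit) hit = 1; print root[hit] }
  ' "$1"
}

# Succeeds only if no active (uncommented) line enables forward proxying.
audit_open_proxy() {   # $1 = conf file
  ! grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On' "$1"
}

# Stand-alone demo
conf="$(mktemp)"
write_vhost_conf "$conf"
for h in blog.example.com example.com nobody.example.org; do
  echo "Host: $h -> $(docroot_for_host "$conf" "$h")"
done
audit_open_proxy "$conf" && echo "no open forward proxy in $conf"
```

On a live server the equivalent end-to-end test for the open proxy is to ask your host to fetch a third-party page, for example `curl -x http://your.server:80 http://example.org/`; a correctly configured reverse proxy returns your own site or an error, never the third-party content. The `Require ip` line should be verified the same way, once from the LAN and once from an outside address.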