Raspberry Pi Web Server Setup

Home | Miscellaneous | Pi | Web Server

Sonora Computer Repair
A subsidiary of Charles Varvayanis

Since 1990
(209) 586-3782
charles@varvayanis.com

Raspberry Pi Web Server Setup

Step-by-step instructions for setting up a simple and reliable Web Server hosting one or more websites using Apache 2 with HTTP, HTTPS, Raspberry Pi Connect, SSH, FTP, VNC, TeamViewer and a Firewall.

These procedures apply to Raspberry Pi 5, 4 or 3 with Raspberry Pi OS (64-Bit), (32-Bit) or (Legacy, 32-Bit) with or without the Web Server, HTTPS, Raspberry Pi Connect, SSH, FTP, VNC, TeamViewer and/or a Firewall.

General Notes

1. General: The procedures below are optimized for setting up a Web Server with HTTP and HTTPS hosting one or more websites on a Raspberry Pi 5, 4 or 3 with Raspberry Pi OS (64-Bit), (32-Bit) or (Legacy, 32-Bit) connected via Ethernet. Management connectivity is provided via Raspberry Pi Connect, SSH, TeamViewer, VNC and/or FTP. A firewall is included. While Ethernet connections are highly recommended for Wake on LAN Server applications, a Wi-Fi connection can be used by setting up Wi-Fi in the section below "Load the Raspberry Pi OS onto a Micro SD Card" and by substituting your Wi-Fi Connection for "Wired Connection 1" in the section below "Change the Raspberry Pi IP address and network settings using the Raspberry Pi Desktop Interface (GUI), NetworkManager User Interface (UI), or Command Line Interface (CLI)".

2. Web Server on the Internet: If the Web Server needs to be publically accessible from the Internet, the Internet connection the Raspberry Pi is connected to must have a Public IP address. Note: Certain ISPs such as Starlink do not and cannot supply Public IP Addresses on their standard Internet circuits, but can on their business Internet circuits. If a router is between the Internet and Raspberry Pi, it must be configured to pass HTTP, HTTPS, SSH, FTP and VNC traffic as appropriate from the public IP Address to the Raspberry Pi's local IP Address. A Domain Name must be owned by the end user and a Public DNS Server must be configured to have an "A" record or "CNAME" record pointing to the Public IP Address of the Raspberry Pi Web Server. Domain Names and Public DNS services can be purchased from services such as GoDaddy and alike. If the Public IP address is not Static, but is Dynamic, a DDNS service such as noip.com or alike can be employed and a CNAME record set up in the Public DNS Server using the hostname setup in the DDNS service. Alternatively, the hostname name setup in a DDNS server can be used directly as the URL for the website, forgoing the need for a Domain Name and Public DNS Server.

3. Internet access during setup: Many of the steps below assume and require the target Raspberry Pi is connected to a network with access to the Internet and a DHCP server is on the network configured for DHCP clients to access the Internet. This is the standard and/or default configuration for most networks, so in most cases nothing additional will need to be done.

4. Firewall Option: A good quality firewall ahead of the Raspberry Pi is a good practice. In cases where the Raspberry Pi is connected directly to the Internet or a public network without a firewall ahead of it, running a firewall on the Raspberry Pi is advisable. Raspberry Pi OS includes iptables, an IP packet filter, however it is disabled by default. UFW (Uncomplicated FireWall) is a firewall user interface for use with iptables. UFW together with iptables provide basic firewall features, but lack more sophisticated firewall features and protections. In the case of a good quality firewall ahead of the Raspberry Pi, it would likely be able to detect and block more sophisticated attacks than UFW together with iptables. In addition, running a firewall ahead of the Raspberry Pi and not running a firewall on the Raspberry Pi would reduce resource consumption on the Raspberry Pi. The firewall on the Raspberry Pi can be omitted by not implementing the steps in the section below: "Install UFW and configure the firewall".

5. Management Connectivity Options: Certain Management Connectivity options below can be selectively omitted by not implementing the steps in any of these sections below: "Install or update and setup Raspberry Pi Connect", "Install and configure TeamViewer", "Enable SSH", "Enable and Configure VNC" and/or "Install and configure the FTP server - VSFTP". Raspberry Pi Connect and/or SSH can be omitted while configuring the Raspberry Pi Imager in the "Load Raspberry Pi OS onto a Micro SD Card" section below. Important note about Raspberry Pi Connect and TeamViewer: Both screen sharing programs can exist on a Raspberry Pi without interfering with each other, but the Raspberry Pi Connect screen sharing program requires Wayland (Remote Graphics Support A.K.A. compositor) and TeamViewer currently uses only the older X11 (compositor). Raspberry Pi Connect Remote shell does not use the compositor and will work with either compositor in use. It is posable to switch between Wayland and X11, however a reboot may be required. Raspberry Pi Connect is recommended for typical users, while TeamViewer may be more attractive to more experienced users.

6. HTTPS Web Server Option: The steps below are for implementing a Web Server with both HTTP and HTTPS. If the need requires HTTP only and not HTTPS, the system can be simplified by omitting and not implementing the steps in the section "Setup HTTPS using Let's Encrypt Certificates and Certbot" below.

7. No Web Server Option: The steps below are for implementing a Web Server with both HTTP and HTTPS. If the need is to simply get a Raspberry Pi up and running for some other application, the system can be further simplified by omitting and not implementing the steps in the sections below: "Install and configure the Web Server - Apache 2" and "Setup HTTPS using Let's Encrypt Certificates and Certbot".

Notice about updates, upgrades and installations failing due to repository or network congestion or outages

Occasionally updates, upgrades and installations fail due to repository or network congestion or outages. Sometimes there is an appropriate message saying as such, sometimes a missing file is reported, and sometimes there is just a failure message without an explanation. When this occurs, simply run the command again. If that does not solve the issues immediately, try again later.

Raspberry Pi OS Documentation

https://www.raspberrypi.com/documentation/computers/os.html

Skip past Raspbery Pi OS and optional components setup:

Install and configure the Web Server - Apache 2

Setup HTTPS using Let's Encrypt Certificates and Certbot

Download and Install the Raspberry Pi Imager onto a Windows PC, Mac, Rapberry Pi or Linux Computer

Download the Raspberry Pi Imager

https://www.raspberrypi.com/software

Install the Raspberry Pi Imager

Run the downloaded file and follow the installation instructions.

Load the Raspberry Pi OS onto a Micro SD Card

Connect the target Micro SD Card

Connect the target Micro SD Card to a computer with the Raspberry Pi Imager installed.

Open the Raspberry Pi Imager

Select the Desired Options

APP OPTIONS | (Located near the lower left corner of the window)

Play sound when finished | Off

Eject media when finished | On

Enable anonymous statistics (telemetry) | On

Disable warnings | Off

[SAVE]

Device |

Select your Raspberry PI device |

<Your Raspberry Pi model>
Example:
Raspberry Pi 5

[NEXT]

OS |

Choose operating system |

<Select the desired operating system>
(Raspberry Pi OS, preferrably (64-bit) for this configuration)
Example:
Raspberry Pi OS (64-bit)

[NEXT]

Storage |

Select your storage Device |

Exclude system drives | Checked

<Select the target storage Device>
Example:
Generic-SD/MMC USB Device

[NEXT]

Customisation |

Hostname |

<Enter your hostname>
(This gives the Raspberry Pi a name)
Example:
Pi-0001

[NEXT]

Localisation |

Capital city:
<Select your Wi-Fi Country>
Example:
Washinton, D.C. (United States)

Time zone:
<Select your time zone>
Example:
America/Los_Angels

Keyboard layout:
<Select your keyboard layout>
Example:
us

[NEXT]

User |

Username:
<Enter your username>
(This gives the Raspberry Pi a username)
Example:
pi

Password:
<Enter your password>
(This gives the Raspberry Pi a password)
Example:
PiPassword

Confirm password:
<Re-enter your password>
(This confirms the Raspberry Pi password)
Example:
PiPassword

[NEXT]

Wi-Fi |

[SECURE NETWORK]

SSID:
<Network name>
This field can be ignored for Ethernet only installations.

Password:
<Network password>
This field can be ignored for Ethernet only installations.

Confirm password:
<Re-enter password>
This field can be ignored for Ethernet only installations.

Hidden SSID | Un-Checked

[NEXT]

Remote access |

Enable SSH | On
(Optional - See "General Notes" 5. near the top of this document)

Use password authentication | Selected

[NEXT]

Raspbery Pi Connect |

Enable Raspbery Pi Connect | On
(Optional - See "General Notes" 5. near the top of this document)

[OPEN RASPBERRY PI CONNECT]

"Sign in with Raspberry Pi ID" or "create one for free"

Create auth key and launch Raspberry Pi Imager

Go back to the "Raspberry Pi Imager" window if it did not go there automaticly

[NEXT]

Writing |

[WRITE]

You are about to ERASE all data on: Generic-SD/MMC USB Device |

[I UNDERSTAND, ERASE AND WRITE]

When the message "Write Complete" is displayed | [FINISH]

Remove the Micro SD card from the reader.

Insert the Micro SD Card into the Target Raspberry Pi

Be certain the Target Raspberry Pi is powered off.

Insert the Micro SD Card loaded with the Raspberry Pi OS into the target Raspberry Pi 5, 4 or 3. Note: It inserts up-side-down (contacts up) into the Raspberry Pi.

Power on the Raspberry Pi.

It is typical for the Raspberry Pi to reboot one to three times the first time it is powered up before it is ready for its first use. This often takes three to five minutes.

Connect to the target Raspberry Pi

Via Raspberry Pi Connect Remote shell or Raspberry Pi Connect Screen share then open a Terminal window.

https://www.raspberrypi.com/software/connect

- or -

Via a Display, Keyboard and Mouse, then open a Terminal window.

- or -

Via SSH

Determine the target Raspberry Pi IP Address:

Via Raspberry Pi Connect Remote shell or Raspberry Pi Connect Screen share then open a Terminal window.

https://www.raspberrypi.com/software/connect
sudo hostname -I
- or -

Connect directly to the target Raspberry Pi via a Display, Keyboard and Mouse, then open a Terminal window.

sudo hostname -I
- or -

Use an IP Scanner tool such as Advanced IP Scanner on a PC or alike to locate the DHCP IP Address assigned to the Raspberry Pi.

https://www.advanced-ip-scanner.com
- or -

Login to your router and examine the DHCP assignments, sometimes labeled "Connected Devices" or similar.

Use SSH via a tool such as PuTTY to connect to the Raspberry Pi.

https://putty.software/

https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

https://www.putty.org

Connect using the IP address determined above or URL of the target Raspberry Pi.

Note: The first time a connection is made, a security warning may be displayed | Yes

Update Raspberry Pi OS and Components

Download latest package lists

sudo apt-get update -y

Download and install updated listed packages

sudo apt-get upgrade -y

Update the Raspberry Pi 4 or Pi 5 EEPROM Version

Note: This tool only works with Raspberry Pi 4 or Pi 5. Raspberry Pi 3B+ and below have a ROM that can not be updated.

Check if the Raspberry Pi 4 or Pi 5 EEPROM should be updated

sudo rpi-eeprom-update -a

Update the Raspberry Pi 4 or Pi 5 EEPROM if required.

Install or update and setup Raspberry Pi Connect (Optional)

Notes:

Raspberry Pi Connect runs on Raspberry Pi OS bookworm (debian 12), trixie (debian 13) and above, older versions of Raspberry Pi OS are not supported. Raspberry Pi Connect is installed by default in newer Raspberry Pi OS bookworm (debian 12) installations, all trixie (debian 13) and above installations, but is disabled by default. However, it could have been enabled and setup during SD card setup as an option in Raspberry Pi Imager 2.0 (released in November 2025) and above. If it was enabled and setup in Raspberry Pi Imager, it sould not require being enabled and setup here. There is no danger in enabeling and seting it up it here as well.

See "General Notes" 5. near the top of this document.

Update Raspberry Pi OS and Components

Download latest package lists

sudo apt-get update -y

Download and install updated listed packages

sudo apt-get upgrade -y

Install or update Raspberry Pi Connect as required

sudo apt install rpi-connect

Setup Raspberry Pi Connect

rpi-connect signin

"rpi-connect signin" will return a message similar to:

"Complete sign in by visiting https://connect.raspberrypi.com/verify/XXXX-XXXX"

Paste or type the provided URL into a browser on any device.

"Sign in with Raspberry Pi ID" or "Create one for free"

The Raspberry Pi has been automticaly added to your account when you see the message below on the Raspberry Pi:

✓ Signed in

Connect to the target Raspberry Pi via Raspberry Pi Connect (Optional)

https://www.raspberrypi.com/software/connect

Usefull Raspberry Pi Connect Commands (Optional)

Raspberry Pi Connect Diagnostics

rpi-connect doctor

Disable Raspberry Pi Connect

rpi-connect off

Enable Raspberry Pi Connect

rpi-connect on

Install and configure TeamViewer (Optional)

See "General Notes" 5. near the top of this document.

Install TeamViewer

Update Raspberry Pi OS and Components

Download latest package lists

sudo apt-get update -y

Download and install updated listed packages

sudo apt-get upgrade -y

Download and install TeamViewer - Select one of the four configurations below:

1) TeamViewer Full Client installation with a 64-Bit OS:

Download TeamViewer

wget https://download.teamviewer.com/download/linux/teamviewer_arm64.deb

Install TeamViewer

(Errors during installation are normal and can usually be ignored.)
sudo dpkg -i teamviewer_arm64.deb

2) TeamViewer Full Client installation with a 32-Bit OS:

Download TeamViewer

wget https://download.teamviewer.com/download/linux/teamviewer_armhf.deb

Install TeamViewer

(Errors during installation are normal and can usually be ignored.)
sudo dpkg -i teamviewer_armhf.deb

3) TeamViewer Host installation with a 64-Bit OS:

Download TeamViewer

wget https://download.teamviewer.com/download/linux/teamviewer-host_arm64.deb

Install TeamViewer

(Errors during installation are normal and can usually be ignored.)
sudo dpkg -i teamviewer-host_arm64.deb

4) TeamViewer Host installation with a 32-Bit OS:

Download TeamViewer

wget https://download.teamviewer.com/download/linux/teamviewer-host_armhf.deb

Install TeamViewer

(Errors during installation are normal and can usually be ignored.)
sudo dpkg -i teamviewer-host_armhf.deb

Download and install additional OS components needed by TeamViewer

(This corrects for the errors above, if any.)
sudo apt --fix-broken install -y

Download latest package lists

sudo apt-get update -y

Update Raspberry Pi OS and Components

Download latest package lists

sudo apt-get update -y

Download and install updated listed packages

sudo apt-get upgrade -y

Configure TeamViewer

Set the TeamViewer password

sudo teamviewer passwd <DefineYourTeamViewerPassword>
Example:
sudo teamviewer passwd MyPassword

Ensure the TeamViewer service has started

sudo teamviewer --daemon start

Accept TeamViewer Licensing only, but do no additional configuration from this setup tool

sudo teamviewer setup

Are you a resident of the Republic of Korea? (y/n) | n

Accept License Agreement? (y/n) | y

Abort the TeamViewer setup at this poit by pressing Control-C (Pressing the "Control" key and "C" key at the same time).

Obtain and record the TeamViewer ID (Note: This only provides the TeamViewer ID if it is connected to the Internet)

sudo teamviewer info

The TeamViewer ID is displayed twice near the top of the TeamViewer information. Record the TeamViewer ID for you records.

Disable Wayland (Remote Graphics Support) and switch to the older X11 (Remote Graphics Support) because TeamViewer does not yet work with Wayland (Note: Wayland is not enabled on Raspberry Pi OS (Legacy) by default)

Reboot the Raspberry Pi to get TeamViewer working. Note: "sudo teamviewer --daemon restart" or "sudo systemctl restart teamviewerd" do not get TeamViewer working

sudo reboot

Since TeamViewer should now be working, a connection to the Raspberry Pi GUI should be possible via the TeamViewer client by using the TeamViewer ID of the target Raspberry Pi, obtained above.

Set TeamViewer to accept incoming LAN connections, i.e., add the additional methods of connecting to TeamViewer via IP address or URL (Optional):

Using TeamViewer from another machine, connect to the Raspberry Pi using the TeamViewer ID of the target Raspberry Pi, obtained in the section above.
- or -
Connect directly to the target Raspberry Pi via a Display, Keyboard and Mouse, then open a Terminal window.

From the Raspberry Pi GUI open TeamViewer by clicking on the TeamViewer icon in the right side of the Task Bar at the top of the Raspberry Pi desktop.

Close or cancel any windows that appear asking for Username and/or password.

Click on "Extras" in the left side of the TeamViewer Menu Bar at the top of the TeamViewer window.

Click on "Options". It opens to the "General" window.

In the "General" window, click on the "Incoming LAN connections" drop down list and select "accept".

Click on the "OK" button.

Close the TeamViewer window by clicking on the X in the upper right hand corner of the TeamViewer window.

Connect to the target Raspberry Pi via TeamViewer (Optional)

Use TeamViewer to connect to the Raspberry Pi

https://www.teamviewer.com
Connect using the TeamViewer ID, IP address or URL of the target Raspberry Pi.

Enable SSH (Optional)

Notes:

SSH is preinstalled in Raspberry Pi OS, but is disabled by default. However, it may have been enabled as an option in Raspberry Pi Imager during SD Card setup. If you are uncertain, there is no danger in enabeling it here as well.

See "General Notes" 3. near the top of this document.

Port used by SSH: 22, Type TCP

Update Raspberry Pi OS and Components

Download latest package lists

sudo apt-get update -y

Download and install updated listed packages

sudo apt-get upgrade -y

Enable SSH

Via Raspberry Pi Config

sudo raspi-config

Interface Options | SSH | Yes | OK | Finish | Yes

- or -

Via the Raspberry Pi GUI (Desktop)

Connect to the target Raspberry Pi via SSH (Optional)

Determine the target Raspberry Pi IP Address:

Via Raspberry Pi Connect Remote shell or Raspberry Pi Connect Screen share then open a Terminal window.

https://www.raspberrypi.com/software/connect
sudo hostname -I
- or -

Connect directly to the target Raspberry Pi via a Display, Keyboard and Mouse, then open a Terminal window.

sudo hostname -I
- or -

Use an IP Scanner tool such as Advanced IP Scanner on a PC or alike to locate the DHCP IP Address assigned to the Raspberry Pi.

https://www.advanced-ip-scanner.com
- or -

Login to your router and examine the DHCP assignments, sometimes labeled "Connected Devices" or similar.

Use SSH via a tool such as PuTTY to connect to the Raspberry Pi.

Enable and Configure VNC (Optional)

Notes:

VNC is preinstalled in Raspberry Pi OS, but is disabled by default.

See "General Notes" 3. near the top of this document.

Port used by VNC: 5900, Types TCP and UDP

Update Raspberry Pi OS and Components

Download latest package lists

sudo apt-get update -y

Download and install updated listed packages

sudo apt-get upgrade -y

Enable VNC and Set VNC Display Resolution

Via Raspberry Pi Config

sudo raspi-config

Interface Options | VNC | Yes | OK | Display Options | VNC Resolution | 1024x768 | OK | Finish | Yes

- or -

Via the Raspberry Pi GUI (Desktop)

Click on "Start" (Raspberry) On the left side of the Task Bar at the top of the Raspberry Pi desktop
Click on "Preferences"
Click on "Control Centre"
Click on the "Interfaces"
Click on the "VNC:" | On
Click on the "Display"
Click on the "Headless Resolution:" | "1024x768"
Click on the "Close" Button
When this is displayed: "The changes you have made require the Raspberry Pi to be rebooted to take effect. Would you like to reboot now?" | Yes

Connect to the target Raspberry Pi via VNC (Optional)

Determine the target Raspberry Pi IP Address:

Via Raspberry Pi Connect Remote shell or Raspberry Pi Connect Screen share then open a Terminal window.

https://www.raspberrypi.com/software/connect
sudo hostname -I
- or -

Connect directly to the target Raspberry Pi via a Display, Keyboard and Mouse, then open a Terminal window.

sudo hostname -I
- or -

Use an IP Scanner tool such as Advanced IP Scanner on a PC or alike to locate the DHCP IP Address assigned to the Raspberry Pi.

https://www.advanced-ip-scanner.com
- or -

Login to your router and examine the DHCP assignments, sometimes labeled "Connected Devices" or similar.

Use a tool such as RealNVC Viewer to connect to the Raspberry Pi

https://www.realvnc.com/en/connect/download/viewer (Free / Recommended)

https://www.realvnc.com/en/connect/plan/lite (Free)

https://www.realvnc.com/en/connect/download/combined (Paid)

https://www.realvnc.com

Connect using the IP address or URL of the target Raspberry Pi.

Note: The first time a connection is made, a security warning may be displayed | Continue

Install and configure the Web Server - Apache 2

Notes:

See "General Notes" 2., 6. and 7. near the top of this document.

Apache 2 manual page: https://manpages.debian.org/trixie/apache2-bin/apache2.8.en.html

Apache 2 full documentation: https://httpd.apache.org/docs

Port used by HTTP: 80, Type TCP
Port used by HTTPS: 433, Type TCP

Install the Apache 2 Web Server

Update Raspberry Pi OS and Components

Download latest package lists

sudo apt-get update -y

Download and install updated listed packages

sudo apt-get upgrade -y

Download and install Apache

sudo apt install apache2 -y

Test the Apache 2 Web Server (Optional)

Get the Apache2 version

sudo apache2ctl -v

View the Apache2 default website

Type the IP Address of the Raspberry Pi Web Server into the browser of a device connected to the same network as the Raspberry Pi Web Server. The Apache2 default website should be displayed.

Configure the Apache 2 Web Server

Set Up Virtual Hosts (Web Servers)

Apache 2 supports one or more Virtual Hosts on a single machine. In the examples below, two (2) Virtual Hosts are being setup and configured:
exampledomain1.com
exampledomain2.com

Note:

In the examples below replace exampledomain1.com and exampledomain2.com with your URLs.

Create directories to hold the website files for each of the websites to be hosted

sudo mkdir -p /var/www/exampledomain1.com/html/

sudo mkdir -p /var/www/exampledomain2.com/html/

Change the ownership for the general web directory /var/www and its contents so pages can be uploaded, downloaded and served correctly

sudo chown -R pi:pi /var/www

Change the permissions for the general web directory /var/www and its contents so pages can be uploaded, downloaded and served correctly

sudo chmod -R 755 /var/www

Create Virtual Host Configuration files for each website to be hosted by copying the Default Virtual Host Configuration file

sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/exampledomain1.com.conf

sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/exampledomain2.com.conf

Edit each of the New Virtual Host Files using either Mousepad in the Raspberry Pi GUI or nano via SSH or Terminal

Launch Mousepad from Terminal in the Raspberry Pi GUI (Desktop)

sudo mousepad /etc/apache2/sites-available/exampledomain1.com.conf

- or -

Launch nano via SSH or Terminal

sudo nano /etc/apache2/sites-available/exampledomain1.com.conf

Replace these two items:

ServerAdmin webmaster@localhost

DocumentRoot /var/www/html

With these four items:

ServerAdmin <YourEMailAddress>
Example:
ServerAdmin example@gmail.com

ServerName exampledomain1.com

ServerAlias www.exampledomain1.com

DocumentRoot /var/www/exampledomain1.com/html

Save and close mousepad

File| Save [Ctrl+S] and File | Quit [Ctrl+Q] or X out

- or -

Save and close nano

Press CTRL + X and then press y and ENTER to save changes

Launch Mousepad from Terminal in the Raspberry Pi GUI (Desktop)

sudo mousepad /etc/apache2/sites-available/exampledomain2.com.conf

- or -

Launch nano via SSH or Terminal

sudo nano /etc/apache2/sites-available/exampledomain2.com.conf

Replace these two items:

ServerAdmin webmaster@localhost

DocumentRoot /var/www/html

With these four items:

ServerAdmin <YourEMailAddress>
Example:
ServerAdmin example@gmail.com

ServerName exampledomain2.com

ServerAlias www.exampledomain2.com

DocumentRoot /var/www/exampledomain2.com/html

Save and close mousepad

File| Save [Ctrl+S] and File | Quit [Ctrl+Q] or X out

- or -

Save and close nano

Press CTRL + X and then press y and ENTER to save changes

Enable the New Virtual Hosts

sudo a2ensite exampledomain1.com.conf

sudo a2ensite exampledomain2.com.conf

Reload the Apache 2 Web Server

sudo systemctl reload apache2

Note:

If a site needs to be edited again, disable the site before editing it using the a2dissite command with a syntax similar to the a2ensite commands above, then reload the Apache 2 Web Server. After editing the site, save the changes and enable the site again using the a2ensite command as mentioned above, then reload Apache for it to get and begin using the new configuration.

Install and configure the FTP server - VSFTP (Optional)

Notes:

See "General Notes" 5. near the top of this document.

VSFTP manual page
https://manpages.debian.org/trixie/vsftpd/vsftpd.8.en.html

vsftpd.conf manual page
https://manpages.debian.org/trixie/vsftpd/vsftpd.conf.5.en.html

Port used by FTP: 21, Type TCP

Install the VSFTP FTP server

Update Raspberry Pi OS and Components

Download latest package lists

sudo apt-get update -y

Download and install updated listed packages

sudo apt-get upgrade -y

Download and install VSFTP

sudo apt install vsftpd

Configure the VSFTP FTP server

Edit the vsftpd configuration file using either Mousepad in the Raspberry Pi GUI or nano via SSH or Terminal

Launch Mousepad from Terminal in the Raspberry Pi GUI (Desktop)

sudo mousepad /etc/vsftpd.conf

- or -

Launch nano via SSH or Terminal

sudo nano /etc/vsftpd.conf

Uncomment:
#write_enable=YES
Example:
write_enable=YES

Uncomment:
#local_umask=022&
Example:
local_umask=022

Add this line to bottom of the file: local_root=/var/www

Save and close mousepad

File| Save [Ctrl+S] and File | Quit [Ctrl+Q] or X out

- or -

Save and close nano

Press CTRL + X and then press y and ENTER to save changes

Restart the VSFTP FTP server

sudo systemctl restart vsftpd

Connect to the target Raspberry Pi via FTP (Optional)

Use a tool such as FileZilla to connect to the Raspberry Pi

https://filezilla-project.org

Connect using the IP address or URL of the target Raspberry Pi.

Change the Raspberry Pi IP address and network settings using the Raspberry Pi Desktop Interface (GUI), NetworkManager User Interface (UI), or Command Line Interface (CLI)

Note: While the steps below are specific to setting the IP Address of the Ethernet Port, they can be used for setting the IP Address of a Wi-Fi connection by substituting the references to "Wired Connection 1" with your Wi-Fi Connection.

Update Raspberry Pi OS and Components

Download latest package lists

sudo apt-get update -y

Download and install updated listed packages

sudo apt-get upgrade -y

Enable NetworkManager on Raspberry Pi OS (Legacy) only. Note: NetworkManager is already enabled by default on Raspberry Pi OS (64-bit) and (32-Bit).

Enable NetworkManager

Note: The Subnetwork Mask is expressed in Slash Notation along with an IP Address in certain areas of this section.

Network Subnetwork Mask and Slash Notation Relationships

Class	Mask	Slash	Nodes
A	255.000.000.000	/8	16777214
B	255.255.000.000	/16	65534
B	255.255.128.000	/17	32766
B	255.255.192.000	/18	16382
B	255.255.224.000	/19	8190
B	255.255.240.000	/20	4094
B	255.255.248.000	/21	2046
B	255.255.252.000	/22	1022
B	255.255.254.000	/23	510
C	255.255.255.000	/24	254
C	255.255.255.128	/25	126
C	255.255.255.192	/26	62
C	255.255.255.224	/27	30
C	255.255.255.240	/28	14
C	255.255.255.248	/29	6
C	255.255.255.252	/30	2
C	255.255.255.254	/31	0
C	255.255.255.255	/32	0

Change the Raspberry Pi IP address and network settings using the Raspberry Pi GUI (Desktop)

Note: "Wired connection 1" is the default Ethernet connection name and is assumed in the following commands.

Click on the two arrows facing up and down on the right side of the Task Bar at the top of the Raspberry Pi desktop

Click on "Advanced Options" | "Edit Connections..."

Doubke Click on "Ethernet" | "Wired connection 1"

Click on the "IPv4 Settings" Tab

Click on these fields to edit them:

"Method" | Manual

"Address"
(Your Rspbrry Pi IP Address)
Example:
192.168.0.25

"Netmask"
(See the section above "The Subnetwork Mask is expressed in Slash Notation...")
Example:
/24

"Gateway"
(Typicaly the network router LAN IP Address)
Example:
192.168.0.1

"DNS servers"
(Use commas to seperate multiple domain name server addresses)
Example:
8.8.8.8,8.8.4.4

Click on the "Save" Button

X out of the "Network Connections" window

- or -

Change the Raspberry Pi IP address and network settings using the NetworkManager User Interface (UI)

Note: "Wired connection 1" is the default Ethernet connection name and is assumed in the following commands.

Open the NetworkManager User Interface (UI)

Restart the connection to begin using the new settings

sudo nmcli con up "Wired connection 1"

- or -

Change the Raspberry Pi IP address and network settings using NetworkManager Command Line Interface (CLI)

Show all network connections

sudo nmcli con show

Note: "Wired connection 1" is the default Ethernet connection name and is assumed in the following commands.

Set IP Address

(Note: The Subnetwork Mask is expressed in Slash Notation along with the IP Address)
sudo nmcli con mod "Wired connection 1" ipv4.addresses <YourRaspberryPiIPAddress>/<YourNetworkSubnetworkMask>
Example:
sudo nmcli con mod "Wired connection 1" ipv4.addresses 192.168.0.25/24

Set the Gateway Address

(Note: Typicaly the Gateway Address is network router LAN IP Address)
sudo nmcli con mod "Wired connection 1" ipv4.gateway <YourNetworkDefaultGatewayIPAddress>
Example:
sudo nmcli con mod "Wired connection 1" ipv4.gateway 192.168.0.1

Set the DNS Servers

(Note: Use spaces to seperate multiple domain name server addresses)
sudo nmcli con mod "Wired connection 1" ipv4.dns" <DNSServer1> <DNSServer2> <DNSServer...>"
Example:
sudo nmcli con mod "Wired connection 1" ipv4.dns "8.8.8.8 8.8.4.4"

Set the Addressing Mode to Manual (Static)

sudo nmcli con mod "Wired connection 1" ipv4.method manual

Restart the connection to begin using the new settings

sudo nmcli con up "Wired connection 1"

Network information commands (Optional)

Display the IP Address, Gateway, DNS Servers and Addressing Mode (Short version)

sudo nmcli -g ip4.address,ipv4.gateway,ip4.dns,ipv4.method connection show "Wired connection 1"

Display general network information (Medium version)

sudo nmcli device show

Display the complete profile for "Wired connection 1" so all parameters can be reviewed (Long version)

sudo nmcli -p con show "Wired connection 1"

Setup HTTPS using Let's Encrypt Certificates and Certbot

Notes:

See "General Notes" 6. and 7. near the top of this document.

Let's Encrypt home page: https://letsencrypt.org

certbot instructions: https://certbot.eff.org/instructions?ws=apache&os=snap

Installing snap on Raspberry Pi OS: https://snapcraft.io/docs/installing-snap-on-raspbian

snap manual page: https://manpages.debian.org/trixie/snapd/snap.8.en.html

Port used by HTTPS: 433, Type TCP

Install the snap Package Manager

Update Raspberry Pi OS and Components

Download latest package lists

sudo apt-get update -y

Download and install updated listed packages

sudo apt-get upgrade -y

Download and install snapd

sudo apt install snapd -y

Reboot the Pi to get snap working

sudo reboot

Download and install the core snap in order to get the latest snapd

sudo snap install core

Note: Some snaps require new snapd features and will show an error such as "snap 'lxd' assumes unsupported features" during install. You can solve this issue by making sure the core snap is installed (sudo snap install core) and it’s the latest version (sudo snap refresh core).

Install Certbot - Certificate Fetcher for Let’s Encrypt

Remove certbot-auto and any Certbot OS packages from the apt package manager

sudo apt-get remove certbot

Install Certbot

sudo snap install --classic certbot

Prepare the Certbot command

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Note: Some snaps require new snapd features and will show an error such as "snap 'lxd' assumes unsupported features" during install. You can solve this issue by making sure the core snap is installed (sudo snap install core) and it’s the latest version (sudo snap refresh core).

Configure Certbot, get certificats from Let’s Encrypt and automatically configure apache for HTTPS

Note: For this command to succeed, the Domain Name must already be setup in a public DNS server with either A or CNAME record pointing to the public IP Address of the target Raspberry Pi Web Server. Alternatively, a host name setup in a DDNS server will work as well (See "General Notes" 2. near the top of this document).

Get and install certificates, edit apache configuration files automatically, and turn on HTTPS access

sudo certbot --apache

Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): | <YourEMailAddress> - Example: example@gmail.com

Terms of Service... Do you agree? | y

Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot | y

Which names would you like to activate HTTPS for? We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: exampledomain1.com
2: www.exampledomain1.com
3: exampledomain2.com
4: www.exampledomain2.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): | [Enter]

Test Certbot

Test automatic renewal

sudo certbot renew --dry-run

Install and configure a firewall - UFW (Optional)

Notes:

See "General Notes" 4. near the top of this document.

UFW manual page: https://manpages.debian.org/trixie/ufw/ufw.8.en.html

Install UFW

Update Raspberry Pi OS and Components

Download latest package lists

sudo apt-get update -y

Download and install updated listed packages

sudo apt-get upgrade -y

Download and install UFW

sudo apt install ufw

Once installed, UFW is disabled by default. The default configuration blocks all incoming traffic (denied), and allows all outgoing traffic (allowed). Therefore incoming SSH, FTP, HTTP, HTTPS and VNC traffic would be denied, however Raspberry Pi Connect and TeamViewer would continue functioning. It is important to allow necessary management traffic such as SSH and/or VNC prior to enabling the firewall. Not doing so will require management via Raspberry Pi Connect, TeamViewer or a directly attached Display, Keyboard and Mouse.

Note: The Subnetwork Mask is expressed in Slash Notation along with an IP Address in certain areas of the next sections.

Network Subnetwork Mask and Slash Notation Relationships:

Class	Mask	Slash	Nodes
A	255.000.000.000	/8	16777214
B	255.255.000.000	/16	65534
B	255.255.128.000	/17	32766
B	255.255.192.000	/18	16382
B	255.255.224.000	/19	8190
B	255.255.240.000	/20	4094
B	255.255.248.000	/21	2046
B	255.255.252.000	/22	1022
B	255.255.254.000	/23	510
C	255.255.255.000	/24	254
C	255.255.255.128	/25	126
C	255.255.255.192	/26	62
C	255.255.255.224	/27	30
C	255.255.255.240	/28	14
C	255.255.255.248	/29	6
C	255.255.255.252	/30	2
C	255.255.255.254	/31	0
C	255.255.255.255	/32	0

Configure UFW

Set the firewall rules as appropriate for the installation. Multiple rules can be applied to each service type. Source Addresses and Source Subnets can be either internal or external of the network the Raspberry Pi is connected to. If any of the services below have not been installed, do not set a rule for that service. See "General Notes" 4., 5., 6. and 7. near the top of this document.

FTP

Allow from anywhere:
sudo ufw allow 21/TCP
Example:
sudo ufw allow 21/TCP

Allow from a specific Subnet:
sudo ufw allow from <SourceSubnetAddress>/<SourceSubnetMask> proto TCP to <YourRaspberryPiIPAddress> port 21
Example:
ufw allow from 50.209.187.25/29 proto TCP to 192.168.0.25 port 21

Allow from a specific IP Address:
sudo ufw allow from <SourceAddress> proto TCP to <YourRaspberryPiIPAddress> port 21
Example:
ufw allow from 50.209.187.26 proto TCP to 192.168.0.25 port 21

SSH

Allow from anywhere:
sudo ufw allow 22/TCP
Example:
sudo ufw allow 22/TCP

Allow from a specific Subnet:
sudo ufw allow from <SourceSubnetAddress>/<SourceSubnetMask> proto TCP to <YourRaspberryPiIPAddress> port 22
Example:
ufw allow from 50.209.187.25/29 proto TCP to 192.168.0.25 port 22

Allow from a specific IP Address:
sudo ufw allow from <SourceAddress> proto TCP to <YourRaspberryPiIPAddress> port 22
Example:
ufw allow from 50.209.187.26 proto TCP to 192.168.0.25 port 22

HTTP

Allow from anywhere:
sudo ufw allow 80/TCP
Example:
sudo ufw allow 80/TCP

Allow from a specific Subnet:
sudo ufw allow from <SourceSubnetAddress>/<SourceSubnetMask> proto TCP to <YourRaspberryPiIPAddress> port 80
Example:
ufw allow from 50.209.187.25/29 proto TCP to 192.168.0.25 port 80

Allow from a specific IP Address:
sudo ufw allow from <SourceAddress> proto TCP to <YourRaspberryPiIPAddress> port 80
Example:
ufw allow from 50.209.187.26 proto TCP to 192.168.0.25 port 80

HTTPS

Allow from anywhere:
sudo ufw allow 433/TCP
Example:
sudo ufw allow 433/TCP

Allow from a specific Subnet:
sudo ufw allow from <SourceSubnetAddress>/<SourceSubnetMask> proto TCP to <YourRaspberryPiIPAddress> port 433
Example:
ufw allow from 50.209.187.25/29 proto TCP to 192.168.0.25 port 433

Allow from a specific IP Address:
sudo ufw allow from <SourceAddress> proto TCP to <YourRaspberryPiIPAddress> port 433
Example:
ufw allow from 50.209.187.26 proto TCP to 192.168.0.25 port 433

VNC Server

Allow from anywhere:
sudo ufw allow 5900/TCP
sudo ufw allow 5900/UDP
Example:
sudo ufw allow 5900/TCP
sudo ufw allow 5900/UPD

Allow from a specific Subnet:
sudo ufw allow from <SourceSubnetAddress>/<SourceSubnetMask> proto TCP to <YourRaspberryPiIPAddress> port 5900

sudo ufw allow from <SourceSubnetAddress>/<SourceSubnetMask> proto UDP to <YourRaspberryPiIPAddress> port 5900
Example:
ufw allow from 50.209.187.25/29 proto TCP to 192.168.0.25 port 5900

ufw allow from 50.209.187.25/29 proto UDP to 192.168.0.25 port 5900

Allow from a specific IP Address:
sudo ufw allow from <SourceAddress> proto TCP to <YourRaspberryPiIPAddress> port 5900

sudo ufw allow from <SourceAddress> proto UDP to <YourRaspberryPiIPAddress> port 5900
Example:
ufw allow from 50.209.187.26 proto TCP to 192.168.0.25 port 5900

ufw allow from 50.209.187.26 proto UDP to 192.168.0.25 port 5900

Enable the firewall

sudo ufw enable

Note: This also enables iptables

If it is ever desirable to disable the firewall for testing or other reasons (Optional)

sudo ufw disable

Note: This also disables iptables

Check UFW status to see if it's active (Optional)

sudo ufw status

To list current rules (Optional)

sudo ufw status
- or -
sudo ufw status verbose

To remove a rule (Optional)

Identify the rule ID number to be removed

sudo ufw status numbered

Remove the rule by ID number

sudo ufw delete <ID>
Example:
sudo ufw delete 2

Remove packages that were automatically installed and are no longer required

Occasionally excess update, upgrade and installation packages install automatically, but are no longer required and can be removed automatically.

Automatically detect and remove packages no longer required

sudo apt autoremove -y

Sonora Computer Repair
Sonora, CA 95370
e-mail: charles@varvayanis.com
Phone: (209) 586-3782
Fax: (209) 586-3761
Business Card (PDF 153 KB)

www.sonoracomputer.com