Tags: raspberry-pi • linux
We want to listen on port 80 for HTTP and port 443 for HTTPS, but only root can listen on these ports. Instead, the app listens on 8800 and 44433, and traffic arriving on 80 and 443 is redirected to those ports, so we don’t have to run our app as root.
In your CreateHostBuilder method:
webBuilder.UseKestrel(options =>
{
    options.Listen(IPAddress.Any, 8800);
    options.Listen(IPAddress.Any, 44433);
});
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8800
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 44433
sudo iptables -t nat -S | grep REDIRECT
If you configure .NET to use port 44433 for HTTPS then it will try to redirect HTTP traffic to this port. But you want it to go to 443 still. In your ConfigureServices method:
services.AddHttpsRedirection(options =>
{
    options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
    options.HttpsPort = 443;
});
dotnet publish [project name] --configuration Release --runtime linux-arm
cd [project name]\bin\Release\[dotnet core version]\linux-arm\publish
scp -r * pi@[pi ip address]:/var/www/[project name]
cd ..\..\..\..\..\..
cd /var/www/[project name]
dotnet [project name].dll
Note that certbot’s standalone mode listens on port 80 as a verification step, so it won’t work while the server is running and/or the port forwarding is enabled. A reboot will fix both.
sudo apt-get install certbot
sudo certbot certonly --standalone
sudo openssl pkcs12 -export -out certificate.pfx -inkey /etc/letsencrypt/live/[your domain]/privkey.pem -in /etc/letsencrypt/live/[your domain]/fullchain.pem
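# The .pfx contains the private key: make it readable only by the pi user that runs the app
sudo chown pi certificate.pfx
sudo chmod 600 certificate.pfx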
sudo certbot renew
Then repeat the certificate.pfx export step above.
sudo iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8800
sudo iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 44433
sudo netstat -lnp | grep :80
webBuilder.UseKestrel(options =>
{
    options.Listen(IPAddress.Any, 8800);
    options.Listen(IPAddress.Any, 44433, listenOptions =>
    {
        listenOptions.UseHttps("certificate.pfx", "password chosen in previous step");
    });
});
Create service file
sudo vim /etc/systemd/system/mysite.service
Enter contents:
[Unit]
Description=My Website
After=network.target
[Service]
# The unit runs as root so the iptables hooks work; the app itself is started as pi via sudo -u
ExecStartPre=/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8800 ; /sbin/iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 44433
# systemd does not run commands through a shell, so no trailing "&"
ExecStart=/usr/bin/sudo -u pi dotnet <website>.dll
# -D removes the redirects again on stop, so certbot can bind port 80 during renewal
ExecStopPost=/sbin/iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8800 ; /sbin/iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 44433
WorkingDirectory=/var/www/<website>/
StandardOutput=inherit
StandardError=inherit
Restart=always
User=root
[Install]
WantedBy=multi-user.target
Enable start on boot:
sudo systemctl enable mysite.service
Start now:
sudo systemctl start mysite.service
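An added example, not part of the original post: because `iptables -A` appends a rule every time it runs, the listing from `sudo iptables -t nat -S` can be checked so that each redirect from this post exists exactly once. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/bash
# Added example: audit the NAT redirects from this post.
# Real use: sudo iptables -t nat -S | check_redirects

# Print how many PREROUTING rules redirect port $2 to port $3 in listing $1.
count_redirect() {
    printf '%s\n' "$1" | grep -E -c -- \
        "^-A PREROUTING .*--dport $2 .*-j REDIRECT --to-ports $3\$" || true
}

# Read a listing on stdin. Return 0 if each redirect exists exactly once,
# 1 if one is missing, 2 if one is duplicated.
check_redirects() {
    local rules status pair dport to n
    rules="$(cat)"
    status=0
    for pair in 80:8800 443:44433; do
        dport="${pair%%:*}"
        to="${pair##*:}"
        n="$(count_redirect "$rules" "$dport" "$to")"
        case "$n" in
            1) echo "ok: $dport -> $to" ;;
            0) echo "MISSING: $dport -> $to"
               [ "$status" -eq 2 ] || status=1 ;;
            *) echo "DUPLICATE x$n: $dport -> $to"
               status=2 ;;
        esac
    done
    return "$status"
}

# Constructed sample listing: the port 80 rule was appended twice.
SAMPLE_DUP='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8800
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8800
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 44433'

# Demo on the constructed sample (no root needed).
printf '%s\n' "$SAMPLE_DUP" | check_redirects || echo "exit status: $?"
```

A duplicated rule means one `-D` leaves the redirect in place, which is exactly the state in which certbot’s standalone check cannot bind port 80.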
#!/bin/bash
systemctl stop mysite.service
certbot renew
openssl pkcs12 -export -out /var/www/<website>/certificate.pfx -inkey /etc/letsencrypt/live/[your domain]/privkey.pem -in /etc/letsencrypt/live/[your domain]/fullchain.pem
chown pi /var/www/<website>/certificate.pfx
chmod 600 /var/www/<website>/certificate.pfx
systemctl start mysite.service