Web server


This chapter describes the features of the Web server application, available in the new Server Manager.

After NethServer has been installed the Web server application is already available. It configures and starts the Apache HTTP web server.

The Web server application provides the following features:

  • Apache HTTP web server
  • Integration with system certificates for HTTPS
  • Hosting of multiple web sites
  • HTTP reverse proxy
  • PHP scripting language to run web applications
  • FTP server

The following sections describe the pages of the Web server application. Some of them require additional software components that are automatically downloaded, installed and configured when they are required for the first time.

Web server dashboard

The Web server dashboard page shows the current web server status and statistics. It also lists the additional components installed on the system.

The default Apache configuration serves the contents of /var/www/html and is capable of executing PHP scripts by running them on the Default web stack.


The Settings page allows to change the PHP configuration parameters for resources allocation (e.g. script maximum memory and execution time).

Changes affect the global PHP configuration: as such they are valid for both web applications and command line scripts, unless they are overridden by some means.

PHP settings can also be adjusted for a specific web site from the Virtual hosts page (see also PHP versions and configuration), or overridden with a custom configuration file. To this end,

  1. for PHP 7.2, look at current PHP-FPM settings in /etc/opt/rh/rh-php72/php-fpm.d/000-virtualhost.conf;
  2. create a file under the same directory (e.g. /etc/opt/rh/rh-php72/php-fpm.d/001-custom.conf) and refer to the official PHP-FPM documentation to adjust the pool directives;
  3. add the created file to your configuration backup.

Virtual hosts

Multiple web sites can be hosted on NethServer. It is possible to configure the web site hosting space in the Virtual hosts page.

When a new virtual host is created with one or more server names the new Server Manager contextually creates a server alias name in the local DNS service for each of them.


A server alias name is accessible from web clients if they use the NethServer itself as their DNS server. For public web sites, refer to your DNS provider documentation and ensure the server alias name is correctly set in the public DNS.

Server alias names are listed and can be changed from the new Server Manager dashboard.

Web site access restrictions

It is possible to limit how the web clients access the web site with the following options, available under the Advanced settings section.

  1. Enable the option Allow access from trusted networks only. Refer to Trusted networks for more information.
  2. Enable the switch Require HTTP authentication to grant access only if the specified password is provided by the client. Web applications usually provide an authentication method by themselves: this option could be useful to protect the contents of static web sites.
  3. If the web site must be always accessed through an encrypted channel it is possible to enable the Require SSL encrypted connection option. Any resource request received over the HTTP protocol is redirected over HTTPS.

SSL/TLS certificate

Each virtual host can be assigned a reserved SSL/TLS certificate or rely on the default system one. In any case, the virtual host names must be present among the certificate alternative names, otherwise the web clients can refuse to connect.

Configuring a web application

When a new virtual host is created a web root directory is created as well. The full web root path is displayed under Virtual hosts > List > Web root path.

If the switch Enable FTP access is enabled, it is possible to upload data, configuration and script files to the web root path using a FTP client.


HTTP authentication password should be different from the FTP one, because FTP is used to upload the virtual host contents whilst HTTP is used to see them from the web.

The web site displays a “Welcome” page until a file named index.html or index.php is uploaded under the web root directory. If this is not desired, it is possible to enable the option Root directory file listings, as alternative to the “Welcome” page.

FTP uploaded files are owned by the apache group with read-only permissions. If write or execution permissions are needed, a FTP client can be used to grant them.


If a web site contains executable code, such as PHP scripts, the security implications of file permissions must be evaluated carefully. Grant write access to a limited set of special files and directories, as required by the web application documentation.

The Apache configuration can be overridden by uploading a file named .htaccess. Refer to the official Apache documentation for more information about this feature [1].

PHP versions and configuration

If the PHP version provided by the Default web stack does not fit a web application it is possible to select and install an alternative one and override the global PHP default settings, as explained by the Settings section.

Disabling a virtual host

The Disable action hides the virtual host, making it not accessible from web clients. This operation is reversible, by selecting the Enable action.

Deleting a virtual host

The Delete action removes the virtual host configuration and erases the web root directory. This operation is not reversible.

Reverse proxy

As alternative to a virtual host, which stores static files or a PHP web application under a local web root directory, it is possible to forward web requests to another HTTP server and serve responses in behalf of it. This behavior can be configured from the Reverse proxy page.

Each reverse proxy item is actually a rule that can match an incoming web request. Depending on the rule Name field value, the match can occur in either:

  1. the requested web site name, if Name starts with any character, but the slash /, or
  2. the requested resource path, if Name starts with a slash / character.

If the rule matches, the request is forwarded to another web server, defined by the Destination URL field.

Web site name proxy pass

Scenario for a named proxy pass:

  • NethServer is the firewall of your LAN with public name http://fw.myfirstdomain.org
  • You have a domain http://mydomain.com pointing to the public IP for NethServer
  • You would like http://mydomain.com to forward to the internal server (internal IP:

In this scenario, create a new record by clicking Create a reverse proxy button. Fill the Name field with mydomain.com and the Destination URL with

Resource path proxy pass

Scenario for path-based proxy pass:

  • NethServer is the firewall of your LAN
  • You have a domain http://mydomain.com
  • You would like http://mydomain.com/mysite to forward to the internal server (internal IP:

In this scenario, create a new record by clicking Create a reverse proxy button. Fill the Name field with /mysite and the Destination URL with

Extra options

If only encrypted connections are allowed, enable the Require SSL encrypted connection.

Only clients from certain networks can be allowed to connect, by specifying a comma-separated list of CIDR networks under the Access from CIDR networks field.

Options available only for named proxy pass:

  • Enable or disable forwarding of Host header
  • Enable or disable WebSocket forwarding
  • Accept invalid target SSL certificate: use this option only if the target has a self-signed certificate

Advanced reverse proxy settings

When the reverse proxy rule matches a web site name it is possible to assign it a dedicated certificate, choosing one from the SSL/TLS certificate list.

It is not possible to select the certificate if the rule matches a resource path. In this case only the default certificate can be used.

Regardless the rule type, the following settings are also available:

  • Access from CIDR networks: restricts the access from the given list of CIDR networks. Only web clients connecting from those networks are allowed to open the web site.
  • Require SSL encrypted connection: if enabled, any http:// request is redirected to https://.
  • Accept invalid SSL certificate from target: if the destination URL starts with https:// and an invalid certificate is returned, enabling this option ignores the certificate validation error.
  • Forward HTTP “Host” header to target: if enabled, a HTTP Host header containing the original request host name is forwarded to the destination URL. This could be required by the destination server application to work properly.

FTP server


The FTP protocol is insecure. Passwords and file data are sent in clear text over the network.

The File Transfer Protocol is a standard network protocol used for the transfer of computer files between a client and server [2]. The FTP page enables the FTP service and configures additional user accounts limited to the FTP service only.

Users of the FTP service can be restricted to access their own home directory by enabling Chroot user on home directory. When this option is enabled the user cannot see the other system directories. This configuration is also known as jailing.

When a virtual host is created, a random FTP user name is assigned to it. It is possible to upload the virtual host file contents with FTP. Refer to Configuring a web application for more information.

System users


This configuration is highly discouraged. Also note that when enabled, the integration with the web server will break.

After enabling system users, all virtual users will be disabled. All configuration must be done using the command line.

Enable system users:

config setprop vsftpd UserType system
signal-event nethserver-vsftpd-save

Given a user name goofy, first make sure the user has Remote shell access. Then, enable the FTP access:

db accounts setprop goofy FTPAccess enabled
signal-event user-modify goofy
signal-event nethserver-vsftpd-save

To disable an already enabled user:

db accounts setprop goofy FTPAccess disabled
signal-event nethserver-vsftpd-save

If not explicitly disabled, all system users are chrooted. To disable a chroot for a system user:

db accounts setprop goofy FTPChroot disabled
signal-event nethserver-vsftpd-save


[1]Apache documentation for .htaccess files https://httpd.apache.org/docs/2.4/howto/htaccess.html
[2]File Transfer Protocol https://en.wikipedia.org/wiki/File_Transfer_Protocol