How to set up a basic environment to connect web sessions through a reverse HTTP proxy
This article is about how to configure an Apache web server to work as a reverse HTTP proxy.
On the host machine (hostA) which will work as the reverse HTTP proxy, install the Apache web server and the proxy module (mod_proxy) for redirecting web connections to implement the reverse proxy gateway.
The NoMachine web player + nxhtd are installed on hostB. HostB is on the same network as hostA and has, for example, the internal IP 192.168.3.201. The URL of the web player is: 192.168.3.201:4443.
Instructions
At least these modules are necessary:
proxy
proxy_http
rewrite
proxy_wstunnel
Add the following directives in the configuration file of Apache (the reverse proxy) on hostA:
1.1 FOR HTTPS:
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyCheckPeerExpire Off
ProxyPass "/" "https://192.168.3.201:4443/"
ProxyPassReverse "/" "https://192.168.3.201:4443/"
ProxyPass "/nxplayer" "https://192.168.3.201:4443/nxplayer"
ProxyPassReverse "/nxplayer" "https://192.168.3.201:4443/nxplayer"
ProxyPass "/event" "wss://192.168.3.201:4443/event"
ProxyPassReverse "/event" "wss://192.168.3.201:4443/event"
<Location /event>
ProxyPass "wss://192.168.3.201:4443/event"
ProxyPassReverse "wss://192.168.3.201:4443/event"
ProxyPreserveHost On
RewriteEngine On
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/event/(.*) wss://192.168.3.201:4443/event/$1 [P,L]
</Location>
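The directives in 1.1 switch off every check on hostB's certificate, so the proxy trusts whatever answers on 192.168.3.201:4443. The fragment below is an added example, not part of the NoMachine instructions, showing the same root mapping with backend certificate verification enabled. The hostname hostb.internal.example and the CA file path are assumptions to replace with your own values.

```apache
# Added example: verify hostB's certificate instead of disabling the checks.
# Assumed names (not from the article):
#   hostb.internal.example  resolves to 192.168.3.201 and is the name in the
#                           certificate that nxhtd presents
#   /etc/ssl/nomachine/hostB-ca.pem  holds that certificate (if self-signed)
#                           or the CA certificate that issued it

SSLProxyEngine On

# As given in 1.1: any certificate from the backend is accepted.
#   SSLProxyVerify none
#   SSLProxyCheckPeerCN Off
#   SSLProxyCheckPeerName Off
#   SSLProxyCheckPeerExpire Off

# Verified variant: require a certificate that chains to the pinned file,
# matches the backend hostname and has not expired.
SSLProxyVerify require
SSLProxyCACertificateFile "/etc/ssl/nomachine/hostB-ca.pem"
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On

# Address the backend by the name in its certificate rather than by IP,
# so that the name check has something to match.
ProxyPass        "/" "https://hostb.internal.example:4443/"
ProxyPassReverse "/" "https://hostb.internal.example:4443/"

# With ProxyPreserveHost On (set in the /event block) the name checked can be
# the one from the client's Host header, so test /event after the change.
```

If verification fails after reloading Apache, the reason is reported in the Apache error log on hostA.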
1.2 FOR HTTP
(Since v8, HTTP is disabled. If you want to use it, follow instructions at https://kb.nomachine.com/AR05T01162)
ProxyPass "/" "http://192.168.3.201:4080/"
ProxyPassReverse "/" "http://192.168.3.201:4080/"
ProxyPass "/nxplayer" "http://192.168.3.201:4080/nxplayer"
ProxyPassReverse "/nxplayer" "http://192.168.3.201:4080/nxplayer"
ProxyPass "/event" "ws://192.168.3.201:4080/event"
ProxyPassReverse "/event" "ws://192.168.3.201:4080/event"
<Location /event>
ProxyPass "ws://192.168.3.201:4080/event"
ProxyPassReverse "ws://192.168.3.201:4080/event"
ProxyPreserveHost On
RewriteEngine On
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/event/(.*) ws://192.168.3.201:4080/event/$1 [P,L]
</Location>
With the instructions above, the NoMachine web player will work through the reverse proxy, but not with WebSocket. To make it work with WebSocket, also apply the instructions below.
Edit the web.cfg file:
on Linux /usr/NX/etc/web.cfg
on Windows C:\Program files (x86)\NoMachine\etc\web.cfg
on macOS /Applications/NoMachine.app/Contents/Frameworks/etc/web.cfg
and set:
WebSocketOriginCheck Trusted
# Define your trusted origins here
WebSocketTrustedOrigin http://<reverse-proxy-ip>
WebSocketTrustedOrigin https://<reverse-proxy-ip>
Then add the WebSocketOriginCheck and WebSocketTrustedOrigin lines to the <Location /event> section, as shown below:
<IfModule mod_websocket.c>
<Location /event>
SetHandler websocket-handler
WebSocketOriginCheck Trusted
# Define your trusted origins here
WebSocketTrustedOrigin http://<reverse-proxy-ip>
WebSocketTrustedOrigin https://<reverse-proxy-ip>
WebSocketHandler share/htdocs/mod/libnxwebsocket.so event_init
</Location>
</IfModule>
Troubleshooting
If you have an issue with setting up the websocket, you can 'Disable Origin Checks'. If it works after disabling, it means that the Origin needs to be properly adjusted.
To disable Origin checks, set in web.cfg:
WebSocketOriginCheck Off
and add the WebSocketOriginCheck Off line to the <Location /event> section, as shown below:
<IfModule mod_websocket.c>
<Location /event>
SetHandler websocket-handler
WebSocketOriginCheck Off
WebSocketHandler share/htdocs/mod/libnxwebsocket.so event_init
</Location>
</IfModule>
Note that the directive
WebSocketOriginCheck Off
will completely disable checks on the Origin header and allow connections through a user-agent from any website. As a general rule, this should only be done if your WebSocket plugin provides a global service to anonymous users, and those users have no reason to care if third parties can connect to that service on their behalf. Otherwise, use of this directive opens your users to hijacking attacks. You have been warned.
References: https://github.com/jchampio/apache-websocket
Users will connect to the URL of the Apache reverse proxy host and will access the NoMachine web player application.
