Use Your Own Apache Web Server to Run NoMachine Sessions on the web (v.6)

Knowledge Base

Searching in : Document

ID: DT03O00128

Version: NoMachine 6

Added on: 2017-11-14

Last Update: 2020-12-17

Print this article

PDF version

Use Your Own Apache Web Server to Run NoMachine Sessions on the web (v.6)

Table of Contents

Introduction

1. Sessions on the Web

Configurations

2. Configuring the Apache Web Server

2.1. Adding the Necessary Modules

2.2. Including Directives for the Web Player (Linux)

2.3. Including Directives for the Web Player (Windows)

2.4. Including Directives for the Web Player (macOS)

3. Configuring NoMachine to Use your Web Server

Introduction
1. Sessions on the Web

NoMachine servers supporting connections via HTTP/HTTPS are designed to provide a fully integrated service to deploy sessions on the web which doesn't require additional software to be installed or manual configuration. The minimal Apache web server included in the NoMachine package, nxhtd, provides the necessary modules and is pre-configured to work with the 'nxwebplayer' application. Such application is the web client GUI which permits users to run sessions in a browser.

It is possible to run the web player application also with an alternative Apache web server. This requires however to configure the Apache web server and NoMachine. Basic skills about Apache installation and configuration are therefore requested.

Prerequisite is that an official version of Apache is installed on the host machine, please refer to the Apache documentation related to your Operating System for instructions.

TIP

Since version 6.4, Web Sockets technology is integrated into NoMachine's web sessions. This requires to use the built-in web server (nxhtd) or to customize your Apache web server to support that.

2. Configuring your Apache Web Server

2.1. Adding the Necessary Modules

First step to configure the alternative web server is to ensure that the following Apache modules are loaded in your web server:
authn_file
authz_host
authz_groupfile
authz_user
authz_core
auth_basic
so
filter
deflate
http_core
mime
log_config
expires
headers
setenvif
version
ssl
worker
unixd
status
autoindex
cgi
dir
actions
alias
rewrite

This is the list of modules used by the built-in NoMachine web server, nxhtd v. 6.

You can check if some of these modules are already loaded by default by your Apache, please refer to the official documentation of your Apache. For example on Ubuntu 19.10 and Apache/2.4.41 or Ubuntu 17.04 and Apache/2.4.25 you can use this command:

$ apache2ctl -M
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
[...]

To add the missing module(s), we suggest to refer to the official documentation of your web server. As an example, for adding a module to Apache/2.4.41 (Ubuntu 19.10) or Apache/2.4.25 (Ubuntu 17.04):

$ sudo a2enmod ssl

Once your Apache web server is ready, you can proceed to prepare the include file ('web.inc') providing directives for the NoMachine web player program. Follow instructions for the appropriate operating system, Linux, Windows or Mac detailed in the next paragraphs.

2.2. Including Directives for the Web Player (Linux)

Step 1- Create the web.inc file
Copy content below including between the ---Begin--- and ---End--- tags to a file.
Name the file as web.inc and place it in the /usr/NX/etc directory:

---Begin---
<Directory />
Options None
AllowOverride None
Require all denied
</Directory>

<Directory "/usr/NX/">
AllowOverride None
Options None
Require all denied
</Directory>

<Directory "/usr/NX/share/htdocs">
Options +Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>

<Directory "/usr/NX/share/htdocs/nxwebplayer">
Require all denied

<FilesMatch "(?i).+\.(js|css|json|png|ico)$">
Require all granted
</FilesMatch>
</Directory>

<Directory "/usr/NX/share/htdocs/mod">
Require all denied

<Files "libnxwebsocket.so">
Require all granted
</Files>
</Directory>

<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig "/usr/NX/etc/mime.types"

#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

# Added support to VP8 media

AddType video/ogg .ogv
AddType video/mp4 .mp4
AddType video/webm .webm

#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
AddHandler cgi-script .cgi

# For type maps (negotiated resources):
#AddHandler type-map var

#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
</IfModule>

#
# Note: The following must be present to support starting
# without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

#
# deflate module settings
#
<IfModule mod_deflate.c>
# these are known to be safe with MSIE 6
#AddOutputFilterByType DEFLATE text/html text/plain text/xml

# everything else may cause problems with MSIE 6
#AddOutputFilterByType DEFLATE text/css
#AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript
#AddOutputFilterByType DEFLATE application/rss+xml

#AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript application/javascript application/ecmascript application/rss+xml text/x-js

AddOutputFilterByType DEFLATE image/jpeg image/png text/xml text/css application/x-javascript application/javascript application/ecmascript application/rss+xml text/x-js

DeflateCompressionLevel 9
DeflateMemLevel 9
DeflateWindowSize 15
DeflateBufferSize 8096

#Header append Vary User-Agent env=!dont-vary
</IfModule>

#
# expires module settings
#
#<IfModule mod_expires>
# enable expiry headers
ExpiresActive on
# set global expiry times
ExpiresDefault A0
# Set up caching on media files for 1 year (forever?)
<FilesMatch "\.(ico|gif|png|jpg|jpeg)$">
ExpiresDefault A29030400
#Header append Cache-Control "public"
</FilesMatch>
#</IfModule>

Header always append X-Frame-Options SAMEORIGIN
Header always set Strict-Transport-Security "max-age=2592000; includeSubDomains"
Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src * 'self' data:"

RewriteEngine On
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{SERVER_ADDR}:443/nxwebplayer [R,L]

ServerAdmin you@example.com

RewriteEngine On

RewriteCond %{REQUEST_URI} !^/?nxwebplayer$ [NC]
RewriteCond %{REQUEST_URI} !^/?(event|eventinit)$
RewriteCond %{REQUEST_URI} !^/?nxplayer/(js|images|style|languages)/.*$
RewriteRule ^(.*)$ - [F,L]

SSLEngine On

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

#server certificate:
SSLCertificateFile "/usr/NX/etc/keys/host/ht_host_rsa_key.crt"

#private server key:
SSLCertificateKeyFile "/usr/NX/etc/keys/host/ht_host_rsa_key"

#server certificate chain:
#SSLCertificateChainFile "/usr/NX/etc/nomachine-CA.crt"

#Certificate Authority (CA):
#SSLCACertificateFile "/usr/NX/etc/nomachine-CA.crt"

SSLCipherSuite ALL:!ADH:!EXPORT56:!3DES:+HIGH:+MEDIUM

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>

Alias /nxplayer/ "/usr/NX/share/htdocs/nxwebplayer/"

ScriptAliasMatch "(?i)^/nxwebplayer" "/usr/NX/bin/nxwebclient"

<Directory "/usr/NX/bin">
Require all denied

<Files "nxwebclient">
Options +ExecCGI
Require all granted
</Files>
</Directory>
---End---

TIPS

If NoMachine is installed in a non-default path, replace '/usr/NX' with the proper path.

Example above uses the default Apache port 443. Set it to the appropriate port, if different on your system.

Step 2- Include the web.inc file in the Apache configuration.
Identify your Apache main configuration file, usually httpd.conf. In our example for Ubuntu, the main configuration file of Apache 2.4.41 and 2.4.25 is: /etc/apache2/apache2.conf. On RHEL based distributions it's usually /etc/httpd/conf/httpd.conf.

Open the Apache configuration file and look for the "Global configuration" or Global Environment" section. Place the following include directive before that section:
Include path_to_installation_directory/etc/web.inc

Step 2- Restart your web server. For example on Ubuntu 19.10 and 17.04:

$ sudo systemctl restart apache2.service

Proceed now to configure NoMachine for using the alternative web server (see the next chapter).

2.3. Including Directives for the Web Player (Windows)

Step 1- Create the web.inc file
Copy content below including between the ---Begin--- and ---End--- tags to a file.
Name the file as web.inc and place it in the C:\Program Files (x86)\NoMachine\etc directory:

---Begin---
<Directory />
Options None
AllowOverride None
Require all denied
</Directory>

<Directory "C:\Program Files (x86)\NoMachine/">
AllowOverride None
Options None
Require all denied
</Directory>

<Directory "C:\Program Files (x86)\NoMachine/share/htdocs/">
Options +Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>

<Directory "C:\Program Files (x86)\NoMachine/share/htdocs/nxwebplayer">
Require all denied

<FilesMatch "(?i).+\.(js|css|json|png)$">
Require all granted
</FilesMatch>
</Directory>

<Directory "C:\Program Files (x86)\NoMachine/share/htdocs/mod">
Require all denied

<Files "libnxwebsocket.dll">
Require all granted
</Files>
</Directory>

<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig "C:\Program Files (x86)\NoMachine/etc/mime.types"

# Added support to VP8 media

AddType video/ogg .ogv
AddType video/mp4 .mp4
AddType video/webm .webm

# For type maps (negotiated resources):
#AddHandler type-map var

#
# deflate module settings
#
<IfModule mod_deflate.c>
# these are known to be safe with MSIE 6
#AddOutputFilterByType DEFLATE text/html text/plain text/xml

#AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript application/javascript application/ecmascript application/rss+xml text/x-js

AddOutputFilterByType DEFLATE image/jpeg image/png text/xml text/css application/x-javascript application/javascript application/ecmascript application/rss+xml text/x-js

DeflateCompressionLevel 9
DeflateMemLevel 9
DeflateWindowSize 15
DeflateBufferSize 8096

#Header append Vary User-Agent env=!dont-vary
</IfModule>

RewriteEngine On
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{SERVER_ADDR}:443/nxwebplayer [R,L]

ServerAdmin you@example.com

RewriteEngine On

RewriteCond %{REQUEST_URI} !^/?nxwebplayer$ [NC]
RewriteCond %{REQUEST_URI} !^/?(event|eventinit)$
RewriteCond %{REQUEST_URI} !^/?nxplayer/(js|images|style|languages)/.*$
RewriteRule ^(.*)$ - [F,L]

SSLEngine On

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

#server certificate:
SSLCertificateFile "C:\Program Files (x86)\NoMachine/etc/keys/host/ht_host_rsa_key.crt"

#private server key:
SSLCertificateKeyFile "C:\Program Files (x86)\NoMachine/etc/keys/host/ht_host_rsa_key"

#server certificate chain:
#SSLCertificateChainFile "C:\Program Files (x86)\NoMachine/etc/nomachine-CA.crt"

#Certificate Authority (CA):
#SSLCACertificateFile "C:\Program Files (x86)\NoMachine/etc/nomachine-CA.crt"

SSLCipherSuite ALL:!ADH:!EXPORT56:!3DES:+HIGH:+MEDIUM

PassEnv ALLUSERSPROFILE USERPROFILE
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>

Alias /nxplayer/ "C:\Program Files (x86)\NoMachine/share/htdocs/nxwebplayer/"

ScriptAliasMatch "(?i)^/nxwebplayer" "C:\Program Files (x86)\NoMachine/bin/nxwebclient.exe"

<Directory "C:\Program Files (x86)\NoMachine/bin">
Require all denied

<Files "nxwebclient.exe">
Options +ExecCGI
Require all granted
</Files>
</Directory>
---End---

TIPS

If NoMachine is installed in a non-default path, replace 'C:\Program Files (x86)\' with the proper path.

Example above uses the default Apache port 443. Set it to the appropriate port, if different on your system.

Step 2- Include the web.inc file in the Apache configuration.
Identify your Apache main configuration file, usually httpd.conf, e.g. path_to_apache_installation_directory/Apache24/conf/httpd.conf for Apache 2.4 on Windows 10.

Open the Apache configuration fileand place the following include directive at the end of the file:
Include path_to_nomachine_installation_directory/etc/web.inc

Step 2- Restart your web server. You can do that from the Windows system tray or manually from a CMD console executed as administrator, for example:

> cd path_to_apache_installation_directory\bin
> httpd -k restart

Proceed now to configure NoMachine for using the alternative web server (see the next chapter).

2.4. Including Directives for the Web Player (macOS)

Step 1- Create the web.inc file
Copy content below including between the ---Begin--- and ---End--- tags to a file.
Name the file as web.inc and place it in the /Applications/NoMachine.app/Contents/Frameworks/etc/ directory:

---Begin---
<Directory />
Options None
AllowOverride None
Require all denied
</Directory>

<Directory "//Applications/NoMachine.app/Contents/Frameworks/">
AllowOverride None
Options None
Require all denied
</Directory>

<Directory "/Applications/NoMachine.app/Contents/Frameworks/share/htdocs">
Options +Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>

<Directory "/Applications/NoMachine.app/Contents/Frameworks/share/htdocs/nxwebplayer">
Require all denied

<FilesMatch "(?i).+\.(js|css|json|png|ico)$">
Require all granted
</FilesMatch>
</Directory>

<Directory "/Applications/NoMachine.app/Contents/Frameworks/share/htdocs/mod">
Require all denied

<Files "libnxwebsocket.dlyb">
Require all granted
</Files>
</Directory>

<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig "/Applications/NoMachine.app/Contents/Frameworks/etc/mime.types"

# Added support to VP8 media

AddType video/ogg .ogv
AddType video/mp4 .mp4
AddType video/webm .webm

# For type maps (negotiated resources):
#AddHandler type-map var

#
# deflate module settings
#
<IfModule mod_deflate.c>
# these are known to be safe with MSIE 6
#AddOutputFilterByType DEFLATE text/html text/plain text/xml

#AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript application/javascript application/ecmascript application/rss+xml text/x-js

AddOutputFilterByType DEFLATE image/jpeg image/png text/xml text/css application/x-javascript application/javascript application/ecmascript application/rss+xml text/x-js

DeflateCompressionLevel 9
DeflateMemLevel 9
DeflateWindowSize 15
DeflateBufferSize 8096

#Header append Vary User-Agent env=!dont-vary
</IfModule>

RewriteEngine On
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{SERVER_ADDR}:443/nxwebplayer [R,L]

ServerAdmin you@example.com

RewriteEngine On

RewriteCond %{REQUEST_URI} !^/?nxwebplayer$ [NC]
RewriteCond %{REQUEST_URI} !^/?(event|eventinit)$
RewriteCond %{REQUEST_URI} !^/?nxplayer/(js|images|style|languages)/.*$
RewriteRule ^(.*)$ - [F,L]

SSLEngine On

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

#server certificate:
SSLCertificateFile "/Applications/NoMachine.app/Contents/Frameworks/etc/keys/host/ht_host_rsa_key.crt"

#private server key:
SSLCertificateKeyFile "/Applications/NoMachine.app/Contents/Frameworks/etc/keys/host/ht_host_rsa_key"

#server certificate chain:
#SSLCertificateChainFile "/Applications/NoMachine.app/Contents/Frameworks/etc/nomachine-CA.crt"

#Certificate Authority (CA):
#SSLCACertificateFile "/Applications/NoMachine.app/Contents/Frameworks/etc/nomachine-CA.crt"

SSLCipherSuite ALL:!ADH:!EXPORT56:!3DES:+HIGH:+MEDIUM

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>

Alias /nxplayer/ "/Applications/NoMachine.app/Contents/Frameworks/share/htdocs/nxwebplayer/"

ScriptAliasMatch "(?i)^/nxwebplayer" "/Applications/NoMachine.app/Contents/Frameworks/bin/nxwebclient"

<Directory "/Applications/NoMachine.app/Contents/Frameworks/bin">
Require all denied

<Files "nxwebclient">
Options +ExecCGI
Require all granted
</Files>
</Directory>
---End---

TIP

Example above uses the default Apache port 443. Set it to the appropriate port, if different on your system.

Step 2- Include the web.inc file in the Apache configuration.
Identify your Apache main configuration file, usually httpd.conf. For example: /etc/apache2/httpd.conf.

Open the Apache configuration fileand place the following include directive at the end of the file:
Include path_to_nomachine_installation_directory/etc/web.inc

Step 2- Restart your web server. For example:

$ sudo apachectl -k restart

Proceed now to configure NoMachine for using the alternative web server (see the next chapter).

3. Configuring NoMachine to Use your Web Server

Step 1- Set the Apache's user and group in the NoMachine configuration.
Edit the NoMachine server configuration file:
/usr/NX/etc/server.cfg on Linux
C:\Program files (x86)\NoMachine\etc\server.cfg on Windows
/Applications/NoMachine.app/Contents/Frameworks/etc/server.cfg on Mac
and update the following keys to fit your web server:
ApacheUname nxhtd
ApacheGname nxhtd

For example, if your web server is running as user www-data and group www-data, set:
ApacheUname www-data
ApacheGname www-data

Step 2- Update the web player configuration
Run the update procedure to update the webplayer accordingly to the new configuration settings. On Linux and macOS:

$ sudo /etc/NX/nxwebplayer --update

On Windows:

> cd C:\Program files (x86)\NoMachine\bin
>nxwebplayer --update

This will change ownership and group of the web player files according to the new value set in the ApacheUname and ApacheGname keys.

Step 3- Stop the NoMachine HTTP server
Stop nxhtd by using the nxserver tools. On Linux and macOS

$ sudo /etc/NX/nxserver --stop nxhtd

On Windows:

>cd C:\Program files (x86)\NoMachine\bin
>nxserver --stop nxhtd

Step 4- Disable the starting of the NoMachine HTTP server
Edit server.cfg and remove HTTP from the ClientConnectionMethods key. It should look like:
ClientConnectionMethods NX,SSH

Then restart the NoMachine server to make this change effective. On Linux and macOS:

$ sudo /etc/NX/nxserver --restart

On Windows:

>cd C:\Program files (x86)\NoMachine\bin
>nxserver --restart

You are now ready to serve the NoMachine session trough your own web server.

Point the browser to:
https://IP:PORT/nxwebplayer
to reach the web player application.

TIP

If the Apache configuration include this directive:
<VirtualHost *:80>
when users connect to https://IP:PORT or https://IP they will se the Apache index listing all web applications available. To forbid the directory listing, remove the <VirtualHost *:80> directive from the Apache configuration.