Use Your Own Apache Web Server to Run NoMachine Sessions on the Web

Prepared by: Silvia Regis
N°: D-705_012-SRW-NPC
Approved by: Sarah Dryell
Last modified: 2020-02-20
Amended: A


Table of Contents

Introduction
1. Sessions on the Web

Configurations
2. Configuring the Apache Web Server

2.1. Adding the Necessary Modules

2.2. Including Directives for the Web Player (Linux)

2.3. Including Directives for the Web Player (Windows)

2.4. Including Directives for the Web Player (macOS)

3. Configuring NoMachine to Use your Web Server

Introduction

1. Sessions on the Web

NoMachine servers supporting connections via HTTP/HTTPS are designed to provide a fully integrated service to deploy sessions on the web, which doesn't require additional software to be installed or manual configuration. The minimal Apache web server included in the NoMachine package, nxhtd, provides the necessary modules and is pre-configured to work with the 'nxwebplayer' application. This application is the web client GUI which lets users run sessions in a browser.

It is also possible to run the web player application with an alternative Apache web server. This, however, requires configuring both the Apache web server and NoMachine. Basic Apache installation and configuration skills are therefore required.

As a prerequisite, an official version of Apache must be installed on the host machine; please refer to the Apache documentation for your operating system for instructions.

TIP

Since version 6.4, WebSockets technology is integrated into NoMachine's web sessions. This requires using the built-in web server (nxhtd) or customizing your Apache web server to support it.

2. Configuring your Apache Web Server

2.1. Adding the Necessary Modules

The first step in configuring the alternative web server is to ensure that the following Apache modules are loaded in your web server:
authn_file
authz_host
authz_groupfile
authz_user
authz_core
auth_basic
so
filter
deflate
http_core
mime
log_config
expires
headers
setenvif
version
ssl
worker
unixd
status
autoindex
cgi
dir
actions
alias
rewrite

This is the list of modules used by the built-in NoMachine web server, nxhtd v. 6.

You can check whether some of these modules are already loaded by default in your Apache; please refer to the official documentation of your Apache. For example, on Ubuntu 19.10 with Apache/2.4.41 or Ubuntu 17.04 with Apache/2.4.25 you can use this command:

$ apache2ctl -M
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
[...]

To add the missing module(s), we suggest referring to the official documentation of your web server. As an example, to add a module to Apache/2.4.41 (Ubuntu 19.10) or Apache/2.4.25 (Ubuntu 17.04):

$ sudo a2enmod ssl
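To see which of the listed modules still need to be added, the comparison can be scripted. This is an added example, not part of the NoMachine guide: it reads the output of `apache2ctl -M` and reports the entries of the list above that are not loaded. The mapping from the short names to the `*_module` identifiers Apache prints (`worker` to `mpm_worker_module`, `http_core` to `http_module`) is an assumption based on stock Apache 2.4 naming, and the sample output is constructed.

```shell
#!/bin/sh
# Report which modules required by the NoMachine web player are not loaded.
# Usage on a real host:  apache2ctl -M 2>/dev/null | missing_modules

# Identifiers (without the "_module" suffix) for the module list in section 2.1.
# Assumed stock Apache 2.4 names: worker -> mpm_worker, http_core -> http.
REQUIRED_MODULES="authn_file authz_host authz_groupfile authz_user authz_core
auth_basic so filter deflate http mime log_config expires headers setenvif
version ssl mpm_worker unixd status autoindex cgi dir actions alias rewrite"

# Read `apache2ctl -M` output on stdin, print the missing modules on one line.
missing_modules() {
    # Lines of interest look like " ssl_module (shared)"; keep the identifier.
    loaded=$(awk '$1 ~ /_module$/ { print $1 }')
    missing=""
    for m in $REQUIRED_MODULES; do
        if ! printf '%s\n' "$loaded" | grep -qxF "${m}_module"; then
            missing="${missing}${missing:+ }${m}"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed sample of `apache2ctl -M` output (not taken from a real host).
sample_output() {
cat <<'EOF'
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 version_module (static)
 unixd_module (static)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 filter_module (shared)
 mime_module (shared)
 mpm_event_module (shared)
 setenvif_module (shared)
 status_module (shared)
EOF
}

echo "missing in constructed sample: $(sample_output | missing_modules)"
```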

Once your Apache web server is ready, you can proceed to prepare the include file ('web.inc') providing directives for the NoMachine web player program. Follow the instructions for the appropriate operating system (Linux, Windows or Mac) detailed in the next paragraphs.

2.2. Including Directives for the Web Player (Linux)

Step 1- Create the web.inc file
Copy the content below, included between the ---Begin--- and ---End--- tags, to a file.
Name the file web.inc and place it in the /usr/NX/etc directory:

---Begin---
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

<Directory "/usr/NX/">
    AllowOverride None
    Options None
    Require all denied
</Directory>

<Directory "/usr/NX/share/htdocs">
    Options +Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory "/usr/NX/share/htdocs/nxwebplayer">
    Require all denied

    <FilesMatch "(?i).+\.(js|css|json|png|ico)$">
        Require all granted
    </FilesMatch>
</Directory>

<Directory "/usr/NX/share/htdocs/mod">
    Require all denied

    <Files "libnxwebsocket.so">
        Require all granted
    </Files>
</Directory>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig "/usr/NX/etc/mime.types"

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    # Added support to VP8 media

    AddType video/ogg .ogv
    AddType video/mp4 .mp4
    AddType video/webm .webm

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
</IfModule>

#
# Note: The following must be present to support starting
# without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
</IfModule>

#
# deflate module settings
#
<IfModule mod_deflate.c>
    # these are known to be safe with MSIE 6
    #AddOutputFilterByType DEFLATE text/html text/plain text/xml

    # everything else may cause problems with MSIE 6
    #AddOutputFilterByType DEFLATE text/css
    #AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript
    #AddOutputFilterByType DEFLATE application/rss+xml

    #AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript application/javascript application/ecmascript application/rss+xml text/x-js

    AddOutputFilterByType DEFLATE image/jpeg image/png text/xml text/css application/x-javascript application/javascript application/ecmascript application/rss+xml text/x-js

    DeflateCompressionLevel 9
    DeflateMemLevel 9
    DeflateWindowSize 15
    DeflateBufferSize 8096

    #Header append Vary User-Agent env=!dont-vary
</IfModule>

#
# expires module settings
#
#<IfModule mod_expires>
# enable expiry headers
ExpiresActive on
# set global expiry times
ExpiresDefault A0
# Set up caching on media files for 1 year (forever?)
<FilesMatch "\.(ico|gif|png|jpg|jpeg)$">
    ExpiresDefault A29030400
    #Header append Cache-Control "public"
</FilesMatch>
#</IfModule>

Header always append X-Frame-Options SAMEORIGIN
Header always set Strict-Transport-Security "max-age=2592000; includeSubDomains"
Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src * 'self' data:"

RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{SERVER_ADDR}:443/nxwebplayer [R,L]

<VirtualHost 0.0.0.0:443>

    ServerAdmin [email protected]

    RewriteEngine On

    RewriteCond %{REQUEST_URI} !^/?nxwebplayer$ [NC]
    RewriteCond %{REQUEST_URI} !^/?(event|eventinit)$
    RewriteCond %{REQUEST_URI} !^/?nxplayer/(js|images|style|languages)/.*$
    RewriteRule ^(.*)$ - [F,L]

    SSLEngine On

    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    #server certificate:
    SSLCertificateFile "/usr/NX/etc/keys/host/ht_host_rsa_key.crt"

    #private server key:
    SSLCertificateKeyFile "/usr/NX/etc/keys/host/ht_host_rsa_key"

    #server certificate chain:
    #SSLCertificateChainFile "/usr/NX/etc/nomachine-CA.crt"

    #Certificate Authority (CA):
    #SSLCACertificateFile "/usr/NX/etc/nomachine-CA.crt"

    SSLCipherSuite ALL:!ADH:!EXPORT56:!3DES:+HIGH:+MEDIUM

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>

Alias /nxplayer/ "/usr/NX/share/htdocs/nxwebplayer/"

ScriptAliasMatch "(?i)^/nxwebplayer" "/usr/NX/bin/nxwebclient"

<Directory "/usr/NX/bin">
    Require all denied

    <Files "nxwebclient">
        Options +ExecCGI
        Require all granted
    </Files>
</Directory>
---End---

TIPS

I If NoMachine is installed in a non-default path, replace '/usr/NX' with the proper path.

II The example above uses the default Apache port 443. Set it to the appropriate port, if different on your system.

Step 2- Include the web.inc file in the Apache configuration.
Identify your Apache main configuration file, usually httpd.conf. In our example for Ubuntu, the main configuration file of Apache 2.4.41 and 2.4.25 is /etc/apache2/apache2.conf. On RHEL-based distributions it's usually /etc/httpd/conf/httpd.conf.

Open the Apache configuration file and look for the "Global configuration" or "Global Environment" section. Place the following include directive before that section:
Include path_to_installation_directory/etc/web.inc

Step 3- Restart your web server. For example, on Ubuntu 19.10 and 17.04:

$ sudo systemctl restart apache2.service

Now proceed to configure NoMachine to use the alternative web server (see the next chapter).

2.3. Including Directives for the Web Player (Windows)

Step 1- Create the web.inc file
Copy the content below, included between the ---Begin--- and ---End--- tags, to a file.
Name the file web.inc and place it in the C:\Program Files (x86)\NoMachine\etc directory:

---Begin---
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

<Directory "C:\Program Files (x86)\NoMachine/">
    AllowOverride None
    Options None
    Require all denied
</Directory>

<Directory "C:\Program Files (x86)\NoMachine/share/htdocs/">
    Options +Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory "C:\Program Files (x86)\NoMachine/share/htdocs/nxwebplayer">
    Require all denied

    <FilesMatch "(?i).+\.(js|css|json|png)$">
        Require all granted
    </FilesMatch>
</Directory>

<Directory "C:\Program Files (x86)\NoMachine/share/htdocs/mod">
    Require all denied

    <Files "libnxwebsocket.dll">
        Require all granted
    </Files>
</Directory>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig "C:\Program Files (x86)\NoMachine/etc/mime.types"

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    # Added support to VP8 media

    AddType video/ogg .ogv
    AddType video/mp4 .mp4
    AddType video/webm .webm

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
</IfModule>

#
# Note: The following must be present to support starting
# without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
</IfModule>

#
# deflate module settings
#
<IfModule mod_deflate.c>
    # these are known to be safe with MSIE 6
    #AddOutputFilterByType DEFLATE text/html text/plain text/xml

    # everything else may cause problems with MSIE 6
    #AddOutputFilterByType DEFLATE text/css
    #AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript
    #AddOutputFilterByType DEFLATE application/rss+xml

    #AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript application/javascript application/ecmascript application/rss+xml text/x-js

    AddOutputFilterByType DEFLATE image/jpeg image/png text/xml text/css application/x-javascript application/javascript application/ecmascript application/rss+xml text/x-js

    DeflateCompressionLevel 9
    DeflateMemLevel 9
    DeflateWindowSize 15
    DeflateBufferSize 8096

    #Header append Vary User-Agent env=!dont-vary
</IfModule>

#
# expires module settings
#
#<IfModule mod_expires>
# enable expiry headers
ExpiresActive on
# set global expiry times
ExpiresDefault A0
# Set up caching on media files for 1 year (forever?)
<FilesMatch "\.(ico|gif|png|jpg|jpeg)$">
    ExpiresDefault A29030400
    #Header append Cache-Control "public"
</FilesMatch>
#</IfModule>

Header always append X-Frame-Options SAMEORIGIN
Header always set Strict-Transport-Security "max-age=2592000; includeSubDomains"
Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src * 'self' data:"

RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{SERVER_ADDR}:443/nxwebplayer [R,L]

<VirtualHost 0.0.0.0:443>

    ServerAdmin [email protected]

    RewriteEngine On

    RewriteCond %{REQUEST_URI} !^/?nxwebplayer$ [NC]
    RewriteCond %{REQUEST_URI} !^/?(event|eventinit)$
    RewriteCond %{REQUEST_URI} !^/?nxplayer/(js|images|style|languages)/.*$
    RewriteRule ^(.*)$ - [F,L]

    SSLEngine On

    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    #server certificate:
    SSLCertificateFile "C:\Program Files (x86)\NoMachine/etc/keys/host/ht_host_rsa_key.crt"

    #private server key:
    SSLCertificateKeyFile "C:\Program Files (x86)\NoMachine/etc/keys/host/ht_host_rsa_key"

    #server certificate chain:
    #SSLCertificateChainFile "C:\Program Files (x86)\NoMachine/etc/nomachine-CA.crt"

    #Certificate Authority (CA):
    #SSLCACertificateFile "C:\Program Files (x86)\NoMachine/etc/nomachine-CA.crt"

    SSLCipherSuite ALL:!ADH:!EXPORT56:!3DES:+HIGH:+MEDIUM

    PassEnv ALLUSERSPROFILE USERPROFILE
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>

Alias /nxplayer/ "C:\Program Files (x86)\NoMachine/share/htdocs/nxwebplayer/"

ScriptAliasMatch "(?i)^/nxwebplayer" "C:\Program Files (x86)\NoMachine/bin/nxwebclient.exe"

<Directory "C:\Program Files (x86)\NoMachine/bin">
    Require all denied

    <Files "nxwebclient.exe">
        Options +ExecCGI
        Require all granted
    </Files>
</Directory>
---End---

TIPS

I If NoMachine is installed in a non-default path, replace 'C:\Program Files (x86)\' with the proper path.

II The example above uses the default Apache port 443. Set it to the appropriate port, if different on your system.

Step 2- Include the web.inc file in the Apache configuration.
Identify your Apache main configuration file, usually httpd.conf, e.g. path_to_apache_installation_directory/Apache24/conf/httpd.conf for Apache 2.4 on Windows 10.

Open the Apache configuration file and place the following include directive at the end of the file:
Include path_to_nomachine_installation_directory/etc/web.inc

Step 3- Restart your web server. You can do that from the Windows system tray or manually from a CMD console executed as administrator, for example:

> cd path_to_apache_installation_directory\bin
> httpd -k restart

Now proceed to configure NoMachine to use the alternative web server (see the next chapter).

2.4. Including Directives for the Web Player (macOS)

Step 1- Create the web.inc file
Copy the content below, included between the ---Begin--- and ---End--- tags, to a file.
Name the file web.inc and place it in the /Applications/NoMachine.app/Contents/Frameworks/etc/ directory:

---Begin---
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

<Directory "/Applications/NoMachine.app/Contents/Frameworks/">
    AllowOverride None
    Options None
    Require all denied
</Directory>

<Directory "/Applications/NoMachine.app/Contents/Frameworks/share/htdocs">
    Options +Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory "/Applications/NoMachine.app/Contents/Frameworks/share/htdocs/nxwebplayer">
    Require all denied

    <FilesMatch "(?i).+\.(js|css|json|png|ico)$">
        Require all granted
    </FilesMatch>
</Directory>

<Directory "/Applications/NoMachine.app/Contents/Frameworks/share/htdocs/mod">
    Require all denied

    <Files "libnxwebsocket.dylib">
        Require all granted
    </Files>
</Directory>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig "/Applications/NoMachine.app/Contents/Frameworks/etc/mime.types"

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    # Added support to VP8 media

    AddType video/ogg .ogv
    AddType video/mp4 .mp4
    AddType video/webm .webm

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
</IfModule>

#
# Note: The following must be present to support starting
# without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
</IfModule>

#
# deflate module settings
#
<IfModule mod_deflate.c>
    # these are known to be safe with MSIE 6
    #AddOutputFilterByType DEFLATE text/html text/plain text/xml

    # everything else may cause problems with MSIE 6
    #AddOutputFilterByType DEFLATE text/css
    #AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript
    #AddOutputFilterByType DEFLATE application/rss+xml

    #AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript application/javascript application/ecmascript application/rss+xml text/x-js

    AddOutputFilterByType DEFLATE image/jpeg image/png text/xml text/css application/x-javascript application/javascript application/ecmascript application/rss+xml text/x-js

    DeflateCompressionLevel 9
    DeflateMemLevel 9
    DeflateWindowSize 15
    DeflateBufferSize 8096

    #Header append Vary User-Agent env=!dont-vary
</IfModule>

#
# expires module settings
#
#<IfModule mod_expires>
# enable expiry headers
ExpiresActive on
# set global expiry times
ExpiresDefault A0
# Set up caching on media files for 1 year (forever?)
<FilesMatch "\.(ico|gif|png|jpg|jpeg)$">
    ExpiresDefault A29030400
    #Header append Cache-Control "public"
</FilesMatch>
#</IfModule>

Header always append X-Frame-Options SAMEORIGIN
Header always set Strict-Transport-Security "max-age=2592000; includeSubDomains"
Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src * 'self' data:"

RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{SERVER_ADDR}:443/nxwebplayer [R,L]

<VirtualHost 0.0.0.0:443>

    ServerAdmin [email protected]

    RewriteEngine On

    RewriteCond %{REQUEST_URI} !^/?nxwebplayer$ [NC]
    RewriteCond %{REQUEST_URI} !^/?(event|eventinit)$
    RewriteCond %{REQUEST_URI} !^/?nxplayer/(js|images|style|languages)/.*$
    RewriteRule ^(.*)$ - [F,L]

    SSLEngine On

    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    #server certificate:
    SSLCertificateFile "/Applications/NoMachine.app/Contents/Frameworks/etc/keys/host/ht_host_rsa_key.crt"

    #private server key:
    SSLCertificateKeyFile "/Applications/NoMachine.app/Contents/Frameworks/etc/keys/host/ht_host_rsa_key"

    #server certificate chain:
    #SSLCertificateChainFile "/Applications/NoMachine.app/Contents/Frameworks/etc/nomachine-CA.crt"

    #Certificate Authority (CA):
    #SSLCACertificateFile "/Applications/NoMachine.app/Contents/Frameworks/etc/nomachine-CA.crt"

    SSLCipherSuite ALL:!ADH:!EXPORT56:!3DES:+HIGH:+MEDIUM

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>

Alias /nxplayer/ "/Applications/NoMachine.app/Contents/Frameworks/share/htdocs/nxwebplayer/"

ScriptAliasMatch "(?i)^/nxwebplayer" "/Applications/NoMachine.app/Contents/Frameworks/bin/nxwebclient"

<Directory "/Applications/NoMachine.app/Contents/Frameworks/bin">
    Require all denied

    <Files "nxwebclient">
        Options +ExecCGI
        Require all granted
    </Files>
</Directory>
---End---

TIP

I The example above uses the default Apache port 443. Set it to the appropriate port, if different on your system.

Step 2- Include the web.inc file in the Apache configuration.
Identify your Apache main configuration file, usually httpd.conf. For example: /etc/apache2/httpd.conf.

Open the Apache configuration file and place the following include directive at the end of the file:
Include path_to_nomachine_installation_directory/etc/web.inc

Step 3- Restart your web server. For example:

$ sudo apachectl -k restart

Now proceed to configure NoMachine to use the alternative web server (see the next chapter).

3. Configuring NoMachine to Use your Web Server

Step 1- Set the Apache user and group in the NoMachine configuration.
Edit the NoMachine server configuration file:
/usr/NX/etc/server.cfg on Linux
C:\Program files (x86)\NoMachine\etc\server.cfg on Windows
/Applications/NoMachine.app/Contents/Frameworks/etc/server.cfg on Mac
and update the following keys to fit your web server:
ApacheUname nxhtd
ApacheGname nxhtd

For example, if your web server is running as user www-data and group www-data, set:
ApacheUname www-data
ApacheGname www-data

Step 2- Update the web player configuration
Run the update procedure to update the web player according to the new configuration settings. On Linux and macOS:

$ sudo /etc/NX/nxwebplayer --update

On Windows:

> cd C:\Program files (x86)\NoMachine\bin
> nxwebplayer --update


This will change ownership and group of the web player files according to the new value set in the ApacheUname and ApacheGname keys.

Step 3- Stop the NoMachine HTTP server
Stop nxhtd by using the nxserver tools. On Linux and macOS:

$ sudo /etc/NX/nxserver --stop nxhtd

On Windows:

> cd C:\Program files (x86)\NoMachine\bin
> nxserver --stop nxhtd

Step 4- Disable the starting of the NoMachine HTTP server
Edit server.cfg and remove HTTP from the ClientConnectionMethods key. It should look like:
ClientConnectionMethods NX,SSH

Then restart the NoMachine server to make this change effective. On Linux and macOS:

$ sudo /etc/NX/nxserver --restart

On Windows:

> cd C:\Program files (x86)\NoMachine\bin
> nxserver --restart

You are now ready to serve NoMachine sessions through your own web server.

Point the browser to:
https://IP:PORT/nxwebplayer
to reach the web player application.

TIP

If the Apache configuration includes this directive:
<VirtualHost *:80>
when users connect to https://IP:PORT or https://IP they will see the Apache index listing all web applications available. To forbid the directory listing, remove the <VirtualHost *:80> directive from the Apache configuration.
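The web.inc files in sections 2.2, 2.3 and 2.4 share the same three RewriteCond lines inside the port 443 virtual host, which act as an allow-list: every other path is answered with 403. The following added example (not part of the NoMachine guide) models that allow-list so it can be regression-tested after editing web.inc, and optionally compared with a running server. The file names in the sample table are constructed, and `check_live` with its base URL argument is a hypothetical helper.

```shell
#!/bin/sh
# Model of the allow-list in <VirtualHost 0.0.0.0:443> of web.inc:
# "RewriteRule ^(.*)$ - [F,L]" answers 403 when the request path matches
# none of the three RewriteCond patterns. Matching is done on the path as
# Apache sees it after decoding; this model does no decoding of its own.

# Print "allow" or "forbid" for a request target (path plus optional query).
vhost_decision() {
    # %{REQUEST_URI} holds the path only, so drop the query string first.
    path=${1%%\?*}
    # !^/?nxwebplayer$ [NC]   (the only case-insensitive condition)
    if printf '%s\n' "$path" | grep -Eqi '^/?nxwebplayer$'; then
        echo allow
    # !^/?(event|eventinit)$
    elif printf '%s\n' "$path" | grep -Eq '^/?(event|eventinit)$'; then
        echo allow
    # !^/?nxplayer/(js|images|style|languages)/.*$
    elif printf '%s\n' "$path" |
         grep -Eq '^/?nxplayer/(js|images|style|languages)/.*$'; then
        echo allow
    else
        echo forbid
    fi
}

# Constructed table of "expected target" pairs used as a regression set.
sample_targets() {
cat <<'EOF'
allow /nxwebplayer
allow /NXWebPlayer
allow /nxwebplayer?session=new
forbid /nxwebplayer/
allow /event
allow /eventinit
forbid /Event
allow /nxplayer/js/app.js
allow /nxplayer/style/main.css
forbid /nxplayer/mod/libnxwebsocket.so
forbid /nxplayer/js
forbid /server-status
forbid /
EOF
}

# Read "expected target" pairs on stdin, print how many the model disagrees with.
count_mismatches() {
    bad=0
    while read -r expected target; do
        [ "$(vhost_decision "$target")" = "$expected" ] || bad=$((bad + 1))
    done
    echo "$bad"
}

# Compare a running server with the table. $1 is the base URL, for example
# https://IP:PORT. -k skips certificate verification; drop it when the
# server certificate is trusted by this host.
check_live() {
    base=$1
    while read -r expected target; do
        code=$(curl -sk -o /dev/null -w '%{http_code}' "$base$target")
        case "$expected:$code" in
            *:000)      echo "NO RESPONSE $target" ;;
            forbid:403) ;;                          # blocked as intended
            forbid:*)   echo "NOT BLOCKED ($code) $target" ;;
            allow:403)  echo "BLOCKED $target" ;;
        esac
    done
}

echo "model mismatches on sample table: $(sample_targets | count_mismatches)"
```

Against a deployed server, run `sample_targets | check_live https://IP:PORT`; no output means every path in the table behaves as the allow-list predicts.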
