Note
This chapter describes the features of the Web server application, available in the new Server Manager.
Once the system has been installed, the Web server application is already available. It configures and starts the Apache HTTP web server.
The Web server application provides the following features:
- Apache HTTP web server
- Integration with system certificates for HTTPS
- Hosting of multiple web sites
- HTTP reverse proxy
- PHP scripting language to run web applications
- FTP server
The following sections describe the pages of the Web server application. Some of them require additional software components that are automatically downloaded, installed and configured when they are required for the first time.
The Web server dashboard page shows the current web server status and statistics. It also lists the additional components installed on the system.
The default Apache configuration serves the contents of /var/www/html and is capable of executing PHP scripts by running them on the Default web stack.
The Settings page allows changing the PHP configuration parameters for resource allocation (e.g. script maximum memory and execution time).
Changes affect the global PHP configuration: as such they are valid for both web applications and command line scripts, unless they are overridden by some means.
PHP settings can also be adjusted for a specific web site from the Virtual hosts page (see also the PHP version selection described below), or overridden with a custom configuration file. To this end:
- for PHP 7.2, look at the current PHP-FPM settings in /etc/opt/rh/rh-php72/php-fpm.d/000-virtualhost.conf;
- create a file under the same directory (e.g. /etc/opt/rh/rh-php72/php-fpm.d/001-custom.conf) and refer to the official PHP-FPM documentation to adjust the pool directives;
- add the created file to your configuration backup (see the configuration backup section).
Multiple web sites can be hosted on the same server. The web site hosting space can be configured from the Virtual hosts page.
When a new virtual host is created with one or more server names, the new Server Manager automatically creates a server alias name in the local DNS service for each of them.
Note
A server alias name is accessible from web clients if they use the server itself as their DNS server. For public web sites, refer to your DNS provider documentation and ensure the server alias name is correctly set in the public DNS.
Server alias names are listed and can be changed from the new Server Manager dashboard (see the System section).
It is possible to limit how web clients access the web site with the following options, available under the Advanced settings section.
- Enable the option Allow access from trusted networks only. Refer to the trusted networks section for more information.
- Enable the switch Require HTTP authentication to grant access only if the specified password is provided by the client. Web applications usually provide an authentication method by themselves: this option could be useful to protect the contents of static web sites.
- If the web site must always be accessed through an encrypted channel, enable the Require SSL encrypted connection option. Any resource request received over the HTTP protocol is redirected over HTTPS.
Each virtual host can be assigned a reserved SSL/TLS certificate or rely on the default system one. In any case, the virtual host names must be present among the certificate alternative names, otherwise web clients may refuse to connect.
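Whether a certificate actually covers every virtual host name can be verified before clients start refusing the connection. The following is an added example, not part of the Web server application: a POSIX shell function that reads the subjectAltName DNS entries of a PEM certificate with the openssl command line tool and reports each name that is not covered (a single-label wildcard such as *.example.org is accepted for direct subdomains only). The self-signed sample certificate it generates and the host names it checks are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Web server application: check that every
# virtual host name is covered by the subjectAltName DNS entries of a PEM
# certificate, using the openssl command line tool. The sample certificate
# and the host names below are constructed for the demonstration.

# cert_covers_names CERT.pem NAME...
# Prints one line per name and returns 1 if any name is not covered. A
# single-label wildcard (*.example.org) covers www.example.org but neither
# example.org itself nor a.b.example.org.
cert_covers_names() {
    cert="$1"; shift
    # One DNS entry per line, whitespace removed ("openssl x509 -ext" needs
    # OpenSSL 1.1.1 or later).
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
           | tr ',' '\n' | tr -d ' \t' | sed -n 's/^DNS://p')
    missing=0
    for host in "$@"; do
        ok=0
        # read line by line so that a "*." entry is never glob-expanded
        while IFS= read -r san; do
            if [ "$san" = "$host" ]; then
                ok=1
            elif [ "${san#\*.}" != "$san" ] && [ "${host#*.}" != "$host" ] \
                 && [ "${host#*.}" = "${san#\*.}" ]; then
                ok=1
            fi
        done <<EOF
$sans
EOF
        if [ "$ok" = 1 ]; then
            echo "ok:      $host"
        else
            echo "MISSING: $host is not a subjectAltName of $cert"
            missing=1
        fi
    done
    return "$missing"
}

# make_sample_cert
# Self-signed certificate with two constructed SANs, written to a temporary
# directory; prints the certificate path.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample" \
        -addext "subjectAltName=DNS:www.example.org,DNS:*.apps.example.org" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Stand-alone run against the constructed certificate. For the certificate a
# live server presents, dump it first, for example:
#   openssl s_client -connect fw.myfirstdomain.org:443 -servername www.example.org \
#       </dev/null 2>/dev/null | openssl x509 > served.pem
sample=$(make_sample_cert)
cert_covers_names "$sample" www.example.org shop.apps.example.org mail.example.org
rm -rf "$(dirname "$sample")"
```

The function only looks at the subjectAltName extension, because modern browsers ignore the certificate Common Name; a certificate whose CN matches the virtual host but whose SAN list does not will still be rejected.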
When a new virtual host is created a web root directory is created as well. The full web root path is displayed under Virtual hosts > List > Web root path.
If the switch Enable FTP access is enabled, it is possible to upload data, configuration and script files to the web root path using an FTP client.
Hint
The HTTP authentication password should be different from the FTP one, because FTP is used to upload the virtual host contents whilst HTTP is used to view them from the web.
The web site displays a "Welcome" page until a file named index.html or index.php is uploaded under the web root directory. If this is not desired, it is possible to enable the option Root directory file listings, as an alternative to the "Welcome" page.
FTP uploaded files are owned by the apache group with read-only permissions. If write or execution permissions are needed, an FTP client can be used to grant them.
Warning
If a web site contains executable code, such as PHP scripts, the security implications of file permissions must be evaluated carefully. Grant write access to a limited set of special files and directories, as required by the web application documentation.
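The permission review asked for above can be scripted. The following is an added example, not part of this documentation or of the Web server application: a POSIX shell function that lists the PHP files and the directories under a web root that are writable by the group or by everyone, i.e. the items whose write access should be justified by the web application documentation. The sample tree it builds is constructed for the demonstration; on a real system pass the path shown under Virtual hosts > List > Web root path.

```shell
#!/bin/sh
# Added example, not part of the Web server application: report executable
# content (PHP scripts) and directories under a web root that are writable by
# the group (apache) or by everyone. Uploaded files are read-only by default,
# so anything listed here has been granted write access deliberately and should
# match what the web application documentation asks for.

# audit_webroot WEBROOT
# Prints one line per finding. The -perm tests are POSIX: "-perm -g+w" matches
# when the group write bit is set, "-perm -o+w" when the world write bit is set.
audit_webroot() {
    root="$1"
    find "$root" -type f -name '*.php' \( -perm -g+w -o -perm -o+w \) \
        -exec printf 'writable script: %s\n' {} \;
    find "$root" -type d \( -perm -g+w -o -perm -o+w \) \
        -exec printf 'writable directory: %s\n' {} \;
}

# audit_webroot_count WEBROOT
# Number of findings, so a cron job can alert when the count is not zero.
audit_webroot_count() {
    audit_webroot "$1" | wc -l | tr -d ' '
}

# make_sample_webroot
# Constructed sample tree (an assumption, not a real virtual host) so the
# functions can be exercised without touching /var/www/html.
make_sample_webroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/app" "$dir/uploads"
    printf '<?php phpinfo();\n' > "$dir/app/index.php"
    printf '<?php echo 1;\n' > "$dir/app/config.php"
    chmod 755 "$dir" "$dir/app"
    chmod 644 "$dir/app/index.php"   # read-only, as left by an FTP upload
    chmod 664 "$dir/app/config.php"  # group-writable: reported
    chmod 775 "$dir/uploads"         # group-writable directory: reported
    echo "$dir"
}

# Stand-alone run: audit the constructed tree, then remove it.
# On a live system call e.g. "audit_webroot /var/www/html" instead.
sample=$(make_sample_webroot)
audit_webroot "$sample"
rm -rf "$sample"
```

A writable directory is reported as well as writable scripts, because a directory the web server can write to lets a compromised application drop new scripts next to the legitimate ones.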
The Apache configuration can be overridden by uploading a file named .htaccess. Refer to the official Apache documentation for more information about this feature [1].
If the PHP version provided by the Default web stack does not fit a web application, it is possible to select and install an alternative one and override the global PHP default settings, as explained above for the Settings page.
The Disable action hides the virtual host, making it inaccessible from web clients. This operation is reversible by selecting the Enable action.
The Delete action removes the virtual host configuration and erases the web root directory. This operation is not reversible.
As an alternative to a virtual host, which stores static files or a PHP web application under a local web root directory, it is possible to forward web requests to another HTTP server and serve responses on its behalf. This behavior can be configured from the Reverse proxy page.
Each reverse proxy item is actually a rule that can match an incoming web request. Depending on the rule Name field value, the match can occur in either:
- the requested web site name, if Name starts with any character but the slash (/), or
- the requested resource path, if Name starts with a slash (/) character.
If the rule matches, the request is forwarded to another web server, defined by the Destination URL field.
Scenario for a named proxy pass:
- the server is the firewall of your LAN, with public name http://fw.myfirstdomain.org
- you have a domain http://mydomain.com pointing to the public IP of the server
- you would like http://mydomain.com to forward to the internal server (internal IP: 192.168.2.100)
In this scenario, create a new record by clicking the Create a reverse proxy button. Fill the Name field with mydomain.com and the Destination URL with http://192.168.2.100.
Scenario for a path-based proxy pass:
- the server is the firewall of your LAN
- you have a domain http://mydomain.com
- you would like http://mydomain.com/mysite to forward to the internal server (internal IP: 192.168.2.100)
In this scenario, create a new record by clicking the Create a reverse proxy button. Fill the Name field with /mysite and the Destination URL with http://192.168.2.100.
If only encrypted connections are allowed, enable Require SSL encrypted connection.
Only clients from certain networks can be allowed to connect, by specifying a comma-separated list of CIDR networks under the Access from CIDR networks field.
Options available only for named proxy pass:
- Enable or disable forwarding of the Host header
- Enable or disable WebSocket forwarding
- Accept invalid target SSL certificate: use this option only if the target has a self-signed certificate
When the reverse proxy rule matches a web site name it is possible to assign it a dedicated certificate, choosing one from the SSL/TLS certificate list.
It is not possible to select the certificate if the rule matches a resource path. In this case only the default certificate can be used.
Regardless of the rule type, the following settings are also available:
- Access from CIDR networks: restricts the access to the given list of CIDR networks. Only web clients connecting from those networks are allowed to open the web site.
- Require SSL encrypted connection: if enabled, any http:// request is redirected to https://.
- Accept invalid SSL certificate from target: if the destination URL starts with https:// and an invalid certificate is returned, enabling this option ignores the certificate validation error.
- Forward HTTP "Host" header to target: if enabled, an HTTP Host header containing the original request host name is forwarded to the destination URL. This could be required by the destination server application to work properly.
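To make the two rule types and the shared options concrete, the following is an added example, not the Web server application's own configuration template: a POSIX shell function that renders the fields of one Reverse proxy rule as Apache 2.4 directives with the same meaning. The directive names are real Apache ones; how the application lays out its own files is not shown. Two simplifications are assumptions of this example: a named rule is rendered only on port 80 (its *:443 counterpart carrying the selected certificate is left out), and a path-based rule keeps the matched path when forwarding to the destination.

```shell
#!/bin/sh
# Added example, not the Web server application's own configuration template:
# render one Reverse proxy rule as the Apache 2.4 directives with the same
# meaning. Assumptions: named rules are shown on port 80 only, and path-based
# rules keep the matched path when forwarding.

# ssl_redirect INDENT: "Require SSL encrypted connection" (http:// -> https://)
ssl_redirect() {
    echo "$1RewriteEngine On"
    echo "$1RewriteCond %{HTTPS} off"
    echo "$1RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]"
}

# proxy_tls INDENT DEST ACCEPT_INVALID: enable TLS towards an https:// target
# and, only when asked, "Accept invalid SSL certificate from target".
proxy_tls() {
    case "$2" in
    https://*)
        echo "$1SSLProxyEngine On"
        if [ "$3" = yes ]; then
            echo "$1SSLProxyVerify none"
            echo "$1SSLProxyCheckPeerName off"
        fi
        ;;
    esac
}

# render_proxy_rule NAME DEST CIDRS REQUIRE_SSL FORWARD_HOST ACCEPT_INVALID
#   NAME   rule Name field ("/..." selects a path-based rule)
#   DEST   Destination URL
#   CIDRS  comma-separated "Access from CIDR networks" list, "" for no limit
#   the remaining three are yes/no switches
render_proxy_rule() {
    name="$1"; dest="${2%/}"; cidrs="$3"; ssl="$4"; keephost="$5"; badcert="$6"

    # Access from CIDR networks: an empty list means every client is allowed.
    if [ -n "$cidrs" ]; then
        require="Require ip $(echo "$cidrs" | tr ',' ' ')"
    else
        require="Require all granted"
    fi

    case "$name" in
    /*)
        # Path-based rule: a <Location> inside the default host, hence the
        # default certificate. SSLProxyEngine is server-level, so it is
        # emitted before the block.
        proxy_tls "" "$dest" "$badcert"
        echo "<Location \"$name\">"
        echo "    $require"
        if [ "$ssl" = yes ]; then ssl_redirect "    "; fi
        echo "    ProxyPass \"$dest$name\""
        echo "    ProxyPassReverse \"$dest$name\""
        echo "</Location>"
        ;;
    *)
        # Named rule: its own virtual host, selected by the request host name.
        echo "<VirtualHost *:80>"
        echo "    ServerName $name"
        echo "    <Location \"/\">"
        echo "        $require"
        echo "    </Location>"
        if [ "$ssl" = yes ]; then ssl_redirect "    "; fi
        # "Forward HTTP Host header to target"
        if [ "$keephost" = yes ]; then echo "    ProxyPreserveHost On"; fi
        proxy_tls "    " "$dest" "$badcert"
        echo "    ProxyPass \"/\" \"$dest/\""
        echo "    ProxyPassReverse \"/\" \"$dest/\""
        echo "</VirtualHost>"
        ;;
    esac
}

# Stand-alone run: the two scenarios from this page.
render_proxy_rule mydomain.com http://192.168.2.100 "" no yes no
echo
render_proxy_rule /mysite http://192.168.2.100 "192.168.2.0/24" yes no no
```

Note how SSLProxyVerify none is only emitted when the accept-invalid switch is set and the destination is https://: relaxing peer verification is what makes that option risky, so it must stay confined to the one rule that needs it.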
Warning
The FTP protocol is insecure. Passwords and file data are sent in clear text over the network.
The File Transfer Protocol is a standard network protocol used for the transfer of computer files between a client and a server [2]. The FTP page enables the FTP service and configures additional user accounts limited to the FTP service only.
Users of the FTP service can be restricted to their own home directory by enabling Chroot user on home directory. When this option is enabled the user cannot see the other system directories. This configuration is also known as jailing.
When a virtual host is created, a random FTP user name is assigned to it. It is possible to upload the virtual host file contents with FTP. Refer to the Virtual hosts section above for more information.
Warning
This configuration is highly discouraged. Also note that when enabled, the integration with the web server will break.
After enabling system users, all virtual users will be disabled. All configuration must be done using the command line.
Enable system users:
config setprop vsftpd UserType system
signal-event nethserver-vsftpd-save
Given a user name goofy, first make sure the user has Remote shell access. Then, enable the FTP access:
db accounts setprop goofy FTPAccess enabled
signal-event user-modify goofy
signal-event nethserver-vsftpd-save
To disable an already enabled user:
db accounts setprop goofy FTPAccess disabled
signal-event nethserver-vsftpd-save
If not explicitly disabled, all system users are chrooted. To disable the chroot for a system user:
db accounts setprop goofy FTPChroot disabled
signal-event nethserver-vsftpd-save
References
[1] Apache documentation for .htaccess files: https://httpd.apache.org/docs/2.4/howto/htaccess.html
[2] File Transfer Protocol: https://en.wikipedia.org/wiki/File_Transfer_Protocol