For other noobs like me… to avoid this kind of unexpected access you need to go at SERVICE section and remove RED zone from the service that you would not expose.
In this case httpd (and httpd-admin) is the related service of webserver that show this page at port 80 or 443.
Not all service are blocked from outside connection in a clean installation (as per my expectation)… please review SERVICE and in case remove all RED zone to avoid public/external access for specific port/service.
I am pretty sure that whit little adjustment on nethserver docs this system can be used whit success also from user whit low networks knowledge.
I thinks that for small company and nethserver can be great businesses case.
Correct, though it could be configured in such a way that it only responds to queries under /.well-known/acme-challenge. Or you could use DNS validation, which is now semi-implemented, and doesn’t require any ports to be open. But I suspect what’s going on is just an assumption that if you want a web server, you probably want it to be public, so that’s the default–and it can be easily changed if desired.