SSL, reverse proxy, virtual hosts

I am struggling to understand how to get SSL working on my local network for additional servers. I have a domain through HostGator with remote SSL connections working for Nethserver and its built-in apps like Nextcloud.

I have several Proxmox VMs like Home Assistant and Jellyfin for which I’m trying to get rid of the “site not secure” warning. Before starting on this quest I was able to ping them such as ping on my local network and it was returning the proper IP address of my Jellyfin server.

My understanding from reading the documentation is that I could use either a reverse proxy or virtual host. I’ve tried both without success trying to set them up using the GUI interface. After testing failed I deleted the reverse proxy and the virtual hosts I created but now when I ping I get the address of my nethserver. These settings survive a reboot and my internal dns is no longer working properly.

I deleted the dns entry for in nethserver and did a “sudo systemd-resolve --flush-caches” on my Ubuntu machine I’m using to test but pinging still returns my nethserver IP.

This is slowly driving me insane.
Should I use a reverse proxy, virtual host, or both?
When I ping what IP should I see?
When it’s working should I enter or in a web browser?
Where does the port for jellyfin go in nethserver?

NethServer Version: 7.9.2009



I deleted all reverse proxy and virtual host settings then rebooted. I then created a new reverse proxy for as the name and as the destination url and now when I ping I get my nethserver IP but when I go to on my local network I get the jellyfin web page.

It is still however not secure.

I’m using letsencrypt for my cert through nethserver and is listed as an alternative name in my cert.

What am I missing?


You need to set the LE cert as default in NS7 Cockpit.
Log out from Cockpit, wait 5 minutes, then try the Jellyfin URL again. It should work without issues.

My 2 cents

Hi @happnatious1

I have a NethServer-7.9.2009 as my main server connected directly to the internet.
It redirects all requests for LAN domains (VM or not) to the appropriate LOCAL server.

  1. On NethServer-7.9.2009, create a DNS host name for pointing to the LOCAL IP.
  2. On NethServer-7.9.2009, install reverse proxy.
  3. Use reverse-proxy to create a virtual host pointing to (do not forget the https).
  4. Create a firewall object for
  5. Create a port forward for the object giving source port and destination port (for you, I think they will be the same).
  6. Open the port on the NethServer-7.9.2009, and on the LOCAL server.
  7. On NethServer-7.9.2009, systemctl restart httpd to clear the cache.

Use TOR browser and give it the URL:

All should work.

If your registrar is too slow, try to transfer, free of charge, your domain to (you just have to change the nameservers at the original registrar to the ones used by Cloudflare) and configure the workstation NIC to use as DNS name server.
Whenever you change a DNS record, you won’t have to wait for the DNS propagation.

Good luck,


ssl cert is default in nethserver and it works. If I go to I get a secure connection. If I go to I get a security warning.

Do I need the same cert on my jellyfin server?

“Require SSL encrypted connection” makes no difference. Putting http: or https: in the destination url makes no difference.

I have “Accept invalid SSL certificate from target” checked. To me this would mean that the connection between my browser and nethserver is encrypted but the forward between my nethserver and jellyfin server is not, which is fine, they are both on my local network.

Not sure what “Forward HTTP Host header to target” does.

Enable websocket is checked.

Hi @happnatious1

From memory, it will forward the header in raw form (exactly as it received it) to the destination without modifying it.

Also, again from memory, there is a way to do that in the Apache config file for the virtualhost definition…

Search this forum for it, I wrote about that with Marcus a long time ago…


I’ve tried every combination of settings there is in Nethserver reverse proxy and they all end up with cert errors on any server that is not Nethserver itself.

Is there a way to use Nethserver’s letsencrypt cert on other servers without copying it?

Hi @happnatious1

Since it is NethServer establishing the encrypted communication, it uses its certificate since the reverse proxy tells any request to to use the default cert.

Request a Let’s Encrypt certificate from NethServer’s Cockpit for
then tell on the reverse proxy to use this new certificate.
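
Added example (not part of the thread and not NethServer's own tooling): one way to check whether the certificate a proxy presents for a requested name actually lists that name, using openssl. The hostnames are constructed placeholders, and `served_cert`, `cert_covers` and `make_test_cert` are helper names invented here.

```bash
#!/usr/bin/env bash
# Added example. All hostnames below are constructed placeholders.

# served_cert HOST PORT SNI_NAME -> PEM of the certificate the server presents
# when the client asks for SNI_NAME (needs network access to HOST), e.g.
#   served_cert <proxy-ip> 443 <proxied-name> > served.pem
served_cert() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
    openssl x509 -outform PEM
}

# cert_covers CERT.pem HOSTNAME -> exit 0 only if the certificate is valid
# for HOSTNAME (SAN entries, wildcards included), as a browser would check.
cert_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" |
    grep -q 'does match certificate'
}

# make_test_cert PREFIX CN SAN_LIST -> throwaway self-signed PREFIX.pem/.key,
# used only to exercise cert_covers offline.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" \
    -addext "subjectAltName=$3" >/dev/null 2>&1
}

# Offline demo: a "default" certificate that lacks the proxied name,
# and a second certificate that lists it as an alternative name.
demo() {
  local d c
  d=$(mktemp -d)
  make_test_cert "$d/default" nethserver.example.test "DNS:nethserver.example.test"
  make_test_cert "$d/multi" nethserver.example.test \
    "DNS:nethserver.example.test,DNS:jellyfin.example.test"
  for c in default multi; do
    if cert_covers "$d/$c.pem" jellyfin.example.test; then
      echo "$c: covers jellyfin.example.test"
    else
      echo "$c: does NOT cover jellyfin.example.test (browser warning)"
    fi
  done
  rm -rf "$d"
}
demo
```

Running `served_cert` against the proxy with the proxied name as SNI and passing the result to `cert_covers` shows which certificate is actually being served for that name.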


Unfortunately, this is what I have already done and it still doesn’t work.
I should be using a dns-01 challenge anyway which apparently Nethserver can’t do so I’ve started looking for other solutions.

Hi @happnatious1

This should work, you have a typo somewhere.


Hi @happnatious1

[… I deleted the reverse proxy and the virtual hosts I created but now when I ping I get the address of my nethserver. …]

I think you should check if it is present, and remove it, under system->dashboard → hostname/alias,
because when you set up a new LE cert for, nethserver automatically creates a new alias with that FQDN. (hope it’s true, I’m relying on my memory)

Check my post about a similar argument here: How I expose services both to Internet and to LAN - SSL enabled

Hope it’ll be useful to you.