This menu contains settings for FreshTomato's internal web server (Nginx) and optional support for PHP. Note that FreshTomato also has a built-in (httpd) web server used only for router administration. This additional minimal web server is based on a more modern version of Nginx.
NGINX is currently running: This displays the service status. Clicking [Stop Now] immediately stops the service.
NGINX is currently stopped: This displays the service status. Clicking [Start Now] immediately starts the service.
Enable Server on Start: Enabling this causes the nginx service to start at each boot.
Enable PHP support: Enabling this will cause any PHP pages served by the webserver to be interpreted.
Run As: The option chosen here specifies under which system account the nginx daemon will run.
Keep Config files: TBD
Web Server Port: This specifies on which LAN port Web content will be served. Traditionally, the default HTTP port is 80. However, a conflict might occur if the httpd web server were configured to use the same port (See: Admin Access). Thus, it was decided port 85 would be the default for Nginx.
Upload file size limit: This enforces a hard-coded limit for the maximum amount of data to be uploaded in a single session.
Allow Remote Access: This chooses whether Nginx content will be visible from the WAN. If enabled, content is served on the same port as the LAN's “Web Server Port”.
Web Server Name: Here, enter the web server's name. (Default: Tomato).
Document Root Path: Here, specify the filesystem location of the root folder where content/pages are located.
Server Priority: This sets the “nice” value for the nginx process. This value assigns the web server process a CPU priority, relative to other processes. Valid settings are between -20 (highest priority) and 19 (lowest priority).
Enable h5ai support: h5ai is a modern file indexer for HTTP web servers with a focus on your file lists. Its PHP code displays plain file/folder lists in a more nicely formatted, easy-to-read way.
In order to benefit from h5ai, you must:
These fields let you add custom settings to tweak default behaviour. For more details, please consult the official Nginx documentation.
Use user config file: Here, choose whether a custom configuration file will be used. This will override some web interface settings.
User config file path: Here, specify a custom path for the nginx configuration file. The settings in this file will be active only if Use user config file is enabled. When Use user config file is disabled, the path remains in the field, but is inactive.
Example configuration of the HTTP section for an SSL server:
server {
    listen 444 ssl;
    server_name FreshTomato SSL;
    access_log /var/log/nginx/access.log main;
    http2 on;
    ssl_certificate /etc/cert.pem;
    ssl_certificate_key /etc/key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    ssl_dhparam /opt/etc/nginx/dhparam;
    # intermediate configuration
    ssl_protocols TLSv1.2;
    # ECDSA-only cipher suites: the certificate and key above must be ECDSA
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA;
    ssl_prefer_server_ciphers off;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    location / {
        root /opt/share/www;
        index index.html index.htm index.php;
        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location /50x.html {
            root /opt/share/www;
        }
        location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
            # return 404 when the requested script does not exist
            try_files $script_name =404;
            include /etc/nginx/fastcgi.conf;
            fastcgi_param PATH_INFO $path_info;
            fastcgi_pass unix:/var/run/php-fpm.sock;
        }
        location ~ ^/(images|javascript|js|css|flash|media|static)/ {
            root /opt/share/www;
            expires 10d;
        }
    }
    autoindex on;
    autoindex_exact_size off;
    autoindex_localtime on;
    charset utf-8;
}
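
A check worth running over a user config file such as the one above before turning on Allow Remote Access. This is an added example, not part of FreshTomato or the original page: the `directives` and `audit` helpers and the sample input are constructed for illustration, and the parser assumes one directive per line.

```python
import re

# Constructed sample input: a trimmed copy of the example server block, with a
# plaintext listener and TLSv1 added so that every check has something to report.
SAMPLE_CONF = """\
server {
    listen 85;
    listen 444 ssl;
    ssl_protocols TLSv1 TLSv1.2;   # TLSv1 added for the demo
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
    location / {
        root /opt/share/www;
    }
    autoindex on;
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def directives(conf):
    """Yield (name, [args]) for each 'name args;' line, skipping comments and block headers."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.fullmatch(r"(\w+)\s+([^{};]+);", line)
        if match:
            yield match.group(1), match.group(2).split()


def audit(conf):
    """Return (directive, finding) pairs to review before the server is reachable from the WAN."""
    findings = []
    for name, args in directives(conf):
        if name == "listen" and "ssl" not in args:
            findings.append((name, f"port {args[0]} serves plaintext HTTP"))
        elif name == "ssl_protocols":
            legacy = sorted(LEGACY_PROTOCOLS.intersection(args))
            if legacy:
                findings.append((name, "legacy protocols enabled: " + " ".join(legacy)))
        elif name == "ssl_ciphers":
            if all(s.startswith("ECDHE-ECDSA-") for s in args[0].split(":")):
                findings.append((name, "ECDSA-only suites: certificate key must be ECDSA"))
        elif name == "autoindex" and args == ["on"]:
            findings.append((name, "listings are generated for folders without an index file"))
    return findings


if __name__ == "__main__":
    for directive, finding in audit(SAMPLE_CONF):
        print(f"{directive}: {finding}")
```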