How to properly expose the public ticket website

Hi @all,

I’m currently trying to only expose the public ticket interface to the internet.
But there are some problems I’m facing.

I’ve tried to expose it using another Directory entry in my dolibarr.conf apache2 config file and two separate Aliases.

When I add this, I can reach the public interface on the given URL. So far ok :slight_smile:

BUT: I can also reach my dolibarr installation from the internet, which I don’t want.

If I then block access to my main dolibarr folder for traffic from the public IP like this:

<Directory /usr/share/dolibarr/htdocs>
    <IfVersion >= 2.3>
    <RequireAll>
      Require all granted
      Require not ip my.public.ip.address
    </RequireAll>
    </IfVersion>
</Directory>

I can still reach the public ticket sites, but all dependencies like styles and images cannot be loaded anymore.

My dolibarr.conf for the two folders looks like this:

# Apache config file for Dolibarr
<IfModule mod_alias.c>
Alias /dolibarr /usr/share/dolibarr/htdocs
Alias /tickets /usr/share/dolibarr/htdocs/public/ticket
</IfModule>

# Directory for web pages
<Directory /usr/share/dolibarr/htdocs>
        <IfVersion >= 2.3>
        <RequireAll>
          Require all granted
          Require not ip my.public.ip.address
        </RequireAll>
        </IfVersion>

    DirectoryIndex index.php
    Options +FollowSymLinks +Indexes

    ErrorDocument 401 /dolibarr/public/error-401.php
    ErrorDocument 404 /dolibarr/public/error-404.php

    <IfModule mod_php5.c>
      php_flag magic_quotes_gpc Off
      php_flag register_globals Off
    </IfModule>
</Directory>

<Directory /usr/share/dolibarr/htdocs/public/ticket>
        <IfVersion >= 2.3>
        Require all granted
        </IfVersion>

    DirectoryIndex index.php
    Options +FollowSymLinks +Indexes

    ErrorDocument 401 /dolibarr/public/error-401.php
    ErrorDocument 404 /dolibarr/public/error-404.php

    <IfModule mod_php5.c>
      php_flag magic_quotes_gpc Off
      php_flag register_globals Off
    </IfModule>

</Directory>

Any help is greatly appreciated

Regards
Bastian
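Two details of Apache's access control explain what the post above describes, and the block below is an added example (not from this thread) of a Directory-based variant that exposes only the ticket pages while still serving their assets. First, `Require ip` tests the address the client connects from, so `Require not ip my.public.ip.address` only excludes clients that happen to arrive from that single address; every other internet client still matches `Require all granted`. Listing the LAN range instead is what keeps outside clients out. Second, per-directory sections are merged from the shortest path to the longest, and by default the `Require` rules of a more specific `<Directory>` replace those of its parent. So `public/ticket` is granted, but `theme/`, `includes/` and `core/js/`, which the ticket page still requests under `/dolibarr/...`, stay LAN-only and return 403; each subtree the public page needs therefore gets its own grant. The directory names are assumptions for a Debian-packaged Dolibarr under `/usr/share/dolibarr/htdocs` with a 192.168.0.0/24 LAN and Apache 2.4; the reliable way to get the exact list is to load the ticket page from outside and read the 403 entries in the access log, and to grant nothing beyond that.

```apache
# Added example, not the thread's own config. Assumptions: Debian layout
# under /usr/share/dolibarr/htdocs, LAN 192.168.0.0/24, Apache >= 2.4.
# One alias is enough: outside users open /dolibarr/public/ticket/index.php
# and the page's asset URLs resolve under the same prefix.
<IfModule mod_alias.c>
    Alias /dolibarr /usr/share/dolibarr/htdocs
</IfModule>

# Default for the whole application: LAN clients only.
# 'Require ip' matches the client's source address, so naming the LAN
# range is what blocks the internet; 'Require not ip <own public IP>'
# only blocks clients coming from that one address.
<Directory /usr/share/dolibarr/htdocs>
    Options +FollowSymLinks -Indexes
    DirectoryIndex index.php
    ErrorDocument 401 /dolibarr/public/error-401.php
    ErrorDocument 404 /dolibarr/public/error-404.php
    Require ip 127.0.0.1 ::1 192.168.0.0/24
</Directory>

# The public ticket pages themselves: anyone may reach them.
<Directory /usr/share/dolibarr/htdocs/public/ticket>
    Require all granted
</Directory>

# Static assets the ticket page references under /dolibarr/... .
# A more specific <Directory> replaces the parent's Require rules, so
# each subtree that must be reachable from the internet needs its own
# grant. Which subtrees are needed is an assumption; confirm it from the
# 403 lines in the access log when loading the page from outside.
<Directory /usr/share/dolibarr/htdocs/theme>
    Require all granted
</Directory>
<Directory /usr/share/dolibarr/htdocs/includes>
    Require all granted
</Directory>
<Directory /usr/share/dolibarr/htdocs/core/js>
    Require all granted
</Directory>

# Paths that must never be served to anyone over HTTP, regardless of
# what is granted above (Files and later sections would not help here,
# so they get their own, most specific, Directory sections).
<Directory /usr/share/dolibarr/htdocs/conf>
    Require all denied
</Directory>
<Directory /usr/share/dolibarr/htdocs/install>
    Require ip 127.0.0.1 ::1 192.168.0.0/24
</Directory>
```

`-Indexes` is deliberate: directory listings on an internet-facing tree reveal file names for no benefit, and the rest of Dolibarr does not need them either. Reload Apache with `apachectl configtest` first; a typo in a `<Directory>` path silently leaves the parent rule in force.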

Hi Bastian,

I would use VirtualHost and SSL instead of relying on Directory like so:

# Apache config file for Dolibarr
<IfModule mod_ssl.c>
    # This virtual host will be available only from the internal network
    <VirtualHost dolibarr.mycompanie.com:443>
        # Name-based matching needs an explicit ServerName, and a vhost
        # only speaks TLS once SSLEngine is switched on
        ServerName dolibarr.mycompanie.com
        SSLEngine on
        # Get your free certificate from https://letsencrypt.org/getting-started/
        SSLCertificateFile /etc/letsencrypt/live/YOURCERT_HERE
        SSLCertificateKeyFile /etc/letsencrypt/live/YOURCERT_HERE

        # Map the application into this host; the global Alias from
        # dolibarr.conf would be inherited, but this keeps the vhost
        # self-contained
        Alias /dolibarr /usr/share/dolibarr/htdocs

        # Directory for web pages
        <Directory /usr/share/dolibarr/htdocs>

            <RequireAll>
                # Put your internal ip range below
                Require ip 192.168.0.0/24
            </RequireAll>

            DirectoryIndex index.php
            Options +FollowSymLinks +Indexes

            ErrorDocument 401 /dolibarr/public/error-401.php
            ErrorDocument 404 /dolibarr/public/error-404.php

            <IfModule mod_php5.c>
                php_flag magic_quotes_gpc Off
                php_flag register_globals Off
            </IfModule>
        </Directory>
    </VirtualHost>

    # This host will be available from anywhere
    <VirtualHost ticket.mycompanie.com:443>
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/YOURCERT_HERE
        SSLCertificateKeyFile /etc/letsencrypt/live/YOURCERT_HERE

        ServerName ticket.mycompanie.com
        ServerAdmin webmaster@localhost
        DocumentRoot /usr/share/dolibarr/htdocs/public/ticket
        <Directory /usr/share/dolibarr/htdocs/public/ticket>
            <IfVersion >= 2.3>
                Require all granted
            </IfVersion>

            DirectoryIndex index.php
            Options +FollowSymLinks +Indexes

            # These error pages are resolved under this vhost's
            # DocumentRoot, so they only work if /dolibarr is also
            # aliased here
            ErrorDocument 401 /dolibarr/public/error-401.php
            ErrorDocument 404 /dolibarr/public/error-404.php

            <IfModule mod_php5.c>
                php_flag magic_quotes_gpc Off
                php_flag register_globals Off
            </IfModule>

        </Directory>
    </VirtualHost>
</IfModule>

Hi and thanks @langlais115 for your reply.
I’ll try to configure it like that.

But for that I need to adjust my dolibarr config to ssl as well, right?
At the moment I run it only inside my company on a local server over http.

Is it even possible to keep the internal version on :80 / http and only the external on :443 / https?

Regards
Bastian

About HTTP/HTTPS: yes, you can.
Just change the config of your virtual hosts according to your needs.
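For the HTTP-inside / HTTPS-outside split, the following is an added example (not from this thread) using name-based virtual hosts. Assumptions: Debian layout under `/usr/share/dolibarr/htdocs`, LAN 192.168.0.0/24, internal name `dolibarr.lan`, public name `ticket.mycompanie.com`, Apache 2.4 with `mod_ssl` and `mod_alias` enabled, and certificate paths as certbot writes them. The point to watch is that Apache uses the first virtual host on a port as the default for any request whose `Host` header (or TLS SNI name) matches no `ServerName`; an internal vhost listed first would therefore answer requests sent to the bare public IP. An empty deny-all vhost comes first on each port. The ticket vhost keeps the `/dolibarr` prefix so the asset URLs the page emits resolve, and grants only the ticket directory and its static assets.

```apache
# Added example, not the thread's own config. Assumptions: Debian layout
# under /usr/share/dolibarr/htdocs, LAN 192.168.0.0/24, internal name
# dolibarr.lan, public name ticket.mycompanie.com, Apache 2.4.

# Catch-all on :80. The first vhost on a port is the default for any
# request whose Host header matches no ServerName, so it must deny.
<VirtualHost *:80>
    ServerName default.invalid
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# Internal users: plain HTTP, full application, LAN only. The firewall
# already keeps port 80 off the internet; the Require ip is the second
# line of defence against a request arriving with a forged
# "Host: dolibarr.lan" header.
<VirtualHost *:80>
    ServerName dolibarr.lan
    Alias /dolibarr /usr/share/dolibarr/htdocs
    <Directory /usr/share/dolibarr/htdocs>
        Options +FollowSymLinks -Indexes
        DirectoryIndex index.php
        Require ip 127.0.0.1 ::1 192.168.0.0/24
    </Directory>
</VirtualHost>

<IfModule mod_ssl.c>
    # Catch-all on :443 (also the fallback when the SNI name matches
    # nothing); any certificate will do, reusing the public one is simplest.
    <VirtualHost *:443>
        ServerName default.invalid
        SSLEngine on
        SSLCertificateFile    /etc/letsencrypt/live/ticket.mycompanie.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/ticket.mycompanie.com/privkey.pem
        <Location />
            Require all denied
        </Location>
    </VirtualHost>

    # Public ticket interface: HTTPS only, reachable from anywhere, but
    # only the ticket pages and the static assets they reference.
    <VirtualHost *:443>
        ServerName ticket.mycompanie.com
        SSLEngine on
        SSLCertificateFile    /etc/letsencrypt/live/ticket.mycompanie.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/ticket.mycompanie.com/privkey.pem

        # Same /dolibarr prefix as inside, so the page's asset URLs resolve
        Alias /dolibarr /usr/share/dolibarr/htdocs
        <Directory /usr/share/dolibarr/htdocs>
            Options +FollowSymLinks -Indexes
            DirectoryIndex index.php
            Require all denied
        </Directory>
        <Directory /usr/share/dolibarr/htdocs/public/ticket>
            Require all granted
        </Directory>
        # DirectoryMatch sections are merged after plain Directory ones,
        # so this grant overrides the deny on htdocs. The asset subtrees
        # are an assumption; confirm them from the 403s in the access log.
        <DirectoryMatch "^/usr/share/dolibarr/htdocs/(theme|includes|core/js)">
            Require all granted
        </DirectoryMatch>

        # Land visitors of the bare host name on the ticket form
        RedirectMatch ^/$ /dolibarr/public/ticket/index.php
    </VirtualHost>
</IfModule>
```

Check the result from outside with `curl -kI https://<public-ip>/dolibarr/` (should be 403 from the catch-all) and `curl -I https://ticket.mycompanie.com/dolibarr/user/index.php` (403 from the ticket vhost), and from inside with `curl -I http://dolibarr.lan/dolibarr/` (200). Note that Dolibarr must also be told its public URL root in its own configuration if it is to emit absolute links; that is outside Apache.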

wow this was a lot of work to do :upside_down_face:

First of all: now it works!

I have the ticket interface exposed to the wild, while the rest is only accessible from within my LAN.

But I had to:

  • install certbot for Let’s Encrypt
  • fetch a Let’s Encrypt certificate using the DNS record challenge (because ports 80/443 cannot be exposed for that purpose)
  • play around with a lot of apache settings like enabling SSL (a2enmod)

But how can I now use the https server in my local network as well? The server is locally reachable under another name (or the IP directly). So the certificate I got from Let’s Encrypt for my public domain name leads to a warning screen saying that the certificate doesn’t match the host name.

Is there any way to achieve that?

Thanks again
Bastian

I’m glad it works for your ticketing system :slightly_smiling_face:

And yes, you are right, my bad. If your dolibarr instance is internal only, you will not be able to use a Let’s Encrypt cert.

So what to do in this case?
Well you have 3 choices:

  1. If you have an internal certificate server, use it to generate a cert and use it on your dolibarr instance.
  2. Create a self-signed certificate, but this will generate a warning on every client that accesses the site. (I wouldn’t recommend this; even though it encrypts the traffic and secures the exchange between the server and clients, it does scare users a lot to see the warning message.)
  3. Just don’t use SSL and go for HTTP. Depending on the size of your company you should be fine with that.

PS: Just one last recommendation as your ticketing system is facing the internet, don’t forget to harden your apache config and to install fail2ban. This should put you on the safe side.
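On the hardening recommendation: the block below is an added example (not from this thread) of what "harden your apache config" can mean for the internet-facing ticket vhost, assuming Apache 2.4 with `mod_ssl`, `mod_headers` and `mod_rewrite` enabled (`a2enmod ssl headers rewrite`), Debian's `${APACHE_LOG_DIR}`, and the Let's Encrypt certificate for `ticket.mycompanie.com` in certbot's default paths. Method filtering uses `mod_rewrite` rather than a `<LimitExcept>` block, because `Require` rules inside `<Limit>` sections are method-scoped and the Apache documentation advises against putting access control there. One remark on the certificate options listed above: a Let's Encrypt certificate obtained through the DNS-01 challenge, which is what was used for the ticket host, does not need the host to be reachable from the internet at all, so an internal name that lives in a public DNS zone can be issued one the same way.

```apache
# Added example, not the thread's own config. Assumptions: Apache 2.4
# with mod_ssl, mod_headers and mod_rewrite; certbot's default paths.
<VirtualHost *:443>
    ServerName ticket.mycompanie.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/ticket.mycompanie.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ticket.mycompanie.com/privkey.pem

    # TLS: no legacy protocol versions, forward-secret AEAD suites only
    # (TLSv1.3 needs Apache >= 2.4.36 and OpenSSL >= 1.1.1)
    SSLProtocol         -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite      ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
    SSLHonorCipherOrder on
    SSLCompression      off
    SSLSessionTickets   off

    # Browser-side hardening headers
    Header always set Strict-Transport-Security "max-age=31536000"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "same-origin"

    # Only the methods a ticket form needs; everything else gets 403
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
    RewriteRule .* - [F]

    # Dotfiles, editor backups and dumps must never be served. Files
    # sections are merged after Directory sections, so this wins even
    # inside a granted subtree.
    <FilesMatch "(^\.|\.(bak|old|orig|sql|gz|log|ini)$)">
        Require all denied
    </FilesMatch>

    # Never list directories on an internet-facing tree
    <Directory /usr/share/dolibarr/htdocs>
        Options -Indexes
    </Directory>

    # The Alias and the per-directory Require rules that expose only
    # public/ticket and its static assets go here, unchanged.

    # A dedicated log pair, so fail2ban watches only the public vhost
    # and a mistyped internal password never bans a LAN address
    LogLevel  warn
    ErrorLog  ${APACHE_LOG_DIR}/ticket_error.log
    CustomLog ${APACHE_LOG_DIR}/ticket_access.log combined
</VirtualHost>

# Server-wide (e.g. /etc/apache2/conf-enabled/security.conf): no version
# banner in headers or error pages, and no TRACE method
ServerTokens    Prod
ServerSignature Off
TraceEnable     Off
```

fail2ban ships Apache filters (`apache-auth`, `apache-noscript`, `apache-overflows` read the error log; `apache-badbots` reads the access log); point their `logpath` in `jail.local` at the two files above. This works because a firewall port forward preserves the client's source address; behind a reverse proxy fail2ban would see, and ban, the proxy instead.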

Thanks again for your reply.

I think for now I’ll go with number 3 :slight_smile:
This should be sufficient.

Thanks for the tip with fail2ban. I’ll do that!

Best regards
Bastian

Hi again,

fail2ban is installed. The server is behind an IPFire firewall with only port 443 exposed.
So it should be good (hopefully).

Best regards
Bastian