Quite recently I tried to protect my self-hosted InvoiceNinja by allowing only IP addresses from my country. Since I made that change, I started to have funny results with the InvoiceNinja. Everytime I tried to edit Quote/Invoice, the system throws Error: 500.
I contacted my hosting support and they removed the IP block by country config and it worked fine right after. Maybe that’s not even related.
Could it be I can’t protect my InvoiceNinja by limiting access by IP addresses, since the app may need to communicate with your servers? If so, could you please provide your required IP addresses, so we could whitelist those as well? Thanks!
What are you using to generate your PDFs? if you are using PhantomJS you’d need to allow their servers to access your installation. This sounds like the issue, your system is crashing when it can’t get the PDF.
It seems like there’s a problem whilst trying to use InvoiceNinja + PhantomJSCloud + blocking access by IP. For this purpose PhantomJSCloud is willing to offer a commercial proxy service that provides static IP, because most probably they heavily rely on load balancing.
Since applications like InvoiceNinja should never be exposed widely on the Internet for safety reasons, is there any other reliable way to harden safety for our application?
Alternatively, replacing PhantomJSCloud with PhantomJS seems the only valid workaround for this?
I would understand if I’d use SnapPDF with Headless Chrome to generate the PDFs locally - no need for any SaaS, hence no need for whitelisting. That’s option #1.
But to make it 100% clear that I understood the option #2 correctly: if I limit the access to my InvoiceNinja only to certain IPs, how does the white label license (that includes the hosted PDF option you provide) still allow me to use PDF generation with such access restriction enabled?
With our hosted PDF service, your Ninja installation will send a html payload to our server which we convert on the fly into a pdf and return to you in the same request.
As your installation opens the connection - you don’t require a whitelisting as such.
Inside the request you send the white label license authenticates with our servers granting you PDF generating abilities.
Good, I understand it’s most probably the asynchronous JS connection.
And lastly, what are the main benefits of choosing hosted PDF option as opposed to SnapPDF?
Was it made only in case SnapPDF is not accessible on some servers?
I just tested generating the PDFs with SnapPDF installed properly on my server and it worked normally, but as soon as we blocked the access by allowing only certain IPs due to security reasons, the Error: 500 appeared again. Is there any other open connection required for InvoiceNinja to work properly with such restriction, or this may be some caching issue?
@david, @hillel: Do you know perhaps what I’m doing wrong in my steps above? I would really like to use InvoiceNinja, but this issue really stops me from using it safely. Thank you.