Error: 500 whilst editing the Quote/Invoice template

Quite recently I tried to protect my self-hosted InvoiceNinja by allowing only IP addresses from my country. Since I made that change, I started to have funny results with the InvoiceNinja. Everytime I tried to edit Quote/Invoice, the system throws Error: 500.

I contacted my hosting support and they removed the IP block by country config and it worked fine right after. Maybe that’s not even related.

Could it be I can’t protect my InvoiceNinja by limiting access by IP addresses, since the app may need to communicate with your servers? If so, could you please provide your required IP addresses, so we could whitelist those as well? Thanks!

Hi,

@david do you have any ideas?

Are there any details about the 500 error in storage/logs/

What are you using to generate your PDFs? if you are using PhantomJS you’d need to allow their servers to access your installation. This sounds like the issue, your system is crashing when it can’t get the PDF.

1 Like

According to hosting support, they just briefly informed me they’ve noticed some issues with mod_security.

I use a registered PhantomJS with generated key. Therefore I should contact them here to ask for their IP range for whitelisting?

yes, you’ll want to whitelist any IPs you want to access your host.

@david, could you please jump in, since you are surely more familiar with how your system works (the developer seems a bit surprised):

You’ll want to talk to these guys i think

https://phantomjscloud.com/?gclid=CjwKCAjwhOyJBhA4EiwAEcJdcSz8A7QuQaBYjZfYnWcC_DnnClEMFP9HrzyHGsgpdNhSB81Y-GZDihoCGq8QAvD_BwE

It seems like there’s a problem whilst trying to use InvoiceNinja + PhantomJSCloud + blocking access by IP. For this purpose PhantomJSCloud is willing to offer a commercial proxy service that provides static IP, because most probably they heavily rely on load balancing.

Since applications like InvoiceNinja should never be exposed widely on the Internet for safety reasons, is there any other reliable way to harden safety for our application?

Alternatively, replacing PhantomJSCloud with PhantomJS seems the only valid workaround for this?

@Jazz,

If you have a white label license you can use our hosted PDF generation service.

You won’t have to use a whitelist to use this service.

https://invoiceninja.github.io/docs/self-host-troubleshooting/#hosted-invoice-ninja-pdf-generation

I would understand if I’d use SnapPDF with Headless Chrome to generate the PDFs locally - no need for any SaaS, hence no need for whitelisting. That’s option #1.

But to make it 100% clear that I understood the option #2 correctly: if I limit the access to my InvoiceNinja only to certain IPs, how does the white label license (that includes the hosted PDF option you provide) still allow me to use PDF generation with such access restriction enabled?

@Jazz

With our hosted PDF service, your Ninja installation will send a html payload to our server which we convert on the fly into a pdf and return to you in the same request.

As your installation opens the connection - you don’t require a whitelisting as such.

Inside the request you send the white label license authenticates with our servers granting you PDF generating abilities.

1 Like

Good, I understand it’s most probably the asynchronous JS connection.

And lastly, what are the main benefits of choosing hosted PDF option as opposed to SnapPDF?
Was it made only in case SnapPDF is not accessible on some servers?

I just tested generating the PDFs with SnapPDF installed properly on my server and it worked normally, but as soon as we blocked the access by allowing only certain IPs due to security reasons, the Error: 500 appeared again. Is there any other open connection required for InvoiceNinja to work properly with such restriction, or this may be some caching issue?

most likely is sounds like the dns resolution of the company logo isn’t succeeded due to the firewall rules you have implemented.

The system needs to be able to resolve the logo url path.

ensure you are whitelisting teh DNS resolver i guess…

You mean the InvoiceNinja logo that appears on each PDF?

I think @david is referring to the custom company logo.

Would the LOCAL_DOWNLOAD .env property be an option here?

https://invoiceninja.github.io/docs/env-variables

local_download will help prevent this i think.

  1. add the LOCAL_DOWNLOAD=true to .env
  2. unprotect the InvoiceNinja
  3. open any PDF Preview for any Quote/Invoice (generated by SnapPDF)
  4. go to Settings > Invoice design > Adjustment and review > select your template > EDIT
  5. go back to the Dashboard
  6. protect access to the InvoiceNinja only for given IPs
  7. go to Settings > Invoice design > Adjustment and review > select your template > EDIT

Then after a few seconds Error: 500 appears.

It seems the LOCAL_DOWNLOAD trick doesn’t work.

@david, @hillel: Do you know perhaps what I’m doing wrong in my steps above? I would really like to use InvoiceNinja, but this issue really stops me from using it safely. Thank you.