.htaccess - Running Invoice Ninja in a subfolder


I look around in the posts and did not find what this was about. I am running invoice ninja in a subfolder of a Joomla root.

Joomla site manages access via the .htaccess file. A problem occurs when trying to access the client portal.

What is interesting is that the Joomla .htaccess file is not triggerred when coming from the client section (Client portal). But when I press the view client portal from the invoice menu, Joomla .htaccess is indeed triggerred and it tries to get a category or refuse acceess to the subfolder. Note that I can also see the portal behind the joomla message (See picture)

The question is:
How can I modify the Joomla “.htaccess” file to leave requests made in that subfolder alone (/billing) and not parsed or validate these request as being part of Joomla?

Thanks for helping


Sorry, this is the first I’ve heard of Joomla.

Hi, it is a CMS like wordpress.

What rule should I put in in my htaccess to let things through the the subfolder? Ideas?

That’s incredibly insecure. InvoiceNinja should not be running under joomla; it’s a standalone LAMP app. The www dir must be the public/ folder otherwise you’re exposing your .env file and all your files/configuration

It is all good but this does not help the topic. On a shared hosting there is other ways to isolate your files. The question is about .htaccess of joomla interfering with the ninja invoice install.

All right,

I’ve decided to move the install files into a sub-domain (sub-directory) at same level of public_html. Moved the files, change the root folder public/. Everything was workin fine.

I updated the app and now thing are somehow locked (See image)

On the right you can see a health check i’ve done before and fixed some stuff. I also forced an update to make sure all is good.

From image, you can see I am getting the following errors on Invoice Ninja v5.8.27-C155:

404: Not Found • Route does not exist
403: Forbidden •

It’s like I cannot save things anymore. I can naviguate and all, but if i change something in settings or pull an invoice, i get either the small popup in settings or the big white one in invoices, etc…

Any help would be appreciated.

Maybe you need to update the value of APP_URL in the .env file?


I just modified the following without success.
My install is a subdomain of dosplus.com called billing.dosplus.com

The cPanel domain root is billing.dosplus.com/public, so the domin points to the public folder set in the root with the others.

I changed the .env file path to make sure it reflects the proper settings for billing.dosplus.com

I changed the .htaccess file info.

It still denies changes. I made a completely fresh install and it does the same.

I also noticed that I can change info in invoice, cleint but everything inside the settings portion is locked.

Don’t ge tit…

It may help to disable mod_security

Oh well!

It is definitely the mod_security module. I have disabled the cpanel OWASP CRS v3.x for ModSec 2.9 (via pkg) and it w orks fine. So I assume that I should try to remove the domaine from the hits? Not sure how.

I will also try to enable the sub rules one by one and find which one it is.


OK, i narrowed it down to these few rules in the above mentionned package of cPanel:


This is a bit of a tricky thing. I scanned over the Joomla .htaccess and by default it routes everything to the index.php of Joomla.
Since you want to have things in the InvoiceNinja folder handled by Invoice Ninja, and not by Joomla, you’ll need to modify it so that it ignores that path.

I would add this above https://github.com/joomla/joomla-cms/blob/4.4-dev/htaccess.txt#96, and what you would need to add there is something like this:

RewriteCond %{REQUEST_URI} ^/billing/
RewriteCond %{REQUEST_URI} !^/billing/index\.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* /billing/index.php [L]

However, I’m not using Apache much these days (mainly a Caddy guy), so not 100% sure that this would be correct. However, you might still get interference with the rules for Joomla and Invoice Ninja might also still assume it is installed in a top-level directory. It’s far from an ideal setup.

Concerning your mod_security module, I would suggest contacting your webhosting - they know the setup quite well and might know what the root cause is and how to solve it. mod_security can be a pain.


Thanks for taking the time to explain your thoughts. I kinda went another way, I moved the install in a subdomain and it works fine. For the mod_sec stuff I targeted it to a small bunch of rules. I never had problems so I think it might of got catched in the install process.

More to follow… Thx again

1 Like