I look around in the posts and did not find what this was about. I am running invoice ninja in a subfolder of a Joomla root.
Joomla site manages access via the .htaccess file. A problem occurs when trying to access the client portal.
What is interesting is that the Joomla .htaccess file is not triggerred when coming from the client section (Client portal). But when I press the view client portal from the invoice menu, Joomla .htaccess is indeed triggerred and it tries to get a category or refuse acceess to the subfolder. Note that I can also see the portal behind the joomla message (See picture)
The question is:
How can I modify the Joomla “.htaccess” file to leave requests made in that subfolder alone (/billing) and not parsed or validate these request as being part of Joomla?
That’s incredibly insecure. InvoiceNinja should not be running under joomla; it’s a standalone LAMP app. The www dir must be the public/ folder otherwise you’re exposing your .env file and all your files/configuration
It is all good but this does not help the topic. On a shared hosting there is other ways to isolate your files. The question is about .htaccess of joomla interfering with the ninja invoice install.
I’ve decided to move the install files into a sub-domain (sub-directory) at same level of public_html. Moved the files, change the root folder public/. Everything was workin fine.
I updated the app and now thing are somehow locked (See image)
On the right you can see a health check i’ve done before and fixed some stuff. I also forced an update to make sure all is good.
From image, you can see I am getting the following errors on Invoice Ninja v5.8.27-C155:
404: Not Found • Route does not exist
403: Forbidden •
It’s like I cannot save things anymore. I can naviguate and all, but if i change something in settings or pull an invoice, i get either the small popup in settings or the big white one in invoices, etc…
It is definitely the mod_security module. I have disabled the cpanel OWASP CRS v3.x for ModSec 2.9 (via pkg) and it w orks fine. So I assume that I should try to remove the domaine from the hits? Not sure how.
I will also try to enable the sub rules one by one and find which one it is.
UPDATE
OK, i narrowed it down to these few rules in the above mentionned package of cPanel:
This is a bit of a tricky thing. I scanned over the Joomla .htaccess and by default it routes everything to the index.php of Joomla.
Since you want to have things in the InvoiceNinja folder handled by Invoice Ninja, and not by Joomla, you’ll need to modify it so that it ignores that path.
However, I’m not using Apache much these days (mainly a Caddy guy), so not 100% sure that this would be correct. However, you might still get interference with the rules for Joomla and Invoice Ninja might also still assume it is installed in a top-level directory. It’s far from an ideal setup.
Concerning your mod_security module, I would suggest contacting your webhosting - they know the setup quite well and might know what the root cause is and how to solve it. mod_security can be a pain.
Thanks for taking the time to explain your thoughts. I kinda went another way, I moved the install in a subdomain and it works fine. For the mod_sec stuff I targeted it to a small bunch of rules. I never had problems so I think it might of got catched in the install process.