Need help - Trying to install a webmail web app on the same server - No Go

Hey I hope someone can help me here… I know that Invoice Ninja has phenomenal security to prevent people from accessing areas of the site that they shouldn't be, to prevent hackers etc. However, I need to install other sites on the same VPS server that Invoice Ninja runs on. Now, I have managed to do this for other sites in a very unorthodox way…

I installed phpMyAdmin into the /usr/share/www doc root, and since I had no problem loading that site without invoking the Invoice Ninja “Sorry, the page you are looking for could not be found.” page, I just added the other sites' apache-sites.conf file entries to the /etc/phpmyadmin/apache2.conf and I have been able to use those sites.

However, I need to install RainLoop Web Mail on the same host. Unfortunately, its apache config file “rainloop.conf” has entries in it that are not compatible with just pasting the configuration into the apache.conf, so I have to add a new config to the /etc/apache2/sites-available/rainloop.conf

The contents of the config are below


<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html/rainloop/
    ServerName systopian-web1.com
    ServerAlias www.systopian-web1.com

    <Directory /var/www/html/rainloop/>
        Options +Indexes +FollowSymLinks +ExecCGI
        AllowOverride All
        Order deny,allow
        Allow from all
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

However, when I load this config into apache2 and restart apache, the server starts fine, but no matter what I do, I get the Invoice Ninja “Sorry, the page you are looking for could not be found.” page. My file system permissions are correct, and I did not see anything in any of the .htaccess files that would be causing this to occur.

I would greatly appreciate if someone can help me as soon as possible to come up with a solution that will allow me to keep the protections that Invoice Ninja provides to keep people from snooping around where they shouldn’t be, but allow me to make specific exceptions to those rules so that my other sites will run without issue.

It would mean a great deal to get this working tonight as I have limited time to get this working before I have clients beating down my door.

Cheers!
JD

Sorry, I had forgotten to update this issue. I have resolved this by converting the appropriate entries from the /etc/apache2/sites-available/site.conf for the Web App I was trying to install, into the format that could be loaded in the /etc/phpmyadmin/apache.conf. For example, instead of specifying a DocumentRoot as you would in a /etc/apache2/sites-available/site.conf, in the /etc/phpmyadmin/apache.conf I configured the <Directory> tag instead, which acts very similarly; as well, the rest of the formatting for the other variables you need to configure is specified differently.

While some people may think that this is a very unorthodox way of doing this, it actually has provided a number of excellent benefits. The number one benefit for me is that I am able to configure all of my Web App Sites using the single /etc/phpmyadmin/apache.conf file. For each new Web App Site, I simply add a new <Directory> tag with the appropriate parameters and variables that are specific for the new site I am adding. While I could have made things a little neater by renaming the file to something more general, for me, it’s fine as it is.

For some reason that I do not quite understand, this is also the only way that I can add a new Web App Site, that Invoice Ninja does not block access to any of the Site's directories or files when they are configured in the /etc/phpmyadmin/apache.conf file. However, if I attempt to install the exact same Web App Sites, but use the /etc/apache2/sites-available/site.conf file loaded into the /etc/apache2/sites-available directory, the security measures in place by Invoice Ninja block a user's access to any directory other than the ones allowed by Ninja, and the ones configured in /etc/phpmyadmin/apache.conf. I do not understand why this is, but it works out very well for my purposes, since I have a mix of Sites like Invoice Ninja which is both a Public Site and an Internal Site, I also have other Web App Sites that are strictly internal sites.

For those sites, I have added an additional layer of security by configuring .htpasswd and Require Valid-User. This way on the internal sites, they must have a user / password that they must provide in the Credentials Dialog Box that pops up if they happen to find the obscure URLs for those sites. Only once they have satisfied those credentials can they then access the Web App's own Account Login pages, and I made sure that none of the accounts overlap between the Credentials Dialog Box and the Site's own login page system. Just one more Lock to get past to make it difficult for anyone wanting to access something they are not supposed to be.

So in summary, in order to work around this problem of Invoice Ninja’s very well done file system restrictions that are in place to keep prying eyes from accessing directories and files that they should not be, while still wanting to use the same server for other Web App Sites, the following changes were made.

The Invoice Ninja Directory / File Systems Restrictions do not stop the Web App from loading when they are configured in the /etc/phpmyadmin/apache.conf file, so long as you properly specify the <Directory> </Directory> tags, and provide the other appropriate tags and variable options required for the Web App Site you are trying to install. These parameters are required for the Options, Alias, DirectoryIndex, as well so that the Web App Site can find the PHP Base_Dir, any Modules it may require and if you want to Restrict anyone from even accessing those sites without first providing a set of credentials in the Dialog Box that pops up, once they have satisfied that login challenge, they will then have to have an account in order to login to the specific Web App Site.

With these changes in place, I have been able to install any additional Web App Site that I need to in order to get around the problem of Invoice Ninja doing its job and securing all of my file systems that should not be accessible by anyone.

To end with a quick note, Invoice Ninja still does restrict all the directories and files that should not be accessed. The only areas that are overridden are the ones that have been specifically configured in the /etc/phpmyadmin/apache.conf. This sort of leaves me with a conundrum, and that is, that the only reason that I found out that this would override Invoice Ninja's restrictions, was that I needed to install phpMyAdmin on the same server. My first attempt was done using an installation guide that had me manually create a /etc/apache2/sites-available/site.conf file. However, when I did this, I was blocked by Invoice Ninja from accessing the DocRoot and the other areas required by phpMyAdmin. So I did some more digging and I actually went to the phpMyAdmin website, and they provided a set of instructions that called for the DocumentRoot or in this case, the <Directory> tag to point to /etc/share/www/phpmyadmin and the actual apache config file for the Site was to be located in /etc/phpmyadmin/apache.conf. Once I installed it this way, I was able to access strictly the directories allowed by the <Directory> tag.

So when I next went to install yet another Web App Site, and using the conventional way caused Invoice Ninja to restrict access to the DocumentRoot, I decided to try converting the parameters and tags, and then placing them in the /etc/phpmyadmin/apache.conf underneath the phpmyadmin configuration. Once I did that I was able to load the Web App Site in the Browser, and none of the required directories and files were being restricted. From that point on, I stopped trying to create an apache site conf file and instead, continued to add all new Sites to the /etc/phpmyadmin/apache.conf in their own sections.

I have had no problems since. Why this works this way I can not tell you. I also can not tell you if there was anything specifically done during the installation of phpMyAdmin, that would allow for the Web App Sites configured in its apache.conf file to be immune from the Invoice Ninja restrictions.

Lastly, I do not know if anyone else who has this problem, goes and creates an apache.conf file in the format that it uses for phpMyAdmin, meaning using the direct Tags, Variables, and Parameters, which is syntactically very different from the way you would create your /etc/apache2/sites-available site.conf, I do not know if this would just work by itself. I do not want to risk trying to test this, since all of my Web App Sites are up and running, and a few of them are public facing for my customers, and others are Systems Operations Sites required for me to offer the services that I do for my clients. So I have no way to test this.

I also do not know where to direct anyone for information on how to convert your /etc/apache2/sites-available site.conf files to the format that the /etc/phpmyadmin/apache.conf requires, as you can not use the same syntax interchangeably between the two config files. Attempting to do so will cause your apache instance to fail to restart.

And of course it is important to note that after any changes to any of the config files, in either location, those changes will not be picked up, and your new site will not be available until you have run the following command.

systemctl restart apache2

Note this is on an Ubuntu 18.04 LTS 64bit VPS Server. Your Linux flavor may have other command options, or even another Web Server.

System Details:
OS Details:
Distributor ID: Ubuntu
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic

System Architecture:
Linux systopian-web1 4.15.0-74-generic #84-Ubuntu SMP Thu Dec 19 08:06:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

PHP Info:
PHP Version: root@systopian-web1:/etc/apache2/sites-available# php -v
PHP 7.2.24-0ubuntu0.18.04.2 (cli) (built: Jan 13 2020 18:39:59) ( NTS )
Copyright © 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright © 1998-2018 Zend Technologies
with Zend OPcache v7.2.24-0ubuntu0.18.04.2, Copyright © 1999-2018, by Zend Technologies

Apache2 Info:
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2019-09-16T12:58:48

Invoice Ninja Version:
V4.5.17 - Updated Today

If I can provide any additional information to either help anyone who may have run into this same issue, or if the Invoice Ninja Devs would like to help me understand why I need to install all new Web App Sites in the way I have described above so that they will work, without risking having to turn off any of the file system / file restrictions that Ninja very smartly has provided, I would be more than happy to provide any additional info if needed.
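
The conversion described in the post above, written out as an added example (not part of the original post, and not Invoice Ninja's, phpMyAdmin's or RainLoop's own configuration): the RainLoop virtual host restated in the Alias plus <Directory> form, with the .htpasswd gate mentioned for internal sites. The /rainloop URL path, the password file location, the realm name and the data/ subdirectory are assumptions; the snippet also assumes the file is included at server level, as Ubuntu's phpMyAdmin package does for its apache.conf, so it applies under whichever virtual host answers the request.

```apache
# Added example (constructed). Server-level snippet in the Alias + <Directory>
# style; it belongs in a file that Apache includes outside any <VirtualHost>.
#
# Virtual-host form from the post, for comparison:
#   DocumentRoot /var/www/html/rainloop/
#   ServerName   systopian-web1.com
#   Options      +Indexes +FollowSymLinks +ExecCGI
#   AllowOverride All
#
# DocumentRoot/ServerName pick a whole site by host name. An Alias instead maps
# one URL path onto a directory, so no ServerName is needed here.
# The URL path /rainloop is an assumption; the directory is the one in the post.
Alias /rainloop /var/www/html/rainloop

<Directory /var/www/html/rainloop>
    # Tighter than the original: no directory listings, no CGI execution.
    Options -Indexes +FollowSymLinks
    DirectoryIndex index.php

    # Ignore .htaccess files so the access rules live only in this file.
    AllowOverride None

    # Credentials dialog in front of the application's own login page.
    # Password file path and realm name are hypothetical. Create the file with:
    #   htpasswd -c /etc/apache2/.htpasswd-internal <username>
    # Basic auth is only base64-encoded on the wire, so on a *:80 host the
    # password crosses the network in the clear; serve this path over TLS.
    AuthType Basic
    AuthName "Internal"
    AuthUserFile /etc/apache2/.htpasswd-internal
    Require valid-user
</Directory>

# Assumes the application keeps its stored data under data/ (assumption).
# With AllowOverride None any .htaccess shipped there is ignored, so the
# deny is stated explicitly.
<Directory /var/www/html/rainloop/data>
    Require all denied
</Directory>

# Validate before restarting, since a syntax error stops Apache from starting:
#   apache2ctl configtest && systemctl restart apache2
```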