I’m interested in switching us over to InvoiceNinja from internal Quickbooks invoicing (emailed PDFs and slow-to-arrive checks), but I’d also like to be able to lock things down tighter than is possible for a cloud-hosted setup (e.g. firewall blocks by region of the world, possibly down to only allowing connections from our client’s office IPs, etc.). Also, with self-hosted I can monitor the connection logs myself.
Based on reading here, WePay no longer supports the self-hosted option, and Stripe classifies IT support services as “High Risk Businesses” in their Prohibited Businesses (we do managed services and limited VOIP for a small number of clients). I’ve not dug into PayPal’s options, Authorize.net or GoCardless. Does anyone have advice on what is and isn’t supported on self-hosted and doesn’t have tons of friction?
Edit: part of the reason for the lockdown would be if we’re going to use the beta ticketing system - I can control what gets put onto invoices (e.g. no login details!) but I can’t control what gets put into tickets the same way.
If you only want to allow internal connections, or connections from specific client offices, you could use the access controls built into Apache. I haven’t dug too deep into it myself, but https://httpd.apache.org/docs/2.4/howto/access.html should be able to get you started.
Although for it to work without constant monitoring, your clients would have to have static IPs; otherwise it could get annoying to update all the time. For internal addresses, you can just set up one of the Require arguments to use whatever IP scheme your internal network has set up (e.g. 192.168.1.0/24).
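The Apache 2.4 allowlist described in the reply above, as an added example that is not part of the original post. The hostname, file paths, certificate names and client addresses are placeholders (the client addresses come from the documentation ranges); only 192.168.1.0/24 comes from the thread.

```apache
# Added example; every hostname, path and client address is a placeholder.
<VirtualHost *:443>
    ServerName invoices.example.com
    DocumentRoot /var/www/invoiceninja/public

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/invoices.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/invoices.example.com.key

    # <Location> is merged after <Directory> and .htaccess, so an
    # application .htaccess cannot loosen this allowlist.
    <Location "/">
        <RequireAny>
            # Internal network, as in the post's example
            Require ip 192.168.1.0/24
            # Client offices with static addresses (constructed values)
            Require ip 203.0.113.10
            Require ip 198.51.100.0/28
        </RequireAny>
    </Location>

    # Requests from any other address are answered with 403 and are
    # still written to this log, so blocked attempts remain visible.
    CustomLog /var/log/apache2/invoices_access.log "%h %t \"%r\" %>s"
</VirtualHost>
```

An allowlist at this level also blocks any outside service that has to call in to the site, so each such source needs its own Require line.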
Thanks, the lockdown isn’t a huge issue - most clients do in fact have static IPs, and I might even be able to pull real-world IPs for a few dynamic ones out of our remote management system as well (or out of dynamic dns updates). I could do that at the Apache level, at the VM iptables level or at our edge router level. Still, I hadn’t thought about .htaccess-based simple authentication prior to getting to the per-customer login. That might actually work OK… I’m mostly concerned about any kind of grinding attacks or zero-day vulnerabilities.
The bigger concern is “How much hoop jumping am I maybe setting myself up for to accept credit cards?” I think Wepay and Stripe are the two lowest-friction options, but I’m not sure if any others have also done things like saying “No self-hosted instances.” I could just leave it as “Here’s your invoice, mail us a check” but there are obvious advantages to accepting cards as well.
As long as you have an SSL cert for it and make it https only, I wouldn’t think any of them would raise much of a fuss. After all, they wouldn’t have any real way of knowing if your self-hosted install was sitting in a corner of your office or in a pricey data center like a “real” website would be.
I may be off-base, but I’d imagine the only way they would have an issue is if they started seeing an unusually high number of chargebacks or the like.