Tip: Using the virtual host to have a direct to client portal url

So since the client portal isn’t very easy to create a direct path in a virtual host… Here’s a trick to being able to provide a shortened url that doesn’t make your company portal easy to accidentally show… well it’s still easy but at least it’s not horrible.

This tip is using apache2 as the web service platform. Nginx should be similar. This also assumes that you’re putting all your traffic through SSL… as you should be…

I’m currently playing with both using a single VirtualHost and multiple… basically I’m trying to figure out what provides the best and quickest outcome to do what I want to do. Here you’ll see a single VirtualHost entry for all ports I’m using.

Prerequisites:

  1. You’ll need to have sudo access to the virtual host and ports configuration files
  2. If your invoice server is NATted you’ll need to have the ability to modify port forwarding too… and follow the NAT specific directions too.

Step 1

You’ll have to have at least 2 ports listening. Pick one, like 8443 or 5000 or something and enter it into ports.conf by doing the following:

sudo su ← enter your sudo password. I do this so I don’t have to keep calling sudo, or sometimes forget to…

nano /etc/apache2/ports.conf

Inside ports.conf you’ll want to add the following under Listen 80

Listen 8443 ← or whatever port is desired

Save and close ports.conf

Step 2 (maybe)

Now you’re listening on that port. If you have the firewall enabled you’ll need to allow the port by doing:

ufw allow 8443 ← or whatever port is desired

Step 3

Now you want to modify your site configuration. For this I am assuming you have something called invoiceninja.conf… but you may be using something different… it’s what you used when you set up InvoiceNinja.

nano /etc/apache2/sites-available/invoiceninja.conf

Inside that .conf you’ll want to use the rewrite engine. Stick it right between ServerName and SSLEngine. You can modify as you wish but here’s my current conf for reference:

Public facing server conf:

<VirtualHost *:80 *:443 *:8443>
DocumentRoot /var/www/html/invoiceninja/public
ServerName sub.domain.com

RewriteEngine On
# Ensure HTTPS
RewriteCond %{SERVER_PORT} =80
RewriteRule ^(.*)$ https://sub.domain.com
# Redirect for direct client portal access
RewriteCond %{SERVER_PORT} =8443
RewriteRule ^(.*)$ https://sub.domain.com/client/login

SSLEngine on
SSLCertificateFile /etc/ssl/cert.pem
SSLCertificateKeyFile /etc/ssl/key.pem
SSLCertificateChainFile /etc/ssl/cert.pem

<Directory /var/www/html/invoiceninja/public>
Options +FollowSymlinks
AllowOverride All
Require all granted
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Server behind NAT conf:

Now this is assuming that you are already port forwarding from WAN TCP port 600 to your server at TCP port 443. You’ll want to have 2 port forwarding rules. One to your 443 that you’ll use as the redirect (to ensure that even if your clients use HTTP it’ll still force it to HTTPS without causing issues like apache complaining that you’re trying to send HTTPS over HTTP) and then one for the client portal. Notice you don’t need to name TCP 600 because it’s just a redirect to 443 which is named. Anything that’s in that VirtualHost line needs to be listening or else it won’t work. You will use port 600 to access your company portal while 8443 will redirect straight to /client/login.

<VirtualHost *:80 *:443 *:8443>
DocumentRoot /var/www/html/invoiceninja/public
ServerName sub.domain.com

RewriteEngine On
# Ensure HTTPS
RewriteCond %{SERVER_PORT} =80
RewriteRule ^(.*)$ https://sub.domain.com
# Redirect for direct portal access
RewriteCond %{SERVER_PORT} =8443
RewriteRule ^(.*)$ https://sub.domain.com:600/client/login

SSLEngine on
SSLCertificateFile /etc/ssl/cert.pem
SSLCertificateKeyFile /etc/ssl/key.pem
SSLCertificateChainFile /etc/ssl/cert.pem

<Directory /var/www/html/invoiceninja/public>
Options +FollowSymlinks
AllowOverride All
Require all granted
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

After this you’ll need to enable the rewrite module by doing the following, or else it will just complain:

a2enmod rewrite

Now check to make sure your syntax is OK and fix any syntax problems:

apachectl configtest

And then finally…

systemctl restart apache2

Finished!

Now you have a more simple sub.domain.com:8443 to give to your clients instead of a potentially problematic very specific https://sub.domain.com/client/login.

There’s a lot that can be done with the virtual host file and I’ll probably keep playing with it to make it look and work better. Personally I’d love to have a separate root path for the client portal to make it even easier… but this works and at least makes it harder for your clients to stumble into your company portal login page…

1 Like
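A multiple-VirtualHost variant of the configuration in the post, added here as an example (it is not the original poster's conf). It reuses the post's hostname, paths and certificate files and keeps the plain-HTTP listener separate from the TLS listeners, so `SSLEngine on` is never applied to port 80; the explicit `[R=...,L]` flags and the `%{REQUEST_URI}` path preservation are choices of this example.

```apache
# Port 80: plain HTTP only, no SSLEngine here. Send everything to HTTPS,
# keeping the requested path.
<VirtualHost *:80>
    ServerName sub.domain.com

    RewriteEngine On
    RewriteRule ^ https://sub.domain.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443: the application itself (company portal and client portal).
<VirtualHost *:443>
    ServerName sub.domain.com
    DocumentRoot /var/www/html/invoiceninja/public

    SSLEngine on
    # Since Apache 2.4.8 SSLCertificateFile may also carry the intermediate
    # certificates, so no separate SSLCertificateChainFile is set here.
    SSLCertificateFile /etc/ssl/cert.pem
    SSLCertificateKeyFile /etc/ssl/key.pem

    <Directory /var/www/html/invoiceninja/public>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# Port 8443: TLS listener whose only job is to redirect to the client login.
# It needs "Listen 8443" in ports.conf, as in Step 1 of the post.
<VirtualHost *:8443>
    ServerName sub.domain.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/cert.pem
    SSLCertificateKeyFile /etc/ssl/key.pem

    RewriteEngine On
    # Behind NAT as described in the post, the target would instead be
    # https://sub.domain.com:600/client/login
    RewriteRule ^ https://sub.domain.com/client/login [R=302,L]
</VirtualHost>
```

As in the post, `a2enmod rewrite`, `apachectl configtest` and a restart of apache2 are needed after changing the site file.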

Hi,

Thanks for sharing this!