Replies: 5 comments 10 replies
-
Hi! Do you mean the CDN files? How exactly would you want to limit them? We can probably host those locally instead of using CDNs (though CDNs are usually better with loading speed)
-
It seems like my attempts to use 'return 404;' in the nginx config worked, except in WHMCS, invoices don't refresh to show as PAID any more. They are marked as paid in WHMCS, but no browser refresh happens on payment, which could confuse the customer. Strange. I'd still like to lock down the main cart home page or return a blank/404. Exclude components makes the admin page the new root service for the domain in nginx. That would be fine, but how can we add IP access control to the admin interface? Do some of the admin bits need to be reached by the client's browser/WHMCS when processing transactions? I think last time I checked they did. If that's the case, IP access control may need to be implemented within bitcartcc, right?
-
So I did a refresh of everything and enabled XMR. Great! I used BITCART_EXCLUDE_COMPONENTS=store and it worked; now only a login page is displayed. The problem is the WHMCS plugin fails to function now. Possibly it's using things from the store. Shouldn't it be API-only? I'll need to look at that code. I think for now, a way to blank out or install a redirect somewhere else on the index page for the domain/URL will be an improvement for hiding from crawlers/scanners. In the future we want the WHMCS plugin to only require the API. Right now, if I restrict the bitcart server to only be accessible from the WHMCS server, it also breaks the WHMCS plugin; the WHMCS user's client machine is connecting directly to the bitcart server store for some stuff apparently, but I'd need to look closer. Oh... another thing I noticed: connecting to the bitcart machine with a raw IP will still display everything with an SSL error, same for if other hostnames are used. So if another entirely unrelated hostname points to the server, everything will still work with an SSL error. It should just not work, i.e., display a 404 error or something like that. Some nginx config changes should fix it.
-
Also, a way to add in a robots.txt file or manipulate it through the GUI would be nice. I mean I can just add one in myself no problem, but for other people that don't work with docker and linux much...
-
Here are my changes to nginx.tmpl - not saying this is ok for a commit or anything - just showing you what I changed to drop a connection that isn't using the actual hostname of the store.
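The nginx controls discussed in this thread (dropping requests that do not carry the store's hostname, limiting the admin interface to the billing server's IP while leaving the .js files the plugin loads reachable, and serving a robots.txt), written out as an added example; this is not BitcartCC's nginx.tmpl nor the poster's change. The hostname pay.example.com, the certificate paths, the IP 203.0.113.10 and the upstream names admin and backend are placeholders.

```nginx
# Catch-all server: requests whose Host / SNI name matches no server_name
# below land here. 444 closes the connection without a response, so a
# raw-IP or unrelated-hostname probe gets nothing, not even a cert error.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    # Refuse the TLS handshake for unknown names (nginx 1.19.4+), so the
    # store certificate is never presented to such a client.
    ssl_reject_handshake on;
    return 444;
}

server {
    listen 443 ssl;
    server_name pay.example.com;                 # placeholder store hostname
    ssl_certificate     /etc/nginx/certs/pay.example.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/certs/pay.example.com.key;  # placeholder

    # The thread notes the WHMCS plugin still loads .js from /admin in the
    # customer's browser: leave those files open (regex locations win over
    # the prefix block below) while everything else under /admin is
    # restricted to the billing server.
    location ~ ^/admin/.*\.js$ {
        proxy_pass http://admin;                 # placeholder upstream name
    }
    location /admin/ {
        allow 203.0.113.10;                      # placeholder billing-server IP
        deny  all;
        proxy_pass http://admin;
    }

    # API stays reachable: the plugin and the customer's browser use it.
    location /api/ {
        proxy_pass http://backend;               # placeholder upstream name
    }

    # Keep crawlers away without touching the paths the plugin needs.
    location = /robots.txt {
        default_type text/plain;
        return 200 "User-agent: *\nDisallow: /\n";
    }

    # Hide the store landing page. The thread reports that a 404 here
    # interfered with the WHMCS paid-invoice refresh, so test the payment
    # flow end to end after enabling it.
    location = / {
        return 404;
    }
}
```

Run `nginx -t` after editing, then confirm from an outside host that a raw-IP or wrong-hostname request is closed without a response and that /admin/ returns 403 from anywhere but the allowed address.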
-
I was hoping all requests would forward directly from my billing system to bitcartcc through curl etc.; that would be easy, just restrict the bitcart nginx to allow my billing system. But it seems to use assets from all areas including /api and /admin (otherwise I could restrict one or both of these). I notice it's mostly .js files, so I could try allowing access on *.js and on a per-file basis as needed, but thought I'd get others' thoughts on this. I'm trying to allow only the bare minimum to be accessible publicly to minimize exposure.