Erik, thanks for responding.

On Mon, Dec 24, 2018 at 9:43 PM Erik Huelsmann <ehuels@gmail.com> wrote:

Hi!

Good! Feel free to drop in whenever you feel like it. The channel may not always be active, but I'm usually monitoring activity. You're most likely active during my nights (I'm in Europe), but I'll try to respond as early on the day as possible.

I forgot to mention, I'm on IRC these days as Aussie_matt (registered name) or pilot_aus (unregistered).

 

Ok. So, I take it your desire is to run the setup in the Debian VM? Or are you looking at installing in a CentOS VM?

Sorry, yes, I'll use a Debian OS guest VM, on a Centos host OS.

Sure. No problem. Is the server which hosts the VMs web-facing? (Hmm, reading on, I think your point with the fixed IP is probably that it is webfacing indeed.)

Not currently, I only have it running internally on our network: But I wish to have LedgerSMB, and one other web app, to be accessible from outside: I don't know the ins and outs of VPN's, but I suspect that makes it tricky for the accountant to login. Web facing is more practical, but more open to web threats? I could be wrong on that.

 

I would like LedgerSMB to be web facing to allow me to

A: work from home at times

B: The accountant to log in and work when required (usually year end).

I have a setup like that myself too, so we can make that work :-)

Awesome!

Which version of LedgerSMB did you install? Do I remember that you're installing 1.5?

I believe you're correct it was 1.5, as the apt repo wasn't able to do 1.6 for some reason at this point in time: Dependency related IIRC.

All advice most appreciated. I may need my hand held significantly at first, especially in regards to networking and security.

In order to run a secure setup, there's one very important thing you need to have: a TLS/SSL Certificate. That will help keep the password going over the wire, secure.

Another thought that I have is: when you want to expose only LedgerSMB's web interface to the outside world, it's probably best to set up an extremely strict firewall/iptables setup which forwards/filters just the one single required port. Another idea would be to set up a (reverse) proxy: an HTTP server running on an already public VM which forwards the traffic to an internal server unaccessible to the internet.

Ah yes. Ok, so on my home Nextcloud install (internal only) I was able to create and use a self signed cert, but if we're going net facing, and the accountant is going to access it, I'm guessing using Let's Encrypt or similar is worth chasing up?

I'm all for locking firewalls down tight: I still don't fully understand the reverse proxy concept: But I'm sure I can be guided :)

 

Many ideas. Please follow-up or join #ledgersmb!

I've come down sick over the break, so am yet to return to the shop to look at doing anything:

I guess my first step is to install a Debian OS vm, and get the APT repo hooked in and installed: Take a snapshot, then we can proceed?

 

Regards,

--

Bye,

Erik.

Many thanks.

http://efficito.com -- Hosted accounting and ERP.

Robust and Flexible. No vendor lock-in.