Securing the i-doit web interface (HTTPS)
Setting up HTTPS
For secure access to i-doit — especially over the internet — HTTPS should be configured.
Apache VHost configuration
In the Apache VHost file (e.g. /etc/apache2/sites-available/i-doit.conf):
# HTTPS vhost that serves i-doit
<VirtualHost *:443>
    ServerName idoit.company.com
    DocumentRoot /var/www/html/i-doit
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/idoit.crt
    SSLCertificateKeyFile /etc/ssl/private/idoit.key
</VirtualHost>
# Plain HTTP vhost: redirect every request to HTTPS
<VirtualHost *:80>
    ServerName idoit.company.com
    Redirect permanent / https://idoit.company.com/
</VirtualHost>
Then enable the SSL module and the site, and restart Apache:
sudo a2enmod ssl
sudo a2ensite i-doit
sudo systemctl restart apache2
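The vhost file can be checked against the setup above before Apache is restarted. The following shell function is an added example, not part of the i-doit documentation; check_vhost is a hypothetical name and the sample file is constructed.

```shell
# check_vhost FILE: print one FAIL line per problem, return non-zero if any.
# Hypothetical helper; recognises Redirect only, not RewriteRule or RedirectPermanent.
check_vhost() {
    awk '
    function fail(msg) { print "FAIL: " msg; fails++ }
    function close_vhost() {
        if (port == "443") {
            tls_vhosts++
            if (!ssl)  fail(name " :443 has no \"SSLEngine on\"")
            if (!cert) fail(name " :443 has no SSLCertificateFile")
            if (!key)  fail(name " :443 has no SSLCertificateKeyFile")
        } else if (port == "80" && !redir) {
            fail(name " :80 does not redirect to https://")
        }
    }
    /^[ \t]*#/ { next }                      # skip comment lines
    { d = tolower($1) }                      # directive names are case-insensitive
    d == "<virtualhost" {                    # <VirtualHost *:443> -> port "443"
        port = $0; sub(/>.*/, "", port); sub(/.*:/, "", port)
        name = "(unnamed)"; ssl = cert = key = redir = 0; next
    }
    d == "</virtualhost>" { close_vhost(); port = ""; next }
    port == "" { next }                      # ignore lines outside a vhost
    d == "servername"            { name = $2 }
    d == "sslengine" && tolower($2) == "on" { ssl = 1 }
    d == "sslcertificatefile"    { cert = 1 }
    d == "sslcertificatekeyfile" { key = 1 }
    d == "redirect" && tolower($2) ~ /^(permanent|301)$/ &&
        tolower($NF) ~ /^https:\/\// { redir = 1 }
    END {
        if (!tls_vhosts) fail("no :443 VirtualHost found")
        exit (fails > 0)
    }
    ' "$1"
}

# Constructed sample (not from the page): HTTP-only vhost, no redirect, no :443.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:80>
    ServerName idoit.company.com
    DocumentRoot /var/www/html/i-doit
</VirtualHost>
EOF
check_vhost "$sample" || echo "fix the vhost file before restarting Apache"
rm -f "$sample"
```

On a real system, pass the path of the vhost file, e.g. check_vhost /etc/apache2/sites-available/i-doit.conf.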
Internet access
If i-doit should be accessible from external locations:
- HTTPS is mandatory — API keys and credentials are otherwise transmitted in plain text
- Use a reverse proxy (e.g. nginx) for additional security
- Configure firewall rules so only required ports (443) are open
- Consider a VPN as an alternative to direct internet access
CSRF token (from v38)
From i-doit v38, CSRF token protection is configurable. The setting is located in the Admin Center under System Settings > Security > CSRF Token.
Detailed documentation: Security and protection in the Knowledge Base