
Running CiviCRM behind a firewall

Running CiviCRM behind a firewall provides greater security but it means that users who have not been specifically given access cannot reach your CiviCRM site.

There are various solutions if you do wish to expose forms from your site through the firewall, including CiviProxy, or creating separate forms on your front-end server and importing the data or using code to bring it in.

Configuring your site to work behind a firewall

CiviCRM can expect the server to be able to communicate with external sites or URLs, which in most cases will not be possible behind a firewall. To avoid this causing slowness or user problems you should:

1) Disable System Checks that need to pass through the firewall
2) Potentially use embedded images in your WYSIWYG editor

System Checks

System checks are checks the system runs once a day or so to check your site configuration. Some of these, like the version check, rely on accessing information from an external site which cannot be reached through the firewall. As these often run when a user logs on and can take a while to time out, these unsuccessful System Checks can impact user experience.

There is no UI to disable them permanently, but it is possible to do so with the API. The status preferences are potentially tracked in the civicrm_status_preference table. If no action has been taken to pause or disable a check then no row will exist for it, but if it has previously been 'snoozed' there will be a row. To disable a check entirely it is necessary to create or update its row and set is_active to FALSE. Since we are either updating OR creating, we use the save action.

Disable status preferences through the api

In the above example, output like this is generated (this is the JavaScript version, which can be run through the console in your browser). Note that in this case I'm disabling the following:

/**
 * These checks time out, slowly, due to our browser cert config, might be OK on some firewalled sites:
 * checkResourceUrl
 * checkUploadsAreNotAccessible
 * checkDirectoriesAreNotBrowseable
 *
 * These 2 rely on crossing the firewall
 * checkVersion,
 * checkExtensions,
 *
 * Many firewalled sites also manage scheduled jobs 'their own way' & so should disable the cron check.
 * checkLastCron
 */
// Each record is a plain object. `match` makes save update the row with that
// name if one exists, or create it otherwise; `defaults` is applied to every record.
CRM.api4('StatusPreference', 'save', {
  records: [
    {"name": "checkResourceUrl"},
    {"name": "checkUploadsAreNotAccessible"},
    {"name": "checkDirectoriesAreNotBrowseable"},
    {"name": "checkVersion"},
    {"name": "checkExtensions"},
    {"name": "checkLastCron"}
  ],
  defaults: {"is_active": false},
  match: ["name"]
});
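
To confirm which of these checks are actually switched off, and that nothing else has been disabled along with them, the rows can be read back and compared against the intended list. This is an added example, not part of the CiviCRM documentation; the function names, the sample rows and the check name `checkExampleOther` are constructed for illustration.

```javascript
// Check names taken from the save call on this page.
const INTENDED_OFF = [
  'checkResourceUrl', 'checkUploadsAreNotAccessible',
  'checkDirectoriesAreNotBrowseable', 'checkVersion',
  'checkExtensions', 'checkLastCron',
];

// Compare StatusPreference rows against the list of checks meant to be off.
// A check with no row has never been snoozed or disabled, so it still runs.
function auditStatusPreferences(rows, intended = INTENDED_OFF) {
  const byName = new Map(rows.map((r) => [r.name, r]));
  const report = { disabled: [], stillActive: [], unexpectedlyDisabled: [] };
  for (const name of intended) {
    const row = byName.get(name);
    if (row && row.is_active === false) {
      report.disabled.push(name);
    } else {
      report.stillActive.push(name); // no row, or a row that is only snoozed
    }
  }
  // Anything disabled that is not on the list deserves a second look,
  // because a disabled check no longer reports problems to administrators.
  for (const row of rows) {
    if (row.is_active === false && !intended.includes(row.name)) {
      report.unexpectedlyDisabled.push(row.name);
    }
  }
  return report;
}

// Run from the browser console of a logged-in CiviCRM session.
async function runAudit() {
  const rows = await CRM.api4('StatusPreference', 'get', {
    select: ['name', 'is_active'],
  });
  return auditStatusPreferences(Array.from(rows));
}

// Constructed sample rows (not real output) for trying the audit offline.
const SAMPLE_ROWS = [
  { name: 'checkVersion', is_active: false },
  { name: 'checkExtensions', is_active: false },
  { name: 'checkLastCron', is_active: true },       // snoozed only
  { name: 'checkExampleOther', is_active: false },  // hypothetical check name
];
```

In the console, `runAudit().then(console.table)` shows the three lists; any entry under `unexpectedlyDisabled` is a check that was turned off outside this procedure.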

Use embedded images in your WYSIWYG

If you create an email with an image on a server behind a firewall and send that to users, they will not be able to access the image if it has been uploaded via your WYSIWYG editor and is at a URL behind the firewall. One approach is to use CKEditor 5 with the option to use embedded images enabled under Administer->Customize Data and Screens->Display Preferences.

With this enabled, the code to create the image is sent with the email (this can make for larger emails).

ckeditor5 with embedded images