OpenERP Reverse Proxy using nginx Server
OpenERP Reverse Proxy installation guide. In these few steps I am going to explain how to use nginx to secure your OpenERP 6.1 installation.
These commands are based on Debian Squeeze, but most of the configuration files will work on any Linux operating system.
Installing nginx
To install nginx, type on your server console:
apt-get install nginx
Create self signed certificate
If you plan to buy a certificate you should skip this step. Otherwise here is how to create your self signed certificate.
Create a temporary folder in your home directory:
cd
mkdir openerpssl
cd openerpssl
We are going to generate a new key, for which you will be asked for a passphrase. Then you need to remove the passphrase so you will not be prompted to enter it every time you start your server. Next, create a signing request, which will hold the data that will be visible in your certificate. And finally we self-sign your certificate.
openssl genrsa -des3 -out openerp.pkey 1024
openssl rsa -in openerp.pkey -out openerp.key
openssl req -new -key openerp.key -out openerp.csr
openssl x509 -req -days 365 -in openerp.csr -signkey openerp.key -out openerp.crt
Now move them to a more secure location and set ownership and access rights:
chown root:www-data openerp.crt openerp.key
chmod 640 openerp.crt openerp.key
mkdir /etc/ssl/openerpssl
chown www-data:root /etc/ssl/openerpssl
chmod 710 /etc/ssl/openerpssl
mv openerp.crt openerp.key /etc/ssl/openerpssl/
Create configuration file for nginx
Create a new configuration file and put this configuration in it:
vi /etc/nginx/sites-available/openerp
upstream openerpserver {
    server 127.0.0.1:8069 weight=1 fail_timeout=300s;
}

server {
    listen 80;
    server_name erp.yourdomain.com;

    # Strict Transport Security
    add_header Strict-Transport-Security max-age=2592000;

    # For version 6.1 use:
    rewrite ^/mobile.*$ https://erp.yourdomain.com/web_mobile/static/src/web_mobile.html permanent;
    rewrite ^/webdav(.*)$ https://erp.yourdomain.com/webdav/$1 permanent;
    rewrite ^/.*$ https://erp.yourdomain.com/web/webclient/home permanent;

    # For version 7 use this single rule instead of the three above:
    # rewrite ^/.*$ https://erp.yourdomain.com/ permanent;
}

server {
    # server port and name
    listen 443 default;
    server_name erp.yourdomain.com;

    # Specifies the maximum accepted body size of a client request,
    # as indicated by the request header Content-Length.
    client_max_body_size 200m;

    # ssl log files
    access_log /var/log/nginx/openerp-access.log;
    error_log /var/log/nginx/openerp-error.log;

    # ssl certificate files
    ssl on;
    ssl_certificate /etc/ssl/openerpssl/openerp.crt;
    ssl_certificate_key /etc/ssl/openerpssl/openerp.key;

    # add ssl specific settings
    keepalive_timeout 60;

    # limit ciphers
    ssl_ciphers HIGH:!ADH:!MD5;
    ssl_protocols SSLv3 TLSv1;
    ssl_prefer_server_ciphers on;

    # increase proxy buffer to handle some OpenERP web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location / {
        proxy_pass http://openerpserver;

        # force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Let the OpenERP web service know that we're using HTTPS, otherwise
        # it will generate URL using http:// and not https://
        proxy_set_header X-Forwarded-Proto https;

        # by default, do not forward anything
        proxy_redirect off;
    }

    # cache some static data in memory for 60mins.
    # under heavy load this should relieve stress on the OpenERP web interface a bit.
    location ~* /web/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://openerpserver;
    }
}
ln -s /etc/nginx/sites-available/openerp /etc/nginx/sites-enabled/openerp
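The TLS directives in the configuration above date from Debian Squeeze. The following is an added example (not part of the original post) of the same proxy written for a current nginx release, with SSLv3 and TLS 1.0 disabled and the HSTS header moved to the HTTPS server, where browsers honor it. It assumes nginx 1.13.0 or later built against OpenSSL 1.1.1 or later, and a certificate key of at least 2048 bits.

```nginx
# Added example: erp.yourdomain.com, the certificate paths and the
# openerpserver upstream are the tutorial's own names.
upstream openerpserver {
    server 127.0.0.1:8069 weight=1 fail_timeout=300s;
}

server {
    listen 80;
    server_name erp.yourdomain.com;
    # Redirect only: browsers ignore an HSTS header received over plain HTTP.
    # (OpenERP 7 rule; for 6.1 keep the tutorial's three rewrite lines.)
    rewrite ^/.*$ https://erp.yourdomain.com/ permanent;
}

server {
    # "listen ... ssl" replaces "ssl on;", which newer nginx releases reject.
    listen 443 ssl default_server;
    server_name erp.yourdomain.com;
    client_max_body_size 200m;

    access_log /var/log/nginx/openerp-access.log;
    error_log  /var/log/nginx/openerp-error.log;

    ssl_certificate     /etc/ssl/openerpssl/openerp.crt;
    ssl_certificate_key /etc/ssl/openerpssl/openerp.key;

    # SSLv3 and TLS 1.0 are no longer offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Sent on every HTTPS response, including error pages ("always").
    add_header Strict-Transport-Security "max-age=2592000" always;

    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location / {
        proxy_pass http://openerpserver;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
    }
}
```

Run nginx -t before restarting so a syntax or certificate error is reported without taking the proxy down.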
Make the changes to your OpenERP server configuration file
Change the following lines to block non-encrypted traffic from outside
vi /etc/openerp-server.conf
xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1
Restart the services and we have the OpenERP Reverse Proxy working!
/etc/init.d/openerp restart
/etc/init.d/nginx restart
When you try to access http://erp.yourdomain.com you should be redirected to https://erp.yourdomain.com and have secure communication with your OpenERP Server.
To access the server from the GTK Client you should also use port 443 and choose XML-RPC secure, because we have disabled access to ports 8069 and 8070 from the outside world.
Dear Nikola, Thank you for your great documentation. Works perfectly. Just one question with respect to the firewall. We use Ubuntu’s ufw and have the following ports open (default=deny):
### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -j ACCEPT
### tuple ### allow any 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
-A ufw-user-input -p udp --dport 80 -j ACCEPT
### tuple ### allow any 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT
-A…
what are your firewall settings for your lo interface? you should have access to localhost 8069 to be able to communicate with OpenERP from your nginx upstream:
upstream openerpserver {
server 127.0.0.1:8069 weight=1 fail_timeout=300s;
}
and also with your PostgreSQL server port 5432.
I’ve never used ufw, so I don’t know if your localhost interface is open by default. In iptables I’m opening all traffic to the lo interface:
iptables -A INPUT -i lo -j ACCEPT
Here is my simple firewall that I use: https://www.vionblog.com/simple-linux-firewall/
Regards
Hi Nikola, Have a question, hope you can help…. I have the latest Ubuntu server installed in my VMworkstation 9. OpenErp is running nicely and I use this config above for demo purposes (having a windows web-client and Ubuntu OpenErp server on one machine). For the Ubuntu server there is a nic with a static address defined on 192.168.1.18 so I can access openerp website on the ubuntu server from a windows explorer by http:\192.168.1.18:8069 Now I am not an Ubuntu expert at all, so I followed above instructions to demo the ssl interface, but I struggle with the server_name field…
if you are using OpenERP 7 change your port 80 to this:
——————–
server {
listen 80;
server_name 192.168.1.18;
# Strict Transport Security
add_header Strict-Transport-Security max-age=2592000;
rewrite ^/.*$ https://192.168.1.18/ permanent;
}
————-
this will redirect your http requests to https. You can always try https://192.168.1.18/ and see if your ssl configuration is working.
Regards
Hi Nikola, Thanks for your answer. It seems that I am still doing something wrong, but cannot find it; hope you can see what's wrong in the code below. The openerp main window still appears when going to website http://192.168.1.18:8069. Going to https://192.168.1.18 does not display a page.
upstream openerpserver {
server 127.0.0.1:8069 weight=1 fail_timeout=300s;
}
Server {
listen 80;
server_name 192.168.1.18;
# Strict Transport Security
add_header Strict-Transport-Security max-age=2592000;
rewrite ^/.*$ https://192.168.1.18/ permanent;
}
server {
listen 443 default;
server_name 192.168.1.18;
# Specifies the maximum accepted body size of a client request,
# as indicated by the request header Content-Length.
…
Hi Nikola,
Good news, I replaced the two statements proxy_pass http://192.168.1.18 and replaced them with the name of the Ubuntu Server so… proxy_pass http://openerpserver; (hope that was the intention of it)
https://192.168.1.18 is now working. GREAT
The original http://192.168.1.18:8069 is also still working.. is there a way to easily block this address so enforcing the use of the https address only ?
Thanks for this super post and your help !!!
Gerard
proxy_pass http://openerpserver; is a reference for your upstream name on the top of this config.
—————-
upstream openerpserver {
server 127.0.0.1:8069 weight=1 fail_timeout=300s;
}
—————
In the upstream you are connecting to 127.0.0.1:8069 and if you change xmlrpc_interface = 127.0.0.1 in your config file this will be the only way to access your OpenERP, you will NOT be able to access http://192.168.1.18:8069
Regards,
Nikola
Thanks, this is working well for me. Just had to tweak it a little bit as my main domain was used for wp. Question: the web site builder available at Odoo (vers 8) is not available for the 7.0 version right? Thanks in advance and thanks for keeping this up.
No, it’s not available in version 7 only in version 8.
Regards
@Nikola Stojanoski Hi again. I found really some good starting blocks here to initialize my setup. If I may I want to ask you a small help. I have a openerp8 (odoo) running (finally). I do not want to setup ssl yet as I will have from my registrar. My need is the following: – so far I can only connect with the IP address:8069. OpenErp8 working fine. – I want to use simply a domain name. xxxxxxx.com – I am running on a VPS (digital ocean), with DNS declared and nginx running. I tried to follow your tutorial but…
try this into your nginx config:
location / {
proxy_pass http://openerpserverip:8069;
# set headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for
proxy_redirect off;
}
This will proxypass to your URL that you can open; if it works, you can then tweak the config and see which part fails.
Regards
thx man, it works when I remove the following:
# set headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for
proxy_redirect off;
When I do add these lines, nginx fails to restart.
Hi Nikola. Thanks for sharing. ¿What can you comment about having some odoo servers running each on a virtualenv and serving on different ports, through an nginx proxy? ¿could it be done?