OpenERP Reverse Proxy using nginx Server


OpenERP Reverse Proxy installation guide. With this few steps I am are going to explain how to use nginx to secure your OpenERP 6.1 installation.

This commands are based on Debian Squeeze, but most of the configuration files will work on any Linux Operating System.

Installing nginx

On your server console to install nginx type:

apt-get install nginx

Create self signed certificate

If you plan to buy a certificate you should skip this step. Otherwise here is how to create your self signed certificate.

Create a temporary folder into your home directory:

cd
mkdir openerpssl
cd openerpssl

We are going to generate new key where you will be asked for a passphrase. Then you need to remove the passphrase so you will not be prompt to enter it every time you start your server. Create signing request which will hold the data that will be visible in your  certificate. And finally we self-sign your certificate.

openssl genrsa -des3 -out openerp.pkey 1024
openssl rsa -in openerp.pkey -out openerp.key
openssl req -new -key openerp.key -out openerp.csr
openssl x509 -req -days 365 -in openerp.csr -signkey openerp.key -out openerp.crt

Now store them into more secure location set ownership and access rights

chown root:www-data openerp.crt openerp.key
chmod 640 openerp.crt openerp.key
mkdir /etc/ssl/openerpssl
chown www-data:root /etc/ssl/openerpssl
chmod 710 /etc/ssl/openerpssl
mv openerp.crt openerp.key /etc/ssl/openerpssl/

Create configuration file for nginx

Create new configuration file and put this configuration

vi /etc/nginx/sites-available/openerp
upstream openerpserver {
    server 127.0.0.1:8069 weight=1 fail_timeout=300s;
}

server {
    listen 80;
    server_name erp.yourdomain.com;

    # Strict Transport Security
    add_header Strict-Transport-Security max-age=2592000;

    # For version 6.1 use:
    rewrite ^/mobile.*$ https://erp.yourdomain.com/web_mobile/static/src/web_mobile.html permanent;
    rewrite ^/webdav(.*)$ https://erp.yourdomain.com/webdav/$1 permanent;
    rewrite ^/.*$ https://erp.yourdomain.com/web/webclient/home permanent;

    # For version 7 use:
    rewrite ^/.*$ https://erp.yourdomain.com/ permanent;
}

server {
    # server port and name
    listen 443 default;
    server_name erp.yourdoamin.com;

    # Specifies the maximum accepted body size of a client request,
    # as indicated by the request header Content-Length.
    client_max_body_size 200m;

    # ssl log files
    access_log /var/log/nginx/openerp-access.log;
    error_log /var/log/nginx/openerp-error.log;

    # ssl certificate files
    ssl on;
    ssl_certificate /etc/ssl/openerpssl/openerp.crt;
    ssl_certificate_key /etc/ssl/openerpssl/openerp.key;

    # add ssl specific settings
    keepalive_timeout 60;

    # limit ciphers
    ssl_ciphers HIGH:!ADH:!MD5;
    ssl_protocols SSLv3 TLSv1;
    ssl_prefer_server_ciphers on;

    # increase proxy buffer to handle some OpenERP web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location / {
        proxy_pass http://openerpserver;
        # force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;

        # Let the OpenERP web service know that we're using HTTPS, otherwise
        # it will generate URL using http:// and not https://
        proxy_set_header X-Forwarded-Proto https;

        # by default, do not forward anything
        proxy_redirect off;
    }

    # cache some static data in memory for 60mins.
    # under heavy load this should relieve stress on the OpenERP web interface a bit.
    location ~* /web/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://openerpserver;
    }
}
ln -s /etc/nginx/sites-available/openerp /etc/nginx/sites-enabled/openerp

Make the changes to your OpenERP server configuration file

Change the following lines to block non-encrypted traffic from outside

vi /etc/openerp-server.conf
xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1

Restart the services and we OpenERP Reverse Proxy working!

/etc/init.d/openerp restart
/etc/init.d/nginx restart

 

When you try to access http://erp.yourdomain.com you should be redirected to https://erp.yourdomain.com and have secure communication with your OpenERP Server.

For accessing from the GTK Client you should also use 443 and choose XML-RPC secure because we have disabled access to ports 8069 and 8070 from outside world.

More on OpenERP

More on nginx



Subscribe
Notify of
guest
13 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Christopher
Christopher
10 years ago

Dear Nikola, Thank you for your great documentation. Works perfectly. Just one question with respect to the firewall. We use Ubuntu’s ufw and have the following ports open (default=deny): ### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in -A ufw-user-input -p tcp –dport 22 -j ACCEPT -A ufw-user-input -p udp –dport 22 -j ACCEPT ### tuple ### allow any 80 0.0.0.0/0 any 0.0.0.0/0 in -A ufw-user-input -p tcp –dport 80 -j ACCEPT -A ufw-user-input -p udp –dport 80 -j ACCEPT ### tuple ### allow any 443 0.0.0.0/0 any 0.0.0.0/0 in -A ufw-user-input -p tcp –dport 443 -j ACCEPT -A… Read more »

gerard
10 years ago

Hi Nikola Have a question, hope you can help…. I have the latest Ubuntu server installed in my VMworkstation 9. OpenErp is running nicely and I use this config above for demo purposes.(having a windows web-client and Ubuntu OpenErp server on one machine. For the Ubuntu server there is a nic with a static address defined on 192.168.1.18 so I can access openerp website on the ubuntu server from a windows explorere by http:\192.168.1.18:8069 Now I am not an Ubuntu expert at all, so I followed above instructions to demo the ssl interface, but I struggle with the server_name field… Read more »

gerard
10 years ago

Hi Nikola, Thanks for your answer, It seems that I still doing something wrong, but can not find it,, hope you can see whats wrong in the code below,, the openerp main windows still apears when going to website http://192.168.1.18:8069 Going to https://192.168.1.18 does not display a page. upstream openerpserver { server 127.0.0.1:8069 weight=1 fail_timeout=300s; } Server { listen 80; server_name 192.168.1.18; # Strict Transport Security add_header Strict-Transport-Security max-age=2592000; rewrite ^/.*$ https://192.168.1.18/ permanent; } server { listen 443 default; server_name 192.168.1.18; # Specifies the maximum accepted body size of a client request, # as indicated by the request header Content-Length.… Read more »

gerard
10 years ago

Hi Nikola,,
Good news,, I replaced the two statements proxy_pass http://192.168.1.18 and replace the with the name of the Ubuntu Server so… proxy_pass http://openerpserver; (hope that was the intention of it)

https://192.168.1.18 is now working. GREAT

The original http://192.168.1.18:8069 is also still working.. is there a way to easily block this address so enforcing the use of the https address only ?

Thanks for this super post and your help !!!
Gerard

Haider Alleg
9 years ago

Thanks, this is working well for me. Just had to tweak it a little bit as my main domain was used for wp. Question: the web site builder available at Odoo (vers 8) is not available for the 7.0 version right? Thanks in advance and thanks for keeping this up.

nstojanoski
nstojanoski
9 years ago
Reply to  Haider Alleg

No, it’s not available in version 7 only in version 8.

Regards

Haider Alleg
9 years ago

@Nikola Stojanoski Hi again. I found really some good starting blocks here to initialize my setup. If I may I want to ask you a small help. I have a openerp8 (odoo) running (finally). I do not want to setup ssl yet as I will have from my registrar. My need is the following: – so far I can only connect with the IP address:8069. OpenErp8 working fine. – I want to use simply a domain name. xxxxxxx.com – I am running on a VPS (digital ocean), with DNS declared and nginx running. I tried to follow your tutorial but… Read more »

nstojanoski
nstojanoski
9 years ago
Reply to  Haider Alleg

try this into your nginx config:

location / {
proxy_pass http://openerpserverip:8069;
# set headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for
proxy_redirect off;
}

this will proxypass to your URL that you can open if it works you can then tweak the config and see which part fails.

Regards

Haider Alleg
9 years ago
Reply to  nstojanoski

thx man, it works when I remove the following:

# set headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for
proxy_redirect off;

When I do add these lines, nginx fail to restart.

Néstor Gómez Muñoz
Néstor Gómez Muñoz
9 years ago

Hi Nikola. Thanks for sharing. ¿What can you comment about having some odoo servers running each on a virtualenv and serving on different ports, through an nginx proxy? ¿could it be done?

Advertisement