OpenERP Reverse Proxy using nginx Server


OpenERP Reverse Proxy installation guide. In these few steps I am going to explain how to use nginx to secure your OpenERP 6.1 installation.

These commands are based on Debian Squeeze, but most of the configuration files will work on any Linux operating system.

Installing nginx

To install nginx, type the following on your server console:

apt-get install nginx

Create self-signed certificate

If you plan to buy a certificate you should skip this step. Otherwise, here is how to create your self-signed certificate.

Create a temporary folder in your home directory:

cd
mkdir openerpssl
cd openerpssl

We are going to generate a new key, for which you will be asked for a passphrase. Then you need to remove the passphrase so you will not be prompted to enter it every time you start your server. Next, create a signing request, which holds the data that will be visible in your certificate. Finally, we self-sign your certificate.

# 2048 bits: 1024-bit RSA keys are no longer considered secure
openssl genrsa -des3 -out openerp.pkey 2048
openssl rsa -in openerp.pkey -out openerp.key
openssl req -new -key openerp.key -out openerp.csr
openssl x509 -req -days 365 -in openerp.csr -signkey openerp.key -out openerp.crt

Now move them to a more secure location and set ownership and access rights:

chown root:www-data openerp.crt openerp.key
chmod 640 openerp.crt openerp.key
mkdir /etc/ssl/openerpssl
chown www-data:root /etc/ssl/openerpssl
chmod 710 /etc/ssl/openerpssl
mv openerp.crt openerp.key /etc/ssl/openerpssl/

Create configuration file for nginx

Create a new configuration file and put the following configuration in it:

vi /etc/nginx/sites-available/openerp

upstream openerpserver {
    server 127.0.0.1:8069 weight=1 fail_timeout=300s;
}

server {
    listen 80;
    server_name erp.yourdomain.com;

    # For version 6.1 use:
    rewrite ^/mobile.*$ https://erp.yourdomain.com/web_mobile/static/src/web_mobile.html permanent;
    rewrite ^/webdav(.*)$ https://erp.yourdomain.com/webdav/$1 permanent;
    rewrite ^/.*$ https://erp.yourdomain.com/web/webclient/home permanent;

    # For version 7 use this single rule instead of the three above
    # (left active after them it would never be reached):
    # rewrite ^/.*$ https://erp.yourdomain.com/ permanent;
}

server {
    # server port and name
    listen 443 default;
    server_name erp.yourdomain.com;

    # Strict Transport Security; browsers only honour this header over HTTPS,
    # so it belongs in this server block rather than the port 80 one
    add_header Strict-Transport-Security max-age=2592000;

    # Specifies the maximum accepted body size of a client request,
    # as indicated by the request header Content-Length.
    client_max_body_size 200m;

    # ssl log files
    access_log /var/log/nginx/openerp-access.log;
    error_log /var/log/nginx/openerp-error.log;

    # ssl certificate files
    ssl on;
    ssl_certificate /etc/ssl/openerpssl/openerp.crt;
    ssl_certificate_key /etc/ssl/openerpssl/openerp.key;

    # add ssl specific settings
    keepalive_timeout 60;

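    # limit ciphers and protocols; SSLv3 and TLSv1 are obsolete, and
    # TLSv1.2 needs nginx 1.1.13/1.0.12 or later built against OpenSSL 1.0.1+
    ssl_ciphers HIGH:!ADH:!MD5;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;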

    # increase proxy buffer to handle some OpenERP web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location / {
        proxy_pass http://openerpserver;
        # force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Let the OpenERP web service know that we're using HTTPS, otherwise
        # it will generate URL using http:// and not https://
        proxy_set_header X-Forwarded-Proto https;

        # by default, do not forward anything
        proxy_redirect off;
    }

    # cache some static data in memory for 60mins.
    # under heavy load this should relieve stress on the OpenERP web interface a bit.
    location ~* /web/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://openerpserver;
    }
}

Then enable the site by linking it into sites-enabled:

ln -s /etc/nginx/sites-available/openerp /etc/nginx/sites-enabled/openerp

Make the changes to your OpenERP server configuration file

Change the following lines so that OpenERP only listens on the loopback interface, which blocks non-encrypted traffic from outside:

vi /etc/openerp-server.conf

xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1

Restart the services and we have the OpenERP Reverse Proxy working!

/etc/init.d/openerp restart
/etc/init.d/nginx restart

When you try to access http://erp.yourdomain.com you should be redirected to https://erp.yourdomain.com and have secure communication with your OpenERP Server.
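The redirect and the HSTS header can be verified from captured response headers; the script below is an added example, not part of the original article. The function names and both header dumps are constructed for illustration; on a live system the dumps would come from `curl -sI http://erp.yourdomain.com/` and `curl -skI https://erp.yourdomain.com/`.

```sh
#!/bin/sh
# header_value NAME: print the value of response header NAME (matched
# case-insensitively) from a header dump on stdin, e.g. `curl -sI URL` output.
header_value() {
    awk -v name="$1" '
        { sub(/\r$/, ""); i = index($0, ":") }
        i && tolower(substr($0, 1, i - 1)) == tolower(name) {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
        }'
}

# redirects_to_https HOST: succeed if the plain-HTTP response on stdin is a
# permanent redirect (301/308) to an https:// URL on exactly that host.
redirects_to_https() {
    headers=$(cat)
    status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
    location=$(printf '%s\n' "$headers" | header_value Location)
    case "$status" in 301|308) ;; *) return 1 ;; esac
    case "$location" in "https://$1"|"https://$1/"*) return 0 ;; *) return 1 ;; esac
}

# hsts_max_age: print max-age from the Strict-Transport-Security header of the
# HTTPS response on stdin (browsers ignore the header when sent over HTTP);
# fail if the header or the directive is missing.
hsts_max_age() {
    header_value Strict-Transport-Security | awk '
        match(tolower($0), /max-age=[0-9]+/) {
            print substr($0, RSTART + 8, RLENGTH - 8); found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed samples of what the proxy should answer on port 80 and port 443.
HTTP_RESPONSE='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://erp.yourdomain.com/web/webclient/home
'
HTTPS_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=2592000
Content-Type: text/html; charset=utf-8
'

printf '%s' "$HTTP_RESPONSE" | redirects_to_https erp.yourdomain.com && echo "HTTP redirects to HTTPS"
echo "HSTS max-age: $(printf '%s' "$HTTPS_RESPONSE" | hsts_max_age)"
```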

To connect from the GTK client you should also use port 443 and choose XML-RPC secure, because we have disabled access to ports 8069 and 8070 from the outside world.
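To confirm that ports 8069 and 8070 really are closed to the outside after the restart, the listening sockets can be checked; this is an added example, not part of the original article. The function name and both sample listings are constructed; on the server, pipe `ss -ltn` or `netstat -ltn` into the function instead.

```sh
#!/bin/sh
# exposed_listeners PORT...
#   Reads `ss -ltn` or `netstat -ltn` output on stdin and prints the local
#   address of every listening socket on one of the given ports that is bound
#   to something other than loopback. Exit status is 1 if any were found.
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /LISTEN/ {
            addr = $4                       # local address column in ss and netstat
            port = addr; sub(/.*:/, "", port)
            if (!(port in want)) next
            host = substr(addr, 1, length(addr) - length(port) - 1)
            gsub(/\[/, "", host); gsub(/\]/, "", host)   # ss prints [::1]:8069
            sub(/^::ffff:/, "", host)       # IPv4-mapped IPv6 address
            if (host ~ /^127\./ || host == "::1") next
            print addr; bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample (ss format): OpenERP still bound to all interfaces,
# so the backend can be reached directly and the proxy bypassed.
SAMPLE_BEFORE='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:8069        0.0.0.0:*
LISTEN  0       128     *:8070              *:*
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*'

# Constructed sample (netstat format): after setting xmlrpc_interface and
# netrpc_interface to 127.0.0.1 and restarting OpenERP.
SAMPLE_AFTER='Proto Recv-Q Send-Q Local Address   Foreign Address State
tcp        0      0 127.0.0.1:8069  0.0.0.0:*       LISTEN
tcp        0      0 127.0.0.1:8070  0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:443     0.0.0.0:*       LISTEN
tcp6       0      0 :::80           :::*            LISTEN'

if printf '%s\n' "$SAMPLE_AFTER" | exposed_listeners 8069 8070; then
    echo "OK: OpenERP ports are loopback-only"
fi
```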

Christopher

Dear Nikola, Thank you for your great documentation. Works perfectly. Just one question with respect to the firewall. We use Ubuntu’s ufw and have the following ports open (default=deny):

### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -j ACCEPT
### tuple ### allow any 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
-A ufw-user-input -p udp --dport 80 -j ACCEPT
### tuple ### allow any 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT
-A…

gerard

Hi Nikola. Have a question, hope you can help…. I have the latest Ubuntu server installed in my VMworkstation 9. OpenErp is running nicely and I use this config above for demo purposes (having a Windows web client and Ubuntu OpenErp server on one machine). For the Ubuntu server there is a NIC with a static address defined on 192.168.1.18, so I can access the OpenERP website on the Ubuntu server from a Windows Explorer by http:\192.168.1.18:8069. Now I am not an Ubuntu expert at all, so I followed the above instructions to demo the SSL interface, but I struggle with the server_name field…

Haider Alleg

Thanks, this is working well for me. Just had to tweak it a little bit as my main domain was used for wp. Question: the web site builder available at Odoo (vers 8) is not available for the 7.0 version right? Thanks in advance and thanks for keeping this up.

nstojanoski

No, it’s not available in version 7 only in version 8.

Regards

Haider Alleg

@nstojanoski Hi again. I really found some good starting blocks here to initialize my setup. If I may, I want to ask you for a small help. I have an openerp8 (odoo) running (finally). I do not want to set up SSL yet as I will have it from my registrar. My need is the following:

– so far I can only connect with the IP address:8069. OpenErp8 working fine.
– I want to use simply a domain name. xxxxxxx.com
– I am running on a VPS (digital ocean), with DNS declared and nginx running. I tried to follow your tutorial but nginx…

nstojanoski

Try this in your nginx config:

location / {
    proxy_pass http://openerpserverip:8069;
    # set headers
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect off;
}

This will proxypass to your URL that you can open. If it works, you can then tweak the config and see which part fails.

Regards

Haider Alleg

thx man, it works when I remove the following:

# set headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for
proxy_redirect off;

When I do add these lines, nginx fails to restart.

Néstor Gómez Muñoz

Hi Nikola. Thanks for sharing. What can you comment about having some odoo servers running each on a virtualenv and serving on different ports, through an nginx proxy? Could it be done?
