OpenERP Reverse Proxy using nginx Server

OpenERP Reverse Proxy installation guide. With this few steps I am are going to explain how to use nginx to secure your OpenERP 6.1 installation.

This commands are based on Debian Squeeze, but most of the configuration files will work on any Linux Operating System.


Installing nginx

On your server console to install nginx type:

apt-get install nginx

Create self signed certificate

If you plan to buy a certificate you should skip this step. Otherwise here is how to create your self signed certificate.

Create a temporary folder into your home directory:

mkdir openerpssl
cd openerpssl

We are going to generate new key where you will be asked for a passphrase. Then you need to remove the passphrase so you will not be prompt to enter it every time you start your server. Create signing request which will hold the data that will be visible in your  certificate. And finally we self-sign your certificate.

openssl genrsa -des3 -out openerp.pkey 1024
openssl rsa -in openerp.pkey -out openerp.key
openssl req -new -key openerp.key -out openerp.csr
openssl x509 -req -days 365 -in openerp.csr -signkey openerp.key -out openerp.crt

Now store them into more secure location set ownership and access rights

chown root:www-data openerp.crt openerp.key
chmod 640 openerp.crt openerp.key
mkdir /etc/ssl/openerpssl
chown www-data:root /etc/ssl/openerpssl
chmod 710 /etc/ssl/openerpssl
mv openerp.crt openerp.key /etc/ssl/openerpssl/

Create configuration file for nginx

Create new configuration file and put this configuration

vi /etc/nginx/sites-available/openerp
upstream openerpserver {
    server weight=1 fail_timeout=300s;

server {
    listen 80;

    # Strict Transport Security
    add_header Strict-Transport-Security max-age=2592000;

    # For version 6.1 use:
    rewrite ^/mobile.*$ permanent;
    rewrite ^/webdav(.*)$$1 permanent;
    rewrite ^/.*$ permanent;

    # For version 7 use:
    rewrite ^/.*$ permanent;

server {
    # server port and name
    listen 443 default;

    # Specifies the maximum accepted body size of a client request,
    # as indicated by the request header Content-Length.
    client_max_body_size 200m;

    # ssl log files
    access_log /var/log/nginx/openerp-access.log;
    error_log /var/log/nginx/openerp-error.log;

    # ssl certificate files
    ssl on;
    ssl_certificate /etc/ssl/openerpssl/openerp.crt;
    ssl_certificate_key /etc/ssl/openerpssl/openerp.key;

    # add ssl specific settings
    keepalive_timeout 60;

    # limit ciphers
    ssl_ciphers HIGH:!ADH:!MD5;
    ssl_protocols SSLv3 TLSv1;
    ssl_prefer_server_ciphers on;

    # increase proxy buffer to handle some OpenERP web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location / {
        proxy_pass http://openerpserver;
        # force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;

        # Let the OpenERP web service know that we're using HTTPS, otherwise
        # it will generate URL using http:// and not https://
        proxy_set_header X-Forwarded-Proto https;

        # by default, do not forward anything
        proxy_redirect off;

    # cache some static data in memory for 60mins.
    # under heavy load this should relieve stress on the OpenERP web interface a bit.
    location ~* /web/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://openerpserver;
ln -s /etc/nginx/sites-available/openerp /etc/nginx/sites-enabled/openerp

Make the changes to your OpenERP server configuration file

Change the following lines to block non-encrypted traffic from outside

vi /etc/openerp-server.conf
xmlrpc_interface =
netrpc_interface =

Restart the services and we OpenERP Reverse Proxy working!

/etc/init.d/openerp restart
/etc/init.d/nginx restart


When you try to access you should be redirected to and have secure communication with your OpenERP Server.

For accessing from the GTK Client you should also use 443 and choose XML-RPC secure because we have disabled access to ports 8069 and 8070 from outside world.

More on OpenERP

More on nginx