In order to avoid all the information between the users' browsers and the Odoo server, that is to be sent in clear over the network, it is necessary to use the HTTPS protocol that encrypts the exchanges. Odoo cannot do this natively, and it is necessary to configure a reverse proxy that will handle the encryption and decryption on behalf of the Odoo server. This recipe shows how to use nginx
(http://nginx.net) for this.
You should know the public name of the server and configure your DNS accordingly. In this recipe, we will use odoo.example.com
as the name of your server.
If you want your Odoo instance to be visible by all browsers, you will need to get an SSL certificate signed by a recognized Certification Authority (CA). Using a self-signed certificate can also be made to work, but modern browsers tend to refuse these.
To generate an SSL key, you can use the following process:
openssl:
$ sudo apt-get install openssl
$ mkdir ~/sslkey $ openssl genrsa -out ~/sslkey/server.key 2048
$ openssl req -new -key ~/sslkey/server.key -out ~/sslkey/server.csr
~/sslkey/server.csr
, to a Certification Authority (CA) of your choice. The CA will send you back a file called server.crt
, which we will use in the recipe.In order to access your instance using HTTPS via nginx
, you need to follow these steps:
nginx
:# apt-get install nginx
/etc/nginx/sites-available/odoo-80
:server { listen [::]:80 ipv6only=off; server_name odoo.example.com; access_log /var/log/nginx/odoo80.access.log combined; error_log /var/log/nginx/odoo80.error.log; location / { rewrite ^/(.*) https://odoo.example.com:443/$1 permanent; } }
/etc/nginx/sites-available/odoo-443
:server { listen [::]:443 ipv6only=off; server_name odoo.example.com; ssl on; ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key; access_log /var/log/nginx/odoo443.access.log combined; error_log /var/log/nginx/odoo443.error.log; client_max_body_size 128M; gzip on; proxy_read_timeout 600s; index index.html index.htm index.php; add_header Strict-Transport-Security "max-age=31536000"; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forward-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $http_host; location / { proxy_pass http://localhost:8069; proxy_read_timeout 6h; proxy_connect_timeout 5s; proxy_redirect http://$http_host/ https://$host:$server_port/; add_header X-Static no; proxy_buffer_size 64k; proxy_buffering off; proxy_buffers 4 64k; proxy_busy_buffers_size 64k; proxy_intercept_errors on; } location /longpolling/ { proxy_pass http://localhost:8072; } location ~ /[a-zA-Z0-9_-]*/static/ { proxy_pass http://localhost:8069; proxy_cache_valid 200 60m; proxy_buffering on; expires 864000; } }
/etc/nginx/sites-enabled/
:# ln -s /etc/nginx/sites-available/odoo80 /etc/nginx/sites-enabled/odoo80 # ln -s /etc/nginx/sites-available/odoo443 /etc/nginx/sites-enabled/odoo443
/etc/nginx/sites-enabled/default
:# rm /etc/nginx/sites-enabled/default
# mkdir -p /etc/nginx/ssl # chown www-data /etc/nginx/ssl # mv server.key server.crt /etc/nginx/ssl # chmod 710 /etc/nginx/ssl # chown root:www-data /etc/nginx/ssl/* # chmod 640 /etc/nginx/ssl/*
proxy_mode
:proxy_mode = True
odoo
instance and nginx
:# service odoo restart # service ng inx restart
We are using nginx as a reverse HTTP proxy. Incoming HTTP and HTTPS connections are handled by nginx, which delegates the processing of the requests to the Odoo server. The Odoo server is configured to only listen on the local loopback interface (127.0.0.1
) on port 8069
for normal requests (xmlrpc_port
) and port 8072
for the long polling requests (longpolling_port
). You may need to adapt the port numbers to your configuration.
The recipe sets up two files. The first one is the configuration for incoming connections on port 80
using the HTTP protocol. We don't want these because they are in clear text, meaning that the passwords can be sniffed. Therefore, we set up nginx to redirect the URLs permanently to port 443
using the encrypted HTTPS protocol.
The second file is a bit more complex and configures the way nginx should handle connections using the HTTPS protocol:
location /
block defines the default processing of incoming requests; they will be proxied to the Odoo server listening on port 8069
.location /longpolling
block handles queries made on URLs starting with /longpolling
, which are then forwarded to Odoo on port 8072
. These connections are used by the bus addon module to send notifications to the web client.location ~ /[a-zA-Z0-9_-]*/static/
block uses a regular expression to match the URLs of the static files of Odoo modules. These files are rarely updated, and so we ask nginx to cache them in order to lighten the load on the Odoo server.This recipe focuses on the nginx configuration. You may be more familiar with other tools such as the Apache web server and mod_proxy
. In this case, you can of course use these to achieve a similar setup.
3.135.239.111