Start with the installation of NGINX
sudo apt-get install nginx
Create your cert and key
First create a temporary directory and move the files to their final resting place once they have been built (the first cd is just to make sure we are in our home directory to start with):
cd
mkdir temp
cd temp
Generate a new key; you will be asked to enter a passphrase and confirm it:
openssl genrsa -des3 -out server.pkey 2048
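Remove the passphrase as follows. We do this because we don't want to have to type this passphrase after every restart. The resulting server.key is stored unencrypted, so the ownership and access rights set further down are what protect it.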
openssl rsa -in server.pkey -out server.key
Next we need to create a signing request which will hold the data that will be visible in your final certificate:
openssl req -new -key server.key -out server.csr
This will generate a series of prompts. Enter the information as requested. And finally we self-sign our certificate.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
We only need two of the files in the working directory, the key and the certificate. But before we can use them they need to have their ownership and access rights altered:
sudo chown root:www-data server.crt server.key
sudo chmod 640 server.crt server.key
And then we put them in a sensible place:
sudo mkdir /etc/ssl/nginx
sudo chown www-data:root /etc/ssl/nginx
sudo chmod 710 /etc/ssl/nginx
sudo mv server.crt server.key /etc/ssl/nginx/
We now have the key and certificate in their final location. We can now tell nginx where the files are and how they will behave.
Create the nginx site configuration file
We create a new configuration file
sudo vi /etc/nginx/sites-available/odoo8
with the following content:
IMPORTANT: This file will use all incoming server names on port 80 and port 443. If you want to use it on a specific web address, change server_name _; to server_name yourwebaddress.com; in both places: the server listening on port 80 and the one listening on port 443.
upstream odoo8 {
    server 127.0.0.1:8069 weight=1 fail_timeout=0;
}
upstream odoo8-im {
    server 127.0.0.1:8072 weight=1 fail_timeout=0;
}
## http redirects to https ##
server {
    listen 80;
    server_name _;
    rewrite ^/.*$ https://$host$request_uri? permanent;
}
server {
    # server port and name
    listen 443;
    server_name _;
    # Strict Transport Security
    # (browsers ignore this header over plain HTTP, so it is sent from the HTTPS server)
    add_header Strict-Transport-Security max-age=2592000;
    # Specifies the maximum accepted body size of a client request,
    # as indicated by the request header Content-Length.
    client_max_body_size 200m;
    # add ssl specific settings
    keepalive_timeout 60;
    ssl on;
    ssl_certificate /etc/ssl/nginx/server.crt;
    ssl_certificate_key /etc/ssl/nginx/server.key;
    # limit ciphers
    ssl_ciphers HIGH:!ADH:!MD5;
    # SSLv3 is left out: it is vulnerable to POODLE
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # increase proxy buffer to handle some OpenERP web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;
    # general proxy settings
    # force timeouts if the backend dies
    proxy_connect_timeout 600s;
    proxy_send_timeout 600s;
    proxy_read_timeout 600s;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    # set headers
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Let the OpenERP web service know that we’re using HTTPS, otherwise
    # it will generate URL using http:// and not https://
    proxy_set_header X-Forwarded-Proto https;
    # by default, do not forward anything
    proxy_redirect off;
    proxy_buffering off;
    location / {
        proxy_pass http://odoo8;
    }
    location /longpolling {
        proxy_pass http://odoo8-im;
    }
    # cache some static data in memory for 60mins.
    # under heavy load this should relieve stress on the OpenERP web interface a bit.
    location /web/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://odoo8;
    }
}
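A check for three settings in a site file like this one that are easy to get wrong: SSLv3 in ssl_protocols, an HSTS header set on a plain-HTTP server (browsers ignore it there), and a misspelled X-Forwarded-For header. This is an added example, not part of the original tutorial; the function names are hypothetical, the sample config is constructed, and the parser assumes no quoted strings containing #, ; or braces.

```python
import re

WEAK = {"SSLv2", "SSLv3"}
# Constructed sample site file, not taken from a real host.
SAMPLE = """\
upstream odoo8 { server 127.0.0.1:8069 weight=1 fail_timeout=0; }
server { listen 80; add_header Strict-Transport-Security max-age=2592000; }
server {
    listen 443; ssl on;
    ssl_protocols SSLv3 TLSv1;
    proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
    location / { proxy_pass http://odoo8; }
}
"""

def server_blocks(conf):
    """Return each top-level server{} block as a flat list of directives."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    blocks, in_server, depth, stmt = [], False, 0, []
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            stmt.append(tok)
            continue
        if tok == "{":
            depth += 1
            if depth == 1 and stmt == ["server"]:  # not "server" inside upstream{}
                blocks.append([])
                in_server = True
        elif tok == "}":
            depth -= 1
            in_server = in_server and depth > 0
        elif stmt and in_server:
            blocks[-1].append(stmt)  # directives in nested location{} land here too
        stmt = []
    return blocks

def audit(conf):
    """Return (server block number, finding) pairs."""
    findings = []
    for n, block in enumerate(server_blocks(conf), 1):
        tls = any(d == ["ssl", "on"] or (d[0] == "listen" and "ssl" in d[1:])
                  for d in block)
        for d in block:
            if d[0] == "ssl_protocols" and WEAK & set(d[1:]):
                findings.append((n, "SSLv2/SSLv3 enabled"))
            if d[:2] == ["add_header", "Strict-Transport-Security"] and not tls:
                findings.append((n, "HSTS on plain-HTTP server"))
            if d[0] == "proxy_set_header" and d[1:2] == ["X-Forward-For"]:
                findings.append((n, "misspelled X-Forwarded-For"))
    return findings
```

Calling audit() on the text of /etc/nginx/sites-available/odoo8 returns an empty list when none of the three conditions is present.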
We will then enable the new site configuration by creating a symbolic link in the /etc/nginx/sites-enabled directory.
sudo ln -s /etc/nginx/sites-available/odoo8 /etc/nginx/sites-enabled/odoo8
Change the OpenERP server configuration file
We now need to reconfigure the OpenERP server so that the non-encrypted services are not accessible from the outside world.
We will change the /etc/odoo-server.conf so that it will only accept requests from nginx.
Just open the file and add 127.0.0.1 to the xmlrpc and netrpc interface lines as shown below.
sudo vi /etc/odoo-server.conf
xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1
Try the new configuration
Restart the services to load the new configurations
sudo service odoo-server restart
sudo service nginx restart
You should not be able to connect to the web client on port 8069 and the GTK client should not connect on either the NetRPC (8070) or XMLRPC (8069) services.
Your ODOO server should be available now.
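One way to confirm that the Odoo ports are no longer reachable from outside is to look at which addresses they listen on. The following is an added example, not part of the original tutorial: it parses `ss -ltn` output and reports any of the ports named in this tutorial (8069, 8070, 8072) bound to something other than loopback. The function names are hypothetical and the sample output is constructed.

```python
import ipaddress

# Ports named in this tutorial: web/XML-RPC, NetRPC, longpolling upstream.
ODOO_PORTS = {8069, 8070, 8072}

# Constructed sample of `ss -ltn` output, not captured from a real host.
SAMPLE_SS = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    127.0.0.1:8069      *:*
LISTEN  0      128    *:8072              *:*
LISTEN  0      128    *:443               *:*
LISTEN  0      128    :::80               :::*
LISTEN  0      128    192.168.1.10:8070   *:*
LISTEN  0      128    [::1]:8069          [::]:*
"""


def is_loopback(addr):
    """True only for an address that parses as loopback (127.0.0.0/8 or ::1)."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface suffix
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # "*" or anything unparsable counts as exposed


def exposed_odoo_listeners(ss_output, ports=ODOO_PORTS):
    """Return (address, port) for Odoo ports listening beyond loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) in ports and not is_loopback(addr):
            exposed.append((addr, int(port)))
    return exposed
```

Feed it the real output of `ss -ltn` on the server after the restart; an empty list means none of those ports is bound to a non-loopback address.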
[…] followed this tutorial http://www.schenkels.nl/2014/12/reverse-proxy-with-odoo-8-nginx-ubuntu-14-04-lts/ on how to set up a reverse proxy for odoo with […]
[…] this tutorial I configured my Nginx like […]
Nice tutorial, great job, but you did skip editing /etc/hosts to add your newly created server name
Hello! Thanks for your How to!!
I have a question. I would like to use only one port, I don’t want to redirect from the port 80. Is that possible? I wrote a question with more details on stackoverflow
http://stackoverflow.com/questions/35770332/is-possible-to-use-ssl-in-odoo-with-nginx-avoiding-the-standard-ports-80-and-44
How would this be done for Odoo V9?
This is a great tutorial for Odoo V8. Do you know how this would need to change (if at all) for Odoo V9?
Hey there, first, great tutorial and all (best scripts, best explanation), and I would be quite lost without your precious information.
Let me explain my situation a bit.
I had a hard time dealing with an error with longpolling. The server was always sending 111 connection refused 502 bad gateway when checking the error log of nginx.
What I did is to change the port from 8072 to 8069 in the nginx conf and now everything works fine (even the chatter refreshes automatically 🙂)
Now the nginx conf looks like this
upstream odoo8 {
server 127.0.0.1:8069 weight=1 fail_timeout=0;
}
upstream odoo8-im {
server 127.0.0.1:8069 weight=1 fail_timeout=0;
}
If perhaps you have time, could you tell me why this change worked and what the impact of it could be? (Sorry, I am not Linux savvy.)
Thanks and best regards
I have done the setup described but one problem arose: when accessing the site, it loops from http to https, then again to http and https, in total 4 redirections in order to access the page. I think one step is missing, maybe editing the Odoo proxy pass or another one?
Hi by any chance do you have a tutorial or know how to run multiple copies of odoo using subdomain on the same server with 1 IP address
Instead of having
http://domain.com:8069
http://domain.com:8068
I want it to be
instance1.domain.com
instance2.domain.com
Great tutorial! Thanks.
Whoops, nevermind, still had a typo in my url…. Thanks!
Hi Andre, great tutorial, which helped us set up a secure Odoo system and website.
We have one problem: since setting up this reverse proxy with Nginx, all our pdf reports have lost their stylesheets. I have tried the solutions floating around on the odoo website (web.base.report.url = http://127.0.0.1:8069) but to no avail.
Did you run into this issue yourself? Any idea on how to fix this?
Thanks!
What is your port configuration in /etc/odoo-server.conf for xmlrpc_port and netrpc_port ?
André
Following your steps everything works like a charm but…
I started to get a JSON request handling error and I would like to ask if SSL has any influence on this.
And any idea?
Thanks!
Seba
1.) is it correct that the folder /etc/ssl/nginx is www-data:root and the files you put inside are the other way around www-data:root?
2.) sudo chown root:www-data server.crt server.key … I have a file server.csr and not server.crt … is that just a typo in your howto or do I have a problem?
sorry, #2 was my mistake. There is a crt file once you do it right
if I want to reach odoo under https://www.mywebaddress.com/odoo
I assume I have to replace
server_name_;
….with
mywebaddress.com/odoo;
right?
I am having 2 problems:
1.) going to my https://www.mywebaddress.com/odoo I get a 404
2.) I can reach my odoo server locally 192.168.1.x anymore (which happens as soon as I have the xmlrpc_interface = 127.0.0.1 & netrpc_interface = 127.0.0.1 lines in my odoo-server.conf)
I hope that it is not the design that you lose local access once using nginx, is it?
I meant I can not reach my odoo server locally anymore
If you remove the 127.0.0.1 part and restart the server you will be able to run it locally on port 8069.
The sample is made to use ODOO as https://odoo.domain.com and not https://www.domain.com/odoo
You will need a different NGINX set up if you really want it like that. More rewrites.
thanks for getting back to me
…do you happen to know any source that describes such a nginx setup for accessing a locally installed odoo server through https://www.domain.com/odoo?
I thought that was what your blogpost was about
Hi, great howto (as always!), just a small remark, you can disable SSLv3 by using this line to protect against “poodle”
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
I tried your solution and it works on Debian Wheezy. But when I tried the same thing on Debian Squeeze, for some reason it does not work. In the nginx log I get these messages:
2015/05/07 07:20:17 [error] 6419#0: *6 open() “/var/www/longpolling/poll” failed (2: No such file or directory), client: IP_address, server: localhost, request: “POST /longpolling/poll HTTP/1.1”