Start with the installation of NGINX
sudo apt-get install nginx
Create your cert and key
First create a temporary directory and move the files to their final resting place once they have been built (the first cd is just to make sure we are in our home directory to start with):
cd
mkdir temp
cd temp
Generate a new key. You will be asked to enter a passphrase and confirm it:
openssl genrsa -des3 -out server.pkey 1024
Remove the passphrase. We do this because we don’t want to have to type the passphrase after every restart.
openssl rsa -in server.pkey -out server.key
Next we need to create a signing request which will hold the data that will be visible in your final certificate:
openssl req -new -key server.key -out server.csr
This will generate a series of prompts. Enter the information as requested. Finally, we self-sign our certificate.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
We only need two of the files in the working directory, the key and the certificate. But before we can use them they need to have their ownership and access rights altered:
sudo chown root:www-data server.crt server.key
sudo chmod 640 server.crt server.key
And then we put them in a sensible place:
sudo mkdir /etc/ssl/nginx
sudo chown www-data:root /etc/ssl/nginx
sudo chmod 710 /etc/ssl/nginx
sudo mv server.crt server.key /etc/ssl/nginx/
We now have the key and certificate in their final location. We can now tell nginx where the files are and how they will behave.
Create the nginx site configuration file
We create a new configuration file
sudo nano /etc/nginx/sites-available/openerp
with the following content:
IMPORTANT: You will need to change all references to openerpserver.example.com in the following file to either the domain name or static IP address of your server.
upstream webserver {
    server 127.0.0.1:8069 weight=1 fail_timeout=300s;
}

server {
    listen 80;
    server_name _;
    # Strict Transport Security
    add_header Strict-Transport-Security max-age=2592000;
    rewrite ^/.*$ https://$host$request_uri? permanent;
}

server {
    # server port and name
    listen 443 default;
    server_name openerpserver.example.com;
    # Specifies the maximum accepted body size of a client request,
    # as indicated by the request header Content-Length.
    client_max_body_size 200m;
    # ssl log files
    access_log /var/log/nginx/openerp-access.log;
    error_log /var/log/nginx/openerp-error.log;
    # ssl certificate files
    ssl on;
    ssl_certificate /etc/ssl/nginx/server.crt;
    ssl_certificate_key /etc/ssl/nginx/server.key;
    # add ssl specific settings
    keepalive_timeout 60;
    # limit ciphers
    ssl_ciphers HIGH:!ADH:!MD5;
    ssl_protocols SSLv3 TLSv1;
    ssl_prefer_server_ciphers on;
    # increase proxy buffer to handle some OpenERP web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;
    location / {
        proxy_pass http://webserver;
        # force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        # set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Let the OpenERP web service know that we're using HTTPS, otherwise
        # it will generate URL using http:// and not https://
        proxy_set_header X-Forwarded-Proto https;
        # by default, do not forward anything
        proxy_redirect off;
    }
    # cache some static data in memory for 60mins.
    # under heavy load this should relieve stress on the OpenERP web interface a bit.
    location ~* /web/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://webserver;
    }
}
We then enable the new site configuration by creating a symbolic link in the /etc/nginx/sites-enabled directory.
sudo ln -s /etc/nginx/sites-available/openerp /etc/nginx/sites-enabled/openerp
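Before enabling a site file like this one, it is worth checking it for three weaknesses that are easy to introduce: SSLv2/SSLv3 in ssl_protocols, a Strict-Transport-Security header placed in the plain-HTTP server block (browsers only honor HSTS received over HTTPS), and $proxy_add_x_forwarded_for sent under a header name other than X-Forwarded-For. The script below is an added example, not part of the original post; the function name audit_nginx_tls and the sample file are constructed for illustration.

```shell
# Added example: line-based audit of an nginx site file. Prints
# "line N: finding" for each issue and returns 1 if any were found.
audit_nginx_tls() {
    awk '
    function report(n, msg) { printf "line %d: %s\n", n, msg; bad = 1 }
    { sub(/#.*/, ""); gsub(/;/, "") }       # drop comments and terminators
    $1 == "server" && $2 == "{" { in_srv = 1; base = depth; tls = 0; hsts = 0 }
    # Heuristic: a server block is TLS if it listens on 443 or uses "ssl".
    $1 == "listen" { for (i = 2; i <= NF; i++) if ($i == "ssl" || $i == "443" || $i ~ /:443$/) tls = 1 }
    $1 == "ssl" && $2 == "on" { tls = 1 }
    $1 == "add_header" && tolower($2) == "strict-transport-security" { hsts = NR }
    $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^SSLv[23]$/) report(NR, $i " enabled in ssl_protocols (weak, deprecated)")
    }
    # A backend that reads X-Forwarded-For will not look under another name.
    $1 == "proxy_set_header" && $3 == "$proxy_add_x_forwarded_for" &&
      tolower($2) != "x-forwarded-for" { report(NR, "header " $2 " should be X-Forwarded-For") }
    {
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (in_srv && depth == base) {        # the server block just closed
            if (hsts && !tls) report(hsts, "HSTS header in a plain-HTTP server block (only honored over HTTPS)")
            in_srv = 0
        }
    }
    END { exit bad }' "$1"
}

# Constructed sample modelled on the kind of configuration shown in this post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 80;
    add_header Strict-Transport-Security max-age=2592000;
}
server {
    listen 443 default;
    ssl on;
    ssl_protocols SSLv3 TLSv1;
    location / {
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
    }
}
EOF
audit_nginx_tls "$sample" || echo "fix the findings before enabling the site"
rm -f "$sample"
```

On the server, point it at the real file: audit_nginx_tls /etc/nginx/sites-available/openerp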
Change the OpenERP server configuration file
We now need to re-configure the OpenERP server so that non-encrypted services are not accessible from the outside world.
We will change /etc/openerp-server.conf so that it will only accept requests from nginx.
Just open the file and add 127.0.0.1 to the xmlrpc and netrpc interface lines as shown below.
sudo vi /etc/openerp-server.conf
xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1
Try the new configuration
Restart the services to load the new configurations
sudo service openerp-server restart
sudo service nginx restart
You should not be able to connect to the web client on port 8069 and the GTK client should not connect on either the NetRPC (8070) or XMLRPC (8069) services.
For web access you just need to visit https://openerpserver.example.com
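A quick check for the result described above, added here as an example and not part of the original post: the function reads "ss -ltn" (or "netstat -ltn") output and reports any OpenERP port (8069, 8070) bound to a non-loopback address, and any front-end port (80, 443) with no public listener. The function name check_proxy_listeners and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that only nginx faces the network.
# Reads "ss -ltn" (or "netstat -ltn") output on stdin. Prints
#   EXPOSED <addr>  for an OpenERP port bound to a non-loopback address
#   MISSING <port>  for a front-end port with no public listener
# and returns 1 if anything was printed.
check_proxy_listeners() {
    awk -v backend="8069 8070" -v front="80 443" '
    BEGIN {
        n = split(backend, b, " "); for (i = 1; i <= n; i++) hide[b[i]] = 1
        m = split(front, f, " ")
    }
    /LISTEN/ {
        addr = $4                        # local address column in both tools
        k = split(addr, part, ":"); port = part[k]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        loop = (host ~ /^127\./ || host == "::1" || host == "[::1]")
        if ((port in hide) && !loop) { print "EXPOSED " addr; bad = 1 }
        if (!loop) seen[port] = 1
    }
    END {
        for (i = 1; i <= m; i++) if (!(f[i] in seen)) { print "MISSING " f[i]; bad = 1 }
        exit bad
    }'
}

# Constructed sample: listeners before xmlrpc_interface/netrpc_interface
# were set to 127.0.0.1 in /etc/openerp-server.conf.
check_proxy_listeners <<'EOF' || echo "backend still reachable from outside"
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8069       0.0.0.0:*
LISTEN 0      128    0.0.0.0:8070       0.0.0.0:*
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
EOF
```

On the server, run it against live data with: ss -ltn | check_proxy_listeners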
Please adjust your SSL config. Your config is moderately insecure. (You can scan a server running with your config on ssllabs.com.)
Remove your # limit ciphers section and add this instead:
#enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
ssl_protocols TLSv1.1 TLSv1.2;
#Disables all weak ciphers
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
Furthermore, you should generate your own DH params with:
cd /etc/nginx/ssl/
openssl dhparam -out dhparams.pem 2048
chmod 600 dhparams.pem
and then add this to your config file:
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
Should this work also with Odoo v8, NGINX, and Ubuntu 14.04?
Hello André, I have done all the steps and I am getting the Welcome to nginx! web page but I can’t get the Odoo web page. I don’t know what is wrong.
If I remove
xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1
from openerp-server.conf I can get the Odoo web page on port 8069. So Odoo is working.
If I run sudo nginx -c /etc/nginx/nginx.conf -t, the nginx.conf syntax and test are ok. It is driving me crazy; I don’t understand what is wrong. Maybe your experience can help me. Thank you.
Hey
We have now run into a problem: we get 504 Gateway Time-Out if we run some import stuff that needs time… In the background the import runs anyway, but in the browser: 504…
Any hint on how to increase the time-out between nginx and openerp?
Thanks for fast response…
I tested some stuff and added this:
# increase proxy timeouts to prevent 504 Gateway Time-Out
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
whole script: http://paste.ubuntu.com/7489642/
will test also with bigger imports about 7000 records.. and give feedback 😉
Thanks a lot for this guide but I can’t get OpenERP7 / Gunicorn / Nginx working properly…
I’ve tried installing OpenERP7 globally (python setup.py install) and then running openerp-server and this way it runs OK. But trying to get OpenERP+Gunicorn+Nginx is not working perfectly. I can access the server and create databases, but when I try to install any module, at the end I’m getting errors like except_osv: (‘Object Error’, “Object account.installer doesn’t exist”) or sometimes timeout errors. I have tried increasing timeout params for gunicorn but it doesn’t work.
Any idea please.
How do I redirect the site, for example http://www.test.site.com or test.site.com, to https://test.site.com?
Many thanks for this tutorial.
I had trouble making it work initially. Looking at http://nginx.org/en/docs/beginners_guide.html, putting the openerp file in the /etc/nginx/conf.d/ directory instead of /etc/nginx/sites-available made it work.
This is on a 12.04 Ubuntu server. The nginx installation creates a default /etc/nginx/nginx.conf file which then scans all configuration files in the conf.d directory.
Best regards
Many Thanks Andre,
I also run gunicorn with the --proxy-protocol option and now our server response is faster than google.com.
Regards.
Thanks for the thorough checklist! This article was instrumental in the success of our recent OpenERP re-deployment.
Hi,
Thanks for this tutorial, but I have a little issue:
The standard https port (443/tcp) is already used for other services. We decided to reverse proxy on port 8071:
users browse to the URL https://erp.domain.com:8071/ and nginx is set up to contact our OpenERP on http://127.0.0.1:8069
I just changed the listening port to
listen 8071 default
We have 2 DBs within OpenERP (one for test and one for production), so if users browse to https://erp.domain.com:8071/?db=Production this works like a charm.
If users browse to https://erp.domain.com:8071/ the browser is told to redirect to http://erp.domain.com/?db=production which is not OK: both https and port 8071 have been stripped.
I guess it is nginx that rewrites the URL. How do I fix this?
Thanks for your help…
When you try to rewrite to one OpenERP server with 2 databases you will keep having the same problem. It’s just not working.
The best thing to do is to create an extra OpenERP instance and give both of your OpenERP servers a separate postgres user (this way you can only see the databases linked to that account).
Now make an extra nginx config file for a rewrite to the extra OpenERP instance and you’re up and running.
Hello Mr André Schenkels, thanks for your great post, I appreciate it. But I am not able to connect to the server using OpenERP apps. It asks for a port number; I have tried port numbers like 8069, 443, 80, 5432. I am not able to connect. What is the solution for this problem?
Please help me.
It’s working in browsers like a charm, but I am not able to connect using apps.
I am using Android apps.
Works like a charm. Thanks for this.
Hey, long time but finally got a chance to say thank you. nginx is so nice and one day I googled: nginx openerp and I got here. Dream come true, because apache+openerp is like sleeping after booze.
Hello, good howto. Let me know if your OpenERP log shows X-Forwarded-For (client IP address) in the logs. I suspect it has a bug and doesn’t log the client IP, just the proxy IP. Thank you!
Indeed, it just logs the proxying localhost.
So, which setting would allow Nginx+Odoo to log clients’ IP-s?
Indeed, it only shows the address of proxying localhost.
So, which setting would allow Nginx + Odoo to log real clients’ addresses?
Thank you for your excellent documentation.
With ufw disabled, everything works fine. However, when running ufw with the following rules (default deny), the OpenERP server can not be reached:
### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -j ACCEPT
### tuple ### allow any 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT
-A ufw-user-input -p udp --dport 443 -j ACCEPT
### tuple ### allow any 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
-A ufw-user-input -p udp --dport 80 -j ACCEPT
What am I missing – how do I need to set the rules? Many thanks.
I’m not an expert in UFW so it’s hard for me to provide you with the correct answer. You need ports 443 and 80 and I see them in your config. You only need to open the TCP ports on 443 and 80, not the UDP ones.
The config looks good. Does it work if you go directly to the https://
Are you sure your config file is loaded? Can you connect to the server through SSH after enabling the firewall?
Worked perfectly for me too !
I’ve just upgraded my openerp 7 setup with “bzr pull”, and now nginx ssl proxy no longer works.
All I got is the “usual” firefox error page. Connecting directly to port 8069 works well. Maybe some openerp bug? Are you maybe experiencing this as well?
No, I don’t have any problems. Maybe it’s a problem with the nginx configuration.
Thanks for your feedback. So I’ll try to better inspect nginx config.
Thanks for your documentation. It runs perfectly.
Arnaud