ANDR SCHENKELS

BUSINESS CONSULTANT | DEVELOPER | ODOO (FORMERLY OPENERP)

HOW TO: INSTALL OWNCLOUD 8.0 |

UBUNTU 14.04
ANDR SCHENKELS, 10 APRIL 2015

NGINX

OPENERP

INSTALL ODOO 8 | UBUNTU 14.04 |

WKHTMLTOPDF | FORMERLY OPENERP
ANDR SCHENKELS, 21 JANUARY 2015

OPENSOURCE

REVERSE SSL PROXY USING NGINX

WITH OPENERP V7 | UBUNTU 12.04
LTS
ANDR SCHENKELS 7 JANUARY 2013

SHARE ON:

Start with the installation of NGINX

sudo apt-get install nginx

Create your cert and key

First create a temporary directory and move the files to their final resting place once they have been
built (the first cd is just to make sure we are in our home directory to start with):

cd
mkdir temp
cd temp

Generate a new key, you will be asked to enter a passphrase and confirm:

openssl genrsa -des3 -out server.pkey 1024

Remove the passphrase by doing this, we do this because we dont wont to have to type this passphrase
after every restart.

openssl rsa -in server.pkey -out server.key

Next we need to create a signing request which will hold the data that will be visible in your final
certificate:

openssl req -new -key server.key -out server.csr

This will generate a series of prompts like this: Enter the information as requested. And finally we selfsign our certificate.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

We only need two of the files in the working directory, the key and the certificate. But before we can use
them they need to have their ownership and access rights altered:

sudo chown root:www-data server.crt server.key

sudo chmod 640 server.crt server.key
[AdSense-A]

And then we put them in a sensible place:

sudo mkdir /etc/ssl/nginx

sudo chown www-data:root /etc/ssl/nginx
sudo chmod 710 /etc/ssl/nginx
sudo mv server.crt server.key /etc/ssl/nginx/

We now have the key and certificate on the final location. We can now tell nginx where the files are and
how they will behave.

Create the nginx site configuration file

We create a new configuration file

sudo nano /etc/nginx/sites-available/openerp

with the following content:

IMPORTANT: You will need to change all references to openerpserver.example.com in the

following file to either the domain name or static IP address of your server.

upstream webserver {
server 127.0.0.1:8069 weight=1 fail_timeout=300s;
}

server {
listen 80;
server_name _;

# Strict Transport Security

add_header Strict-Transport-Security max-age=2592000;

rewrite ^/.*$ https://$host$request_uri? permanent;

}

server {
# server port and name
listen 443 default;
server_name openerpserver.example.com;

# Specifies the maximum accepted body size of a client request,

# as indicated by the request header Content-Length.
client_max_body_size 200m;

# ssl log files

access_log /var/log/nginx/openerp-access.log;
error_log /var/log/nginx/openerp-error.log;

# ssl certificate files

ssl on;
ssl_certificate /etc/ssl/nginx/server.crt;
ssl_certificate_key /etc/ssl/nginx/server.key;

# add ssl specific settings

keepalive_timeout 60;

 # limit ciphers
ssl_ciphers HIGH:!ADH:!MD5;
ssl_protocols SSLv3 TLSv1;
ssl_prefer_server_ciphers on;

# increase proxy buffer to handle some OpenERP web requests

proxy_buffers 16 64k;
proxy_buffer_size 128k;

location / {
proxy_pass http://webserver;
# force timeouts if the backend dies
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# set headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;

# Let the OpenERP web service know that we're using HTTPS, otherwise
# it will generate URL using http:// and not https://
proxy_set_header X-Forwarded-Proto https;

# by default, do not forward anything

proxy_redirect off;
}

# cache some static data in memory for 60mins.

# under heavy load this should relieve stress on the OpenERP web interface a bi
t.
location ~* /web/static/ {
proxy_cache_valid 200 60m;
proxy_buffering on;
expires 864000;

 proxy_pass http://webserver;
}

We then will enable the new site configuration by creating a symbolic link in the
/etc/nginx/sites-enabled directory.

sudo ln -s /etc/nginx/sites-available/openerp /etc/nginx/sites-enabled/openerp

Change the OpenERP server configuration file

We now need to re-configure the openerp server in a way that non-encrypted services are not
accessible from the outside world.
We will change the /etc/openerp-server.conf so that it will only except requests from nginx.
Just open then file and add 127.0.0.1 to the xmlrpc and netrpc interface lines as shown below.

sudo vi /etc/openerp-server.conf

[AdSense-B]

xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1

Try the new configuration

Restart the services to load the new configurations

sudo service openerp-server restart

sudo service nginx restart

You should not be able to connect to the web client on port 8069 and the GTK client should not connect
on either the NetRPC (8070) or XMLRPC (8069) services.
For web access you just need to visit https://openerpserver.example.com

SHARE THIS:

More

RELATED

How to: NGINX Reverse Proxy

| Owncloud 6 | Ubuntu 14.04
6 June 2014
In "breaking"

Reverse Proxy with ODOO 8 |

NGINX | Ubuntu 14.04 LTS |
longpolling
29 December 2014
In "breaking"

How To: OpenERP 6.1 from

Launchpad | Gunicorn |
NGINX | Ubuntu 12.04
16 May 2013
In "Installation"

TAGS:
NGINX

OPENERP

PROXY

UBUNTU

PREVIOUS POST

NEXT POST

INSTALL OPENERP 7 FROM DEB

PACKAGE | UBUNTU 12.04 | UBUNTU
12.10

ABOUT THE AUTHOR

MAKE YOUR OPENERP V7.0 FASTER |

USE POSTGRESQL 9.2

ANDR SCHENKELS

RELATED POSTS

RELATED POSTS
ODOO V9 INSTALL SCRIPT | UBUNTU 14.04
ANDR SCHENKELS, 14 SEPTEMBER 2015

ODOO V9 INSTALL SCRIPT | GITHUB | UBUNTU 15.04 | SYSTEMD

ANDR SCHENKELS, 14 SEPTEMBER 2015

HOW TO: INSTALL OWNCLOUD 8.0 | UBUNTU 14.04

ANDR SCHENKELS, 10 APRIL 2015

25 COMMENTS

CHICKAHOONA
27 July 2015 at 12:03 Reply

Please adjust your ssl config. Your config is medium unsecure. (you can scan a server
running with your config on ssllabls.com)
remove your # limit ciper section and therfore add this:
#enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
ssl_protocols TLSv1.1 TLSv1.2;
#Disables all weak ciphers
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSAAES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSAAES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSADES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
Further if you should generate own dh params with:
cd /etc/nginx/ssl/
openssl dhparam -out dhparams.pem 2048
chmod 600 dhparams.pem
and then add this to your config file:
ssl_dhparam /etc/nginx/ssl/dhparams.pem;

CLIFFKUJALA
11 December 2014 at 06:01 Reply

Should this work also with Odoo v8, NGINX, and Ubuntu 14.04?

SIMON
11 October 2014 at 17:23 Reply

Hello Andr I have done all steps and I am getting the Welcome to nginx! webpage but
I cant get Odoo webpage. I dont know what is wrong.
If I remove
xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1
from openerp-server.conf I can get the Odoo webpage in 8069 port. So Odoo is working.
If I write sudo nginx -c /etc/nginx/nginx.conf -t. nginx.conf syntax and test are ok. I am driving
me crazy I dont understand what is wrong. Maybe your experience can help me. Thank you.

THOMAS WINTELER
19 May 2014 at 18:27 Reply

Hey
We run now in a problem, that we get 504 Gateway Time-Out if we run some import
stuff, that needs time. In the back, the import will run anyway.. but in browser: 504
Any hint how to increas time-out between nginx and openerp?
Thanks for fast response

THOMAS WINTELER
19 May 2014 at 19:13 Reply

I tested some stuff and added this:

# increase proxy timeouts to prevent 504 Gateway Time-Out
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
whole script: http://paste.ubuntu.com/7489642/
will test also with bigger imports about 7000 records.. and give feedback

IW

21 March 2014 at 20:31 Reply

Thanks a lot for this guide but I cant get OpenERP7 / Gunicorn / Nginx working
properly
Ive tried installing OpenERP7 globally (python setup.py install) and then running
openerp-server and this way it runs OK. But trying to get OpenERP+Gunicon+Nginx is not
working perfectly, I can access the server and create databases but when I try to install any
module at the end Im getting errors like except_osv: (Object Error, Object account.installer
doesnt exist) or sometimes timeout errors. I have tried increasing timeout params for
gunicorn but it doesnt work.
Any idea please.

ALI
15 March 2014 at 01:23 Reply

How do i redirect the site for example http://www.test.site.com or test.site.com to

https://test.site.com

YVES NICOLAS
31 January 2014 at 22:11 Reply

Many thanks for this tutorial.

I had initial trouble making it work initially. Looking at
http://nginx.org/en/docs/beginners_guide.html, putting the openerp file in the
/etc/nginx/conf.d/ directory instead of /etc/nginx/sites-available made it work.
This on a 12.04 ubuntu server. nginx installation creates an /etc/nginx/nginx.conf default file
which then scans all configuration files in the conf.d directory.
Best regards

M. BARSI
11 January 2014 at 13:38 Reply

Many Thanks Andre,

I also run gunicorn with proxy-protocol option and now our server response is faster
than google.com.
Regards.

DEVVYN MURPHY
9 October 2013 at 23:43 Reply

Thanks for the thorough checklist! This article was instrumental in the success of our
recent OpenERP re-deployment.

ANONYMOUS
3 September 2013 at 15:41 Reply

Hi,
Thanks for this tutorial but I have little issue :
the standard https port (443/tcp) is already used for other services. We decided to reverse
proxy on port 8071 :
user browse to URL https://erp.domain.com:8071/ and nginx is setup to contact our openerp on
http://127.0.0.1:8069
I just changed the listening port to
listen 8071 default
We have 2 DB within OpenERP (on for test and one for production), so If users browse to
https//erp.domain.com:8071/?db=Production this is working like a charm
If users browse to https://erp.domain.com:8071/ the browser is told to redirect to
http://erp.domain.com/?db=production which is not OK : both https and port 8071 have been
stripped.
I guess this is nginx which rewrite the URL, how to fix this ?
Thanks for your help

ANDR SCHENKELS
4 September 2013 at 06:53 Reply

When you try to rewrite to one openerp server with 2 database you will keep the
same problem. Its just not working.
The best thing to do is create an extra openerp instance and give both of you openerp
server separate postgres user (in this way you can only see the databases linked to this
account)
Now make an extra nginx config file for a rewrite to the extra openerp instance and
youre up and running.

MSREDDY
5 September 2013 at 10:50 Reply

Hello Mr Andr Schenkels Thanks for your grate post i appreciate you. But
i am not able to connect to server using Openerp apps . it asking for port
number i will give some port number like 8069, 443,80,5432. I am not able to
connect what is the solution for this problem
please help me .
its working in browsers like charm but not able to connect to using apps
I am using Android apps

JEROEN
2 September 2013 at 07:21 Reply

Works like a charm. Thanks for this.

ANONYMOUS
19 July 2013 at 23:16 Reply

Hey, long time but finally got a chance to say thank you. nginx is so nice and one day I
googled: nginx openerp and I got here. Dream come true, because apache+openerp is
like sleeping after booze.

KRAM3R
18 July 2013 at 17:56 Reply

Hello, good howto. Let me know if your OpenERP log show X-Forwarded-For (Client IP
Address) on logs. I suspect it have a bug and dont log client ip, just proxy ip. Thank
you!

ANONYMOUS
18 December 2014 at 15:20 Reply

Indeed, it just logs the proxying localhost.

So, which setting would allow Nginx+Odoo to log clients IP-s?

ANTON
18 December 2014 at 15:29 Reply

Indeed, it only shows the address of proxying localhost.

So, which setting would allow Nginx + Odoo to log real clients addresses?

CHRISTOPHER
11 May 2013 at 10:27 Reply

Thank you for your excellent documentation.

With ufw disabled, everything works fine. However, when running ufw with the
following rules (default deny), the OpenERP server can not be reached:
### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp dport 22 -j ACCEPT
-A ufw-user-input -p udp dport 22 -j ACCEPT
### tuple ### allow any 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp dport 443 -j ACCEPT
-A ufw-user-input -p udp dport 443 -j ACCEPT
### tuple ### allow any 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp dport 80 -j ACCEPT
-A ufw-user-input -p udp dport 80 -j ACCEPT
What am I missing how do I need to set the rules? Many thanks.

ANDR SCHENKELS
13 May 2013 at 06:52 Reply

Im not an expert in UFW so its hard for me to provide you with the correct answer. You
need port 443 and 80 and I see this in your config. You onle need to open th tcp ports on
443 and 80 not the UDP.
The config looks well. Does it work if you go directly to the https://
Are you sure your config file is loaded. Can you connect to the server through SSH after
enabling firewall?

Q
29 April 2013 at 13:14 Reply

Worked perfectly for me too !

LUCA
2 April 2013 at 16:56 Reply

Ive just upgraded my openerp 7 setup with bzr pull, and now nginx ssl proxy no
longer works.
All I got is the usual firefox error page. Connecting directly to port 8069 works well. Maybe
some openerp bug? Are you maybe experiencing this as well?

ANDR SCHENKELS
7 April 2013 at 19:22 Reply

No I dont have any problems. Its maybee problem with nginx configuration.

LUCA
8 April 2013 at 09:05 Reply

Thanks for your feedback. So Ill try to better inspect nginx config.

ARNAUD

19 January 2013 at 00:23 Reply

Thanks for your documentation. Its run perfectly.

Arnaud

LEAVE A REPLY
Enteryourcommenthere...

RECENT
ODOO v9 install script | Ubuntu 14.04
ODOO v9 install script | Github | Ubuntu 15.04 | systemd
How to: Install Owncloud 8.0 | Ubuntu 14.04
Install ODOO 8 | Ubuntu 14.04 | wkhtmltopdf | formerly OpenERP
Reverse Proxy with ODOO 8 | NGINX | Ubuntu 14.04 LTS | longpolling

FOLLOW ME ON TWITTER
Tweets

Follow

Planet PostgreSQL @planetpostgres

22 Sep
Hubert 'depesz' Lubaczewski: Waiting for 9.6 Allow per-tablespace
effective_io_concurrency postgr.es/p/352
Retweeted by Andr Schenkels
Expand

Husen Daudi @husendaudi

22 Sep
@jaynvora Don't tell me that #ODOO9 has Customer and Supplier
Payment option removed #Disappointed @anajuaristi @nhomar
Retweeted by Andr Schenkels
Expand

Jay Vora @jaynvora

22 Sep
The new IT Asset Module is #ODOO9 useless without integration
with account assets. Don't know why they add this module in APP
@jaynvora
Retweeted by Andr Schenkels
Expand

nginx web server @nginxorg

22 Sep
#NGINX 1.9.5 has been released w/ support for HTTP/2 via the
ngx_http_v2_module! Check it out: bit.ly/1CxB3vm
Retweeted by Andr Schenkels
Expand

SISalp @SISalp
Odoo V9 Warning ! General accounting improvements are in
community. Reports and integrations are in Enterprise.

22 Sep

Retweeted by Andr Schenkels

Expand

GitLab @gitlab
22 Sep
GitLab 8.0 released! Biggest release ever: faster, reply-by-email, new
UI and integrated CI. Celebrate #gitlab
about.gitlab.com/2015/09/22/git
Retweeted by Andr Schenkels
Expand

Tweet to @andreschenkels

TOP POSTS & PAGES

ODOO v8 install script | Github | Ubuntu 14.04 LTS

Reverse Proxy with ODOO 8 | NGINX | Ubuntu 14.04 LTS | longpolling
ODOO v9 install script | Ubuntu 14.04
How To: Install and configure Pentaho BI Suite 5.1 CE | Ubuntu 14.04 | PostgreSQL 9.3
Install ODOO 8 | Ubuntu 14.04 | wkhtmltopdf | formerly OpenERP
ODOO v9 install script | Github | Ubuntu 15.04 | systemd
How To: Setup OpenLDAP with memberOf overlay | Ubuntu 12.04
Reverse SSL Proxy using NGINX with OpenERP v7 | Ubuntu 12.04 LTS
ODOO v7 install script | Github | Ubuntu 14.04 LTS
How to: NGINX Reverse Proxy | Owncloud 6 | Ubuntu 14.04

Reverse Proxy Apache

Fix Cache Bugs In Dev & Save Money.

It's 100% Free, Forever. Sign Up.

RECENT COMMENTS
krolltextilAlbert on Reverse Proxy with ODOO 8 | NGINX | Ubuntu 14.04 LTS | longpolling
Andr Schenkels on ODOO v9 install script | Github | Ubuntu 15.04 | systemd
Pere Castanyer Sard on ODOO v9 install script | Github | Ubuntu 15.04 | systemd
How-to: Install Pentaho biserver community edition (Ubuntu with PostgreSQL database) | BI
Mauricio Leite on How To: Install and configure Pentaho BI Suite 5.1 CE | Ubuntu 14.04 |
PostgreSQL 9.3
Marko on Contact

LINKS
Computerworld
ICTSTUDIO (my company)
Nefawa's Blog
NU.nl
Webwereld.nl

TAGS
9.0 12.04 14.04 BI CATCHALL CLOUD DEBIAN DEVELOPMENT EMULATOR EXCHANGE EXMERGE FONT
IMPORT INSTALL ITALIAANS KNOLSELDERIJ LICENTIE LINUX MINT MOZILLA MSX NGINX ODOO
OFFICE365 OPENERP OPENSOURCE OUTLOOK OWNCLOUD PENTAHO POSTGRESQL PROXY PUREE
RECEPT REPORTLAB RML SCRIPT SHORTCUTS SOEP SQL SUBVERSION SVN UBUNTU WHISKY
WINDOWS XML

CALENDAR
JANUARY 2013

DEC

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

Copyright Andr Schenkels, All Rights Reserved.

Back to top

FEB