Monday, November 24, 2014

Using Apache with Odoo 8 and Ubuntu 14.04

Odoo with Apache SSL Proxy
I wanted to get this done last week and I got through all my testing, but just did not get the article done.  But here is the second post on how to setup a ssl proxy for Odoo, this time using Apache.  While my personal preference would be to use Nginx based on the research I have done, I still wanted to create this article because there are a lot of folks that feel more comfortable with Apache.


The premise is still the same since Odoo runs over a non-standard port (8069). You probably want make it easier for you and your users, having a reverse proxy setup in order to accept the connect at port 80 or 443.  We will restrict Odoo to only the localhost still running at port 8069.  Since we try to be somewhat secure we will actually run everything over https (SSL) in order to protect the traffic.  So we will redirect regular web traffic (http) to secure web (https).  In the event that someone bookmarked Odoo at

Since I still want to focus on the security aspect even though this is a test box :).  I will be setting up SSL Certificates similar to what I did during the Nginx test.

If you have not already installed the Ubuntu 14.04 LTS 64-bit server you can do that easily using my prior post.  Also if you have not already installed Odoo version 8 you can do that as well by following the blog post for that install.  If you don't want to use Apache you can always use Nginx.

The goal of this post are to 
1) install Apache and its dependencies
2) Generate SSL keys to be able to use https

2) Configure the system to accept traffic on the IP address over port 443 and redirect it to Odoo.  We will also redirect port 80 to port 443

If you are ready lets get started

As always the first thing we are going to do is make sure Ubuntu is up to date...in case you don't remember from last time you can use run the commands below:

sudo apt-get update
sudo apt-get upgrade

Now we need to install Apache specifically Apache 2.  Six dependencies will also get installed all seven totaling about 5.2M. Slightly larger than our Nginx install and more dependencies but still overall fairly small and it installs quickly.

sudo apt-get install apache2

Next we need to enable the Apache modules which are required for our proxy to work.


sudo a2enmod proxy_http headers rewrite ssl

Now that we have installed Apache and the required modules enabled, we need to generate your certificates.  The OpenSSL command will be used to generate an RSA private key and Certificate Signing Request (CSR).  We will be generating self-signed certificate for our testing purposes or for internal use.

First we have to generate our RSA private key. We will be creating our key with 2048 bit RSA key which is encrypted using Triple DES.  We will be putting our certificate and keys in /etc/apache2/ssl similar to what we did for Nginx before.  We have to create the ssl directory inside /etc/apache2 since it does not exist.

sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl

sudo openssl genrsa -des3 -passout pass:odoo -out server.temp.key 2048


You should change the password located after the pass: to something more secure :).  Also if you leave out -passout pass:odoo then you will be prompted to enter a password and then asked to verify your password.

----------------------------------
OPTIONAL ONLY FOR USING WITH CERTIFICATE AUTHORITY
If you are going to use with a certificate authority like Verisign or Thawte.  You will need to create a CSR file to upload to your certificate authority.   If you do this process you will be prompted for various information you will need to give in order to have the certificate created and be valid.

sudo openssl req -new -passin pass:odoo -key server.key -out server.csr

The resulting file will be used with certificate authority to generate you a certificate for you server.  I wont be doing through those steps today.

-----------------------------------

Back to your self-signed certificate generation.

Now that you have created your key you will want to remove the password from the key.  Technically it is more secure to have the password, but the problem becomes reality.  If you leave the password in the certificate then anytime the system is rebooted or Apache is restarted you will be prompted for the password.  This becomes extremely inconvenient and I have seen it impact business since the person with the password or access to the system was not around during an reboot. There are ways to make it work but then you have to put the password into a file and while you can restrict it where only root has access if there are any issues you will get prompted and unfortunately my experience is it fails at the most inopportune time.  Therefore I don't recommend leaving the certificate password protected.  Essentially removing Triple DES is what removes the password. So we are going to remove Triple DES. The ONLY downside is if your system is compromised and someone steals your key you will need to reissue the key.  Not a big deal if you are using self-signed certificates. Also if your systems is compromised, you should probably be creating new keys anyway. :)

Because I wanted to show you how to create the CSR we will have to do this next part with two steps instead of one.  The first command changes the name of the file from server.key to server.temp.key.  The second command removes Triple DES thus removing the password.

sudo mv server.key server.temp.key

sudo openssl rsa -in server.temp.key -out server.key

Now we can remove the temporary key

sudo rm server.temp.key

Next we are going to create our  CSR similar to what we did above in the optional section but this one is for our self-signed certificate.

sudo openssl req -new -key server.key -out server.csr

Last we have to generate the self-signed certificate.  In the -days option tells you how long this certificate will be valid.  You can set it for longer, but one year is typically pretty good.  One recommendation is that you should put an event on your calendar to remind you a few days before the certificate expires so you will remember to generate a new cert before that one expires or no one will be able to get to your Odoo server.

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Now that you have your keys and certificate we have to setup Apache and Odoo in order to directly access your Odoo server via a secure port (https) and no longer need to connect to port 8069.  There are three main sections of this file.  The first allows for https (secure web) connections.  It is the proxy to your Odoo server.  The next section allows connections to http (non secure web) connections and redirects them to https.  The last section takes requests on the traditional Odoo port 8069 but only on the IP address (or hostname) of the server.  I did this because sometimes people get applications up and running for "testing" and people for what ever reason either bookmark the URL and it gets cached.  So the thought is rather than have to deal with users later, if I just accept the URL as they know it and redirect it to where I want it to go (https) then it reduces my stress.  This does mean we have to change the configuration of Odoo which we will do in the next section.

Note when creating your file, you MUST leave the extension as .conf.  If you don't Apache will not acknowledge the file even if you have done everything else correctly.

sudo vi /etc/apache2/sites-available/odoo.conf


-------------------Beginning of odoo.conf file-------------------------------

                SSLEngine on
                SSLProxyEngine on
                SSLCertificateFile      /etc/apache2/ssl/server.crt
                SSLCertificateKeyFile /etc/apache2/ssl/server.key
                SSLProxyEngine On
                ProxyPreserveHost On
                ProxyPass / http://127.0.0.1:8069/
                ProxyPassReverse / http://127.0.0.1:8069/

Redirect / https://10.0.1.43/

        Redirect / https://10.0.1.43/
-------------------End of odoo.conf file-------------------------------

We need to link our configuration file from the available directory to the enabled director.  This command essentially is like running an ln command but makes it easier for you.

sudo a2ensite odoo

Edit the /etc/apache2/ports.conf file in order to add port 8069 for the IP address of the server.

sudo vi /etc/apache2/ports.conf

Add the following immediately after the line Listen 80

Listen 10.0.1.43:8069

Now we have to modify the odoo-server.conf file to restrict Odoo to ONLY run on the localhost.

sudo vi /etc/odoo/odoo-server.conf


Search for this line xmlrpc_interface = 
Next question is how do I search in vi?  right after running the vi command above hit the / on your keyboard and then type xmlrpc_interface and hit Enter and it will take you to the right place. Then you can change it to this xmlrpc_interface = 127.0.0.1

You are almost complete all you have to do now is restart Apache and Odoo:

sudo /etc/init.d/odoo-server restart
sudo service apache2 reload

Now its time to test your work to make sure it works

Open up your browser and go to http://10.0.1.43 (change the IP address to point to your server).  You should get a page that looks like this:

Odoo v8 login screen


Now try going to http://10.0.1.43:8069 - This should redirect to https://10.0.1.43 and take you to the Odoo page:

Odoo v8 login screen


Last go directly to https://10.0.1.43 - You should again see your Odoo page once more :)

Odoo v8 login screen


Congratulations you have completed your Odoo version 8 install using Apache as a proxy server all running on Ubuntu 14.04 LTS 64-bit Server. 

On past articles I have recommended SecureCRT from VanDyke Software.  I actually got my copy of SecureCRT and I will be doing a review in the coming months after I have had a chance to use it for a while.  What I can say so far I have automated my login which has made it faster since I don't to type anything.  I just double click my host icon and it automatically logs me in.


I have had a couple other requests for installing Odoo on Debian, CentOS, and FreeBSD.  I will work through these over the coming weeks.  I will also begin going through some of the modules, installing and how to use them. If you have anything in particular you would like to see just send me an email and I will add it to the running list of ideas I have.

For those of you in the USA - have a Happy Thanksgiving, and for everyone else..don't work too hard this week.