Wednesday, November 19, 2014

Using Nginx with Odoo version 8 on Ubuntu 14.04 LTS 64-bit Server

Setup Odoo v8 with Nginx on Ubuntu 14.04


You probably noticed that in order to access Odoo you have to enter :8069 at the end of your IP or URL every time. Yes, you could bookmark it, but will your users really want to do that, and even if you are only testing, do you want to have to add it?  I am going to assume you probably don't.  With that in mind I am going to publish two articles this week about how to set up a web proxy in front of your Odoo server running on Ubuntu.  This article will focus on Nginx and the second will focus on Apache. While there are probably more options out there, these are the two most common.  Both are easy to set up and configure (within reason), and both can also do some very advanced things, which we won't be doing in this post.

If you have not already installed the Ubuntu 14.04 LTS 64-bit server you can do that easily using my prior post.  Also if you have not already installed Odoo version 8 you can do that as well by following the blog post for that install.

The goals of this post are to:
1) Install nginx and its dependencies
2) Generate SSL keys to be able to use https
3) Configure the system to accept traffic on the IP address over port 443 and redirect it to Odoo.  We will also redirect port 80 to port 443

If you are ready, let's get started.

As always, the first thing we are going to do is make sure Ubuntu is up to date. In case you don't remember from last time, you can run the commands below:

sudo apt-get update
sudo apt-get upgrade

Now we need to install nginx.  Two dependencies will also get installed; all three total about 1.2M, so it should download and install fairly quickly.

sudo apt-get install nginx

Now that we have installed nginx we need to generate your SSL certificates.  OpenSSL is used to generate an RSA private key and Certificate Signing Request (CSR).  In our case we will be generating a self-signed certificate for testing purposes or for internal use.

First we have to generate our RSA private key. We will create a 2048-bit RSA key that is encrypted using Triple DES.

sudo openssl genrsa -des3 -passout pass:odoo -out server.key 2048

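You will see something similar to the screenshot below.  You should change the password located after the pass: to something more secure :).  Also, if you leave out -passout pass:odoo then you will be prompted to enter a password and then asked to verify it. Being prompted is the safer choice, since a password given on the command line ends up in your shell history and is visible in the process list while the command runs.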

Creating your Server key

-----------------------------------
OPTIONAL ONLY FOR USING WITH CERTIFICATE AUTHORITY
If you are going to use a certificate authority like Verisign or Thawte, you need to create a Certificate Signing Request (CSR) for them.  When you run the command below you will be prompted for various information that you need to give in order for the certificate to be created and be valid.


sudo openssl req -new -passin pass:odoo -key server.key -out server.csr

If you do this optional step it will look something like this:

Creating a CSR for a Certificate Authority

The resulting file will be used with the certificate authority to generate a certificate for your server.  I won't be going through those steps today.
-----------------------------------

Back to your self-signed certificate generation.

Now that you have created your key you will want to remove the password from it.  Yes, a password-protected key is technically more secure, but the problem is practical.  If you leave the password on the key, then any time the system is rebooted or Nginx is restarted you will be prompted for the password.  This becomes extremely inconvenient, and I have seen it impact business because the person with the password or access to the system was not around during an outage. There are ways to make it work, but then you have to put the password into a file, and while you can restrict that file so only root has access, if there are any issues you will get prompted, and unfortunately my experience is that it fails at the most inopportune time.  Therefore I don't recommend leaving the key password protected.  Essentially, removing the Triple DES encryption is what removes the password, so that is what we are going to do. The ONLY downside is that if your system is compromised and someone steals your key, you will need to reissue the key.  Not a big deal if you are using self-signed certificates.

Because I wanted to show you how to create the CSR we will have to do this next part with two steps instead of one.  The first command changes the name of the file from server.key to server.temp.key.  The second command removes Triple DES thus removing the password.

sudo mv server.key server.temp.key
sudo openssl rsa -in server.temp.key -out server.key

Now we can remove the temporary key

sudo rm server.temp.key

Next we are going to create the CSR, similar to what we did above in the optional section, but this one is for our self-signed certificate.

sudo openssl req -new -key server.key -out server.csr

Last we have to generate the self-signed certificate.  The -days option sets how long this certificate will be valid.  You can set it for longer, but one year is typically pretty good.  One recommendation is to put an event on your calendar a few days before the certificate expires, so you remember to generate a new cert before that one expires; otherwise no one will be able to get to your Odoo server.

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Creating your SSL Certificate for Nginx and Odoo v8
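
The Nginx configuration later in this post reads the key and certificate from /etc/nginx/ssl/, and because the key no longer has a password, its file permissions are the only thing protecting it. The shell functions below are an added example, not part of the original post: the function names, the script name install_tls.sh and the 700/600/644 modes are choices made here. They check that the certificate belongs to the key and then copy both into place.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are made up here.

# Succeeds only if the certificate was issued for this RSA private key.
# "-passin pass:" makes openssl fail instead of prompting when the key is
# still password protected.
pair_matches() {
    key_mod=$(openssl rsa -noout -modulus -passin pass: -in "$1" 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# install_tls_pair KEY CERT [DIR]
# DIR defaults to the directory named in the ssl_certificate lines.
install_tls_pair() {
    key=$1
    crt=$2
    dir=${3:-/etc/nginx/ssl}
    if ! pair_matches "$key" "$crt"; then
        echo "refusing to install: key unreadable or does not match certificate" >&2
        return 1
    fi
    install -d -m 700 "$dir" || return 1                  # directory: owner only
    install -m 600 "$key" "$dir/server.key" || return 1   # key: owner only
    install -m 644 "$crt" "$dir/server.crt" || return 1   # certificate is public
}

# Run as: sudo sh install_tls.sh server.key server.crt
if [ "$#" -ge 2 ]; then
    install_tls_pair "$@"
fi
```

Run under sudo, both files end up owned by root, which is the account the Nginx master process uses to read them at startup.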

Now that you have your keys and certificate we have to set up Nginx and Odoo so you can access your Odoo server directly via a secure port (https) and no longer need to connect to port 8069.  There are three main sections in this file.  The first allows https (secure web) connections; it is the proxy to your Odoo server.  The next section accepts http (non-secure web) connections and redirects them to https.  The last section takes requests on the traditional Odoo port 8069, but only on the IP address (or hostname) of the server.  I did this because sometimes people get applications up and running for "testing" and, for whatever reason, people bookmark the URL or it gets cached.  So the thought is that rather than deal with users later, if I just accept the URL as they know it and redirect it to where I want it to go (https), it reduces my stress.  This does mean we have to change the configuration of Odoo, which we will do in the next section.

sudo vi /etc/nginx/sites-available/odoo.com


-------------------Beginning of odoo.com file-------------------------------
server {
    listen      10.0.1.43:443 default;
    server_name 10.0.1.43;

    access_log  /var/log/nginx/oddo.access.log;
    error_log   /var/log/nginx/oddo.error.log;

    ssl on;
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    keepalive_timeout   60;

    ssl_ciphers             HIGH:!ADH:!MD5;
    # SSLv3 is left out because it is broken by the POODLE attack
    ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Browsers only honor this header when it arrives over https,
    # so it is set here and not in the redirect blocks below
    add_header Strict-Transport-Security max-age=2592000;

    location / {
        proxy_pass  http://127.0.0.1:8069;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        proxy_buffer_size 128k;
        proxy_buffers 16 64k;
        proxy_redirect off;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header X-Forwarded-Proto https;
    }

    location ~* /web/static/ {
        proxy_buffering off;
        proxy_pass http://127.0.0.1:8069;
    }
}

# This allows for someone to go to http and get redirected to https automatically
server {
    listen      10.0.1.43:80;
    server_name 10.0.1.43;

    rewrite ^/.*$ https://$host$request_uri? permanent;
}
# This allows for someone who may have bookmarked the url with the 8069 port and redirects them to https automatically
server {
    listen      10.0.1.43:8069;
    server_name 10.0.1.43;

    rewrite ^/.*$ https://$host$request_uri? permanent;

}
-------------------End of odoo.com file-------------------------------
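
Two settings in a site file like this are worth checking before the site is enabled: ssl_protocols should not list SSLv2 or SSLv3 (SSLv3 is broken by POODLE), and Strict-Transport-Security only has an effect when it is sent from the https server block, because browsers ignore it over plain http. The script below is an added example, not part of the original post; the function names, the script name audit_tls.sh and the sample file are constructed for illustration, and it assumes one directive per line with "server {" opening each block.

```shell
#!/bin/sh
# Added example, not from the original post. Not a full Nginx parser.

# Prints one finding per line; returns non-zero if anything was found.
audit_nginx_tls() {
    awk '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; n++ }
    /^[ \t]*#/ { next }                          # ignore comment lines
    /^[ \t]*server[ \t]*[{]/ { inblock = 1; depth = 0; tls = 0; hsts = 0 }
    inblock {
        if ($1 == "listen" && $0 ~ /:443|[ \t]443|[ \t]ssl/) tls = 1
        if ($1 == "ssl" && $2 ~ /^on/) tls = 1
        if ($1 == "ssl_protocols" && $0 ~ /SSLv[23]/)
            report("ssl_protocols enables SSLv2/SSLv3")
        if ($1 == "add_header" && $2 == "Strict-Transport-Security") hsts = FNR
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (depth == 0) {                        # end of this server block
            if (hsts && !tls)
                report("plaintext server block sets HSTS (line " hsts ")")
            inblock = 0
        }
    }
    END { exit (n > 0) }
    ' "$1"
}

# Constructed sample showing both problems (documentation address).
write_sample() {
    cat > "$1" <<'EOF'
server {
    listen 192.0.2.10:443 default;
    ssl on;
    ssl_protocols SSLv3 TLSv1;
    location / {
        proxy_pass http://127.0.0.1:8069;
    }
}
server {
    listen 192.0.2.10:80;
    add_header Strict-Transport-Security max-age=2592000;
    rewrite ^/.*$ https://$host$request_uri? permanent;
}
EOF
}

# Run as: sh audit_tls.sh /etc/nginx/sites-available/odoo.com
if [ "$#" -ge 1 ]; then
    audit_nginx_tls "$1"
fi
```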

We need to link our configuration file from the available directory to the enabled directory:


sudo ln -s /etc/nginx/sites-available/odoo.com /etc/nginx/sites-enabled/odoo.com


Now we have to modify the odoo-server.conf file to restrict Odoo to ONLY run on the localhost.

sudo vi /etc/odoo/odoo-server.conf


Search for the line xmlrpc_interface =
How do you search in vi?  Right after running the vi command above, hit / on your keyboard, type xmlrpc_interface and hit Enter, and it will take you to the right place. Then change the line to xmlrpc_interface = 127.0.0.1

You are almost done. All you have to do now is restart Nginx and Odoo:

sudo /etc/init.d/odoo-server restart
sudo /etc/init.d/nginx restart

Now it's time to test your work to make sure it works.

Open up your browser and go to http://10.0.1.43 (change the IP address to point to your server).  You should get a page that looks like this:

Odoo v8 with Nginx over https


Now try going to http://10.0.1.43:8069 - This should redirect to https://10.0.1.43 and take you to the Odoo page:

Odoo v8 with Nginx over https

Last go directly to https://10.0.1.43 - You should again see your Odoo page once more :)

Odoo v8 with Nginx over https

Congratulations you have completed your Odoo version 8 install using Nginx as a proxy server all running on Ubuntu 14.04 LTS 64-bit Server.  My next post will be about how to do the same thing using Apache instead of Nginx.

In past articles I have recommended SecureCRT from VanDyke Software.  Up to this point I have been using Terminal from my Mac (as you may be able to tell). I will be changing it to SecureCRT for the Mac soon.  It has been a while since I have used it so I will use it for a while and then post a product review.  I am excited to be using it again and after reading some of the new features I am anxious to try it out once again.