How to Configure Odoo on Reverse Proxy with SSL Certificate

If you are going to run your business on Odoo ERP in a production environment, you need software such as Nginx to act as an intermediary between the clients and the server.

Running Nginx as a reverse proxy also lets you use a free SSL certificate from Let's Encrypt. In addition, you will be able to access your Odoo web interface through your naked domain.


The reverse proxy forwards the traffic arriving on the common 80/443 ports to the port used by your Odoo Server configuration. It also runs the encrypted SSL session on Nginx, providing a trusted and secure connection for all users.

Getting Started on Linux Ubuntu

This tutorial works on any Linux distribution. We started this series of articles with Odoo ERP installed on Ubuntu 20.04 LTS, so on other distributions the only difference will be the package manager used for software installation.

Install Software Packages

sudo apt install nginx certbot python3-certbot-nginx

Enable Proxy Mode on Odoo Server

Make sure that you enter the correct path of the config file for your particular setup. If you are following our Odoo ERP series, it should be exactly as stated below.
sudo nano /etc/odoo-server.conf

Now uncomment proxy_mode = True in the options available, or add that line anywhere if it is not present. With proxy_mode enabled, Odoo trusts the X-Forwarded-* headers it receives, so it should only be reachable through the proxy. To take security a step further, bind Odoo Server to local connections only and let the Reverse Proxy handle the rest.
proxy_mode = True
xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1
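To confirm the loopback binding took effect after Odoo has been restarted, the listening sockets can be checked for the two upstream ports the Nginx configuration on this page uses (8069 and 8072). This script is an added example, not part of the original article; the function names and both sample inputs are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original article.
# 8069 and 8072 are the Odoo upstream ports used in the nginx config on this page.

# Reads `ss -H -tln` output on stdin and prints every listening socket on an
# Odoo port whose address is not loopback. No output means nothing is exposed.
exposed_odoo_listeners() {
  awk '
    $1 == "LISTEN" {
      n = split($4, parts, ":")          # $4 is Local Address:Port
      port = parts[n]
      if (port != "8069" && port != "8072") next
      host = substr($4, 1, length($4) - length(port) - 1)
      if (host ~ /^127\./ || host == "[::1]") next
      print $4
    }'
}

# Constructed sample: Odoo listening on all interfaces.
SAMPLE_EXPOSED='LISTEN 0 128 0.0.0.0:8069 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8072 0.0.0.0:*'

# Constructed sample: Odoo bound to loopback, nginx on the public ports.
SAMPLE_LOOPBACK='LISTEN 0 128 127.0.0.1:8069 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8072 0.0.0.0:*'

# Returns 0 when no Odoo port is exposed, 1 otherwise (offenders go to stderr).
check_listeners() {
  local found
  found=$(exposed_odoo_listeners)
  [ -z "$found" ] && return 0
  printf 'Odoo port reachable beyond loopback: %s\n' $found >&2
  return 1
}

# On a live host: ss -H -tln | check_listeners
printf '%s\n' "$SAMPLE_EXPOSED"  | check_listeners || echo "sample 1: exposed"
printf '%s\n' "$SAMPLE_LOOPBACK" | check_listeners && echo "sample 2: loopback only"
```

If the live check still reports a wildcard address after the restart, the bind option was not picked up by your Odoo version and the config file needs another look.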

Enable Reverse Proxy with SSL on Nginx

To be clear, this section shows how to set up a Reverse Proxy with an SSL connection for Odoo Server.

Prepare Nginx for SSL

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

Create SSL Snippets

We will start with Let's Encrypt configuration snippets.
sudo nano /etc/nginx/snippets/letsencrypt.conf

Insert the following into the newly created config file:
location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
  try_files $uri =404;
}

Next comes the snippet for the SSL session and OCSP stapling configuration.
sudo nano /etc/nginx/snippets/ssl.conf

Insert the following into the newly created config file:
ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

That completes the snippets.
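Once the production site is serving HTTPS, the three headers set in ssl.conf can be checked from a captured response; Nginx adds an add_header field without the always parameter only on success and redirect status codes, so an error response carries just the HSTS header from this snippet. This script is an added example, not part of the original article; the function names and both sample responses are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original article.

# Reads one raw response header block on stdin (as printed by `curl -sI`) and
# prints the name of every ssl.conf header that is absent, one per line.
missing_security_headers() {
  awk -F': *' '
    { sub(/\r$/, ""); seen[tolower($1)] = 1 }
    END {
      n = split("strict-transport-security x-frame-options x-content-type-options", want, " ")
      for (i = 1; i <= n; i++) if (!(want[i] in seen)) print want[i]
    }'
}

# Constructed sample: a 200 response, where all three add_header lines apply.
SAMPLE_200='HTTP/2 200
server: nginx
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff'

# Constructed sample: a 404 response. Only the header declared with "always"
# is emitted for status codes outside the success/redirect list.
SAMPLE_404='HTTP/2 404
server: nginx
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains'

# Prints a one-line verdict for a labelled response read from stdin.
report() {
  local missing
  missing=$(missing_security_headers | tr '\n' ' ')
  printf '%s: missing [%s]\n' "$1" "${missing% }"
}

# On a live site: curl -sI https://example.com/ | report live
printf '%s\n' "$SAMPLE_200" | report "200 sample"
printf '%s\n' "$SAMPLE_404" | report "404 sample"
```

Appending always to the X-Frame-Options and X-Content-Type-Options lines makes Nginx send them on error responses as well.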

Configure Odoo Website on Nginx

From this point on, replace every occurrence of example.com with your own domain.
sudo nano /etc/nginx/sites-available/example.com

Insert the following into the newly created config file:
server {
    listen 80;

    server_name example.com;

    root /var/www/html;
    index index.nginx-debian.html;

    include snippets/letsencrypt.conf;

    location / {
        try_files $uri $uri/ =404;
    }
}

Now let's create another server block for production purposes. The first one is only used to generate the SSL Certificate and is removed afterwards.
sudo nano /etc/nginx/sites-available/example.com.production

Insert the following into the newly created config file:
# Odoo Servers
upstream odoo {
    server 127.0.0.1:8069;
}

upstream longpolling {
    server 127.0.0.1:8072;
}

# HTTP -> HTTPS
server {
    listen 80;
    server_name www.example.com example.com;

    include snippets/letsencrypt.conf;
    return 301 https://example.com$request_uri;
}

# WWW -> NON WWW
server {
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;

    # Proxy headers
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;

    # SSL parameters
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # log files
    access_log /var/log/nginx/odoo.access.log;
    error_log /var/log/nginx/odoo.error.log;

    # Handle longpoll requests
    location /longpolling {
        proxy_pass http://longpolling;
    }

    # Handle direct requests
    location / {
        proxy_redirect off;
        proxy_pass http://odoo;
    }

    # Cache static files
    location ~* /web/static/ {
        proxy_cache_valid 200 90m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://odoo;
    }

    # Gzip
    gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
    gzip on;
}

Last, you need to enable the web server block we have just created.
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo service nginx reload

That's it for this part. Go next!

Generate SSL Certificate from Let's Encrypt

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. What matters for us is that it will enable the SSL connection on Nginx once we run a few commands.

Create SSL Certificate

sudo certbot certonly --agree-tos --email yourname@gmail.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

Enable Odoo Website for Production

sudo rm -rf /etc/nginx/sites-available/example.com
sudo mv /etc/nginx/sites-available/example.com.production /etc/nginx/sites-available/example.com
sudo service nginx reload
sudo service odoo restart

Automate Certificate Renewal

sudo nano /etc/letsencrypt/renewal/example.com.conf

Insert the following line right below [renewalparams] inside the config file:
renew_hook = systemctl reload nginx

This will act as a renewal hook that will automatically reload the config files on Nginx once a new certificate has been issued. Thus, there will be no need for any interaction from your side anymore.