OpenERP-Apache-SSL

This post describes how I configured OpenERP behind Apache with SSL support on Ubuntu 10.04 LTS. I believe this holds good for most Debian-based systems.

Installing openerp server and client:

The official installation document is at:

http://doc.openerp.com/install/linux/index.html

Installing apache and enabling supporting modules:

$ sudo apt-get install apache2

$ sudo a2enmod ssl

$ sudo a2ensite default-ssl

$ sudo /etc/init.d/apache2 restart

$ sudo a2enmod proxy

$ sudo a2enmod proxy_http

$ sudo a2enmod proxy_connect

$ sudo a2enmod proxy_ftp

$ sudo a2enmod headers

$ sudo /etc/init.d/apache2 restart

Generating keys and certificates:

Now you should see the default certificate and key files:

/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/private/ssl-cert-snakeoil.key

You may use openssl to generate your own certificates. You can read more at:

https://help.ubuntu.com/8.04/serverguide/C/certificates-and-security.html

Web server configurations:

Edit /etc/apache2/ports.conf and add a new line:

Listen 443

Make sure you don't have two entries for the same port.

If you have a static IP and domain name, edit the file /etc/hosts and add a new line for them (the last line below):

127.0.0.1       localhost
127.0.1.1       selvam-laptop
MY_STATIC_IP    MY_DOMAIN

Proxy setting:

We will use reverse proxy here.

You can read more about reverse proxy in,

http://en.wikipedia.org/wiki/Reverse_proxy

To set up the reverse proxy, edit /etc/apache2/sites-available/default-ssl and add these lines at the end of the file:

<VirtualHost 127.0.0.1:443>

<Proxy *>
AddDefaultCharset off
Order deny,allow
Allow from all
</Proxy>

# Reverse proxy only: do not act as a forward proxy
ProxyRequests Off
ProxyPass   /   http://127.0.0.1:8080/
ProxyPassReverse /   http://127.0.0.1:8080/

# Tell the backend that the original request arrived over HTTPS
RequestHeader set "X-Forwarded-Proto" "https"

# Fix IE problem (http error 408/409)
SetEnv proxy-nokeepalive 1

</VirtualHost>

The same file should already contain the lines,

SSLEngine on

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem

SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
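
One way to check the finished default-ssl file against the settings above. This is an added example, not part of the original post; the function names, finding labels and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the arguments of every occurrence of directive $2 in file $1.
directive() {
    grep -iE "^[[:space:]]*$2[[:space:]]" "$1" |
        sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//; s/[[:space:]]+$//'
}

# Print one finding per line; the exit status is the number of FAIL findings.
audit_vhost() {
    f=$1; fails=0
    fail() { echo "FAIL $1"; fails=$((fails + 1)); }

    # Typographic quotes pasted from a web page are not quoting characters.
    grep -qF -e '“' -e '”' "$f" && fail "typographic quotes in config"

    # ProxyRequests On would make Apache an open forward proxy (default: Off).
    directive "$f" ProxyRequests | grep -qivx 'off' && fail "ProxyRequests is not Off"

    # The backend must stay on loopback so plain HTTP never leaves the host.
    targets=$(directive "$f" ProxyPass | awk '{print $2}')
    [ -n "$targets" ] || fail "no ProxyPass found"
    echo "$targets" | grep -vE '^https?://(127\.0\.0\.1|localhost)(:[0-9]+)?/' |
        grep -q . && fail "ProxyPass target is not loopback"

    directive "$f" SSLEngine | grep -qix 'on' || fail "SSLEngine is not on"

    # The web client needs this header to know the original request was HTTPS.
    directive "$f" RequestHeader |
        grep -qiE '^set[[:space:]]+"?X-Forwarded-Proto"?[[:space:]]+"?https"?$' ||
        fail "X-Forwarded-Proto https not set"

    # The snakeoil pair is a self-signed default: warn, but do not fail.
    directive "$f" SSLCertificateFile | grep -q snakeoil &&
        echo "WARN self-signed snakeoil certificate in use"
    return "$fails"
}

# Constructed sample: forward proxying on and a backend that is not loopback.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
ProxyRequests On
ProxyPass / http://192.0.2.10:8080/
RequestHeader set "X-Forwarded-Proto" "https"
EOF
audit_vhost "$sample" || echo "failures: $?"
```

Run it against /etc/apache2/sites-available/default-ssl after editing; a zero exit status means none of the checks failed.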

Postgres permissions:

Add the postgres user to the ssl-cert group:

usermod -aG ssl-cert postgres

Change the permissions of the key directory as below:

chmod -R 650 /etc/ssl/private/

It should look like:

drw-r-x--- 2 root ssl-cert  4096 2010-10-26 00:14 private

Otherwise you may face the error “Can not read server.key file, permission denied” on postgres start.

To make sure the key file is accessible, log in as the postgres user and run:

$ cat /etc/ssl/private/ssl-cert-snakeoil.key

The symbolic links from postgres will look like,

$  ls -l /var/lib/postgresql/8.4/main/s*

lrwxrwxrwx  1 postgres ssl-cert   36 2010-10-25 19:55 server.crt -> /etc/ssl/certs/ssl-cert-snakeoil.pem
lrwxrwxrwx  1 postgres ssl-cert   38 2010-10-25 19:55 server.key -> /etc/ssl/private/ssl-cert-snakeoil.key

Openerp-Web Configuration:

Update openerp-web.cfg with:

server.socket_host = "127.0.0.1"
tools.proxy.on = True
base_url_filter.on = True
base_url_filter.use_x_forwarded_host = False
base_url_filter.base_url = "https://127.0.0.1"
tools.csrf.on = False

Starting Server:

$ sudo /etc/init.d/apache2 restart

$ sudo /etc/init.d/postgresql-8.4 force-reload

Restart openerp-web.

Restart openerp-server with:

openerp-server --secure --cert-file=/etc/ssl/certs/ssl-cert-snakeoil.pem --pkey-file=/etc/ssl/private/ssl-cert-snakeoil.key

You can use -s to save the configuration to ~/.openerp_serverrc

Now you should be able to access https://127.0.0.1/ as well as http://127.0.0.1:8080.

Troubleshooting:

If you face any errors in accessing the final https://127.0.0.1/ site, watch the Apache error log to figure out the issue:

$ tail -f /var/log/apache2/error.log

References:
http://tipstricks.itmatrix.eu/?p=497
http://doc.openerp.com/install/linux/web/index.html
http://www.openerp.com/forum/topic20712.html


2 Comments (+add yours?)

  1. sjitendra
    Dec 23, 2010 @ 17:19:15

    Thank you.. It’s working..Nice Blog
    But, I have one problem… not accessing the website with domain name in lan excluding localhost machine for application


  2. Mario Andrés Correa
    Feb 26, 2011 @ 21:34:39

    On it right now.. Good post! Gonna twitt it..

