How to: OpenERP 6.1, Ubuntu 10.04 LTS, nginx SSL Reverse Proxy

This article follows on (hopefully not unsurprisingly) from the basic 6.1 installation howto.

In this post I’ll describe one way of providing SSL encrypted access to your shiny new OpenERP 6.1 server running on Ubuntu 10.04 LTS.

This time I thought I’d use the nginx (pronounced like “Engine X”) webserver to act as a reverse proxy and do SSL termination for web, GTK client and WebDAV/CalDAV access. nginx is gaining in popularity and is now the second most popular web server in the world according to some figures. It has a reputation for being fast and lean – so it seemed like a good choice for a relatively simple job like this.

I’m indebted to xat for this post which provided the main configuration script for a reverse proxy on OpenERP 6.0. The changes I have made to xat’s original configuration are: different port number, some additional rewrite rules to support WebDAV and the new mobile interface, new location for static files.

NB: For the purposes of this how to, we’ll be using self-signed certificates. A discussion of the pros and cons of this choice is beyond the scope of this article.

Step 1. Install nginx

On your server install nginx by typing:

sudo apt-get install nginx

Next, we need to generate a SSL certificate and key.

Step 2. Create your cert and key

I create the files in a temporary directory then move them to their final resting place once they have been built (the first cd is just to make sure we are in our home directory to start with):


cd
mkdir temp
cd temp

Then we generate a new key, you will be asked to enter a passphrase and confirm:

openssl genrsa -des3 -out server.pkey 1024

We don’t really want to have to enter a passphrase every time the server starts up so we remove the passphrase by doing this:

openssl rsa -in server.pkey -out server.key

Next we need to create a signing request which will hold the data that will be visible in your final certificate:

openssl req -new -key server.key -out server.csr

This will generate a series of prompts like this: Enter the information as requested:

You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:The Client’s Company

And finally we self-sign our certificate.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

We only need two of the files in the working directory, the key and the certificate. But before we can use them they need to have their ownership and access rights altered:


sudo chown root:www-data server.crt server.key
sudo chmod 640 server.crt server.key

And then we put them in a sensible place:


sudo mkdir /etc/ssl/nginx
sudo chown www-data:root /etc/ssl/nginx
sudo chmod 710 /etc/ssl/nginx
sudo mv server.crt server.key /etc/ssl/nginx/

Now the key and certificate are safely stored away, we can tell nginx where they are and what it should be doing…

Step 3. Create the nginx site configuration file

We create a new configuration file

sudo nano /etc/nginx/sites-available/openerp

with the following content:

Note: You will need to change all references to 10.0.0.26 in the following file to either the domain name or static IP address of your server. This was the IP address of the machine I built this test script on. It will not work unless changed to suit your own system!


upstream openerpweb {
    server 127.0.0.1:8069 weight=1 fail_timeout=300s;
}

server {
    listen 80;
    server_name    10.0.0.26;

    # Strict Transport Security
    add_header Strict-Transport-Security max-age=2592000;

    rewrite ^/mobile.*$ https://10.0.0.26/web_mobile/static/src/web_mobile.html permanent;
    rewrite ^/webdav(.*)$ https://10.0.0.26/webdav/$1 permanent;
    rewrite ^/.*$ https://10.0.0.26/web/webclient/home permanent;
}

server {
    # server port and name
    listen        443 default;
    server_name   10.0.0.26;

    # Specifies the maximum accepted body size of a client request, 
    # as indicated by the request header Content-Length. 
    client_max_body_size 200m;

    # ssl log files
    access_log    /var/log/nginx/openerp-access.log;
    error_log    /var/log/nginx/openerp-error.log;

    # ssl certificate files
    ssl on;
    ssl_certificate        /etc/ssl/nginx/server.crt;
    ssl_certificate_key    /etc/ssl/nginx/server.key;

    # add ssl specific settings
    keepalive_timeout    60;

    # limit ciphers
    ssl_ciphers            HIGH:!ADH:!MD5;
    ssl_protocols            SSLv3 TLSv1;
    ssl_prefer_server_ciphers    on;

    # increase proxy buffer to handle some OpenERP web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location / {
        proxy_pass    http://openerpweb;
        # force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
       
        # Let the OpenERP web service know that we're using HTTPS, otherwise
        # it will generate URL using http:// and not https://
        proxy_set_header X-Forwarded-Proto https;

        # by default, do not forward anything
        proxy_redirect off;
    }

    # cache some static data in memory for 60mins.
    # under heavy load this should relieve stress on the OpenERP web interface a bit.
    location ~* /web/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering    on;
        expires 864000;
        proxy_pass http://openerpweb;
    }

}

UPDATE: 04/04/2012. I have added a line to the above file: client_max_body_size 200m; thanks to Praxi for reminding me about this. The default setting is just 1MB which will stop users from uploading any files larger than that, including databases!

And then we can enable the new site configuration by creating a symbolic link in the /etc/nginx/sites-enabled directory.

sudo ln -s /etc/nginx/sites-available/openerp /etc/nginx/sites-enabled/openerp

Step 4. Change the OpenERP server configuration file

The next step is to re-configure the OpenERP server so that non-encrypted services are not accessible from the outside world.

In /etc/openerp-server.conf the non-encrypted services will only listen on localhost, i.e. not from external connections so in effect only traffic from nginx will be accepted.

After opening the file for editing, just add 127.0.0.1 to the xmlrpc and netrpc interface lines as shown below.

sudo nano /etc/openerp-server.conf


xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1

That’s it. Everything is now configured.

Step 5. Try it out

Restart the services to load the new configurations


sudo service openerp-server restart
sudo service nginx restart

You should not be able to connect to the web client on port 8069 and the GTK client should not connect on either the NetRPC (8070) or XMLRPC (8069) services.

For web access you just need to visit https://your-ip-or-domain and in the GTK client you will need to use port 443 (https) and choose the XMLRPC (Secure) protocol.

The nginx configuration above will also redirect any incoming requests for port 80 to port 443 (https) and it also makes sensible redirects for the mobile and WebDAV/CalDAV services. (From what I can gather however WebDAV clients really don’t handle redirects so this bit is probably not that useful). I think the best bet for WebDAV/CalDAV is just to provide the correct URL in the first place.

For CalDAV access then, the URL to a calendar will be something like this:

https://your-ip-or-domain/webdav/DB_NAME/calendars/users/USERNAME/c/CALENDAR_NAME

There you have it. In OpenERP 6.1 this job actually proved to be a little simpler than the previous version largely due to the integrated web interface. There are also fewer configuration changes required in openerp-server.conf.

Finally, I really wanted to try and make use of the WSGI support in OpenERP 6.1 instead of the method above, but my efforts to get this to work from nginx or Apache have so far ended in failure πŸ™ Obviously if anyone wants to provide a working config for that please feel free to add a comment and link.

Tags: , , , , ,

102 Comments

  • Juani says:

    Very Good !!! Thanks Alan.

    I will try …. πŸ˜‰

  • Moula says:

    Thank you very much ALAN.

  • Daniel Reis says:

    Many thanks. Got it running adding “–xmlrpc-interface=127.0.0.1 –netrpc-interface=127.0.0.1” to the server startup options. You can even keep an Apache2 server running on the machine if you change /etc/apache2/ports.conf, replacing “Listen *:80” with “Listen 127.0.0.1:80”. It’s funny that the –proxy-mode option is not needed…

  • Jorge Castro says:

    This would be an awesome thing to just charm up so that all Ubuntu users can just deploy it in 12.04. Your HOWTO is basically already the install hook. You could enter it in the charm contest!

    http://cloud.ubuntu.com/2012/02/juju-charm-contest-help-bring-free-software-into-the-cloud/

  • Nathan says:

    Thanks Alan. Nicely done (again) πŸ™‚

  • fhe says:

    Hi Allan,
    Have you ever considered adding your tutorials to doc.openerp.com?
    Best,

  • Roxly Rivero says:

    How many users can this type of installation can handle?
    Do you have some benchmarks and do you only use the web-client?

    Thanks.

    • Alan Lord says:

      Hi Roxly,

      Nope, I have no idea how many it will handle nor have I benchmarked it.

      For OpenERP 6.0 our customers have a mix of GTK and web. I suspect that from 6.1 onwards it will be more and more web-only based but there are still times when the GTK is faster (like having multiple open tabs).

  • Roxly Rivero says:

    But will it support load balancing?because for the 6.0.3 version, it just consumes one CPU out of four CPU available on our server using the installation from your tutorial.

    BTW, Thank you very much for this.
    I hope there will be also a tutorial on database migration from 6.0.3 to 6.1.
    Will help you with that if you plan to have it tested.

  • Mark says:

    Thank you for the tutorial.
    I need to switch the port (because I use multiple server / services behind a firewall.
    So I setup to use https:/my-own-domain:8080.
    It works with one little fault:
    If I call the url I get redirected to:
    http://my-own-domain/web/webclient/home
    If I call directly
    https://my-own-domain:8080/web/webclient/home
    everything is fine.

    Where do I setup this redirect?

    Regards Mark

    • Alan Lord says:

      The rewrites are in the 1st server block of the nginx site config file.

      Check the docs, if the second argument of a rewrite starts with a “http” then it is treated as a redirect. Also beware of the “permanent” clause…

      HTH

  • Diogo Duarte says:

    Great work Alan (again)!

    Do you now if it’s possible to set an url for each database? I already tried the ?dbname=database parameter and it didn’t work. Do you or someone know how this is done?

    Regards,
    Diogo Duarte

  • Ran into a problem self signing my cert. openssl said unable to write ‘random state’. Quick google led to Stack Overflow which said my .rnd file wasn’t owned by me. sudo rm ~/.rnd fixed it.

  • Tukcedo says:

    Unfortunately, in apache 6.1 doesn’t respond to proxying and there are no error messages in logs, simply a timed out connection. The setup is that a server listens on the outside and then sets up the connection to the internal server. This worked OK for 6.0 … Here’s the section on the apache server:

    SSLEngine On
    SSLCertificateFile /etc/apache2/blabla.pem
    SSlProxyEngine On
    ProxyPreserveHost On
    ProxyPass / http://192.168.1.14:8069/
    ProxyPassReverse / http://192.168.1.14:8069/
    RequestHeader set X_FORWARDED_PROTO ‘https’
    ServerName blabla.testsite.com
    TransferLog /var/log/apache2/proxy.log

    And the ERP config:

    db_host = False
    db_port = False
    db_user = openerp
    db_password = False
    xmlrpc_interface = 192.168.1.14
    netrpc_interface = 192.168.1.14
    logfile = /var/log/openerp/openerp-server.log

    Any help greatly appreciated!

  • Kreangsak says:

    I have a problems when click home icon on web

    it’s not redirect to https://localhost:8081/web/webclient/home

    but http://localhost/web/webclient/home and show ” Welcome to nginx! ” message

    ps. i use port 8081 for SSL

  • Attie says:

    The most concise useful and accurate tutorial I’ve ever followed online – on anything! You are a star.

  • Attie says:

    Following your previous tutorial for 6.0 using Apache, I had no problems, but following this one, when connecting to our site, it times out after a while. I then just fully type out the url as https://our.server.com/web/webclient/home.
    Before (on a 6.0 server I built using your apache tutorial), I was able to simply type our.server.com into the browser and it would load OpenERP login page.
    Not familiar with nginx so not sure where the problem could be.

    Any help would be great, thanks.

    • Alan Lord says:

      Hi Attie,

      That sounds like you didn’t get the re-write rules quite right… Check the whole file carefully for errors. Or better yet, cut and paste it.

      • Attie says:

        Hi Alan,

        Thanks for the prompt response.

        I double checked the file and did originally copy/paste.

        port 80 is not open externally
        even if if type https://our.server.com in it just responds say our.server.com/web/webclient/home is not available
        YET
        when I enter “https://our.server.com/web/webclient/home” directly into the browser Openerp web client is presented

        Please help

        • Alan Lord says:

          Sorry, there just isn’t enough information for me to help you much more.

          This nginx proxy configuration does work. You need to check your configuration carefully.

          • Praxi says:

            I ran into this also Alan. Mine started happening when I exposed my server externally only via 443.


            server {
            listen 192.168.1.61:80;
            server_name .openerp.sitename.com kgi-openerp 192.168.1.61;

            # Strict Transport Security
            add_header Strict-Transport-Security max-age=2592000;

            rewrite ^/mobile.*$ https://openerp.sitename.com/web_mobile/static/src/web_mobile.html permanent;
            rewrite ^/webdav(.*)$ https://openerp.sitename.com/webdav/$1 permanent;
            rewrite ^/.*$ https://openerp.sitename.com/web/webclient/home permanent;
            }

            server {
            # server port and name
            listen 192.168.1.61:443 default;
            server_name 192.168.1.61;

            Externally, if I type https://openerp.sitename.com in the browser, I get a redirect to http://openerp.sitename.com/web/webclient/home. Which of course doesn’t work, as I only allow 443 through the router. I can type https on the front of that and it works. I’ve played around a little bit with the nginx config, but haven’t quite figured out the winning piece πŸ™‚

          • Alan Lord says:

            Hi @Praxi,

            You will need to add another rewrite rule to the port 443 server block. OpenERP is sending that redirect and it is a pain to change it – we can use nginx to rewrite it though πŸ˜‰

            Try adding

            rewrite ^/$ https://$host/web/webclient/home redirect;

            Somewhere inside the ssl server {} block.

            When you are happy it is working you can change the “redirect” option to make it a permanent (301) redirect rather than a temporary.

  • Wayne says:

    Thanks, nice article!
    Always better when these howtos are explained rather than just a set of commands!

  • sophie says:

    I follow your guide to install openerp-6.1-1 and after that this guide, everything seems to work but when I want to start the base modules (crm,accounting etc) it doesn’t work the page loads but nothing happens.

    Does anyone know what I did wrong?

  • Praxi says:

    I ran into an issue trying to restore a database. Failed every time, no matter what I tried. After going through the various error logs, I found this in the nginx log;

    [error] 1712#0: *20248 client intended to send too large body:

    After some mild googling I added this;

    #Max attachment size
    client_max_body_size 200m;

    • Alan Lord says:

      Thanks Praxi πŸ™‚

      I forgot to write that into the article. It happened to one of our customers last week and took me a little while to find what was causing the problem.

  • ralf says:

    Hi Alan,
    first a great thank you for your great tutorial.

    But I still havea little problem:
    Because of multiple servers I have to distinguish them with portnumbers.
    This is done in the router, i.e. the port forwarding is always set to 443. The nginx-conf listens on port 443.
    But a call to https:/my-own-domain:444 results in a redirect to https:/my-own-domain/web/webclient/home.
    Using https:/my-own-domain:444/web/webclient/home it works fine.
    The only rewrites I could find are in the server block belonging to http.

    Any hints how to solve this problem?

    Regards Ralf

  • Kwasi says:

    Hi Alan,

    this is a great tutorial that covers all the bases. it work well for me.

    Thanks,
    Kwasi

  • jk says:

    Hallo
    Thanks, the web page give me error 0, a page blocker with message your version not supported when i try to log in , how to i remove this error

  • Kwasi says:

    Allan,

    i’m trying to connect to my openERP server via the Thunderbird plugin, but the standard ports dont seem to work (8071, 8069 etc). I have install the nginx ssl reverse proxy. which port do i now use to connect?

    Thanks,
    Kwasi

    • Alan Lord says:

      If I recall correctly, the last time I tried the Thunderbird extension for OpenERP it didn’t work over SSL.

      Please try it and let us know how you get on, the port is 443 (this is the standard port for https traffic).

      • Kwasi says:

        Alan,
        I tried the 443 port both on the thnderbird and Openoffice plugin but dont seem to be communication with the server. I got a “connection to server fail. please check server parameters” error message.
        thanks for the help.

  • sophie says:

    Did someone got the openoffice plugin to work? I try to connect but it doesn’t work. I tried the different port 8069,8070,8071 and different protocols but it doesn’t work.

    Did someone get it to work?

  • Christian says:

    Does this part of the guide works with the 6.0.x server / web server ? I have just installed 6.0.4 on ubuntu 12.04 and cant for now update DB to 6.1 but, would like to set it up with nginx

  • Nathan says:

    Hi Alan, I’m having trouble connecting the Outlook plugin to OpenERP running on nginx via SSL. I realise it’s outside the scope of your tutorial, but do you know if it is possible? Outlook seems to have an issue with the self signed certificate. Any help appreciated πŸ™‚

    Cheers,
    Nathan

    • Ingmar says:

      Hi Nathan,

      I was having the same problem and although I searched the web up and down, nothing I tried helped. Besides, I was also having the Thunderbird and OpenOffice plugin non-connect problems kwasi and Sophie report further up, a real show stopper!

      In the end I removed the localhost only restriction for xmlrpc_interface and netrpc_interface from openerp-server.conf. Since nginx is still running and serving SSL to OpenERP I routinely connect via https and only have the Outlook, Thunderbird and OpenOffice plugins connect via XML-RPC port 8069. From a security standpoint this is definitely second best, but I simply tightened down the firewall to reject any nonlocal IPs for ports 8069 to 8071 and since I only allow VPN connections from the outside anyway, I have a local IP then as well and noone else ~should~ be able to get in anyway… πŸ˜‰

      Mind you this only works for non-exposed hosts, but from your post I gather that this is what you have.

      • Alan Lord says:

        Guys,

        Certainly the OpenOffice report tool doesn’t work over ssl. I reported a bug for this ages ago: https://bugs.launchpad.net/openobject-addons/+bug/761784 (There is a patch at the bottom of the bug report – might be worth trying). We do not use this tool, we tend to use Aeroo Reports instead.

        For Thunderbird, again it isn’t something I have tried but there is a branch on launchpad to add SSL support: https://code.launchpad.net/~openerp-dev/openobject-addons/thunderbird-ssl-issue. So that might be worth looking into a bit more.

        Took me 10 seconds to find these via google πŸ˜‰

        • Ingmar says:

          Yeah, thanks for the hiding πŸ˜‰ but I had actually also found and tried both …

          The SSL patch for the OpenOffice Plugin in fact works over 443 with your nginx configuration, so this is the good news for anyone who ~only~ needs that. I don’t, I was only testing it and will go for Aeroo.

          The SSL version of the Thunderbird plugin definitely is not compatible with any newer version of TB. The install.rdf says max_version is 3.1 and even after I “tweaked” it into allowing 12.* the plugin showed (nicer looking) menus than the current non-SSL version, but did not accept any input at all, so this is a complete no-go at least for now.

          So I tried (desperately) to get a secure xmlrpc connection going only to find that no matter what I entered in the config file, OpenERP 6.1. simply does not open 8071. When I checked into this I found an interesting Launchpad posting of yours (https://bugs.launchpad.net/openobject-server/+bug/936831) where the final verdict actually is that xmlrpcs over 8071 is dead in 6.1 – at least as long as it is not in productsion release. Are we not, duuh…? – What a waste of time…

          But I only gave up when I could not find any way to get Outlook to accept anything other than a trusted certificate for the OpenERP plugin. I even tried using my cacert server certificates, but OL then (correctly) complained that my *.lan domain was not what the server cert said. I am sadly no Linux or SSL expert and since all available information on OL and self signed certs pertained to Exchange and NOT to Addins I eventually gave up, because even if I had managed to get OL to work, I would still be one TB down from having my setup work. I think that my solution is a fair compromise, right?

  • Eric says:

    Is there a way to use DigiCert or Verisign as the SSL certificate with OpenERP? Or I have to used your approach?

    If I use your approach, will that be an issue when my 1st time users try to access the erp website. Normally ssl is not recognised by browser, it will show the “understand the risk” thing and add exception. What do you think?

    • Alan Lord says:

      Of course you can use a signed certificate if you wish.

      • Eric says:

        So I can use the same approach like above? wonder which step should I replace with the signed cert that i bought? Any help? Thanks.

        • Alan Lord says:

          Hi Eric,

          there are two lines in the nginx config that point to the certificate and the key. As long as you have put them somewhere that nginx can read (make sure the permissions are right) then just edit those lines to point to your new files.

          As you have asked these questions, if you are using a signed certificate because you are providing public access, I would recommend you get an expert to look at your server configuration before connecting it to the Internet.

  • Ingmar says:

    Alan,

    I wanted to thank you for this absolutely phantastic How-To. I don’t think that I have ever seen anything so concise, knowledgable and right to the point, not to mention visually pleasing… πŸ˜‰

    Besides, only being an “on-and-off linuxer”, your howto and the comments that followed taught me a trick or two, so thanks to all of you!

    Ingmar

  • Jondki says:

    Hallo I was talking about how to update the security patches and the codes, in the instances where we have bugs.

  • Eric says:

    Weird, I followed the tutorial exactly. The 1st part works (non HTTPS), but 2nd part can’t work. It shows in firefox “page cannot be displayed”.

    I am not sure what’s wrong? I check the log files, no errors. Not sure I am referring to the right log files too? any help? Thanks.

  • Pascal says:

    Hello
    It looks like making the job, but:
    -can’t access WebDAV.
    -can’t access caldav
    -redirection does not do the right job with https but does it with http.

    What can I test or where to be carrefull?

    • Alan Lord says:

      Access to the DAV services over https does work using the config above.

      Have you installed the right modules in your OpenERP database?
      Have you edited the rewrite rules for the right destination?

      rewrite ^/webdav(.*)$ https://10.0.0.26/webdav/$1 permanent;

      I’ve used a linux command line application called cadaver to test access to DAV services.

      Also, try an alternative DAV client too. According to Google, several are broken with respect to 301 and 302 redirects.

      • Pascal says:

        thank you
        Did you config your firewall in a particular way?
        the mine drops deny 8069 and 8071 and anly accept 80, 443 and ssh.

        About the directive rewrite : what I observe is that when I go to http://…../mobile or /webdav or nothing, nginx rewrite in https://…./web_mobile… /webdave/ or /web/webclient. That’s ok. But if I go to https://…/mobile, it rewrite in https://…../web/webclient/…. That’s not ok, does it?

        All other functionnality are ok and your explanations was (are) infinitely helpfull. Many thanks.

  • Bodays says:

    Hello Alan,

    I tried to apply SSl through apache on my openerp 6.1 without succes… I saw your tuto regarding SSl via nginx and then I tried it.
    I’m getting stucked after trying to restart nginx with the following message:
    NB: I changed your configuration IP (10.0.0.26) by 127.0.0.1 and then by the static IP of the machine (ubuntu 12.04 hosted via AWS).

    Restarting nginx: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
    nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
    nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
    nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
    nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
    nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
    nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
    nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
    nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
    nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
    nginx: [emerg] still could not bind()
    nginx.

    Do you have any idea ?

    Thanks in advance

    Bodays

  • Bodays says:

    I understood the pb… I guess.
    I tried to uninstall apache but is still in use and the process also… Do you know haw to make a clean uninstallation of apache?

  • Bodays says:

    After stopping the apache service, it’s working but it shows me “welcome page” of nginx instead of openerp. But the URL seems to be the good one : http://mydomain/web/webclient/home πŸ™

    • Alan Lord says:

      Usually when you remove an application daemon from Ubuntu it will stop. If apache didn’t stop (still resident in memory? Check first; look at your process list) then you could just kill it with:

      sudo killall apache2

    • Mickael says:

      You have to rename /etc/nginx/sites-available/default into something like /etc/nginx/sites-available/default_old:

      sudo mv default default_old

      and then it will work

  • Pambudi Satria says:

    Alan, can I install OpenERP 6.1 using Apache as webserver, then how to setup the configuration files? Is it same with OpenERP 6.0 web-client configuration files?

    • Alan Lord says:

      No it is not the same.

      There isn’t a separate openerp-web.conf file fir 6.1. Others have used apache as a reverse proxy and reported that it works but I have not tried it.

  • Liudas says:

    I faced problem with server time-out’ing. Couse my server is not the fastest in the world. the solution is to add configuration line “proxy_read_timeout 300;” (300 stands for seconds) somewhere after first string “location” in “/etc/nginx/sites-available/openerp” file. The reason is that default proxy read value is 60 s, and if openerp server doesn’t respond to nginx in this time (generating reposrts or installing modules) – nginx closes connection between client and server. Hope this will help someone.

    For more info: http://wiki.nginx.org/HttpProxyModule#proxy_read_timeout

  • Eli Anderson says:

    First of all, I would also like to express my thanks for this guide Alan. This, as well as the install guide, was invaluable to me.

    I ran into some problems when trying to use the auth_openid module with nginx, and it seemed to be because /auth_openid/login was being rewritten to /web/webclient/home. To resolve it I changed the line in the nginx configuration that reads:
    rewrite ^/.*$ https://myopenerpurl/web/webclient/home permanent;
    to:
    rewrite ^/.*$ https://myopenerpurl$request_uri? permanent;

    This is the first I have ever really used nginx so I’m not sure if this configuration change will have other undesired consequences, but it seems to work so far.

    • r00tm4n says:

      I would like to know if it is possible to know the real
      IP of the host connecting to openerp through ngnix reverse
      proxy?

      The problem is that i need to do something with Remote IPs
      conecting to my openerp installation.

      Any help would be very much apreciated.

      hugs,

      r00tm4n

  • Pambudi Satria says:

    Hi Alan,

    I faced problem with accessing openerpweb using network outside of my office. There is a message “HTTP Error 403: Forbidden”, do you know how to fix this problem?

  • Felipe says:

    I have some problems when trying to print long(heavy) reports >400 pages, i tried to fix it by increasing the buffers and timeouts in the /etc/nginx/sites-available/openerp configuration file, but it didn’t work,

    the error message shown is
    SyntaxError: JSON.parse: unexpected non-whitespace character after JSON data

    I know that is the length(size) of the report because i can print the same report with less data.

    any help is appreciated.
    thx for the nice tutorials btw.

  • LeBreton says:

    Thanks,
    Just installed OpenERP and enabled SSL (self-signed) on a VPS with Ubuntu 12.04 server using your tutorials step-by-step for 10.04, works for me πŸ™‚ Thanks for sharing again !

    • LeBreton says:

      @Alan
      Hi, have encountered a hitch, dont know if it’s a bug, or has to do with fact that I followed instructions using 12.04:
      Only thing not working is connecting with gtk-client using https://my.IP:443 or any otherone of regular ports.
      https://my.IP:443 Web-client and mobile work fine, after adding/extepting certificate πŸ˜‰ .
      There are only few non recent bug repports on gtk-client ssl connect issues but reffering to 6.0 and and/or windows gtk, leaving me none wiser….

      Thanks in advance for taking time to read and respond,
      regards

      • LeBreton says:

        Oops ! dont reply to this, just solved it, had forgotten to add exception to thunderbird, once added it connected ok !

        • Eric says:

          I can’t make thunderbird to connect. Keeps showing this error Server unreachable or login Failed, please check your connection settings

          my settings as follows:

          server – https://192.168.1.5:443
          database – mycompany
          username – admin
          password – password123

          is the above correct? how do you make it work? my web version is working properly. just can’t get thunderbird to connect.

          i am using thunderbird 15.0.1.

          Any help? Thanks.

  • Eric says:

    I can’t, the field is disabled, if i click on change button, then i set the port to nothing but with secure xml-rpcs, i will get this error:-

    You Must Enter Server Name and a Port!

    Any help? Thanks.

    • Alan Lord says:

      Oh I see.

      Sorry then, I have not used the Thunderbird extension for OpenERP. They did have an issue with the OpenOffice Report Designer not supporting ssl so maybe they have the same issue here?

      Have you search the bug tracker on launchpad?
      Can you get the TB extension working to your system over http first to prove the OpenERP server is working properly first?

      • Eric says:

        i already installed the ssl on my openerp. I don’t think i want to reinstall all over again πŸ™

  • RubenFdez says:

    I have problem with Manage Databases, I cant backup a database. This is the error:

    Client Traceback (most recent call last):
    File “/home/xxxxx/openerp-6.1-1/openerp/addons/web/common/http.py”, line 260, in dispatch
    r = method(controller, self, **self.params)
    TypeError: backup() got an unexpected keyword argument ‘drop_db’

  • Vinay Yadav says:

    Hello Admin
    I want to run multiple sub domain on one nginx server and each sub domain will link with one db , can it possible?

  • Andres Calle says:

    Hi there!
    Excellent blog!, congrats and thanks.

    I am trying to go a step further with nginx trying to proxy several OpenERP servers running on separated machines, but I am having trouble separating each of them, I am trying

    location /serverone {
    proxy_pass http://serverone;
    }

    location /servertwo {
    proxy_pass http://servertwo;
    }

    But it is not working…. I want to identify each server by adding a “/servername” right after the host name… any clue???

  • Alan,

    Thanks for your comments on LinkedIn for my request for an Idiot’s guide for OpenERP on EC2.
    I do have some updates for you…

    I Crossed the finish line but no trophy yet… πŸ™

    I executed all the steps mentioned above on an EC2 ubunutu Micro Instance.
    My OpenERP server is running perfectly. The last 2 lines of the log are :

    2013-01-17 19:42:58,382 7016 INFO ? openerp: OpenERP server is running, waiting for connections…
    2013-01-17 19:42:58,384 7016 INFO ? openerp.service.wsgi_server: HTTP service (werkzeug) running on 0.0.0.0:8069

    The trouble is:

    I am not able to launch the OpenERP application from my browser. I type these in my address bar:

    http://MyElasticIPGoesHere:8069
    or
    http://http://MyElasticIPGoesHere:8069:8069

    The result for both is that it just does not connect.. Good old Chrome says
    “Oops! Google Chrome could not connect MyElasticIPGoesHere:8069”

    In my AWS console SecurityGroup rules, I have already allowed port 80 for HTTP.
    My AWS security group rules look like this :

    Ports Protocol Source quicklaunch-1
    22 tcp 0.0.0.0/0
    80 tcp 0.0.0.0/0

    I have not mapped my EC2 instance to a load balancer nor have I set up any Autoscaling that is mentioned in the AWS documentation. I’m not able to put the AWS documentation together in my head very well in terms of their settings to simply launch my application from the browser. I am not sure what to do from this point onwards.

    I am new to both AWS and OpenERP. Please could you help me out on this? What am I missing?

    Best Regards,
    Pasha

  • OK. I just solved the issue myself.. I just had to allow port 8069 as well in my AWS security group.!!!
    How much more stupid could I get…

    My securitygroup rules look like this now.

    Ports Protocol Source quicklaunch-1
    22 tcp 0.0.0.0/0
    80 tcp 0.0.0.0/0
    8069 tcp 0.0.0.0/0

    I can launch using both Elastic IP and the static IP…

    Thanks a lot for your “how-to”. This is a great service to the open source ERP world.. Thank you again from the bottom of my heart.

  • Vassy says:

    I used this tutorial for OpenERP 7.0. I made the following adjustments:

    …..
    # rewrite ^ / mobile. * $ https://domain-name.tld/web_mobile/static/src/web_mobile.html permanent;
    # rewrite ^ / webdav (. *) $ https://domain-name.tld/webdav/ $ 1 permanent;
      rewrite ^ /. * $ https://domain-name.tld/ permanent;
    …..

    and everything works perfectly on 7.0

  • Mustafa Rawi says:

    Just wanted to confirm your methodology on OpenERP 7 stable on Ubuntu 12.10 (Quantal). I even managed to make nginx work as a frontend server with Apache 2 in the backend.

    I also approve what Vassy said about replacing the third rewrite rule. I suspect the same goes for the first two as well. I’ll try to test WebDav and its rewrite rule and inform you about the results. Sorry if I am not fast enough as I am manipulating our live server.

  • Arnaud says:

    Hi , I’ ve installed openERP 7.0, I used nginx for ssl http access. It works fine thanks Alan.
    I would like access DB with Pentaho, I’ m systematically refused, I ‘ ve tried different port: 5432, 443, 8069 with the firewall disabled.
    may I have to change the parameter in /etc/nginx/sites-available/openerp.
    Thanks

    • Alan Lord says:

      Interesting…

      I think first I would just get Pentaho talking to the db without SSL. You will need to re-configure Postgres to support remote connections.

      Then, once it is working I would add the reverse proxy configuration. It’s not something I have done before but that is an interesting idea.

      The other way you could do it for Pentaho is to nail up a “stunnel” and pass the data through that!

  • nexo says:

    Hi Alan,

    After following your guidance I was able to have openerp 6.1 up and running using nginx SSL Reverse Proxy and my domain.com but after a couple of hours, the service was suddenly unavailable,I could enable the service again by 1. stoping both openerp-server and nginx service,2. creating again both server.crt server.key files and puting them in /etc/ssl/nginx directory, 3. starting both openerp-server and nginx service, and finally 4. rebooting the server, i test it again and it was working properly but after a couple of hours unfortunately the services was unavailable again.

    The error message appearing in the browser is as follow:

    503. ThatÒ€ℒs an error.

    The service you requested is not available at this time.

    Service error -27. ThatÒ€ℒs all we know.

    Any suggestion or hint about this issue?

    Regards,

    Nexo

    • Alan Lord says:

      Sorry @nexo – that sounds very odd.

      I’ve had systems running for months with this setup with no issues whatsoever.

      You’ll need to investigate further by looking through various log files and what not, but it’s not one I am familiar with unfortunately.

      • nexo says:

        it’s a shame to hear that Alan, thanks anyway.

        Any suggestion about the logs I should check up? just a starting point.

        regards,

        Nexo

Leave a Reply

XHTML: You can use these tags:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>