Step 11. SSL

In this post I’ll describe our current way of providing SSL encrypted access to a shiny new OpenERP server running on Ubuntu 10.04 LTS Server.

We’re using the Apache webserver to act as a proxy and do SSL termination for web client access and for WebDAV/CalDAV access. The GTK client will also be running over an encrypted XMLRPC link directly to the OpenERP Server. Apache is the most widely used webserver in the world and there is oodles of documentation about it so I do not plan to go into any great detail about the configuration choices. One document that is worth pointing out however is the information about how to configure and administer Apache specifically under Debian/Ubuntu. The way Apache is packaged and set up is quite different from most other Linux distributions. A very useful document can be found here /usr/share/doc/apache2.2-common/README.Debian.gz on your server.

NB: For the purposes of this how to, we’ll be using self-signed certificates. A discussion of the pros and cons of this choice is beyond the scope of this article.

Step 11.1. Install Apache and required modules

On your server install apache2 by typing

sudo apt-get install apache2

Now we’ll tell apache that we want to use a few modules (mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_rewrite [optional]) that are not enabled by default:

sudo a2enmod ssl proxy_http headers rewrite

Next, we need to generate a SSL certificate and key.

Step 11.2. Create your cert and key

I create the files in a temporary directory then move them to their final resting place once they have been built (the first cd is just to make sure we are in our home directory to start with):

cd
mkdir temp
cd temp

Then we generate a new key, you will be asked to enter a passphrase and confirm:

openssl genrsa -des3 -out server.pkey 1024

We don’t really want to have to enter a passphrase every time the server starts up so we remove the passphrase by doing this:

openssl rsa -in server.pkey -out server.key

Next we need to create a signing request which will hold the data that will be visible in your final certificate:

openssl req -new -key server.key -out server.csr

This will generate a series of prompts like this:

Enter the information as requested:

You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: <-- The Client’s Company

And finally we self-sign our certificate.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

We only need two of the files in the working directory, the key and the certificate. But before we can use them they need to have their ownership and access rights altered:

sudo chown openerp:root server.crt server.key
sudo chmod 640 server.crt server.key

And then we put them in a sensible place:

sudo mkdir /etc/ssl/openerp
sudo chown openerp:root /etc/ssl/openerp
sudo chmod 710 /etc/ssl/openerp
sudo mv server.crt server.key /etc/ssl/openerp/

Now the key and certificate are safely stored away, we can tell Apache where they are:

Step 11.3. Create the Apache site configuration file

We create a new Virtual Host configuration file...

sudo nano /etc/apache2/sites-available/openerp-ssl

... with the following content:

<VirtualHost *:443>
   SSLEngine on
   SSLCertificateFile /etc/ssl/openerp/server.crt
   SSLCertificateKeyFile /etc/ssl/openerp/server.key
   ProxyRequests Off
 <Proxy *>
   Order deny,allow
   Allow from all
 </Proxy>
   ProxyVia On
   ProxyPass /webdav/ http://127.0.0.1:8069/webdav/
 <Location /webdav/ >
   ProxyPassReverse /webdav/
 <Limit OPTIONS PROPFIND GET REPORT MKACTIVITY PROPPATCH PUT MOVE COPY DELETE LOCK UNLOCK>
   Order Deny,Allow
   Allow from all
   Satisfy Any
 </Limit>
 </Location>
   ProxyPass / http://127.0.0.1:8080/
 <location / >
   ProxyPassReverse /
 </location>
   RequestHeader set "X-Forwarded-Proto" "https"
   # Fix IE problem (httpapache proxy dav error 408/409)
   SetEnv proxy-nokeepalive 1
</VirtualHost>

Note there are two Proxy configurations. One for /webdav/ and one for /. If you do not intend to use WebDAV or CalDAV then you can remove that section. But essentially, we are telling apache that WebDAV traffic needs to go to the XMLRPC port on the OpenERP server, and normal web traffic needs to go to the web client that is listening on port 8080. The order is also important. If / came before /webdav/ then it wouldn’t work.

And then we can enable the new site configuration.

sudo a2ensite openerp-ssl

Optionally, you can use mod_rewrite to redirect any normal (non-encrypted) web browser traffic to the SSL port (443).

To do this, add the following lines (outside of the <directory> config blocks) into the file /etc/apache2/sites-available/default:

RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]

Step 11.4. Change the OpenERP server and web-client configuration files

The next step is to re-configure the OpenERP server and Web client so that the non-encrypted services are not accessible from the outside world.

In /etc/openerp-server.conf the two non-encrypted services will only listen on localhost, i.e. not from external connections so in effect only traffic from Apache will be accepted. We also tell the XMLRPC-SSL service where to find the necessary key and certificate.

Make the following changes:

sudo nano /etc/openerp-server.conf

xmlrpc = True
xmlrpc_interface = 127.0.0.1
xmlrpc_port = 8069
netrpc = True
netrpc_interface = 127.0.0.1
netrpc_port = 8070
xmlrpcs = True
xmlrpcs_interface =
xmlrpcs_port = 8071
secure_pkey_file = /etc/ssl/openerp/server.key
secure_cert_file = /etc/ssl/openerp/server.crt

If you want to have WebDAV/CalDAV access add the following at the bottom of the config file.

[webdav]
enable = True
vdir = webdav

Then in the web client config file /etc/openerp-web.conf make the following changes so that it also only accepts traffic from localhost:

sudo nano /etc/openerp-web.conf

# Some server parameters that you may want to tweak
server.socket_host = “127.0.0.1?
# Set to True if you are deploying your App behind a proxy
# e.g. Apache using mod_proxy
tools.proxy.on = True
# If your proxy does not add the X-Forwarded-Host header, set
# the following to the *public* host url.
tools.proxy.base = ‘https://your-ip-or-domain’
# Set to false to disable CSRF checks
tools.csrf.on = False

That’s it.

Step 11.5. Try it out

Restart the services to load the new configurations:

sudo service openerp-server restart
sudo service openerp-web restart
sudo service apache2 restart

You should not be able to connect to the web client on port 8080 and the GTK client should not connect on either the NetRPC (8070) or XMLRPC (8069) services. For the web access you just need to visit https://your-ip-or-domain and in the GTK client you will need to use port 8071 and choose the XMLRPC (Secure) protocol.

For CalDAV access the URL to a calendar will be something like this:

https://your-ip-or-domain/webdav/DB_NAME/calendars/users/USERNAME/c/CALENDAR_NAME

I hope that is helpful and obviously we’d love to hear comments and suggestions for improvements.

This page is licensed under a Creative Commons License.