Odoo - Apache 2.4 Reverse Proxy HowTo

The problem

The solution

Install Apache 2.4 in Ubuntu 14.04

Apache 2

Install Apache 2 in prefork mode using Debian Package system

sudo apt-get install -y apache2 apache2-utils apache2-mpm-prefork

Enable rewrite and SSL modules

sudo a2enmod rewrite
sudo a2enmod ssl

Default ServerName

Define the ServerName directive and the ports on which Apache2 will listen

sudo nano /etc/apache2/ports.conf
ServerName proxy.example.com
Listen 80
<IfModule mod_ssl.c>
    Listen 443
</IfModule>

Secure Apache2

Set several directives to secure Apache

sudo nano /etc/apache2/conf-enabled/security.conf
<Directory />
   Options None
   AllowOverride None
   Order Deny,Allow
   Deny from all
</Directory>
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<DirectoryMatch "/(\.svn|\.git)">
   Deny from all
   Satisfy all
</DirectoryMatch>

ModSecurity

Enable headers module

sudo a2enmod headers

Install Apache 2 ModSecurity Rules

sudo apt-get install -y libapache2-modsecurity modsecurity-crs

Include ModSecurity rules

sudo nano /etc/modsecurity/rules.conf
<IfModule security2_module>
    Include "/usr/share/modsecurity-crs/*.conf"
    Include "/usr/share/modsecurity-crs/activated_rules/*.conf"
</IfModule>

Enable Secure Rules Engine

sudo nano /etc/modsecurity/modsecurity.conf-recommended
# SecRuleEngine DetectionOnly
SecRuleEngine On

Enable all base and optional rules

cd /usr/share/modsecurity-crs
# Link every rule and data file into activated_rules (glob instead of parsing ls output)
for f in base_rules/*modsecurity*; do sudo ln -s "/usr/share/modsecurity-crs/$f" activated_rules/; done
for f in optional_rules/*modsecurity*; do sudo ln -s "/usr/share/modsecurity-crs/$f" activated_rules/; done

Default page

sudo mv /var/www/html/index.html /var/www/html/index-orig.html
sudo nano /var/www/html/index.html
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <title>Default</title>
    </head>
    <body>
        <p>Default page for server: proxy.example.com</p>
    </body>
</html>

Default HTTP virtual host

sudo nano /etc/apache2/sites-available/default.conf
<VirtualHost *:80>
   ServerAdmin webmaster@example.com
   ServerName odoo.example.com

   DocumentRoot /var/www/html

   <Directory /var/www/html>
      Options None
      AllowOverride None

      # RedirectMatch temp ^/(.*)$ http://otherhost.otherdomain.com

      # Access control by IP or IP range
      # Order deny,allow
      # Deny from all
      # Allow from 10.xx.0.0/16 127.0.0.0/255.0.0.0 ::1/128

      # Allow all
      Order allow,deny
      Allow from all
   </Directory>

   ErrorLog /var/log/apache2/default.error.log
   LogLevel warn

   CustomLog /var/log/apache2/default.access.log combined
</VirtualHost>

Default HTTPS virtual host

sudo nano /etc/apache2/sites-available/default-ssl.conf
<VirtualHost *:443>
   ServerAdmin webmaster@example.com
   ServerName odoo.example.com

   DocumentRoot /var/www/html

   <Directory /var/www/html>
      Options None
      AllowOverride None

      # RedirectMatch temp ^/(.*)$ http://otherhost.otherdomain.com

      # Access control by IP or IP range
      # Order deny,allow
      # Deny from all
      # Allow from 10.xx.0.0/16 127.0.0.0/255.0.0.0 ::1/128

      # Allow all
      Order allow,deny
      Allow from all
   </Directory>

   ErrorLog /var/log/apache2/default-ssl.error.log
   LogLevel warn

   CustomLog /var/log/apache2/default-ssl.access.log combined
</VirtualHost>

HTTP Proxy

Enable HTTP Proxy module

sudo a2enmod proxy_http

Protect configuration files

Only root (and the root group) can access the configuration files

sudo chown -R root:root /etc/apache2
sudo chmod -R o-rwx /etc/apache2

Restart Apache 2 service

sudo service apache2 restart
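
To confirm that the ModSecurity and permission steps above took effect, the following read-only checks can be run after the restart. This is an added example, not part of the original howto: the function names are hypothetical, and it assumes the packaged ModSecurity configuration loads only files matching /etc/modsecurity/*.conf.

```shell
#!/bin/sh
# Added example: read-only checks for the ModSecurity and permission steps.

# Last SecRuleEngine value found in DIR/*.conf ("unset" if none). Does not
# follow Include lines. Assumption: Apache loads /etc/modsecurity/*.conf only.
effective_rule_engine() (
    value=unset
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        # Commented-out lines start with "#", so they never match $1.
        v=$(awk '$1 == "SecRuleEngine" { x = $2 } END { print x }' "$f")
        if [ -n "$v" ]; then value=$v; fi
    done
    echo "$value"
)

# Symlinks in DIR whose target is missing (rules that silently never load).
dangling_links() (
    for l in "$1"/*; do
        if [ -L "$l" ] && [ ! -e "$l" ]; then echo "$l"; fi
    done
)

# Regular files and directories under DIR that "other" can still access.
# Symlinks are skipped because their own mode bits are always open.
world_accessible() {
    find "$1" ! -type l -perm /007
}

# Run all three checks; arguments override the default paths from the howto.
audit() {
    rc=0
    engine=$(effective_rule_engine "${1:-/etc/modsecurity}")
    [ "$engine" = On ] || { echo "SecRuleEngine is '$engine', not On"; rc=1; }
    broken=$(dangling_links "${2:-/usr/share/modsecurity-crs/activated_rules}")
    [ -z "$broken" ] || { echo "dangling rule links:"; echo "$broken"; rc=1; }
    open=$(world_accessible "${3:-/etc/apache2}")
    [ -z "$open" ] || { echo "world-accessible config:"; echo "$open"; rc=1; }
    return "$rc"
}

# Run as: sudo sh check.sh --audit   (exit status 1 if any check fails)
case "${1:-}" in --audit) audit; exit ;; esac
```

If the first check reports 'unset', the SecRuleEngine line sits in a file whose name does not end in .conf and is therefore not loaded under the stated assumption.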
