Running Odoo with https

It has gotten so easy to use https since https://letsencrypt.org/ opened up. Not only can you get free SSL certificates but, even more important, you can automate the process! That’s how it should be!

I’m using Caddy. I’m assuming your Odoo server is already running (for example, on 127.0.0.1:8069).

Also important, some requirements:

  • DNS is configured correctly, pointing to your (Caddy/Odoo) server
    • If incorrect, generating the certificates will not work!
  • Using Debian 8, using systemd
  • Caddy 0.9.3
  • Odoo 8
  • No other webserver running on ports 80 or 443 !

Install Caddy

Download the binary from https://caddyserver.com/ (Linux 64-bit) and extract the archive into /usr/local/bin.

“Configure” Caddy

There’s not much to configure but since I will run Caddy on startup I keep my config in /etc/caddy.

  • Create a config directory and add a user to run Caddy:
mkdir /etc/caddy
adduser --disabled-login caddy
  • Now create the config file /etc/caddy/Caddyfile and fill in your info:
odoo.harkx.com { # Your url should go here..
  proxy / http://127.0.0.1:8069 { # Fill in the correct port..
    header_upstream Host {host}
  }
  proxy /longpolling http://127.0.0.1:8072 { # in case you use it
    header_upstream Host {host}
  }
  gzip
}

This will make the following magic happen:

  • Listen on 80 and 443
  • Redirect incoming connections on 80 to 443
  • Use HTTP/2
  • Renew your certificates when needed
  • Act as a proxy for Odoo on 127.0.0.1:8069

Configure certificates

We’ll be running Caddy as user “caddy”, so we need to give it permission to bind to low ports as a non-root user. This is easily accomplished by running this command:

setcap cap_net_bind_service=+ep /usr/local/bin/caddy

I prefer to generate the certificates manually the first time. If something goes wrong, you’ll be able to catch the error (you won’t see it when running in daemon mode).

su caddy
/usr/local/bin/caddy -agree -email YOUREMAIL -conf=/etc/caddy/Caddyfile

The certificates are now located in: /home/caddy/.caddy/letsencrypt/sites/

Configure Caddy for auto startup

  • Create the caddy systemd service by adding this file to your system: /etc/systemd/system/caddy.service
[Unit]
Description=Caddy webserver
Documentation=https://caddyserver.com/
After=network.target

[Service]
User=caddy
Group=caddy
WorkingDirectory=/etc/caddy
LimitNOFILE=8192
ExecStart=/usr/local/bin/caddy -agree -email YOUREMAIL -conf=/etc/caddy/Caddyfile
Restart=on-failure
StartLimitInterval=600

[Install]
WantedBy=multi-user.target
  • Now make systemd aware of this new service: systemctl daemon-reload
  • Start the service: systemctl start caddy.service
  • Verify it’s running correctly: systemctl status caddy.service -l

That’s it, your Odoo instance is now being served over https.
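Caddy only protects traffic that actually passes through it: if Odoo itself listens on a public interface, ports 8069 and 8072 can still be reached over plain http. The script below is an added example, not part of the original post, that reads `ss -tln` output and reports backend ports not bound to loopback; the function names and the sample listing are constructed for illustration, and it assumes `ss` from iproute2 is installed.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Reads `ss -tln` output on stdin and checks the listeners this setup implies.

BACKEND_PORTS="8069 8072"   # Odoo and longpolling ports from the Caddyfile above

# Print "addr:port" for each backend listener that is NOT bound to loopback.
exposed_backends() {
  awk -v ports="$BACKEND_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)       # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)   # text before the last colon
      if (!(port in want)) next
      if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
      print addr ":" port
    }'
}

# Return 0 only if something listens on both 80 and 443 (the ports Caddy uses).
front_ports_open() {
  awk '$1 == "LISTEN" { p = $4; sub(/.*:/, "", p); seen[p] = 1 }
       END { exit !(seen["80"] && seen["443"]) }'
}

# Constructed sample (not captured from a real host): the longpolling port is
# bound to all interfaces, the main Odoo port only to loopback.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8069     *:*
LISTEN 0      128    *:8072             *:*
LISTEN 0      128    :::80              :::*
LISTEN 0      128    :::443             :::*'

if [ "${1:-}" = "--live" ]; then
  ss -tln | exposed_backends          # check the real host
else
  printf '%s\n' "$SAMPLE" | exposed_backends
fi
```

Run it with `--live` on the server; any line it prints is a backend port that should be rebound to 127.0.0.1 or firewalled.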

UPDATES

  • 20161011 : Changed Caddy parameter proxy_header to header_upstream.
  • 20161011 : Modified LimitNOFILE in systemd config to 8192 from 4096.

written by @harkx

