How to install OpenERP 6 on Ubuntu 10.04 LTS Server-2
2011-10-29 13:55
This article follows on (hopefully not unsurprisingly) from part 1.
In this post I’ll describe our current way of providing SSL encrypted access to a shiny new OpenERP server running on Ubuntu 10.04 LTS Server.
We’re using the Apache web server to act as a proxy and do SSL termination for web client access and for WebDAV/CalDAV access. The GTK client will also be running over an encrypted XMLRPC link directly to the OpenERP Server. Apache is the most widely used web server in the world and there are oodles of documentation about it, so I do not plan to go into any great detail about the configuration choices. One document that is worth pointing out, however, is the information about how to configure and administer Apache specifically under Debian/Ubuntu. The way Apache is packaged and set up is quite different from most other Linux distributions. A very useful document can be found at /usr/share/doc/apache2.2-common/README.Debian.gz on your server.
NB: For the purposes of this howto, we’ll be using self-signed certificates. A discussion of the pros and cons of this choice is beyond the scope of this article.
Step 1. Install Apache and required modules
On your server install apache2 by typing:
sudo apt-get install apache2
Now we’ll tell apache that we want to use a few modules (mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_rewrite [optional]) that are not enabled by default:
sudo a2enmod ssl proxy_http headers rewrite
Next, we need to generate an SSL certificate and key.
Step 2. Create your cert and key
I create the files in a temporary directory then move them to their final resting place once they have been built (the first cd is just to make sure we are in our home directory to start with):
cd
mkdir temp
cd temp
Then we generate a new key; you will be asked to enter a passphrase and confirm:
openssl genrsa -des3 -out server.pkey 1024
(Note that 1024-bit RSA keys are no longer considered adequate; 2048 bits is the usual minimum today.)
We don’t really want to have to enter a passphrase every time the server starts up, so we remove the passphrase by doing this:
openssl rsa -in server.pkey -out server.key
Next we need to create a signing request which will hold the data that will be visible in your final certificate:
openssl req -new -key server.key -out server.csr
This will generate a series of prompts like this. Enter the information as requested:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: The Client’s Company
And finally we self-sign our certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
We only need two of the files in the working directory, the key and the certificate. But before we can use them they need to have their ownership and access rights altered:
sudo chown openerp:root server.crt server.key
sudo chmod 640 server.crt server.key
And then we put them in a sensible place:
sudo mkdir /etc/ssl/openerp
sudo chown openerp:root /etc/ssl/openerp
sudo chmod 710 /etc/ssl/openerp
sudo mv server.crt server.key /etc/ssl/openerp/
Now the key and certificate are safely stored away, we can tell Apache where they are:
Step 3. Create the Apache site configuration file
We create a new VirtualHost configuration file:
sudo nano /etc/apache2/sites-available/openerp-ssl
with the following content:
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/openerp/server.crt
SSLCertificateKeyFile /etc/ssl/openerp/server.key

ProxyRequests Off

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyVia On

# WebDAV/CalDAV goes to the XMLRPC port of the OpenERP server (localhost only)
<Location /webdav/>
ProxyPass http://127.0.0.1:8069/webdav/
ProxyPassReverse http://127.0.0.1:8069/webdav/
<Limit OPTIONS PROPFIND GET REPORT MKACTIVITY PROPPATCH PUT MOVE COPY DELETE LOCK UNLOCK>
Order Deny,Allow
Allow from all
Satisfy Any
</Limit>
</Location>

# Everything else goes to the web client listening on port 8080 (localhost only)
<Location />
ProxyPass http://127.0.0.1:8080/
ProxyPassReverse http://127.0.0.1:8080/
</Location>

RequestHeader set "X-Forwarded-Proto" "https"

# Fix IE problem (http apache proxy dav error 408/409)
SetEnv proxy-nokeepalive 1
</VirtualHost>
Note there are two Proxy configurations: one for /webdav/ and one for /. If you do not intend to use WebDAV or CalDAV then you can remove that section. But essentially, we are telling apache that WebDAV traffic needs to go to the XMLRPC port on the OpenERP server, and normal web traffic needs to go to the web client that is listening on port 8080. The order is also important: if / came before /webdav/ then it wouldn’t work.
And then we can enable the new site configuration:
sudo a2ensite openerp-ssl
Optionally, you can use mod_rewrite to redirect any normal (non-encrypted) web browser traffic to the SSL port (443). To do this, add the following lines (outside of the <Directory> config blocks) into the file /etc/apache2/sites-available/default:
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [R,L]
Step 4. Change the OpenERP server and web-client configuration files
The next step is to re-configure the OpenERP server and Web client so that the non-encrypted services are not accessible from the outside world. In /etc/openerp-server.conf the two non-encrypted services will only listen on localhost, i.e. they will not accept external connections, so in effect only traffic from Apache will be accepted. We also tell the XMLRPC-SSL service where to find the necessary key and certificate.
Make the following changes:
sudo nano /etc/openerp-server.conf
xmlrpc=True
xmlrpc_interface=127.0.0.1
xmlrpc_port=8069
netrpc=True
netrpc_interface=127.0.0.1
netrpc_port=8070
xmlrpcs=True
xmlrpcs_interface=
xmlrpcs_port=8071
secure_pkey_file=/etc/ssl/openerp/server.key
secure_cert_file=/etc/ssl/openerp/server.crt
If you want to have WebDAV/CalDAV access, add the following at the bottom of the config file:
[webdav]
enable=True
vdir=webdav
Then in the web client config file /etc/openerp-web.conf make the following changes so that it also only accepts traffic from localhost:
sudo nano /etc/openerp-web.conf
# Some server parameters that you may want to tweak
server.socket_host = "127.0.0.1"
# Set to True if you are deploying your App behind a proxy
# e.g. Apache using mod_proxy
tools.proxy.on = True
# If your proxy does not add the X-Forwarded-Host header, set
# the following to the *public* host url.
tools.proxy.base = 'https://your-ip-or-domain'
# Set to false to disable CSRF checks
tools.csrf.on = False
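A post-install sanity check for the key/certificate pair from Step 2 and the localhost bindings from Step 4, added here as an example that is not the author's or OpenERP's own code. It assumes the article's file locations and the xmlrpc_interface / netrpc_interface keys shown above; conf_value, check_plain_bindings and check_cert_pair are hypothetical helper names.

```shell
#!/bin/sh
# Added example: sanity checks for the SSL setup described in Steps 2 and 4.
# Assumes the article's paths (/etc/ssl/openerp/server.key, server.crt) and
# the xmlrpc_interface / netrpc_interface keys of /etc/openerp-server.conf.

# conf_value FILE KEY: print the value of "KEY = value" (spaces optional).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_plain_bindings FILE: succeed only if both non-encrypted services
# (xmlrpc, netrpc) are bound to 127.0.0.1, i.e. reachable only via Apache.
check_plain_bindings() {
    status=0
    for key in xmlrpc_interface netrpc_interface; do
        value=$(conf_value "$1" "$key")
        if [ "$value" != "127.0.0.1" ]; then
            echo "FAIL: $key is '${value:-<unset>}', expected 127.0.0.1" >&2
            status=1
        fi
    done
    return $status
}

# check_cert_pair KEY CRT: succeed only if the certificate belongs to this
# private key, the certificate has not expired, and the key file is not
# readable by "other" (the article sets mode 640).
check_cert_pair() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    if [ -z "$key_mod" ] || [ "$key_mod" != "$crt_mod" ]; then
        echo "FAIL: $2 was not issued for $1" >&2; return 1
    fi
    if ! openssl x509 -noout -checkend 0 -in "$2" >/dev/null; then
        echo "FAIL: $2 has expired" >&2; return 1
    fi
    # characters 8-10 of "ls -l" output are the permission bits for "other"
    if [ "$(ls -ld "$1" | cut -c8-10)" != "---" ]; then
        echo "FAIL: $1 is readable by other users" >&2; return 1
    fi
}

# Usage on the server once Steps 2 and 4 are done:
#   check_plain_bindings /etc/openerp-server.conf
#   check_cert_pair /etc/ssl/openerp/server.key /etc/ssl/openerp/server.crt
```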