Koozali.org: home of the SME Server

SME-9.2, PostgreSQL-10.4, Collection RH-PHP70/RH-Python36 & Odoo-11

michelandre
Hi all,

SME Server: 9.2 fully updated
Mode: Server only
IP: 192.168.1.11
Odoo: version-11 in I-bay Primary in oddo directory.
Certificate: Let's Encrypt without cron testing for renewal.

I installed PostgreSQL-10.4, Collection RH-PHP70, Collection RH-Python36 and Odoo-11 on a SME Server 9.2.
All is working correctly. I can connect to Odoo-11 and do all kinds of things.
The Collections don't interfere with the standard PHP or Python of the SME.

The only thing missing was the HTTPS to connect to Odoo-11.

After a lot of googling, I found a solution by adding the lines below between ###. They are the only modifications in httpd.conf.
I did it directly in /etc/httpd/conf/httpd.conf.
I know I am not supposed to do it directly and should do some templates, but it is only for debugging.

All is working fine. Now I access Odoo with https without problems except one major one: I cannot access Server Manager any more as everything is redirected to port 8069 for Odoo.

toto.org/server-manager  || http://toto.org/server-manager || https://toto.org/server-manager || www.toto.org/server-manager etc...
"Not Found
The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again."

I tried to move the added line in <VirtualHost 0.0.0.0:443> below the <Location /server-manager>...</Location>.
I still cannot access Server Manager.


Code:
<VirtualHost 0.0.0.0:80>
...
    DocumentRoot         /home/e-smith/files/ibays/Primary/html
    ScriptAlias /cgi-bin /home/e-smith/files/ibays/Primary/cgi-bin
    Alias       /files   /home/e-smith/files/ibays/Primary/files
    ######################################
    Redirect / https://toto.org/
    ######################################
...
<VirtualHost 0.0.0.0:443>
...
    DocumentRoot         /home/e-smith/files/ibays/Primary/html
    ScriptAlias /cgi-bin /home/e-smith/files/ibays/Primary/cgi-bin
    Alias       /files   /home/e-smith/files/ibays/Primary/files
    # SSL Directives
    SSLEngine on
    ################################################
    SSLCertificateFile /etc/dehydrated/certs/www.toto.org/cert.pem
    ProxyPass / http://localhost:8069/ retry=0
    ProxyPassReverse / http://localhost:8069/
    ################################################

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass /server-manager http://127.0.0.1:980/server-manager
    ProxyPassReverse /server-manager http://127.0.0.1:980/server-manager
    <Location /server-manager>
        order deny,allow
        deny from all
        allow from 127.0.0.1 192.168.1.0/255.255.255.0
    </Location>
...

I did a howto in 2015 about Odoo-7 (called OpenERP in those days).
This document is the one most downloaded from my site; 4-5 times as the next most downloaded one.
So, I decided to write an update with the most recent software and Collections so I won't have to do it again for some time.

As I wrote above, all is working fine with Odoo and https except using Server Manager...

Any help appreciated.

Michel-André

ReetP
« Reply #1 on: June 20, 2018, 09:05:36 AM »
You probably need to look at how I created a virtualhost with a reverse proxy for rocketchat.

Should give you an idea.

https://wiki.contribs.org/Rocket_Chat:Contrib

https://wiki.contribs.org/Rocket_Chat:Contrib#SSL_with_Proxypass

Look at the code in the contrib. You need a template/directory in httpd somewhere that matches the TemplatePath that contains your httpd settings for the virtualhost.

Also if you search the wiki there is loads on there:

https://wiki.contribs.org/SME_Server:Documentation:ProxyPass

You should not have to do anything with the letsencrypt cert if you have the proxy settings correct.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

michelandre
« Reply #2 on: June 20, 2018, 03:14:17 PM »
Hi ReetP,

Thank you so much for all those links. You did a lot of work for that Contrib.

As I do not want to touch my main SME Server, I will continue with my virtual machine and install "SSL with Proxypass" and it should do the job.

As Odoo requires a lot of juice and I do not want to overload my main server, when all will be working and finished, I will do the exact complete manipulations I did on the virtual machine again on a dedicated internal server for Odoo and install also Proxypass on my main server to point to the internal server.

All the work you do for SME Server is very appreciated.

Thank you again, you made my month,

Michel-André

ReetP
« Reply #3 on: June 20, 2018, 03:23:01 PM »
Note if you use the method with TemplateProxyPath you will need a directory something like this:

/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/ProxyPassVirtualRocketchat

In there you can add the template fragments for your individual host.

It is the manual way of doing what you can do with https://wiki.contribs.org/Webapps-common

michelandre
« Reply #4 on: June 21, 2018, 01:31:07 AM »
Hi all,

Busy day with: https://wiki.contribs.org/Rocket_Chat:Contrib#SSL_with_Proxypass

* CERTIFICATE: SME Server.
- Server Manager:
###(Without anything related to proxypass)
https://micronator-101.org/server-manager/
https: is there but says "not secure"
- Deleted all parameters and files related to the SME Certificate.
Server Manager:
https://micronator-101.org/server-manager/
https: is there but still says "not secure"

- Server Manager:
###(With proxypass)
https://micronator-101.org/server-manager/
https: is there but says "not secure"

- Odoo
https://odoo.micronator-101.org
https: is there
Accept certificate, then becomes: http://192.168.1.11:8069/web/login
Login is OK but only with http.
Redirection works OK

* CERTIFICATE: Let's Encrypt:
###(Without anything related to proxypass)
- Server Manager
https://micronator-101.org/server-manager/
https: green all the way

###(With proxypass)
- Server Manager
https://micronator-101.org/server-manager/
https: green all the way

- Odoo
https://odoo.micronator-101.org
https: is there but says "not secure"
Standard Primary html: This web site is under construction
No redirection.

https://odoo.micronator-101.org:8069
Échec de la connexion sécurisée
Une erreur est survenue pendant une connexion à odoo.micronator-101.org:8069. SSL a reçu un enregistrement qui dépasse la longueur maximale autorisée. Code d’erreur : SSL_ERROR_RX_RECORD_TOO_LONG

*** Code with SME Certificate ***

Code:
db yum_repositories set fws repository                        \
BaseURL http://repo.firewall-services.com/centos/\$releasever \
EnableGroups no GPGCheck yes                                  \
Name "Firewall Services"                                      \
GPGKey http://repo.firewall-services.com/RPM-GPG-KEY          \
Visible yes status disabled

signal-event yum-modify

yum install -y --enablerepo=fws  mod_proxy_wstunnel

signal-event remoteaccess-update

db domains set odoo.micronator-101.org domain                            \
                                 Description Odoo                        \
                                 Nameservers internet                    \
                                 TemplatePath ProxyPassVirtualOdoo       \
                                 ProxyPassTarget http://localhost:8069/

config setprop odoo rootURL odoo.micronator-101.org SSLProxy yes

signal-event remoteaccess-update

service odoo restart

*** Code with Let's Encrypt Certificate *** The only difference:
Code:
db domains set odoo.micronator-101.org domain                            \
                                 Description Odoo                        \
                                 TemplatePath ProxyPassVirtualOdoo       \
                                 ProxyPassTarget http://localhost:8069/  \
                                 letsencryptSSLcert enabled

I tried with: https://forums.contribs.org/index.php/topic,47795.0/all.html to no avail.

Next: I will try: https://wiki.contribs.org/Webapps-common.

Michel-André


michelandre
« Reply #5 on: June 21, 2018, 05:53:47 AM »
Hi all,

While googling for an answer for Server Manager not working in the original modified httpd.conf, I came across:

Code:
proxypass /toto !
Using the ! to exclude a directory and, if you use ProxyPassMatch, the same way to exclude a file.
So I tried different combinations to exclude Server Manager but nothing is working.

Code:
...
ProxyPass "/server-manager" "!"
ProxyPass /server-manager !
ProxyPassMatch /server-manager$ !
...
Is there a specific file that Server Manager is calling?

Also, I came across: https://serverfault.com/questions/518355/how-to-exclude-an-url-for-apache-mod-proxy

Quote:
Using this answer worked great for allowing LetsEncrypt into the default .well-known folder location for a virtualhost, when using ProxyPass to show a chat server there. Add before the other directives:
ProxyPass /.well-known !

Which might be a must for Let's Encrypt?

Michel-André
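
Apache checks ProxyPass rules in configuration order and the first match wins, so a catch-all ProxyPass / placed ahead of /server-manager (as in the first post's port-443 block) or ahead of a ! exclusion captures those paths first. The following added example, not part of the original posts, models that ordering with a simplified prefix match and flags shadowed rules; the two directive lists are constructed from lines quoted in this thread, and the function names are hypothetical.

```python
# Constructed sample: ProxyPass lines in the order shown in the first post's
# <VirtualHost 0.0.0.0:443> block.
ORIGINAL = """
ProxyPass / http://localhost:8069/ retry=0
ProxyPassReverse / http://localhost:8069/
ProxyPass /server-manager http://127.0.0.1:980/server-manager
ProxyPassReverse /server-manager http://127.0.0.1:980/server-manager
"""

# Constructed sample: the same rules, most specific first, plus the
# /.well-known exclusion quoted in the thread.
REORDERED = """
ProxyPass /.well-known !
ProxyPass /server-manager http://127.0.0.1:980/server-manager
ProxyPassReverse /server-manager http://127.0.0.1:980/server-manager
ProxyPass / http://localhost:8069/ retry=0
ProxyPassReverse / http://localhost:8069/
"""


def parse_proxypass(conf):
    """Return [(lineno, prefix, target)] for ProxyPass lines only."""
    rules = []
    for lineno, line in enumerate(conf.strip().splitlines(), 1):
        parts = line.split()
        # Directive names are case-insensitive; ProxyPassReverse is skipped.
        if len(parts) >= 3 and parts[0].lower() == "proxypass":
            rules.append((lineno, parts[1].strip('"'), parts[2].strip('"')))
    return rules


def covers(prefix, path):
    """Simplified model of the prefix match: whole path segments only."""
    if prefix == "/":
        return True
    base = prefix.rstrip("/")
    return path == base or path.startswith(base + "/")


def route(rules, url_path):
    """Target of the first matching rule; '!' means 'do not proxy'."""
    for _, prefix, target in rules:
        if covers(prefix, url_path):
            return target
    return None


def shadowed(rules):
    """Rules that can never match because an earlier prefix covers them."""
    hidden = []
    for i, (_, prefix, _target) in enumerate(rules):
        for _, earlier, _t in rules[:i]:
            if covers(earlier, prefix):
                hidden.append((prefix, earlier))
                break
    return hidden


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("reordered", REORDERED)):
        rules = parse_proxypass(conf)
        print(name, "-> /server-manager/ goes to", route(rules, "/server-manager/"))
        for prefix, earlier in shadowed(rules):
            print("  shadowed:", prefix, "is hidden by earlier rule", earlier)
```

A shadowed /server-manager rule also means its requests are handled by the catch-all backend rather than by the proxied service the access-restricted Location block was written for.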



ReetP
« Reply #6 on: June 21, 2018, 09:49:28 AM »
2 points.

One depends on what fragments you are using for your new virtual host.

Second, have you actually checked what those fragments create in httpd.conf?

michelandre
« Reply #7 on: June 22, 2018, 06:55:36 AM »
Hi all,

Previously I looked at the fragments of httpd but not so deeply. After the last reply of ReetP, I started to look at it again and finally found a way for the redirection with a custom-template: /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/25SSLDirectives.

Code:
{
    return "    # skipping SSL directives\n
    ########################
    # Redirection for Odoo.
    Redirect / https://toto.org/
    ########################
    " unless $port eq "443";

    return "" unless $modSSL{'status'} eq 'enabled';

    $OUT =  <<SSL_END;
    # SSL Directives
    SSLEngine on

    ########################
    # Redirection to port 8069
    ProxyPass / http://localhost:8069/ retry=0
    ProxyPassReverse / http://localhost:8069/
    ########################
SSL_END
}

I tried with Webapps-common with no luck.
I also tried with: /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/ProxyPassVirtualHosts/ProxyPassContent.

Next problem is with Server Manager. I think that this one will be more tricky.
Maybe it is the directive: Redirect / https://toto.org/ because there are some redirections already for Server Manager towards port 980?

Any help appreciated,

Michel-André




ReetP
« Reply #8 on: June 22, 2018, 09:29:43 AM »
I think you have missed a trick...

I'll message when I'm back home in a bit

ReetP
« Reply #9 on: June 22, 2018, 11:37:53 AM »
OK, this is an old trick shown to me by Tony Keane many moons ago.

When you create a normal oodoo.yourdomain.com it uses the server-manager settings for yourdomain.com and it is just another host at yourdomain.com and treated accordingly, so, as you have discovered, you can't easily get past the server-manager.

So what we need is a host with its own virtual host settings. But we can't do one host so we cheat and make a DOMAIN, with the name of the required host. And that is enough to fool the system....

We create a 'fakedomain'

In your server-manager add a new domain like oodoo.yourdomain.com (yes, literally a DOMAIN called that)

SME will create you a load of hosts such as:

www.oodoo.yourdomain.com
ftp.oodoo.yourdomain.com
etc.

You can remove all bar one if required (I just leave servername.oodoo.yourdomain.com)

Now when you update your httpd.conf you should find a completely separate virtualhost called oodoo.domain.com

For Letsencrypt make sure you have a DNS record for oodoo.domain.com - your virtual host should see that 'domain' and point it to the normal .well-known directory

So for instance I wanted rocketchat with a reverse proxy.

I created a new domain called chat.mydomain.com

It just has one host called myserver.chat.mydomain.com

If you have set the template path correctly as per the rocketchat stuff, you will get a completely separate virtual host like this:

<VirtualHost 0.0.0.0:80>

    ServerName chat.mydomain.com
    ServerAlias

Blah - no server-manager stuff, just your virtualhost templates

</VirtualHost>


<VirtualHost 0.0.0.0:443>

    ServerName chat.mydomain.com
    ServerAlias

Blah - no server-manager stuff, just your virtualhost templates

</VirtualHost>

So, it's a cheat, but it works.

As far as my users are concerned they go to chat.mydomain.com and they are happy :-)

michelandre
« Reply #10 on: June 22, 2018, 10:50:13 PM »
Hi ReetP,

You're the Greatest with proxies and redirections!

Server Manager is accessible and the redirections are working perfectly.  :)

/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/25SSLDirectives

Code:
{
    if ( $port eq "80" && $virtualHost eq "odoo.toto.org")
    {
        $OUT .= "    \n";
        $OUT .= "    # For the Odoo redirection.\n";
        $OUT .= "    # Michel-André / 2016-06-22_15h00\n";
        $OUT .= "    Redirect / https://odoo.toto.org/\n";
    }

    return "    # skipping SSL directives\n" unless $port eq "443";

    return "" unless $modSSL{'status'} eq 'enabled';

    # The here-document terminator below must start in column 0.
    $OUT =  <<SSL_END;
    # SSL Directives
    SSLEngine on
SSL_END

    if ( $virtualHost eq "odoo.toto.org" )
    {
        $OUT .= "    \n";
        $OUT .= "    # For the redirection to port 8069\n";
        $OUT .= "    # Michel-André / 2016-06-22_15h00\n";
        $OUT .= "    ProxyPass / http://localhost:8069/ retry=0\n";
        $OUT .= "    ProxyPassReverse / http://localhost:8069/\n";
    }

}

Now, before proclaiming total Victory, I have to test from the internet through my main server as a reverse-proxy.
Code:
# On main server to activate the reverse-proxy for toto.org
db domains set toto.org domain
db domains setprop toto.org Nameservers internet
db domains setprop toto.org ProxyPassTarget http://192.168.1.11/
db domains setprop toto.org TemplatePath ProxyPassVirtualHosts
signal-event domain-create toto.org
db domains show

# Deactivation
db domains delete toto.org
signal-event domain-modify
db domains show | grep  toto.org
db domains show

# On main server to activate the reverse-proxy for odoo.toto.org
db domains set odoo.toto.org domain
db domains setprop odoo.toto.org Nameservers internet
db domains setprop odoo.toto.org ProxyPassTarget http://192.168.1.11/
db domains setprop odoo.toto.org TemplatePath ProxyPassVirtualHosts
signal-event domain-create odoo.toto.org
db domains show

# Deactivation
db domains delete odoo.toto.org
signal-event domain-modify
db domains show | grep  odoo.toto.org
db domains show

Without you, it would have been a show stopper...

Thank you so much for the "secret" details of the "passe croche",

Michel-André
« Last Edit: June 22, 2018, 10:53:18 PM by michelandre »

ReetP
« Reply #11 on: June 23, 2018, 12:41:14 AM »
No probs, but I can't claim the accolades. I am but a mortal merely standing on the shoulders of giants.

Big thank you to Tony (RIP mate... still think of you). Daniel for the mod_proxy and other ideas.

I'm no expert on apache configs either. Hate them! But this was more about tweaks to SME.

Be nice to have a proper system to manhandle virtual hosts. One day !!

One thing you can do is write it up on a wiki page if you get a minute.

Rgds
John

michelandre
« Reply #12 on: June 23, 2018, 04:43:10 AM »
Hi all,

One last problem...

According to: https://wiki.contribs.org/SME_Server:Documentation:ProxyPass

Code:
db domains set odoo.toto.org domain
db domains setprop odoo.toto.org Nameservers internet
db domains setprop odoo.toto.org ProxyPassTarget http://192.168.1.11/
db domains setprop odoo.toto.org TemplatePath ProxyPassVirtualHosts
signal-event domain-create odoo.toto.org

Accessing from the Internet with TOR.

- db domains setprop odoo.toto.org ProxyPassTarget http://192.168.1.11/
odoo.toto.org || http://odoo.toto.org || https://odoo.toto.org = This web site is under construction // default index.htm in Primary.

- db domains setprop odoo.toto.org ProxyPassTarget https://192.168.1.11/
odoo.toto.org || http://odoo.toto.org || https://odoo.toto.org = This web site is under construction // default index.htm in Primary.

- db domains setprop odoo.toto.org ProxyPassTarget http://192.168.1.11:8069/
https://odoo.toto.org/ = Bad Gateway \n The proxy server received an invalid response from an upstream server.
odoo.toto.org || http://odoo.toto.org = Login to Odoo is presented but not secure i.e. http://

Accessing locally it is always redirected to secure https://
So it is something with the reverse-proxy setting on the main server?

I checked httpd.conf on the internal server and under:

Code:
<VirtualHost 0.0.0.0:443>
    ServerName odoo.toto.org
...
    # SSL Directives
    SSLEngine on

    # For the redirection to port 8069
    # Michel-André / 2016-06-22_15h00
    ProxyPass / http://localhost:8069/ retry=0
    ProxyPassReverse / http://localhost:8069/
...
If I put https://localhost:8069 - accessing locally, I will receive: ERR_SSL_PROTOCOL_ERROR.

https://wiki.contribs.org/SME_Server:Documentation:ProxyPass
Quote
Note: HTTP and HTTPS are set to yes by default, so there is no need to set it. Apart from that it is preferred to use no when you want it to be disabled, over on/off or enabled/disabled.

https://forums.contribs.org/index.php/topic,47741.msg236017.html#msg236017
Quote
...
From my digging, it looks like 35ProxyPass is old (mentioned in a bug from 2006), while ProxyPass SSL support was fixed in a later bug (in 2007), by which time the ProxyPass code had been moved to the virtual domains templates.
...
HTTP and HTTPS are set to yes by default, so there is no need to set it. Apart from that it is preferred to use no when you want it to be disabled, over on/off or enabled/disabled.
...

So, instead of using db domains..., will it be better to create an extra odoo.toto.org domain on the main server and do the same thing as I did with a custom-template on the internal server?
Or am I missing something?

Any help appreciated to finally hoist the Victory Banner after a very long journey,

Michel-André
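
Port 8069 is used throughout the thread as a plain-HTTP proxy target (ProxyPass / http://localhost:8069/), and both TLS errors reported (SSL_ERROR_RX_RECORD_TOO_LONG in Reply #4 and ERR_SSL_PROTOCOL_ERROR above) appeared when https:// was pointed at it. The following added example, not part of the original posts, decodes the first bytes of a reply the way a TLS client does, showing why a plain HTTP answer reads as an over-long record; the sample byte strings are constructed, not captured from this server, and the function names are hypothetical.

```python
import struct

# TLS record header: content type (1 byte), protocol version (2), length (2).
TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}
MAX_RECORD = 2**14 + 2048  # largest TLSCiphertext.length in TLS 1.2 (RFC 5246)

# Constructed samples of the first bytes a server might send back.
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n"            # plain HTTP status line
SAMPLE_TLS = b"\x16\x03\x03\x00\x7a\x02\x00\x00\x76"      # start of a ServerHello
SAMPLE_OTHER = b"SSH-2.0-example\r\n"                     # neither HTTP nor TLS


def as_tls_header(first_bytes):
    """Decode the first five bytes exactly as a TLS client would."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes")
    return struct.unpack("!BHH", first_bytes[:5])  # (type, version, length)


def classify(first_bytes):
    """Return (verdict, record length a TLS client would read)."""
    ctype, version, length = as_tls_header(first_bytes)
    if first_bytes[:5] == b"HTTP/":
        return "plaintext-http", length
    if ctype in TLS_TYPES and version >> 8 == 3 and length <= MAX_RECORD:
        return "tls", length
    return "unknown", length


def explain(first_bytes):
    """One-line diagnosis for a proxy or browser operator."""
    verdict, length = classify(first_bytes)
    if verdict == "plaintext-http":
        # 'H' is read as the content type and 'P/' as the 16-bit length.
        return (f"plain HTTP: a TLS client reads a record length of {length}, "
                f"above the {MAX_RECORD}-byte limit, so use http:// for this port")
    if verdict == "tls":
        ctype = as_tls_header(first_bytes)[0]
        return f"TLS {TLS_TYPES[ctype]} record of {length} bytes: use https://"
    return "neither HTTP nor TLS: check what is listening on this port"


if __name__ == "__main__":
    for sample in (SAMPLE_HTTP, SAMPLE_TLS, SAMPLE_OTHER):
        print(repr(sample[:5]), "->", explain(sample))
```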

ReetP
« Reply #13 on: June 23, 2018, 05:43:07 PM »
Can't help right now as I'm out.

I thought this was all on the same host?

If not, which apps are running on which hosts?

Will try & take a look properly tomorrow

michelandre
« Reply #14 on: June 23, 2018, 07:06:14 PM »
Hi ReetP,

Thank you for your reply.

On the internal host, there is only Odoo running because it requires a lot of CPU power.

On the main server connected to the Internet there are 3 WordPress, Fail2ban and PHP Collection from the Contribs - 5.6..7.1.

Michel-André