Configure Odoo for SSL on Debian.

TLS guide for your Odoo platform.

RobertKet

The easiest way to get a free SSL certificate is to use Let's Encrypt and let certbot automate the process; the setup instructions are here: https://certbot.eff.org/#debianjessie-apache. You can configure Odoo itself using the following guide for Debian: https://www.odoo.com/documentation/9.0/setup/install.html.

Afterwards you'll need to restart your server and configure Apache 2. If you followed the default procedure for your certificates and Odoo configuration, and you have properly configured your DNS provider to point to your website, you should be ready to start configuring iptables and Apache2.

First, ensure iptables is installed and properly configured to allow HTTP, HTTPS, SSH and a few other services based on your desired configuration. A configuration like the one below should be adequate for everything and is pretty close to the default for an Odoo configuration.

target     prot opt source               destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:9987
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:9987
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:8069 

You can add a rule through the CLI using the following command:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Always end your configuration with:

iptables -A INPUT -j DROP

And save with:

sudo service iptables save
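
Because `-A` appends, any rule added after the final DROP is never reached, and `iptables -L` hides interface matches such as the loopback rule, so order is easier to check from `iptables -S INPUT` output. The script below is an added example, not part of the original guide; `audit_input`, `sample_rules` and the sample listing are constructed for illustration. It also flags port 8069 accepted from any source, since that leaves Odoo reachable over plain HTTP alongside the TLS proxy.

```sh
#!/bin/sh
# Added example: audit `iptables -S INPUT` output for rule-order mistakes.
# audit_input and sample_rules are hypothetical helper names.

audit_input() {
    awk '
    /^-P INPUT/ { policy = $3; next }
    /^-A INPUT/ {
        n++
        # Anything after an unconditional verdict is never evaluated.
        if (terminal) {
            printf "UNREACHABLE rule %d after rule %d: %s\n", n, terminal, $0
            findings++; next
        }
        # "-A INPUT -j DROP|ACCEPT" with no match options ends the chain.
        if (NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "ACCEPT")) {
            terminal = n; verdict = $4; next
        }
        # Odoo on 8069 open to any source is plain HTTP beside the TLS proxy.
        if ($0 ~ /--dport 8069( |$)/ && $0 ~ /-j ACCEPT/ &&
            $0 !~ / -s / && $0 !~ / -i /) {
            printf "EXPOSED rule %d: %s\n", n, $0
            findings++
        }
    }
    END {
        if (verdict == "ACCEPT") {
            printf "OPEN rule %d accepts every packet\n", terminal; findings++
        } else if (verdict == "" && policy == "ACCEPT") {
            print "OPEN no final DROP and chain policy is ACCEPT"; findings++
        }
        exit (findings > 0)
    }'
}

# Constructed sample: 443 was appended after the final DROP was already in place.
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8069 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
EOF
}

if sample_rules | audit_input; then echo "ruleset ok"; else echo "ruleset needs fixing"; fi
```

On a live host, run `sudo iptables -S INPUT | audit_input`; a non-zero exit status means at least one finding.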


You'll then want to go to your Apache directory (/etc/apache2/sites-enabled) and modify your enabled sites; certbot will have automatically generated new configuration files there. You can rename these if you'd like or leave them as the default.

cd /etc/apache2/sites-enabled


Run the following commands to enable the Apache modules you'll need.

a2enmod ssl
a2enmod rewrite
a2enmod proxy_http
a2enmod headers


You'll need to modify the following files within the directory.

000-default-le-ssl.conf  000-default.conf


Your 000-default-le-ssl.conf should look similar to this:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    # Certificate, key and TLS options written by certbot
    SSLCertificateFile /etc/letsencrypt/live/www.ketech.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.ketech.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    ServerName www.ketech.org
    ServerAlias ketech.org
    ServerAlias www.rketron.net
    ServerAlias rketron.net

    # Reverse proxy only: forward proxying stays disabled
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Pass every request to the Odoo HTTP service on port 8069
    ProxyPass / http://ketech.org:8069/
    ProxyPassReverse / http://ketech.org:8069/

    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
</IfModule>


Your 000-default.conf should look similar to this:

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    # Send every plain-HTTP request to the HTTPS site
    Redirect permanent / https://www.ketech.org/

    TransferLog /var/log/apache2/transfer.erp.your-domain.at.log
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Once you've configured these it should be as simple as running the following command.

sudo service apache2 restart

You should then have SSL enabled across your whole Odoo site.