Contributors mailing list archives

contributors@odoo-community.org

Browse archives

Avatar

Solution: set up fail2ban for Odoo, if Odoo is running behind a proxy

by
joerg.schumacher
- 14/01/2019 12:54:56
Hello everyone,

I created an ansible role that will configure fail2ban correctly if Odoo
works behind a proxy, like Apache.

THE PROBLEM:

If Odoo is running behind a proxy like Apache, it is complicated to
extract meaningful log entries, as Odoo will only log 127.0.0.1 as IP.
Therefore, setting up fail2ban is complicated, because a rule that would
block 127.0.0.1 would essentially make the service unavailable.

THE IDEA:

Instead of logging the odoo.log, we can also parse the Apache access.log
and extract the real IP from there. This works, because a failed login
attempt will cause Odoo to re-send the page /web/login to the user,
resulting in an Apache log entry in the form of

7.120.35.25 - - [13/Jan/2019:22:52:25 +0000] "POST /web/login HTTP/1.1"
200 2514 "https://YOUR-DOMAIN.com/" "Mozilla/5.0 (X11; Ubuntu; ..


The role makes sure that Apache logs into a specific file by adding
respective entries to the VHOST, and then passes the path to that file
to fail2ban.

I hope this is useful! As I just started with Ansible, I would
appreciate pull requests / assistance to improve the role such that it
works with different Odoo versions (we use 8) and different webservers
(only Apache at the moment), or just cleans up the code.

Github: https://github.com/eHanse-IT/ansible-odoo-rules-for-fail2ban

Thanks and Brgds

Jörg


Reference