Contributors mailing list archives

contributors@odoo-community.org

Re: Solution: set up fail2ban for Odoo, if Odoo is running behind a proxy

by IT IS AG, Joerg Lorenz - 14/01/2019 12:21:13
Hi Jörg:

Great approach, as it seems we are the rare ones who really care about security :-)
Anyway, we have done likewise, but we are using a dual-stage proxy setup hardened for tough internet publishing instead.

Best regards, 

Joe


From: "Jörg Ricardo Schumacher" <joerg.schumacher@ehanse.de>
To: "Contributors" <contributors@odoo-community.org>
Sent: Monday, 14 January 2019 12:56:58
Subject: Solution: set up fail2ban for Odoo, if Odoo is running behind a proxy

Hello everyone,

I created an ansible role that will configure fail2ban correctly if Odoo
works behind a proxy, like Apache.

THE PROBLEM:

If Odoo is running behind a proxy like Apache, it is complicated to
extract meaningful log entries, as Odoo will only log 127.0.0.1 as IP.
Therefore, setting up fail2ban is complicated, because a rule that would
block 127.0.0.1 would essentially make the service unavailable.

THE IDEA:

Instead of logging the odoo.log, we can also parse the Apache access.log
and extract the real IP from there. This works, because a failed login
attempt will cause Odoo to re-send the page /web/login to the user,
resulting in an Apache log entry in the form of

7.120.35.25 - - [13/Jan/2019:22:52:25 +0000] "POST /web/login HTTP/1.1" 200 2514 "https://YOUR-DOMAIN.com/" "Mozilla/5.0 (X11; Ubuntu; ..


The role makes sure that Apache logs into a specific file by adding
respective entries to the VHOST, and then passes the path to that file
to fail2ban.

I hope this is useful! As I just started with Ansible, I would
appreciate pull requests / assistance to improve the role such that it
works with different Odoo versions (we use 8) and different webservers
(only Apache at the moment), or just cleans up the code.

Github: https://github.com/eHanse-IT/ansible-odoo-rules-for-fail2ban

Thanks and Brgds

Jörg
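
Added example, not part of the e-mails above or of the linked Ansible role: a Python sketch of the detection the post describes, run over constructed Apache log lines. It assumes, as the post states, that a failed login appears as POST /web/login answered with status 200, and it goes one step further by modelling a maxretry/findtime threshold; the names offenders, LOGIN_RE and _line, the sample IPs and the threshold values are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at the start of the line so that a Referer or User-Agent that
# merely contains "/web/login" can never match; only the request field does.
LOGIN_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /web/login(?:\?[^" ]*)? HTTP/[\d.]+" (?P<status>\d{3}) '
)

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {client_ip: time of the hit that reached maxretry within findtime}.

    Expects lines in chronological order, as Apache writes them.
    """
    recent = defaultdict(deque)   # per-IP timestamps inside the sliding window
    flagged = {}
    for line in lines:
        m = LOGIN_RE.match(line)
        # Status 200 on the POST is the failed-login signal taken from the post.
        if not m or m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > findtime:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= maxretry and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def _line(ip, hms, method="POST", status=200):
    """Build one constructed access-log line in the shape shown in the post."""
    return (f'{ip} - - [13/Jan/2019:{hms} +0000] "{method} /web/login HTTP/1.1" '
            f'{status} 2514 "https://example.test/" "Mozilla/5.0"')

# Constructed sample: one client hammering the login form, one slow client.
SAMPLE = [
    _line("203.0.113.7", "22:52:25"),
    _line("203.0.113.7", "22:52:31"),
    _line("198.51.100.9", "22:52:40", method="GET"),   # page view, not an attempt
    _line("203.0.113.7", "22:52:44"),                  # third hit within 19 s
    _line("198.51.100.9", "22:53:02"),
    _line("198.51.100.9", "23:30:00"),                 # outside the 10 min window
    _line("198.51.100.9", "23:58:00"),
]

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE).items():
        print(f"{ip} reached the threshold at {when.isoformat()}")
```

Because the client address is read from the proxy's own log, 127.0.0.1 never ends up in the result, which is the failure mode the post sets out to avoid.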

