Contributors mailing list archives
Re: Solution: set up fail2ban for Odoo, if Odoo is running behind a proxy
by Anybox, Pierre Verkest
Thanks for sharing your ansible roles.

At anybox we are using haproxy as load balancer in front of our reverse proxy (nginx) that manages the SSL certificate.
We do not use haproxy as a man in the middle, so it is configured in tcp mode and can't read headers. So to get the real IP
of the end user we are using the proxy protocol: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt which
allows forwarding the end user IP. Then you have to configure your apache/nginx to add this IP in an X-Forwarded-For header,
which is a common practice.
Then some kind of odoo module should be able to add that IP in the logs if it's not already settable, if you feel the apache
access.log is not accurate enough to manage what you want!
On Mon, 14 Jan 2019 at 13:27, Joerg Lorenz <firstname.lastname@example.org> wrote:
Hi Jörg:

Great approach, as it appears we seem to be the rare ones who really care about security :-)

Anyways, we have done likewise, but we are using a dual stage proxy setup hardened for tough internet publishing instead.

Best regards,
Joe

From: "Jörg Ricardo Schumacher" <email@example.com>
To: "Contributors" <firstname.lastname@example.org>
Sent: Monday, 14 January 2019 12:56:58
Subject: Solution: set up fail2ban for Odoo, if Odoo is running behind a proxy

Hello everyone,

I created an ansible role that will configure fail2ban correctly if Odoo works behind a proxy, like Apache.

THE PROBLEM: If Odoo is running behind a proxy like Apache, it is complicated to extract meaningful log entries, as Odoo will only log 127.0.0.1 as IP. Therefore, setting up fail2ban is complicated, because a rule that would block 127.0.0.1 would essentially make the service unavailable.

THE IDEA: Instead of logging the odoo.log, we can also parse the Apache access.log and extract the real IP from there. This works, because a failed login attempt will cause Odoo to re-send the page /web/login to the user, resulting in an Apache log entry in the form of

18.104.22.168 - - [13/Jan/2019:22:52:25 +0000] "POST /web/login HTTP/1.1" 200 2514 "https://YOUR-DOMAIN.com/" "Mozilla/5.0 (X11; Ubuntu; ..

The role makes sure that Apache logs into a specific file by adding respective entries to the VHOST, and then passes the path to that file to fail2ban.

I hope this is useful! As I just started with Ansible, I would appreciate pull requests / assistance to improve the role such that it works with different Odoo versions (we use 8) and different webservers (only Apache at the moment), or just cleans up the code.

Github: https://github.com/eHanse-IT/ansible-odoo-rules-for-fail2ban

Thanks and Brgds
Jörg
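The detection logic Jörg describes (count POST /web/login requests answered with 200 per client IP in the Apache log, then block after a threshold, as fail2ban's failregex plus maxretry/findtime would), written out in Python as an added example that is not part of this thread or of the GitHub role; the log lines are constructed for the example and use documentation IP addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Apache access log (combined format), as the dedicated
# Odoo vhost log would look. IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jan/2019:22:52:25 +0000] "POST /web/login HTTP/1.1" 200 2514 "https://YOUR-DOMAIN.com/" "Mozilla/5.0"
203.0.113.5 - - [13/Jan/2019:22:52:31 +0000] "POST /web/login HTTP/1.1" 200 2514 "https://YOUR-DOMAIN.com/" "Mozilla/5.0"
198.51.100.7 - - [13/Jan/2019:22:52:40 +0000] "GET /web/login HTTP/1.1" 200 2514 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jan/2019:22:52:44 +0000] "POST /web/login HTTP/1.1" 200 2514 "https://YOUR-DOMAIN.com/" "Mozilla/5.0"
198.51.100.7 - - [13/Jan/2019:22:53:02 +0000] "POST /web/login HTTP/1.1" 303 0 "https://YOUR-DOMAIN.com/" "Mozilla/5.0"
203.0.113.5 - - [13/Jan/2019:23:10:00 +0000] "POST /web/login HTTP/1.1" 200 2514 "https://YOUR-DOMAIN.com/" "Mozilla/5.0"
"""

# Equivalent of a fail2ban failregex: a POST to /web/login answered with 200
# means Odoo re-sent the login form, i.e. the attempt failed. A successful
# login answers with a redirect (3xx in the constructed sample), so it does
# not match; plain GETs of the form are ignored as well.
FAILED_LOGIN = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /web/login[^"]*" 200 '
)


def parse_failures(log_text):
    """Yield (ip, timestamp) for every failed Odoo login in the log."""
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group("ip"), ts


def ips_to_ban(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return IPs with at least `maxretry` failures inside a `findtime`
    window, mirroring fail2ban's sliding-window maxretry/findtime check."""
    window = defaultdict(list)
    banned = set()
    for ip, ts in parse_failures(log_text):
        # keep only failures that are still inside findtime of this one
        hits = [t for t in window[ip] if ts - t <= findtime] + [ts]
        window[ip] = hits
        if len(hits) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    print(sorted(ips_to_ban(SAMPLE_LOG)))  # ['203.0.113.5']
```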