Contributors mailing list archives

contributors@odoo-community.org

Re: Solution: set up fail2ban for Odoo, if Odoo is running behind a proxy

by
Anybox, Pierre Verkest
- 14/01/2019 13:36:47
Hi,

Thanks about sharing your ansible roles.

At anybox we are using haproxy as loadbalancer a front of our reverse proxy(nginx) that manage the ssl certificat.
We do not use haproxy as man in the middle so configured on tcp mode so it can't read headers. So to get the real IP
about the end user we are using proxy protocole: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt which
allow to forword the end user IP. Then you have to configure your apache/niginx to add this IP in a x forward for header
which is a common practice.

Then some kind of odoo module should be able to add that ip in logs if it's not already settable if you feel apache
access.log not enough accurate to manage what you want !


regards,


Le lun. 14 janv. 2019 à 13:27, Joerg Lorenz <jlorenz@itis.de> a écrit :
Hi Jörg:

Great approach, as it appears as we seem to be the rare ones who really care about security :-)
Anyways, we have done likewise, but we are using a dual stage proxy setup hardened for tough internet publishing instead. 

Best regards, 

Joe


Von: "Jörg Ricardo Schumacher" <joerg.schumacher@ehanse.de>
An: "Contributors" <contributors@odoo-community.org>
Gesendet: Montag, 14. Januar 2019 12:56:58
Betreff: Solution: set up fail2ban for Odoo, if Odoo is running behind a proxy

Hello everyone,

I created an ansible role that will configure fail2ban correctly if Odoo
works behind a proxy, like Apache.

THE PROBLEM:

If Odoo is running behind a proxy like Apache, it is complicated to
extract meaningful log entries, as Odoo will only log 127.0.0.1 as IP.
Therefore, setting up fail2ban is complicated, because a rule that would
block 127.0.0.1 would essentially make the service unavailable.

THE IDEA:

Instead of logging the odoo.log, we can also parse the Apache access.log
and extract the real IP from there. This works, because a failed login
attempt will cause Odoo to re-send the page /web/login to the user,
resulting in an Apache log entry in the form of

7.120.35.25 - - [13/Jan/2019:22:52:25 +0000] "POST /web/login HTTP/1.1"
200 2514 "https://YOUR-DOMAIN.com/" "Mozilla/5.0 (X11; Ubuntu; ..


The role makes sure that Apache logs into a specific file by adding
respective entries to the VHOST, and then passes the path to that file
to fail2ban.

I hope this is useful! As I just started with Ansible, I would
appreciate pull requests / assistance to improve the role such that it
works with different Odoo versions (we use 8) and different webservers
(only Apache at the moment), or just cleans up the code.

Github: https://github.com/eHanse-IT/ansible-odoo-rules-for-fail2ban

Thanks and Brgds

Jörg


_______________________________________________
Mailing-List: https://odoo-community.org/groups/contributors-15
Post to: mailto:contributors@odoo-community.org
Unsubscribe: https://odoo-community.org/groups?unsubscribe


_______________________________________________
Mailing-List: https://odoo-community.org/groups/contributors-15
Post to: mailto:contributors@odoo-community.org
Unsubscribe: https://odoo-community.org/groups?unsubscribe



--
Anybox
Pierre Verkest
06 51 35 50 50
Github: petrus-v - Twitter: petrusv84