Contributors mailing list archives

Re: Solution: set up fail2ban for Odoo, if Odoo is running behind a proxy

Tecnativa. S. L., Jairo Llopis Aracil
- 15/01/2019 08:41:25

El lun., 14 ene. 2019 a las 11:57, Jörg Ricardo Schumacher (<>) escribió:
Hello everyone,

I created an ansible role that will configure fail2ban correctly if Odoo
works behind a proxy, like Apache.


If Odoo is running behind a proxy like Apache, it is complicated to
extract meaningful log entries, as Odoo will only log as IP.
Therefore, setting up fail2ban is complicated, because a rule that would
block would essentially make the service unavailable.


Instead of logging the odoo.log, we can also parse the Apache access.log
and extract the real IP from there. This works, because a failed login
attempt will cause Odoo to re-send the page /web/login to the user,
resulting in an Apache log entry in the form of - - [13/Jan/2019:22:52:25 +0000] "POST /web/login HTTP/1.1"
200 2514 "" "Mozilla/5.0 (X11; Ubuntu; ..

The role makes sure that Apache logs into a specific file by adding
respective entries to the VHOST, and then passes the path to that file
to fail2ban.

I hope this is useful! As I just started with Ansible, I would
appreciate pull requests / assistance to improve the role such that it
works with different Odoo versions (we use 8) and different webservers
(only Apache at the moment), or just cleans up the code.


Thanks and Brgds


Post to:

Jairo Llopis