In order to be PCI compliant, my database server needs to be separate from my instance of Odoo.
Now I am running 3 servers:
1x Nginx server proxying to Odoo,
1x Odoo server with plenty of excess resources,
1x PostgreSQL server.
My problem is, due to the level of security, I can't SSH tunnel, so I need to connect Odoo to Postgres over SSL. I have a wildcard certificate signed by StartSSL which is valid.
What setting would I need in my Odoo configuration to force it to use SSL whilst communicating with the database, as the first step to making Odoo PCI compliant?
Secondly, I am running 2 separate databases on one master code base install. When I use xmlrpcs it doesn't load in. Can anybody post a sample working config, as I also need to have the connection from the Nginx server and Odoo server speak securely to finalise Odoo being able to be signed off on as PCI compliant.
Any help would be appreciated :)
Odoo server doesn't support SSL communication with the database. To achieve this you will need to modify the way database connections are handled by the server.
As a workaround, you can set up a TLS/SSL tunnel between the database server and Odoo server which will be transparent for the applications. The simplest way is to use SSL port forwarding, where you map the local port to a remote port over SSL; the generic form of the command is
ssh -L <local port>:<remote host name/ip>:<remote port> <host>
Hey Jordan, I decided to see if the configuration option db_ssl = True was valid, and the server booted. I used tcpdump on the PostgreSQL server with nothing connecting but Odoo. I ran this test multiple times, each time with SSL being toggled on and off. Reading the dump file with Wireshark v1.10.6, it shows that database connection encryption does work on the remote server.
For those interested in replicating or implementing:
In your Odoo config file add db_ssl = True
On the PostgreSQL server ensure ssl is set to true in your postgresql.conf (encrypted and non-encrypted seem to run on the same port)
On the PostgreSQL server edit pg_hba.conf from host to hostssl on the correct line to force SSL, or leave as host to default to unencrypted if there is an issue.
I have decided to stick a copy of nginx on the Odoo server; that way I don't have to worry about XMLRPCS as, from what I am reading, it is now deprecated. This also allows me to have fail2ban prevent DDoS a little bit better.
Asked: 3/2/15, 7:19 PM
Seen: 815 times
Last updated: 3/16/15, 8:10 AM