I'm working for a company that hosts Odoo 8 on a Linux VPS server. The employees want to access Odoo from the IP address
(e.g. http://IP-addr:8069). But it's not secure, because if you type http://IP-addr:8069 it redirects to "/web/database/manager", from which anyone in the world can create or delete databases.
How can I secure the entire Odoo website with a login and password for the entire site, and without redirecting to "/web/database/manager"?
Since nobody has posted an answer on this yet, I'll give you my thoughts / tips.
One way you could go is to simply remove the links in the pages (such as manage your databases) by modifying the xml file under the website module.
The only downside here is that if a user manually goes to /web/database/manager he will still be able to access this and has all the rights he wants. Provided that he knows the master password / finds a way to hack it, that is.
To ensure nobody can do this, you could prevent it by adding an .htaccess file or writing an access rule that prevents access to this page from anywhere. You could then simply say that the page should only be shown (allowed) from within your server or from a given IP.
There is a module for this which you can find here: https://github.com/prakashsukraj/Odoo-DBRestrict
If you don't want to use a module you could use Nginx as a reverse proxy in front of Odoo and simply use Nginx rules to restrict access to those pages to certain fixed IP addresses.
There is a detailed question and example about this here: https://www.odoo.com/forum/help-1/question/how-to-show-the-manage-database-page-for-particular-user-like-administrator-in-openerp-v8-57036
I hope this helps you and answers all your questions.
Best of luck!
> define default database in config file ( db_filter = your_db_name )
> forbid showing other db's ( list_db = False )
> consider installing odoo/openerp server to work behind reverse proxy ( apache, nginx or similar )
>> preferably with https and some user certificates required to login (redirect users without cert to some useless)
consider hiring some security consultant to do the job :) because lvl1&2 is only entry level of securing the production server...
Hope it helps : )
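The reverse-proxy setup both answers point to, as an added example that is not part of either post: Nginx terminates HTTPS, requires a client certificate, and allows the database manager path only from one fixed IP. The hostname, certificate paths, company CA and admin IP (203.0.113.10) are placeholders, and it assumes Odoo is bound to 127.0.0.1:8069 so the port is not reachable directly.

```nginx
# Constructed example: hostname, certificate paths and admin IP are placeholders.
# Assumes Odoo listens only on 127.0.0.1:8069 (not exposed to the internet).

server {
    listen 80;
    server_name odoo.example.com;
    return 301 https://$host$request_uri;    # no plain-HTTP access
}

server {
    listen 443 ssl;
    server_name odoo.example.com;

    ssl_certificate        /etc/nginx/ssl/odoo.example.com.crt;
    ssl_certificate_key    /etc/nginx/ssl/odoo.example.com.key;

    # Client certificates issued by the company's own CA (placeholder path).
    ssl_client_certificate /etc/nginx/ssl/company-ca.crt;
    ssl_verify_client      optional;

    # Visitors without a valid client certificate get nothing useful.
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }

    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    # Database manager (and anything else under this prefix):
    # reachable from the fixed admin IP only.
    location /web/database/ {
        allow 203.0.113.10;
        deny  all;
        proxy_pass http://127.0.0.1:8069;
    }

    # Everything else goes to Odoo's normal login.
    location / {
        proxy_pass http://127.0.0.1:8069;
    }
}
```

Run `nginx -t` before reloading, then confirm from an outside address that port 8069 no longer answers and that `/web/database/manager` returns 403.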
|Asked: 1/1/15, 8:17 AM|
|Seen: 1411 times|
|Last updated: 3/16/15, 8:10 AM|