Community mailing list archives

community@mail.odoo.com

Re: dbfilter question

by Andi Becker - 11/17/2015 20:31:20
Limiting access to the database manager is a great idea.

In your vhost settings (if you are using Apache as a proxy) you could write, e.g.:

<Location "/" >
Order deny,allow
Deny from all
Allow from all
</Location>

<Location "/web/database" >
Order deny,allow
Deny from all
Allow from 123.123.123.123 192.168.122.0/24 127.0.0.0/255.0.0.0 ::1/128
</Location>

<Location "/website/info" >
Order deny,allow
Deny from all
Allow from 123.123.123.123 192.168.122.0/24 127.0.0.0/255.0.0.0 ::1/128
</Location>


Where it says 123.123.123.123, fill in your current IP address. If you don't have a fixed one, you need to change this, perhaps every time your IP changes, and then restart apache2, e.g. with "service apache2 restart".

You should also limit access to the info site of each Odoo installation - actually most of them are wide open and don't seem to worry about that, according to our tests on several Odoo sites.

Attackers could spy out what kind of modules you have installed and get better ideas how to get into your site ;-) which is not such a good idea.
So better disable that too.

----

You can actually use the same Odoo installation and create another instance, e.g. Odoo3.

Copy etc/odoo-server.conf, rename the copy, e.g. to odoo3-server.conf, and adjust it to your needs, i.e. leave the %d or %h database parameters out; then you will be presented with the database manager/selector.

Copy init.d/odoo-server and rename the copy to something you like, e.g. odoo3-server. Then adjust the inside with your settings, i.e. the redirect to the renamed conf file.

Adjust your apache2 files if you are using Apache and then do the same as mentioned above. Limit access to the site:

<Location "/" >
Order deny,allow
Deny from all
Allow from all
</Location>

<Location "/web/database" >
Order deny,allow
Deny from all
Allow from 123.123.123.123 192.168.122.0/24 127.0.0.0/255.0.0.0 ::1/128
</Location>

<Location "/website/info" >
Order deny,allow
Deny from all
Allow from 123.123.123.123 192.168.122.0/24 127.0.0.0/255.0.0.0 ::1/128
</Location>

or even limit access much more:

<Location "/page" >
Order deny,allow
Deny from all
Allow from 123.123.123.123 192.168.122.0/24 127.0.0.0/255.0.0.0 ::1/128
</Location>

<Location "/web" >
Order deny,allow
Deny from all
Allow from 123.123.123.123 192.168.122.0/24 127.0.0.0/255.0.0.0 ::1/128
</Location>

or even change the top one

<Location "/" >
Order deny,allow
Deny from all
Allow from 123.123.123.123 192.168.122.0/24 127.0.0.0/255.0.0.0 ::1/128
</Location>

Then only you with your IP will be able to see and work in it.


With kind regards,

 ANDI BECKER

CEO/General Manager LisAndi Co., Ltd.


On Wed, Nov 18, 2015 at 8:07 AM, Olivier Dony <odo@openerp.com> wrote:
On 11/16/2015 08:21 PM, Gastón Pablo Pérez wrote:
> Hi all:
>
> I'm trying to do a little complex configuration on my server, so I have
> multiple Odoo v8 databases and I'm trying to access each one by a different
> URL. I configured the dbfilter option in the config file like this:
>
> dbfilter = ^%d$
>
> So I can access each database directly by the subdomain, I mean
>
> http://subdomain1.domain redirects me to the subdomain1 database
>
> http://subdomain2.domain redirects me to the subdomain2 database
>
> OK, works really well BUT.... I need a method or a way to access the Odoo
> database manager and be able to see all the databases in the combos and have a
> method to access one particular database that has no subdomain configuration
>
> Is it possible?

In a production environment you should be very careful and prevent external 
access to the database manager, typically thanks to the dbfilter and possibly 
extra rewrite rules in your vhosts.

Why don't you simply start a second Odoo server on a different port on the same 
machine, with no dbfilter parameter? You could make it listen to an interface 
and port where only you can connect, which would increase the security of your 
setup, and/or configure another nginx virtual host for it if you need, e.g. with
password protection.
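
An added example, not part of the original message: a small Python model of how Apache evaluates the <Location> rules posted above, so an allow list can be checked before the server is restarted. It assumes literal (non-wildcard) prefixes and an already normalized URL path; the function names are illustrative.

```python
import ipaddress
import re

# Constructed copy of the first three <Location> blocks from the message above.
ALLOW = "123.123.123.123 192.168.122.0/24 127.0.0.0/255.0.0.0 ::1/128"
VHOST = f'''
<Location "/" >
Order deny,allow
Deny from all
Allow from all
</Location>
<Location "/web/database" >
Order deny,allow
Deny from all
Allow from {ALLOW}
</Location>
<Location "/website/info" >
Order deny,allow
Deny from all
Allow from {ALLOW}
</Location>
'''

def parse(conf):
    """Return [(location_prefix, networks)] in file order; networks is None for 'all'."""
    rules = []
    for path, body in re.findall(r'<Location "([^"]+)"\s*>(.*?)</Location>', conf, re.S):
        allow = re.search(r'^Allow from (.+)$', body, re.M).group(1).split()
        nets = None if allow == ['all'] else [
            ipaddress.ip_network(a, strict=False) for a in allow]
        rules.append((path.rstrip('/') or '/', nets))
    return rules

def section_matches(prefix, url_path):
    # A <Location> prefix covers the path itself and everything below it,
    # but only on a "/" boundary: "/web" does not cover "/website".
    return prefix == '/' or url_path == prefix or url_path.startswith(prefix + '/')

def allowed(client_ip, url_path, rules):
    """'Order deny,allow' + 'Deny from all': only an Allow entry lets a client in.
    Matching sections apply in file order, so the last one decides."""
    ip = ipaddress.ip_address(client_ip)
    verdict = True  # no matching section at all: deny,allow defaults to allow
    for prefix, nets in rules:
        if section_matches(prefix, url_path):
            verdict = nets is None or any(ip in net for net in nets)
    return verdict

RULES = parse(VHOST)
```

Calling allowed() with an address outside the list and a path under /web/database returns False, while the same address on any other path returns True because only the "/" section applies.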

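
An added example, not from the thread or from Odoo's code base: a simplified model of how the `dbfilter = ^%d$` setting quoted above narrows the database list per request, and what an instance started without a filter lists. The %h/%d substitution and the `.*` default are modelled on Odoo 8 behaviour as an assumption; database and host names are constructed.

```python
import re

def visible_databases(host_header, all_dbs, dbfilter='.*'):
    """Model of dbfilter applied to one request.
    %h is the host name without the port; %d is its first label,
    or the second label when the first one is "www"."""
    h = host_header.split(':')[0]
    d, _, rest = h.partition('.')
    if d == 'www' and rest:
        d = rest.partition('.')[0]
    pattern = dbfilter.replace('%h', h).replace('%d', d)
    # re.match anchors at the start only, so the trailing "$" in "^%d$"
    # is what stops "subdomain1" from also matching "subdomain10".
    return [db for db in all_dbs if re.match(pattern, db)]

# Constructed sample data: placeholders, not real databases or hosts.
DBS = ['subdomain1', 'subdomain2', 'subdomain10', 'internal']

def report():
    """Database lists seen per host for the filtered and unfiltered instance."""
    return {
        'filtered': visible_databases('subdomain1.domain', DBS, '^%d$'),
        'www': visible_databases('www.subdomain2.domain:8069', DBS, '^%d$'),
        'unanchored': visible_databases('subdomain1.domain', DBS, '^%d'),
        'no_filter': visible_databases('subdomain1.domain', DBS),
    }
```

The 'no_filter' entry lists every database, which is why the second, unfiltered instance suggested in the thread needs the network restrictions described there.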