I have a fresh ubuntu server 16.04 with docker running odoo (hiboo/odoo) and it works perfectly fine.
So I’m trying to enforce HTTPS everywhere.
I have try with normal caddy and caddy on docker. None of which worked.
I looks like caddy is doing nothing but input https://mydomain:2015 and that address doesn’t work either.
At this point I feel a bit desperate, I working on this day and night since 2 weeks… I searched everywhere on the web, try many thing, reset my server at least 25 times.
also I keep on having:"
WARNING: File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with “ulimit -n 8192”.
"
Hi @KeilaCoin, firstly what command are you using to run Caddy, and what is it outputting on startup?
As for your Caddyfile:
I believe that as you’ve specified tls self_signed, Automatic HTTPS is disabled and Caddy will serve the www.website.com and website.com on port :2015. I’m assuming you understand that tls self_signed will result in certificate errors that connecting clients will have to click through.
Also, consider adding the transparent preset to your proxy directive so that your Odoo backend has the information it needs about the client.
‘’’
*.domain.com
redir www.domain.com {uri}
proxy / 172.17.0.3:8069 {
header_upstream Host {host}
header_upstream X-Real-IP {remote}
header_upstream X-Forwarded-For {remote}
header_upstream X-Forwarded-Proto {scheme}
header_upstream Connection {>Connection}
header_upstream Upgrade {>Upgrade}
}
proxy /longpolling 172.17.0.3:8071 {
header_upstream Host {host}
}
gzip
header / {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always
# connect via HTTPS (do not use if only testing)
Strict-Transport-Security “max-age=31536000;”
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection “1; mode=block”
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options “nosniff”
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options “DENY”
}
But still serving domain.com:2015 and that address doesn't work.
Please make use of the code formatting by using the button in the post editor or by adding three backticks (```) before and after your code snippets.
Can you define what you mean by “doesn’t work” - there’s about a million ways a webserver can go awry and we rely on its output to help us find the problem.
Are you getting 500 or 400 series errors? Certificate errors? DNS lookup errors? Connection timeouts?
Caddy won’t fetch certificates with the aforementioned Caddyfile because the site is *.domain.com and there is no tls directive to configure on-demand TLS.
We’re still missing crucial information and can’t troubleshoot without it. What, exactly, doesn’t work?
I’d also suggest removing or commenting out the HSTS header until your HTTPS-related issues are sorted.
www.domain.com:80, domain.com, domain.com:443, www.domain.com:443, localhost {
redir www.domain.com {uri}`
proxy / 172.17.0.3:8069 {
header_upstream Host {host}
header_upstream X-Real-IP {remote}
header_upstream X-Forwarded-For {remote}
header_upstream X-Forwarded-Proto {scheme}
header_upstream Connection {>Connection}
header_upstream Upgrade {>Upgrade}
}
proxy /longpolling 172.17.0.3:8072 {
header_upstream Host {host}
}
gzip
header / {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always
# connect via HTTPS (do not use if only testing)
Strict-Transport-Security "max-age=31536000;"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY"
}
but now odoo is missing most of the graphic part, here is the home page for example:
This line is concerning because in this context, logically it is a redirect loop, but luckily it is not working as expected right now due to a syntax mistake - you have a space between the domain and the {uri} placeholder.
I suggest you simplify your site list and split up into two vhosts instead, like so:
2017/02/14 17:32:46 [INFO] XXserverIP.XX - No such site at :80 (Remote: XXXX, Referer: )
2017/02/14 17:32:51 http: TLS handshake error from XXX: tls: first record does not look like a TLS handshake
2017/02/14 17:32:51 http: TLS handshake error from XXX: tls: first record does not look like a TLS handshake
Any way thank you very much for your help Matthew !!
I’m still trying to have it run but it doesn’t work…
I just want a really simple thing: make odoo who’s running on port 8069 on 80 and 443 with SSL/TLS I’m still stuck, I keep on testing config but it doesn’t work.
How should I reverse proxy the odoo app ? I’m lost… now
Just having a quick look at your last Caddyfile, I notice you’ve got a redirect loop on www.domain.com. You also have proxies under *.domain.com that will never be relevant as Caddy will redirect the client before they are followed.
If this is all you want, the following will cover it. Change 127.0.0.1 as necessary:
Again thank you very much for your help ! Things are working now !
I have 3 docker container running:
odoo
postgres
abiosoft/caddy
But, ports from odoo 8069, 8071 are still exposed and accessible without tls. I know it’s not exactly related to caddy but what should I do for caddy to still expose odoo website on 80 and 443 while keeping others ports private ?
You’ll want to set up a firewall. The best way to do that depends on your infrastructure setup, but Ubuntu has a built-in interface to iptables called UFW that’s easy to use in a pinch.
Assuming it hasn’t been configured already and is still on default settings, it should be as simple as:
sudo ufw allow ssh http https
sudo ufw enable
Which will deny all external incoming requests for anything other than the ports used by those services (defaults 22, 80, and 443).
I’m still stuck, I keep on testing config but it doesn’t work.