Clean, hardened, production-optimized version for ERPLibre 18 (ERPLibre)
Goals:
- 🔐 Hardened security
- ⚡ Better websocket / longpolling handling
- 🧠 Efficient static cache
- 🧼 Readable, maintainable config
- 🔁 Ready for Certbot + HTTPS
🔷 Optimized version (clean HTTP + HTTPS)
⚠️ Assumptions:
- ERPLibre on 127.0.0.1:8069
- Longpolling / websocket on 127.0.0.1:8072
- Certbot in use
- Proxy mode enabled in odoo.conf
/etc/nginx/sites-available/erplibre.conf
# ------------------------
# Upstreams
# ------------------------
upstream erplibre_backend {
    server 127.0.0.1:8069;
    keepalive 32;
}
upstream erplibre_longpolling {
    server 127.0.0.1:8072;
    keepalive 16;
}

# ------------------------
# Cache zone for static assets
# ------------------------
# proxy_cache_valid in the /web/static/ location only has an effect once a cache zone
# exists and the location selects it with proxy_cache; the path is an example value.
proxy_cache_path /var/cache/nginx/erplibre levels=1:2 keys_zone=erplibre_static:10m
                 max_size=1g inactive=7d use_temp_path=off;

# ------------------------
# HTTP → HTTPS Redirect
# ------------------------
server {
    listen 80;
    server_name erplibre.domain.tld;

    # Certbot webroot challenge must stay reachable over plain HTTP
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# ------------------------
# HTTPS
# ------------------------
server {
    listen 443 ssl http2;
    server_name erplibre.domain.tld;

    # ------------------------
    # SSL (Certbot managed)
    # ------------------------
    ssl_certificate /etc/letsencrypt/live/erplibre.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/erplibre.domain.tld/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # ------------------------
    # Security Headers
    # ------------------------
    # Defined once at server level; no location below sets add_header, so they are inherited everywhere
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy strict-origin-when-cross-origin;
    add_header X-XSS-Protection "1; mode=block";
    # HSTS (optional, for public sites)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # ------------------------
    # Logs
    # ------------------------
    access_log /var/log/nginx/erplibre-access.log;
    error_log /var/log/nginx/erplibre-error.log;

    # ------------------------
    # Global tuning
    # ------------------------
    client_max_body_size 512M;
    proxy_read_timeout 600s;
    proxy_connect_timeout 60s;
    proxy_send_timeout 600s;
    proxy_buffering on;
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    # ------------------------
    # Gzip
    # ------------------------
    gzip on;
    gzip_min_length 1024;
    gzip_types text/plain text/css application/json application/javascript application/xml;
    gzip_vary on;

    # ------------------------
    # Static assets cache
    # ------------------------
    location ~* /web/static/ {
        proxy_cache erplibre_static;
        proxy_cache_valid 200 302 60m;
        proxy_cache_valid 404 1m;
        expires 7d;
        proxy_pass http://erplibre_backend;
        # HTTP/1.1 with an empty Connection header is required for the upstream keepalive pool
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }

    # ------------------------
    # Longpolling / Websocket
    # ------------------------
    location /websocket {
        proxy_pass http://erplibre_longpolling;
        # Only this location forwards the Upgrade handshake to the bus process
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location /longpolling {
        proxy_pass http://erplibre_longpolling;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # ------------------------
    # Main ERPLibre
    # ------------------------
    location / {
        proxy_pass http://erplibre_backend;
        # Plain HTTP traffic: do not send Connection "upgrade" here, it would defeat
        # the upstream keepalive pool; an empty Connection header enables it
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_redirect off;
    }
}
🔷 What I fixed / improved
1️⃣ Removed duplicated headers
You were defining the headers both in server and in location.
→ Now clean and consistent.
2️⃣ Clear HTTP / HTTPS separation
Production-ready.
You avoid Certbot confusion.
3️⃣ Upstream keepalive
Improves backend performance (fewer TCP reopens).
4️⃣ Clean websocket
ERPLibre 18 uses bus/websocket → config adapted.
5️⃣ Cleaner static cache
Limited to /web/static/ (safer than a broad regex).
6️⃣ Adjusted timeouts
720s was excessive.
600s is enough for ERPLibre.
7️⃣ Hardened security
- HSTS
- nosniff
- Referrer policy
🔷 What YOU need to check on the ERPLibre side
In /etc/odoo.conf:
    proxy_mode = True
    workers = 4  # depending on RAM
    longpolling_port = 8072
Otherwise the reverse proxy is useless.
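An added consistency check (example code, not part of the answer above) that cross-checks those odoo.conf settings against the nginx upstream ports, so a port or proxy_mode mismatch is caught before the proxy is put in front of ERPLibre. It assumes the upstream names used above (erplibre_backend, erplibre_longpolling) and also accepts gevent_port / http_port, the newer names of longpolling_port / xmlrpc_port; both config texts are constructed samples, on a real host read /etc/odoo.conf and the site file instead.

```python
import configparser
import re

# Constructed sample of the [options] section of /etc/odoo.conf
ODOO_CONF = """
[options]
proxy_mode = True
workers = 4  # depending on RAM
http_port = 8069
longpolling_port = 8072
"""

# Constructed excerpt of the nginx upstream blocks, same values as the answer above
NGINX_CONF = """
upstream erplibre_backend { server 127.0.0.1:8069; keepalive 32; }
upstream erplibre_longpolling { server 127.0.0.1:8072; keepalive 16; }
"""

UPSTREAM_RE = re.compile(r"upstream\s+(\w+)\s*\{[^}]*?server\s+[\w.]+:(\d+)")

def nginx_upstream_ports(text):
    """Map upstream name -> backend port parsed from 'upstream NAME { server HOST:PORT; ... }'."""
    return {name: int(port) for name, port in UPSTREAM_RE.findall(text)}

def odoo_options(text):
    """Return the [options] section of an odoo.conf as a dict, inline '#' comments stripped."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return dict(cp["options"])

def check_proxy_setup(odoo_text, nginx_text):
    """Return the list of mismatches; an empty list means odoo.conf and the nginx upstreams agree."""
    opts = odoo_options(odoo_text)
    ports = nginx_upstream_ports(nginx_text)
    problems = []
    if opts.get("proxy_mode", "False").strip().lower() != "true":
        problems.append("proxy_mode is not True: Odoo will ignore the X-Forwarded-* headers")
    if int(opts.get("workers", "0")) < 1:
        problems.append("workers is 0 or unset: the answer expects a multi-worker setup (workers = 4)")
    # http_port/xmlrpc_port and gevent_port/longpolling_port are new/old names of the same options
    http_port = int(opts.get("http_port") or opts.get("xmlrpc_port") or 8069)
    bus_port = int(opts.get("gevent_port") or opts.get("longpolling_port") or 8072)
    if ports.get("erplibre_backend") != http_port:
        problems.append(f"upstream erplibre_backend -> {ports.get('erplibre_backend')}, but Odoo http port is {http_port}")
    if ports.get("erplibre_longpolling") != bus_port:
        problems.append(f"upstream erplibre_longpolling -> {ports.get('erplibre_longpolling')}, but bus port is {bus_port}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_proxy_setup(ODOO_CONF, NGINX_CONF) or ["OK: odoo.conf matches the nginx upstreams"]))
```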