Hi
I have stumbled onto a problem with my ERPNext server when I install my SSL-cert.
I am still investigating this to see if I can find a solution for my NGINX.
But in the meantime, I am thinking out loud in terms of other solutions.
Here is the scenario:
My V12.26 ERPNext seems to be working well without an SSL-cert (VPS on Digital Ocean).
An SSL-cert seems to be breaking my server (I suspect Nginx) because the ERPNext functions seem to continue. (Posting elsewhere on this discussion group.)
I cannot operate my server without HTTPS; that would be irresponsible.
One other way would be to install a VPN pipe between my browser and my server.
I have googled this topic and many VPN names pop up.
Question:
Has anyone else done something like this and could make a recommendation?
My VPS server is running Ubuntu 18.04
@johnlongland you can use a combination of fail2ban and ufw to allow traffic from only your specified IP addresses and block all other connection requests. This should not require any VPN service.
HTTPS will encrypt traffic, so nobody can snoop in on your traffic. I guess in terms of confidentiality, that is certainly a need.
The VPN on the other hand will limit access to your server, so only limited people can access your server in the first place.
To limit access, I have secured a few websites with a client certificate, on top of HTTPS. So every user gets a client SSL certificate and this needs to be presented to the server, otherwise you can’t connect to it. This is a simple config in NGINX and should be easy to add.
This requires issuing (and distributing) the client certs, but it also has the beauty that you can revoke certs and remove access easily. But an OpenVPN server might be a bit easier to handle, as you only need to provide a username/password combo for a user.
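To show what the client-certificate approach in the reply above involves in practice, here is an added example that is not part of the original reply or of ERPNext: a small POSIX shell script that uses the openssl CLI to run a private CA, issue a client certificate, check it the way nginx does with ssl_verify_client and ssl_crl, revoke it through a CRL, and write out the three nginx directives that turn the check on. The CA name demo-ca, the user alice and the temporary directory paths are made up for the demonstration, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original thread: a tiny private CA for nginx
# client certificates (mutual TLS). It issues a client cert, verifies it the
# way nginx would, revokes it, and shows the CRL check failing afterwards.
# Assumes the openssl CLI is installed; "demo-ca", "alice" and the $WORK
# paths are made up for illustration.
set -eu

WORK=""

# Create a fresh CA directory with the bookkeeping files "openssl ca" needs.
make_ca() {
    WORK=$(mktemp -d)
    : > "$WORK/index.txt"           # certificate database (issued/revoked)
    echo 1000 > "$WORK/serial"      # next certificate serial number
    echo 1000 > "$WORK/crlnumber"   # next CRL number
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = $WORK/index.txt
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
new_certs_dir    = $WORK
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 30
policy           = policy_cn

[ policy_cn ]
commonName       = supplied
EOF
    # Self-signed CA certificate: nginx will trust only certs this CA signed.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=demo-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # An (empty) CRL so the file named by nginx's ssl_crl exists from day one.
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# Issue a client certificate for one user; hand them $name.key and $name.crt.
issue_client() {
    name=$1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -batch -notext -days 365 \
        -in "$WORK/$name.csr" -out "$WORK/$name.crt" 2>/dev/null
}

# The same check nginx performs with ssl_verify_client on + ssl_crl:
# chains to our CA and is not on the CRL. Returns 0 if the user is admitted.
verify_client() {
    openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl.pem" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

# Remove one user's access: revoke, then regenerate the CRL (and reload nginx).
revoke_client() {
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# The three directives to add to the existing "listen 443 ssl" server block.
write_nginx_snippet() {
    cat > "$WORK/mtls.conf" <<EOF
ssl_client_certificate $WORK/ca.crt;   # CA that signed the client certs
ssl_crl                $WORK/crl.pem;  # revoked certs; reload nginx after changes
ssl_verify_client      on;             # no valid client cert, no connection
EOF
}

demo() {
    make_ca
    issue_client alice
    verify_client alice && echo "alice: admitted"
    revoke_client alice
    verify_client alice || echo "alice: rejected (revoked)"
    write_nginx_snippet
    cat "$WORK/mtls.conf"
}

demo
```

Copy ca.crt and crl.pem to the server, add the directives from mtls.conf to the HTTPS server block, and run nginx -s reload after every revocation, since nginx reads the CRL file at (re)load time rather than on each request. Each user gets their own name.key and name.crt; for browser import, bundle them into a PKCS#12 file with openssl pkcs12 -export.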
My goal: to be able to access my ERPNext (Digital Ocean VPS) in such a way that the traffic is not clear-text as in HTTP. Yes, HTTPS will encrypt it and that is what I want. But as I indicated, the problem is that when I add my SSL-certificates to my ERPNext server, it seems to break NGINX. Some of the Report buttons on ERPNext start to malfunction. No errors are generated so it's difficult to see what is going wrong. (I have made another post about this on this group.)
And I don't know why I am the only one battling with securing my server with an SSL-cert. I am still investigating and hoping to find a solution.
In the meantime I am looking at a VPN. Yes, you are right … a VPN is going to be very limiting, but I am starting off as a one-man company anyway, so for now it is not a problem.
If you can share the guide you used in implementing HTTPS, it might be easier to help identify why NGINX breaks after you enable SSL. Basically, the only way to encrypt your data from snoopers is to implement HTTPS, hence I would suggest this is the problem you should be focused on solving.
I purchased the SSL-certs from the ISP that is hosting all my URLs (domains.co.za).
If you could spot something that I did wrong I would really appreciate it. I am very frustrated to not be able to use my ERPNext server. Lots of data to punch into my server!
Here are the versions on my server…
redis 4.0.9
python 3.6.9
nginx 1.14.0
MariaDB 10.4
ERPNext: v12.26.0 (version-12)
Frappe Framework: v12.23.0 (version-12)
Ubuntu 18.04 LTS on a 2-CPU Digital Ocean droplet with 4 GB RAM
I suspected as much. Are you using Let's Encrypt or did you get a paid cert? If Let's Encrypt, then try this method by @bkm in his tutorial. Works for me every time:
I am thinking along the same lines as you … to use Let's Encrypt so long … mmmmm
I have my VPN running but it does pose other problems. I have a URL set up to access my server … my_url.co.za. And now that I have a VPN running directly into the ERPNext server, I can no longer use that URL because the only port open is the VPN port and ports 80/443 are now closed. So to access the server I have to use its internal address. And this once again impacts on the installation process because I have to use that IP address as my site name.
I think I'll try Let's Encrypt on my one server (I still have 4 test servers running!).
For those that may be interested, I have installed a VPN into my ERPNext server.
I used this video as a guideline …
It also shows where to get a client for windows that you can setup to access your ERPNext server.
In my setup I also use a Raspberry Pi terminal at the 3D-printing station, so I also had to set up a client on Raspbian.
I used this guide for it.
So my procedure was …
Install OpenVPN on my VPS server.
It generates an xxxx.ovpn file that you use on the client side.
You install OpenVPN on whatever client you are using and run the client using the xxxx.ovpn configuration file (it already contains the encryption keys).
That's it.
It is not an ideal solution. In my case I have to consider it. The problem is, on a VPS you have a public IP and an internal IP. The public IP is linked via a URL that is all managed by the DNS server. So you can access your ERPNext with a URL. With a VPN you can no longer do that. You shut down ports 80 and 443 and access your server with the internal IP address. Yes, of course you can set up a name in the hosts file, but that then becomes your site name. So … lots of things to consider if one wants to use a VPN.
I'm not familiar with the installation of nginx together with Frappe (installation via bench setup nginx), as I have used my own nginx reverse proxy as an HTTPS front for ERPNext.
You might want to look for the nginx config files (normally they are in /etc/nginx/sites-available/ or /etc/nginx/sites-enabled/; they are linked files). My reverse proxy config looks as follows. Maybe you find the problem by comparing it with your setup?
server {
    server_name erp.domain.com;

    location / {
        # Backend: the ERPNext host's plain-HTTP nginx on the internal network
        proxy_pass http://192.168.7.18:80;
        proxy_redirect off;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        # Pass the real client address and original host through to the backend
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Allow WebSocket upgrades (ERPNext's realtime socket.io traffic)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Large uploads (attachments, data import files)
        client_max_body_size 512M;
    }

    access_log /var/log/nginx/erp.domain.com-access.log;
    error_log /var/log/nginx/erp.domain.com-error.log;

    # TLS termination happens here; the backend only ever sees plain HTTP
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/erp.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/erp.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    # Plain-HTTP requests for the site are redirected to HTTPS
    if ($host = erp.domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name erp.domain.com;
    listen 80;
    return 404; # managed by Certbot
}