====== Secure remote connections ======
To get secure connections (NET-RPC, eTiny, secure WebDAV). With compression enabled they can also be faster.
===== Stunnel =====
Taken from http://openerp.com/wiki/index.php/InstallationManual/WebClientInstallLinux
Other sources: http://openobject.com/wiki/index.php/Manual_Installation:Installation_Manual/WebClientHTTPS
==== Installation ====
  $ sudo apt-get install stunnel4
Check that stunnel is running when the server boots:
Modify your init.d start scripts to start stunnel in runlevels 3 and 5 (add the link S20stunnel4 -> ../init.d/stunnel4 to the directories /etc/rc3.d and /etc/rc5.d, or run the command sudo update-rc.d -f stunnel4 start 20 3 5)
==== Configuration ====
  - Edit the file **/etc/default/stunnel4**:
  $ sudo vi /etc/default/stunnel4
  - Change ENABLED=0 to ENABLED=1
===== Certificate generation =====
1. Generate a certificate with no CA validation (self-signed). These certificates expire after 365 days!
  $ openssl genrsa 1024 > server.pkey
  $ openssl req -new -x509 -days 365 -key server.pkey -out server.cert
  $ chmod 600 server.pkey
  $ chmod 600 server.cert
  $ sudo chown root:root server.*
  $ sudo mv server.pkey /etc/stunnel
  $ sudo mv server.cert /etc/stunnel
Add to the stunnel configuration:
  sudo vi /etc/stunnel/stunnel.conf

  ;cert = /etc/ssl/certs/stunnel.pem
  ;key = /etc/ssl/certs/stunnel.pem
  cert = /etc/stunnel/server.cert
  key = /etc/stunnel/server.pkey
  [https]
  accept = 443
  connect = 8080
  ;TIMEOUTclose = 0

  sudo /etc/init.d/stunnel4 restart
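
A check for the steps above, added here as an example and not part of the original page: it reads cert and key from the global section of stunnel.conf and reports a private key readable by group or others, a certificate that expires within the given number of days, an RSA key shorter than 2048 bits (which the genrsa 1024 command above produces), and a certificate that does not match the key. The function names, the 30-day default and the 2048-bit threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit the stunnel certificate setup.
# Usage: sh audit.sh /etc/stunnel/stunnel.conf [days]

# conf_get FILE OPTION: value of a global option (set before the first [service]).
# Lines starting with ';' are comments, like the two disabled stunnel.pem lines.
conf_get() {
    awk -v k="$2" '
        /^[ \t]*\[/ { exit }
        /^[ \t]*;/  { next }
        { i = index($0, "="); if (!i) next
          name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
          if (name == k) { val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val) } }
        END { if (val != "") print val }' "$1"
}

# key_private FILE: succeeds only if group and others have no permission bits.
key_private() {
    [ "$(ls -lLd "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# audit_pair CERT KEY [DAYS]: prints one line per finding, nothing when clean.
# Assumes an RSA key, as generated by the openssl genrsa step.
audit_pair() {
    cert=$1; key=$2; days=${3:-30}
    key_private "$key" || echo "private key readable by group/others: $key"
    openssl x509 -in "$cert" -noout -checkend $(( $days * 86400 )) >/dev/null ||
        echo "certificate expires within $days days: $cert"
    bits=$(openssl x509 -in "$cert" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || echo "RSA key shorter than 2048 bits: ${bits:-unknown}"
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
        echo "certificate and private key do not match"
}

# audit_conf CONF [DAYS]: audit the cert/key pair named in stunnel.conf.
# stunnel falls back to the cert file when no key option is given.
audit_conf() {
    c=$(conf_get "$1" cert); k=$(conf_get "$1" key)
    [ -n "$c" ] || { echo "no cert option in the global section of $1"; return 0; }
    audit_pair "$c" "${k:-$c}" "${2:-30}"
}

if [ "$#" -gt 0 ]; then audit_conf "$@"; fi
```

Run it as root from cron with the path to stunnel.conf; any output line is a finding to act on before clients start seeing certificate errors.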
===== OpenERP web client =====
In the web client's configuration file we can leave this configuration:
  server.socket_host = "127.0.0.1"
  server.socket_port = 8070
  tools.proxy.on = True
  tools.proxy.base = 'https://demo.zzsaas.com'
===== SSH (if we do not want to install stunnel) =====
This is an alternative and fast solution for those who do not want or need to hide Tiny behind Apache.
Works with ssh on Linux or PuTTY on Windows.
Create a compressed tunnel to your server. Obviously you need an account on the server, which is not necessary for the "apache" solution.
  ssh -CX username@server -L 8069:localhost:8069 -L 8070:localhost:8070 -L 8089:localhost:8089
localhost may have to be replaced by the server that runs eTiny, if it is different from the login server. I chose 8089 because another service is running on 8080. It is defined in eTiny's dev.cfg:
  server.socket_port=8089
  server.socket_host="server-ip or address"
Connect with your browser to
  * http://localhost:8089
  * or with the GTK client to either 8069 or 8070
and enjoy safe and fast browsing.
Compressing the HTTP connection dramatically improves performance (bandwidth usage) over internet connections.
===== python-pyopenssl =====
Secure but uncompressed XML-RPC (Note: this did not work for jesteve, who is happy with the stunnel solution anyway)
  sudo apt-get install python-pyopenssl
  cd
  openssl genrsa > server.pkey
  openssl req -new -x509 -key server.pkey -out server.cert
  chmod 600 server.pkey
  chmod 600 server.cert