Security and performance tuning

This guide provides essential recommendations for securing your OpenSPP instance and tuning its performance for production environments. It covers database security, firewall setup, SSL/TLS configuration with Nginx, and implementing regular backups. Additionally, it offers tips on performance tuning, including adjusting worker processes, memory limits, and PostgreSQL settings to handle high-load scenarios.

Security recommendations

1. Database security configuration

After initial setup and database creation, it's strongly recommended to modify the configuration file:

sudo nano /etc/openspp/odoo.conf

Set list_db to False for Production environments:

list_db = False

Restart the service

sudo systemctl restart openspp

Why disable list_db in production:

• Prevents unauthorized users from seeing database names

• Disables database creation/deletion via web interface

• Reduces attack surface by hiding database management interface

• Forces direct database URL access (e.g., http://server:8069/web?db=openspp_prod)

When to keep list_db = True:

• Development environments

• Testing environments

• Initial setup phase

• When multiple databases need frequent management

2. Firewall configuration

Install ufw

sudo apt-get install -y ufw

Allow SSH (adjust port if needed)

sudo ufw allow 22/tcp

Allow OpenSPP web interface

sudo ufw allow 8069/tcp

Allow OpenSPP longpolling (if using real-time features)

sudo ufw allow 8072/tcp

Enable firewall

sudo ufw enable

3. SSL/TLS with Nginx (Recommended for Production)

Run the following commands to install nginx, certbot and create a file in /etc/nginx/sites-available/openspp:

sudo apt-get install -y nginx certbot python3-certbot-nginx
sudo nano /etc/nginx/sites-available/openspp

Add this configuration changing example.com to your domain:

server {
    listen 80;
    server_name example.com;

    # Redirect HTTP to HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    # SSL certificates (will be added by certbot)
    # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Proxy settings
    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;

    # Add headers
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;

    # Redirect requests to OpenSPP
    location / {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:8069;
    }

    # Longpolling
    location /longpolling {
        proxy_pass http://127.0.0.1:8072;
    }

    # Static files
    location ~* /web/static/ {
        proxy_cache_valid 200 90m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://127.0.0.1:8069;
    }
}

Enable the site and get SSL certificate (Change example.com to your domain):

sudo ln -s /etc/nginx/sites-available/openspp /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
sudo certbot --nginx -d example.com

4. Regular backups

Create a backup script:

sudo nano /usr/local/bin/openspp-backup.sh

Add the following content:

#!/bin/bash
BACKUP_DIR="/var/backups/openspp"
DATE=$(date +%Y%m%d_%H%M%S)
DB_NAME="openspp_prod"

# Create backup directory
mkdir -p $BACKUP_DIR

# Backup database
sudo -u postgres pg_dump $DB_NAME | gzip > $BACKUP_DIR/db_${DB_NAME}_${DATE}.sql.gz

# Backup filestore
tar -czf $BACKUP_DIR/filestore_${DATE}.tar.gz /var/lib/openspp/

# Keep only last 30 days of backups
find $BACKUP_DIR -type f -mtime +30 -delete

echo "Backup completed: $DATE"

Make it executable and schedule:

sudo chmod +x /usr/local/bin/openspp-backup.sh
echo "0 2 * * * /usr/local/bin/openspp-backup.sh" | sudo crontab -

Performance tuning

For production environments with high load:

1. Increase workers (1 worker per CPU core, minimum 2 for queue_job):

   workers = 8  # For 8-core server
   server_wide_modules = base,web,queue_job  # Required
   

   Note: Never set workers = 0 in production as this disables queue_job async processing.

2. Adjust memory limits based on available RAM:

   limit_memory_hard = 8589934592  # 8GB
   limit_memory_soft = 6442450944  # 6GB
   

3. PostgreSQL tuning:

   sudo nano /etc/postgresql/16/main/postgresql.conf
   

   Adjust:

   shared_buffers = 2GB
   effective_cache_size = 6GB
   maintenance_work_mem = 512MB
   checkpoint_completion_target = 0.9
   wal_buffers = 16MB
   default_statistics_target = 100
   random_page_cost = 1.1
   

4. Enable caching with Redis (optional):

   sudo apt-get install -y redis-server
   # Configure in odoo.conf if your OpenSPP version supports it