Securing Odoo for External Access with HTTPS using Nginx Proxy Manager

Extend your local Odoo install with a reverse-proxy and Let’s Encrypt so users outside your office can connect via https://odoo.yourdomain.com:8443—no VPN needed.

1. DNS setup for your subdomain

Create an A record in your DNS provider:

  • Type: A
  • Name: odoo
  • Value: 2.179.165.134 (your public IP)
  • TTL: 2 hours (or default)

This ensures odoo.yourdomain.com resolves to your WAN address.

2. Update docker-compose.yml with Nginx Proxy Manager

version: '3.8'
services:
  odoo:
    image: odoo:18
    container_name: odoo
    depends_on: [db]
    ports:
      - "0.0.0.0:8069:8069"
    environment:
      - HOST=db
      - USER=odoo
      - PASSWORD=odoo
    volumes:
      - odoo-data:/var/lib/odoo
    networks: [odoo-net]

  db:
    image: postgres:16
    container_name: db
    environment:
      POSTGRES_DB: odoo
      POSTGRES_USER: odoo
      POSTGRES_PASSWORD: odoo
    volumes:
      - odoo-db-data:/var/lib/postgresql/data
    networks: [odoo-net]

  npm:
    image: jc21/nginx-proxy-manager:latest
    container_name: nginx-proxy-manager
    ports:
      - "80:80"      # HTTP for ACME challenges
      - "81:81"      # Admin UI
      - "8443:443"   # External HTTPS → internal 443
    volumes:
      - npm-data:/data
      - npm-letsencrypt:/etc/letsencrypt
    networks: [odoo-net]

networks:
  odoo-net:

volumes:
  odoo-data:
  odoo-db-data:
  npm-data:
  npm-letsencrypt:

3. Configure pfSense NAT & Firewall

3.1. Firewall / NAT / Port Forward

  • WAN port 81 → 192.168.121.145:8069:81
  • WAN port 8443 → 192.168.121.145:8069:8443

3.2. Firewall / Rules / WAN

  • Allow TCP 81 → WAN address
  • Allow TCP 8443 → WAN address.

(These rules are created automatically with the Port Forward.)

3.3. System / Advanced / Firewall & NAT / Network Address Translation

  • Pure NAT
  • Enable NAT Reflection for 1:1 NAT
  • Enable automatic outbound NAT for Reflection

Note: NAT Reflection (Hairpin NAT) allows connections to the subdomain from inside the office. It “loops” LAN requests back to the internal server correctly.

4. Set up your Proxy Host in Nginx Proxy Manager

  • Domain Names: odoo.yourdomain.com
  • Scheme: http
  • Forward Hostname/IP: 192.168.121.145
  • Forward Port: 8069
  • Websockets Support: ✅
  • Block Common Exploits: ✅

SSL (Let’s Encrypt)

  • Request a new SSL certificate
  • Force SSL, HTTP/2, HSTS
  • Enter your email, accept terms, Save

5. Access Odoo externally

➡️ URL:

https://odoo.yourdomain.com:8443

  • Fully encrypted with Let’s Encrypt
  • Uses port 8443 to avoid conflict with VPN on 443
  • No VPN required
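
To see which services the compose file from step 2 publishes on every host interface, and compare that list with the pfSense forwards from step 3, the script below parses the `ports:` entries. It is an added example, not part of the original post; the function names and the trimmed sample file are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: services and ports trimmed from the compose file in step 2.
sample_compose() {
cat <<'EOF'
services:
  odoo:
    image: odoo:18
    ports:
      - "0.0.0.0:8069:8069"
    networks: [odoo-net]
  npm:
    image: jc21/nginx-proxy-manager:latest
    ports:
      - "80:80"      # HTTP for ACME challenges
      - "81:81"      # Admin UI
      - "8443:443"   # External HTTPS to internal 443
    networks: [odoo-net]
networks:
  odoo-net:
EOF
}

# Print "service host_ip host_port container_port" for each short-syntax
# ports entry ("[ip:]host:container"); ranges, /udp and IPv6 are not handled.
list_published_ports() {
  tr -d "\"'" | awk '
    /^services:/           { in_services = 1; next }
    /^[^ #]/               { in_services = 0 }      # any other top-level key
    !in_services           { next }
    /^  [A-Za-z0-9_-]+:/   { svc = $1; sub(/:$/, "", svc); in_ports = 0; next }
    /^    ports:/          { in_ports = 1; next }
    /^    [A-Za-z0-9_-]+:/ { in_ports = 0; next }
    in_ports && /^ *- / {
      line = $0
      sub(/#.*/, "", line); sub(/^ *- */, "", line); gsub(/[ \t]/, "", line)
      n = split(line, p, ":")
      if (n == 3)      print svc, p[1], p[2], p[3]
      else if (n == 2) print svc, "0.0.0.0", p[1], p[2]  # no IP = all interfaces
    }'
}

# Print "service:host_port" for ports reachable on every host interface.
wide_open_ports() {
  list_published_ports | awk '$2 == "0.0.0.0" { print $1 ":" $3 }'
}

sample_compose | wide_open_ports
```

On the Docker host, `wide_open_ports < docker-compose.yml` runs the same check against the real file.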

Deploying Odoo Community Locally with Docker Compose

In this post we’ll spin up Odoo Community Edition on your local network using Docker Compose, so that any machine on your LAN can connect to it.

1. Create your docker-compose.yml

version: '3.8'
services:
  odoo:
    image: odoo:18
    container_name: odoo
    depends_on:
      - db
    ports:
      - "0.0.0.0:8069:8069"    # Expose Odoo on host port 8069
    environment:
      - HOST=db
      - USER=odoo
      - PASSWORD=odoo
    volumes:
      - odoo-data:/var/lib/odoo
    restart: always

  db:
    image: postgres:16
    container_name: db
    environment:
      POSTGRES_DB: odoo
      POSTGRES_USER: odoo
      POSTGRES_PASSWORD: odoo
    volumes:
      - odoo-db-data:/var/lib/postgresql/data
    restart: always

volumes:
  odoo-data:
  odoo-db-data:

2. Launch the services

docker compose up -d

3. Verify it’s running

curl -I http://localhost:8069
# You should see "HTTP/1.1 303 SEE OTHER" redirecting to /odoo

Open your browser on any LAN machine:
➡️ http://192.168.121.145:8069

Find Out Who’s on Your Network with One Simple Command

Want to see all devices connected to your local network? Try this quick Linux command:

sudo arp-scan --interface=eno2 -l

What does it do?

  • sudo: Runs with superuser privileges (required for network access).
  • arp-scan: Scans for devices using the ARP protocol.
  • --interface=eno2: Specifies the network interface (like your Ethernet or Wi-Fi).
  • -l: Scans the entire local network (same as --localnet).

What will you see?

  • Each device’s IP address
  • MAC address
  • Device vendor (if recognized)

Great for:

  • Checking who’s connected to your Wi-Fi
  • Spotting unknown or suspicious devices
  • Managing your local network
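
To turn the scan into a check for unknown devices, the script below compares arp-scan results against a list of MAC addresses you already know. It is an added example, not part of the original post; the function names, the allowlist file format and the sample scan output are constructed for illustration.

```shell
#!/bin/sh
# Print "ip mac" for every arp-scan result whose MAC is not in the allowlist.
# $1 = file with one known MAC per line (case-insensitive, "#" comments allowed).
unknown_devices() {
  awk -v known_file="$1" '
    BEGIN {
      while ((getline line < known_file) > 0) {
        sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
        if (line != "") known[tolower(line)] = 1
      }
    }
    # Result rows are "IP MAC vendor"; header and footer lines do not match.
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
    tolower($2) ~ /^([0-9a-f][0-9a-f]:)+[0-9a-f][0-9a-f]$/ {
      mac = tolower($2)
      if (!(mac in known) && !(mac in seen)) { seen[mac] = 1; print $1, mac }
    }'
}

# Constructed sample of arp-scan output (addresses and MACs are made up).
sample_scan() {
  printf '%s\n' 'Interface: eno2, type: EN10MB, MAC: 02:00:00:aa:00:01, IPv4: 192.168.121.145'
  printf '%s\n' 'Starting arp-scan with 256 hosts'
  printf '192.168.121.1\t02:00:00:aa:00:fe\t(Unknown: locally administered)\n'
  printf '192.168.121.20\t02:00:00:AA:00:14\t(Unknown: locally administered)\n'
  printf '192.168.121.77\t02:00:00:bb:00:4d\t(Unknown: locally administered)\n'
  printf '\n%s\n' '3 packets received by filter, 0 packets dropped by kernel'
}

# Demo: two known devices, one unknown.
known=$(mktemp)
printf '%s\n' '02:00:00:aa:00:fe  # router' '02:00:00:aa:00:14' > "$known"
sample_scan | unknown_devices "$known"
rm -f "$known"
# Live use: sudo arp-scan --interface=eno2 -l | unknown_devices known-macs.txt
```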

Connecting to a ModBerry 500 via SSH with Dual Ethernet outside the local network

Context

Industrial devices like the ModBerry 500 often come with multiple Ethernet interfaces — typically with eth0 set to a static IP (e.g., 192.168.0.101) and eth1 (e.g., 192.168.20.118) configured via DHCP on your local network.


In some cases, you’ll want to ensure that a specific interface — for example, eth1 — is used as the primary route for Internet access. This is especially important if you plan to remotely connect to the device via SSH, using a custom external port (like 2223) forwarded through your router.

The Problem

Even if you configure the IP and gateway on eth1, Linux may still use eth0 as the default route, because it automatically assigns routing priorities (metrics). In our case, eth1 ended up with metric 203 and eth0 with 202 — making eth0 the preferred route. That’s the opposite of what we wanted.

The Solution: Prioritize eth1 via /etc/dhcpcd.conf

If your system is using dhcpcd as its network manager (which is common on ModBerry), you can set the interface priority easily.

1. Open the config file:

sudo nano /etc/dhcpcd.conf

2. Add this at the end:

interface eth1
  metric 100

interface eth0
  metric 200

This tells the system: “Use eth1 first, because it has a lower metric.”

3. Restart the service:

sudo systemctl restart dhcpcd

4. Check the active routes:

ip route show

You should see something like:

default via 192.168.120.1 dev eth1 metric 100
default via 192.168.0.99 dev eth0 metric 200
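
To check the result of step 4 in a script instead of by eye, the functions below pick the default route with the lowest metric from `ip route show` output and compare its interface with the one you expect. This is an added example, not part of the original post; the function names are hypothetical and the "before" sample is constructed from the metrics quoted in The Problem.

```shell
#!/bin/sh
# Print the interface of the default route the kernel will prefer:
# the "default" entry with the lowest metric (no metric field means 0).
preferred_default_if() {
  awk '
    $1 == "default" {
      dev = ""; metric = 0
      for (i = 2; i < NF; i++) {
        if ($i == "dev")    dev = $(i + 1)
        if ($i == "metric") metric = $(i + 1) + 0
      }
      if (dev != "" && (best == "" || metric < best_metric)) {
        best = dev; best_metric = metric
      }
    }
    END { if (best == "") exit 1; print best }'
}

# Exit 0 only when the wanted interface carries the preferred default route.
assert_default_via() {
  want=$1
  got=$(preferred_default_if) || { echo "no default route found" >&2; return 2; }
  [ "$got" = "$want" ] && return 0
  echo "default route prefers $got, expected $want" >&2
  return 1
}

# Constructed samples: before (metrics 202/203) and after the dhcpcd.conf change.
routes_before='default via 192.168.0.99 dev eth0 metric 202
default via 192.168.120.1 dev eth1 metric 203'
routes_after='default via 192.168.120.1 dev eth1 metric 100
default via 192.168.0.99 dev eth0 metric 200'

printf '%s\n' "$routes_after" | assert_default_via eth1 && echo "eth1 is preferred"
# On the device itself: ip route show | assert_default_via eth1
```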

Open SSH Access on Port 2223 via Router NAT (e.g., pfSense)

In this setup, we’re accessing the ModBerry remotely by forwarding a custom external port (like 2223) on the router’s public IP to port 22 on the ModBerry’s eth1 IP address.

1. Set up a NAT Port Forwarding rule on your router (e.g., pfSense)

  • External port: 2223
  • Internal IP: your ModBerry’s eth1 IP (e.g., 192.168.120.118)
  • Internal port: 22 (default SSH port)
  • Protocol: TCP

This tells your router: “When someone connects to port 2223 on the public IP, forward that to port 22 on the ModBerry’s eth1 interface.”

2. From outside your network, connect using:

ssh -p 2223 user@YOUR_PUBLIC_ROUTER_IP

Replace user with your actual ModBerry username (e.g., root or pi), and YOUR_PUBLIC_ROUTER_IP with the WAN IP of your pfSense router.

Convert JPG Images to Optimized WebP

mogrify -format webp -quality 80 -strip -resize "1024x>" *.jpg

This command creates optimized WebP versions of your JPG images while intelligently handling image sizes: only larger images are resized, and smaller ones are left unchanged. The original JPG files remain untouched, with new WebP versions created alongside them.