System Architecture and Component Integration
Odoo 18 operates as a multi-tier application with distinct layers that require precise coordination. The architecture separates presentation, application logic, and data persistence into specialized components. Each layer communicates through defined protocols with specific security and performance requirements. Understanding this structure prevents configuration errors that compromise system integrity.
The web interface layer handles HTTP requests through Nginx, which acts as a reverse proxy and SSL terminator. Nginx distributes incoming traffic across multiple Odoo worker processes while serving static content directly. This separation reduces load on the Python application layer and improves response times. Proper Nginx configuration ensures optimal resource utilization and prevents worker exhaustion.
The application layer runs Odoo as a WSGI application under Python 3.10+ with dedicated system user isolation. This layer processes business logic, manages sessions, and generates dynamic content. Worker processes handle requests concurrently, with each worker consuming significant memory resources. Correct worker count configuration balances performance against available system memory.
The data persistence layer utilizes PostgreSQL 15+ for all operational data storage. Odoo establishes persistent database connections that require proper connection pooling configuration. PostgreSQL handles complex queries, transaction management, and data integrity enforcement. Proper indexing and vacuum configuration maintains database performance under heavy loads.
Component integration relies on secure socket communication and proper firewall configuration. Nginx connects to Odoo through Unix sockets or local network ports with strict access controls. Odoo connects to PostgreSQL through peer authentication or encrypted network connections. Each connection point represents a potential security vulnerability that requires specific hardening measures.
Prerequisites and System Preparation
Ubuntu 22.04 LTS provides the foundation with its long-term support and security maintenance guarantees. Start with a minimal installation to reduce attack surface and resource consumption. Ensure your system has at least 2GB RAM and 20GB disk space for basic operation. Production deployments typically require 4GB RAM and 40GB disk space minimum.
System updates eliminate known vulnerabilities in core packages. Execute apt update && apt upgrade -y to apply all security patches and bug fixes. Reboot the system if the kernel receives updates to activate the new version. This baseline establishes a secure foundation for subsequent software installation.
Create a dedicated system user account that isolates Odoo processes from other services. Run adduser --system --group --home /opt/odoo odoo to establish the user with proper system account attributes. This user owns all Odoo files and executes the application with minimal privileges. Isolated execution contains potential security breaches within a constrained environment.
Install Python 3.10+ development tools and essential build dependencies. Execute apt install -y python3-pip python3-dev build-essential to prepare the Python environment. Add libxml2-dev libxslt1-dev libsasl2-dev libldap2-dev libssl-dev for XML processing and authentication support. These packages enable compilation of Python extensions that lack binary distributions.
Configure the system firewall to expose only necessary services. UFW provides a simplified interface for iptables management. Run ufw allow ssh to maintain remote access, then ufw allow 80/tcp and ufw allow 443/tcp for web traffic. Enable the firewall with ufw enable to block all other incoming connections. This basic hardening prevents unauthorized access to non-essential services.
PostgreSQL Database Configuration
PostgreSQL serves as Odoo’s primary data store with specific configuration requirements. Install PostgreSQL 15+ using apt install -y postgresql postgresql-contrib to get the latest version. The package manager ensures proper integration with system security policies and service management. PostgreSQL runs under its own dedicated user account with strict access controls.
Create a database user that matches your Odoo system account name for peer authentication. Execute su - postgres -c "createuser --createdb --username postgres --no-createrole --no-superuser --no-password odoo" as the postgres system user. This command establishes a database role with appropriate privileges for Odoo operations. Peer authentication allows passwordless connections when the system user matches the database role.
Verify the connection method in PostgreSQL’s pg_hba.conf file located in /etc/postgresql/15/main/. Ensure the line local all all peer appears for local socket connections. This configuration enables the odoo system user to connect as the odoo database role without password authentication. Restart PostgreSQL with systemctl restart postgresql to apply changes.
Test the database connection using sudo -u odoo psql -d postgres to verify proper authentication setup. The command should connect without password prompts and present a PostgreSQL command prompt. Execute \conninfo to confirm connection details show the odoo user. This verification prevents authentication errors during Odoo initialization.
Configure PostgreSQL performance parameters based on your available system resources. Modify /etc/postgresql/15/main/postgresql.conf to set shared_buffers = 256MB for systems with 2GB RAM. Set effective_cache_size = 1GB to help the query planner make better index usage decisions. Adjust max_connections = 80 to accommodate Odoo worker processes and maintenance connections.
Odoo Application Installation and Configuration
Download Odoo 18 source code from the official repository using Git for version control. Execute git clone https://github.com/odoo/odoo.git /opt/odoo/odoo-server -b 18.0 --depth=1 to retrieve the stable branch. This approach ensures you receive official releases with security patches rather than development snapshots. Git management simplifies future updates through pull operations.
Create a Python virtual environment to isolate Odoo dependencies from system packages. Run python3 -m venv /opt/odoo/odoo-venv to establish an independent Python environment. Activate the environment with source /opt/odoo/odoo-venv/bin/activate before installing packages. Virtual environments prevent conflicts between Odoo requirements and system Python packages.
Install Odoo Python dependencies using the requirements.txt file from the source code. Execute /opt/odoo/odoo-venv/bin/pip3 install -r /opt/odoo/odoo-server/requirements.txt to install all necessary packages. The virtual environment contains these dependencies without affecting system-wide Python packages. This isolation maintains system stability while allowing Odoo-specific package versions.
Install additional system packages for full functionality including wkhtmltopdf for report generation. Use apt install -y wkhtmltopdf to get the package from Ubuntu repositories. Wkhtmltopdf converts HTML pages to PDF documents for invoices and other business reports. Some Odoo modules require this component for proper reporting functionality.
Create the Odoo configuration file at /etc/odoo.conf with appropriate permissions. Use mkdir -p /etc/odoo and touch /etc/odoo.conf then chown odoo:odoo /etc/odoo.conf. This configuration file controls all aspects of Odoo behavior from database connections to module paths. Isolate configuration from code to simplify maintenance and deployment automation.
Configure core Odoo parameters in the configuration file with these essential settings: [options] admin_passwd = superadmin_secret_password db_host = False db_port = False db_user = odoo db_password = False addons_path = /opt/odoo/odoo-server/addons logfile = /var/log/odoo/odoo.log log_level = info The admin_passwd secures the database management interface while db_host=False enables peer authentication. Addons_path directs Odoo to standard and custom modules while logfile centralizes application logging.
Create the log directory with proper permissions using mkdir -p /var/log/odoo and chown odoo:odoo /var/log/odoo. Odoo requires write access to this directory for application logging and debugging information. Proper log management facilitates troubleshooting and security auditing.
Systemd Service Configuration and Process Management
Systemd provides reliable process supervision and automatic service recovery. Create the service file at /etc/systemd/system/odoo.service with root ownership. This service definition controls how systemd starts, stops, and monitors the Odoo application. Proper service configuration ensures automatic restart after system reboots or process failures.
Define the service with these essential parameters: [Unit] Description=Odoo 18 After=postgresql.service
[Service] Type=simple User=odoo Group=odoo ExecStart=/opt/odoo/odoo-venv/bin/python3 /opt/odoo/odoo-server/odoo-bin -c /etc/odoo.conf KillMode=mixed Restart=on-failure RestartSec=5
[Install] WantedBy=multi-user.target The User and Group directives ensure Odoo runs with appropriate privileges while After=postgresql.service enforces proper startup ordering. Restart=on-failure automatically recovers from unexpected process termination.
Reload systemd to recognize the new service with systemctl daemon-reload. Enable automatic startup with systemctl enable odoo.service which activates the service on system boot. Start the service immediately with systemctl start odoo.service to verify proper configuration. These commands integrate Odoo into standard system management procedures.
Monitor service status using systemctl status odoo.service to confirm successful startup. The output shows active (running) state and recent log entries when the service operates correctly. Check for any error messages that indicate configuration problems or dependency issues. Continuous monitoring ensures early detection of service interruptions.
Examine application logs for detailed operational information using journalctl -u odoo.service -f. The command displays real-time log entries with timestamps and severity levels. Look for database connection messages and HTTP service initialization confirmations. Log analysis provides deeper insight than basic service status checks.
Configure log rotation to prevent disk space exhaustion from growing log files. Create /etc/logrotate.d/odoo with these parameters: /var/log/odoo/*.log { daily missingok rotate 7 compress delaycompress notifempty create 644 odoo odoo } This configuration preserves one week of logs with daily rotation and Gzip compression. Log management maintains system performance while retaining sufficient history for troubleshooting.
Nginx Reverse Proxy and SSL Configuration
Nginx handles HTTP requests efficiently while terminating SSL encryption before traffic reaches Odoo. Install Nginx using apt install -y nginx to get the latest stable version from Ubuntu repositories. The web server operates on port 80 and 443 with superior performance for static content delivery. Reverse proxy configuration separates web server concerns from application logic.
Create a server block configuration at /etc/nginx/sites-available/odoo with these core directives: server { listen 80; server_name your-domain.com;
location / {
proxy_pass http://127.0.0.1:8069;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /longpolling {
proxy_pass http://127.0.0.1:8072;
} } The configuration routes normal requests to Odoo's HTTP port while directing long-polling connections to the dedicated port. Header forwarding ensures Odoo receives accurate client information for geolocation and logging.
Enable the site configuration using ln -s /etc/nginx/sites-available/odoo /etc/nginx/sites-enabled/odoo. Remove the default configuration with rm /etc/nginx/sites-enabled/default to prevent conflicts. These symbolic links activate your specific configuration while maintaining organizational separation between available and enabled sites.
Test Nginx configuration with nginx -t to verify proper syntax before applying changes. The command checks all configuration files for errors and reports any problems with specific line numbers. Correct any identified issues before proceeding to ensure reliable service operation. Restart Nginx with systemctl restart nginx to activate the new configuration.
Implement SSL encryption using Let’s Encrypt certificates for secure communications. Install Certbot with apt install -y certbot python3-certbot-nginx to automate certificate management. Request certificates using certbot --nginx -d your-domain.com which automatically configures Nginx for HTTPS. Certificates renew automatically before expiration through systemd timers.
Modify the Odoo configuration to recognize the reverse proxy setup for proper URL generation. Add these parameters to /etc/odoo.conf:
proxy_mode = True
x_sendfile = True
These settings ensure Odoo generates URLs with the correct domain and protocol while leveraging Nginx’s efficient file serving capabilities. Restart Odoo with systemctl restart odoo to apply the configuration changes.
Verify the complete stack by accessing your domain with HTTPS in a web browser. The Odoo database management interface should appear with a secure padlock icon. Test both normal navigation and real-time features like messaging to confirm proper long-polling configuration. Full functionality verification ensures all components integrate correctly.
Security Hardening and Access Controls
System security requires multiple layers of protection from network to application level. Configure Odoo to listen only on localhost interfaces by adding xmlrpc_interface = 127.0.0.1 to /etc/odoo.conf. This restriction prevents direct external access to the application server, forcing all traffic through the Nginx proxy. Interface binding contains potential vulnerabilities within the local system.
Implement strong database master passwords that differ from your admin password. Odoo uses the admin_passwd parameter to secure database creation and deletion operations. Generate a complex password with 16+ characters mixing uppercase, lowercase, numbers, and symbols. Store this password securely separate from the configuration file for production deployments.
Configure PostgreSQL to reject network connections from unauthorized sources. Modify /etc/postgresql/15/main/pg_hba.conf to comment out any host all all lines that allow external connections. Use local all all peer for socket connections and host all 127.0.0.1/32 md5 for specific local IP ranges. These restrictions prevent database access from compromised network services.
Set strict file permissions on Odoo directories to prevent unauthorized access. Execute chmod 750 /opt/odoo and chmod 640 /etc/odoo.conf to restrict read access to the odoo user and group. Configuration files contain database credentials and security parameters that require protection. Proper permission settings form the foundation of filesystem security.
Implement fail2ban to block brute force attacks against the Odoo login interface. Install with apt install -y fail2ban then create /etc/fail2ban/jail.d/odoo.conf with these settings:
[odoo]
enabled = true
port = 8069,8072
filter = odoo
logpath = /var/log/odoo/odoo.log
maxretry = 5
bantime = 600
This configuration blocks IP addresses for 10 minutes after five failed authentication attempts. Fail2ban scans application logs for patterns indicating malicious activity.
Create the filter file at /etc/failtoabn/filter.d/odoo.conf with these contents:
[Definition]
failregex = ^.* WARNING odoo odoo.http: Invalid login for database:.* from
Regular security updates address newly discovered vulnerabilities. Configure automatic security updates with apt install -y unattended-upgrades and enable automatic reboots for kernel updates. Schedule weekly security audits that review user accounts, file permissions, and login attempts. Proactive maintenance prevents exploitation of known security issues.
Performance Optimization and Scaling
Odoo performance depends on proper resource allocation across multiple system components. Configure Odoo workers based on available CPU cores and system memory. Add these parameters to /etc/odoo.conf for a system with 4GB RAM and 2 CPU cores: workers = 4 limit_memory_hard = 2684354560 limit_memory_soft = 2147483648 limit_request = 8192 limit_time_cpu = 60 limit_time_real = 120 Worker count should equal CPU cores * 2 + 1, while memory limits prevent worker exhaustion. These settings balance concurrent request handling with system resource constraints.
Optimize PostgreSQL for better query performance with specific configuration adjustments. Modify /etc/postgresql/15/main/postgresql.conf with these key parameters: shared_buffers = 512MB effective_cache_size = 2GB work_mem = 10MB maintenance_work_mem = 128MB These values assume a system with 4GB RAM dedicated to database operations. shared_buffers controls memory for caching data, while work_mem improves sort performance.
Implement Redis for caching session data and frequently accessed information. Install Redis with apt install -y redis-server then add these lines to /etc/odoo.conf:
cache_timeout = 3600
redis = True
redis_host = localhost
redis_port = 6379
redis_db = 1
Redis caching reduces database load for common operations like menu rendering and translation lookups. Session storage in Redis enables horizontal scaling across multiple Odoo instances.
Configure Nginx caching for static assets to reduce application server load. Add these directives to your Nginx server block: location /web/static/ { proxy_cache_valid 200 60m; proxy_buffering on; expires 864000; proxy_pass http://127.0.0.1:8069; } Static content caching eliminates redundant requests for CSS, JavaScript, and image files. Browser caching headers reduce bandwidth consumption for repeat visitors.
Monitor system performance using built-in Odoo metrics and system monitoring tools. Enable Odoo statistics with log_level = info_rpc in the configuration file. Install and configure htop for real-time process monitoring and nethogs for network usage analysis. Performance monitoring identifies bottlenecks before they impact user experience.
Backup Strategies and Disaster Recovery
Comprehensive backup strategies protect against data loss from hardware failure or human error. Implement automated PostgreSQL database dumps using pg_dump with custom scripts. Create /opt/odoo/backup.sh with these contents: #!/bin/bash BACKUP_DIR=”/opt/odoo/backups” DATE=$(date +%Y%m%d_%H%M%S) sudo -u odoo pg_dump odoo_prod > $BACKUP_DIR/odoo_backup_$DATE.sql find $BACKUP_DIR -name “*.sql” -mtime +7 -delete This script creates timestamped backups and removes files older than seven days. Schedule daily execution using cron for consistent backup coverage.
Backup filestore directories that contain documents and attachments outside the database. Odoo stores these files in /opt/odoo/.local/share/Odoo by default. Use rsync with compression to copy these files to backup storage: rsync -az /opt/odoo/.local/share/Odoo /backup/storage/ File backups ensure complete data recovery including invoices, reports, and employee documents.
Test restoration procedures regularly to verify backup integrity and recovery processes. Practice restoring databases to a development environment using pg_restore commands. Document the recovery steps with specific commands and expected timeframes. Recovery testing identifies gaps in backup strategies before actual emergencies.
Implement off-site backup storage for protection against physical disasters. Use cloud storage services or remote servers to maintain copies separate from production infrastructure. Automate transfer using rclone or similar tools with encryption for sensitive business data. Geographic separation ensures business continuity despite local disruptions.
Monitor backup completion and storage capacity to prevent backup failures. Implement alerting for backup script errors or insufficient storage space. Regular verification ensures backup systems operate correctly when needed. Monitoring prevents silent backup failures that create false security.