Help configuring Tryton behind Apache reverse proxy

Hi, I was playing around with GNU Health 3.6.4 version which comes with tryton 5.0.23 and werkzeug installed in a backend server (Ubuntu 20.04 LTS). I was able to install it with SAO 5.6.
In the main server I’ve installed apache2 and configured it with mod_proxy and related modules, the main configuration is similar to:

<VirtualHost *:80>
ProxyPass /
ProxyPassReverse /

When I access from outside the intranet via web (let’s suppose the next URL:, SAO loads correctly showing credentials form for database and user. I was able to login, only one error is prompted: FORBIDDEN.

However that’s not the problem. I was trying to access via the GTK client application pointing to with the database and user created on the server, but doesn’t work.

I was reading some information about it and I conclude that GTK client application works with RPC calls, so the reverse proxy server can not handle the request.

Do I need to configure something else? Is it possible to forward the request when using the GTK client?

Sorry for posting this topic here, but other forums have outdated info even GNU Health doc has no related topic.

Thanks in advance :grinning:

You should use the same series 5.0 also for sao.

If you do not specify a port on the hostname of desktop client, it will tries on port 8080.
So you must make Apache listen also on 8080 or you must use

1 Like

I think this might be a typo, as I’m pretty sure the desktop client normally defaults to port 8000.

Thank you very much, problem solved as you said:

  • I had to use series 5.0 for SAO. Check that trytond.conf config file, [web] section, root path points correctly to SAO folder.
  • The GTK client worked with domain:port configuration, pointing to port 80 in the Host field. Note that if one uses HTTPS config on apache via SSL certificates, it opens port 443, that works too.
  • Reverse proxy needs the next configuration if you have VirtualHost config on 443 port:

RequestHeader set X-Forwarded-Proto “https”
Header always set Access-Control-Allow-Origin “*”

That’s it.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.