
Lock down Odoo server access (IP allowlist and firewall)

Introduction

This guide explains how to restrict access to your Odoo server so only trusted users and the Cloudpepper platform can reach it.

By default, Cloudpepper servers use UFW (Uncomplicated Firewall). On a fresh server, ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open to the entire world. This guide helps you change that setting so port 443 is only open to specific IP addresses.

📋 Quick Reference: Cloudpepper Platform IPs

If you are just looking for the list of Cloudpepper IPs to whitelist, visit: https://api.cloudpepper.io/ip-list.txt

Prerequisites

Before you begin, ensure you have:

  • SSH Access: You need to be able to log into your server terminal (How to install SSH key on your Cloudpepper managed server).
  • Your IP List: A list of the IP addresses (office, home, VPN) that need access to Odoo.
  • Caution: Follow the steps in order. Do not delete the default rules until you have added your new rules, or you might lock yourself out.

Step 1. Connect to your server over SSH

Open your terminal or an SSH client like Termius. (If you have not done this before, see our guide: How to connect to your server with SSH).

Step 2. Review current firewall rules

First, check what is currently allowed on your server. Run the following commands to see the active rules in detail and then as a numbered list:

sudo ufw status verbose
sudo ufw status numbered

What you should see: You will likely see rules allowing traffic from Anywhere (or 0.0.0.0/0) to three main ports:

  • 22 (SSH) – For terminal access.
  • 80 (HTTP) – For web redirects and certificates.
  • 443 (HTTPS) – For secure Odoo access.

Goal: Identify the rule numbers next to Port 443. We need these numbers later to delete the “Anywhere” access rules.

Step 3. Allow your users’ IPs on HTTPS (443)

Add each office/user IP or CIDR that should reach your site or API over HTTPS.

# replace with your real IPs or ranges
sudo ufw allow from 203.0.113.10 to any port 443 proto tcp
# repeat for other IPs or CIDRs

Step 4. Allow Cloudpepper platform IPs on 443

Cloudpepper needs access for platform services. Use the list at:
https://api.cloudpepper.io/ip-list.txt

Example for a single IP:

sudo ufw allow from 141.95.166.93 to any port 443 proto tcp

Optional helper to add many IPs at once:

curl -fsSL https://api.cloudpepper.io/ip-list.txt | \
  sudo xargs -I{} ufw allow from {} to any port 443 proto tcp
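
The helper above passes every line of the downloaded list to ufw as root without checking it. The following added example (not Cloudpepper's own script) validates each entry and prints the commands for review instead of running them; the function names are hypothetical and the sample list is constructed from documentation address ranges.

```shell
# Added example: validate an allowlist before turning it into UFW rules.
# Commands are printed, not executed, so they can be reviewed first.
is_ipv4() {   # dotted quad, each octet 0-255
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

valid_source() {   # accepts ADDRESS or ADDRESS/PREFIX
  addr=${1%%/*}; max=32
  case "$addr" in
    *:*) max=128   # coarse IPv6 character check; ufw does the final parsing
         case "$addr" in *[!0-9A-Fa-f:]*|*:::*) return 1 ;; esac ;;
    *)   is_ipv4 "$addr" || return 1 ;;
  esac
  case "$1" in
    */*) prefix=${1#*/}
         case "$prefix" in ''|*[!0-9]*|????*) return 1 ;; esac
         # /0 is rejected: it would reopen the port to every address
         [ "$prefix" -ge 1 ] && [ "$prefix" -le "$max" ] || return 1 ;;
  esac
  return 0
}

build_rules() {   # stdin: one entry per line; stdout: ufw commands to review
  rejected=0; cr=$(printf '\r')
  while IFS= read -r line || [ -n "$line" ]; do
    entry=${line%"$cr"}                       # tolerate CRLF line endings
    case "$entry" in ''|'#'*) continue ;; esac
    if valid_source "$entry"; then
      echo "ufw allow from $entry to any port 443 proto tcp"
    else
      echo "rejected: $line" >&2; rejected=1  # non-zero status: do not apply
    fi
  done
  return "$rejected"
}

# Constructed sample list (documentation ranges, not Cloudpepper's real list)
sample_list() {
  printf '%s\n' '# platform' '203.0.113.10' '198.51.100.0/24' '2001:db8::1' \
    '0.0.0.0/0' '203.0.113.300' '<html>error</html>' ''
}

sample_list | build_rules || echo "list had rejected entries; do not apply" >&2
```

To check the live list, pipe `curl -fsSL https://api.cloudpepper.io/ip-list.txt` into `build_rules`, review the printed commands, and run them with sudo only if nothing was rejected.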

Step 5. Remove the wide-open 443 rules

Now that your specific IPs are allowed, it is safe to remove the rule that allows the whole world to access port 443.

  1. Check the rule numbers again (they may have shifted after adding new rules):
    sudo ufw status numbered
  2. Find the number next to the rule that lists 443 with Anywhere (or Anywhere (v6) for the IPv6 rule).
  3. Delete it using the number (replace X with the actual number):
    sudo ufw delete X
  4. Run the status numbered command again after each deletion (the remaining rules are renumbered) and delete any remaining “Anywhere” rules for port 443 (e.g., IPv6 rules).

⚠️ Important: Do not remove rules for Port 80.

  • Cloudpepper uses Port 80 for SSL certificate renewals (Let’s Encrypt).
  • Standard HTTP requests hitting Port 80 are safely redirected to HTTPS automatically (enabled under Domain settings in your Instance dashboard in My Cloudpepper).
  • Your Odoo data is not served on Port 80, so leaving it open is safe and necessary.

Step 6. Verify and reload

Finally, reload the firewall to ensure all changes are active and double-check your work.

sudo ufw reload
sudo ufw status verbose

Success! You should now see that Port 443 allows traffic only from the specific IP addresses you added in Steps 3 and 4.

Important Notes

  • SSH Lockdown: If you also decide to restrict Port 22 (SSH), make sure you still allow Cloudpepper IPs, or we cannot access the server to help you.
  • Global Effect: These firewall rules apply to all Odoo instances running on this specific server.
  • Dynamic IPs: If your office or home internet has a dynamic IP (it changes when you restart your router), you will need to update these rules whenever your IP changes, or request a dedicated IP from your internet provider.