Lock down Odoo server access (IP allowlist and firewall)

Introduction

This guide shows how to restrict inbound access to your Odoo server and whitelist Cloudpepper platform IPs.
Cloudpepper servers use UFW by default. On a new server, ports 22, 80 and 443 are open from anywhere; all other ports are blocked.

Step 1. Connect to your server over SSH

Use an SSH client such as Termius or your terminal.
If you have not done this before, see: How to connect to your server with SSH.

Step 2. Review current firewall rules

Check what is already allowed. You should see 22/80/443 open from anywhere. Enter the following commands in your terminal.

sudo ufw status verbose
sudo ufw status numbered

Step 3. Allow your users’ IPs on HTTPS (443)

Add each office/user IP or CIDR that should reach your site or API over HTTPS.

# replace with your real IPs or ranges
sudo ufw allow from 203.0.113.10 to any port 443 proto tcp
# repeat for other IPs or CIDRs

Step 4. Allow Cloudpepper platform IPs on 443

Cloudpepper needs access for platform services. Use the list at:
https://api.cloudpepper.io/ip-list.txt

Example for a single IP:

sudo ufw allow from 141.95.166.93 to any port 443 proto tcp

Optional helper to add many IPs at once:

curl -fsSL https://api.cloudpepper.io/ip-list.txt | \
  sudo xargs -I{} ufw allow from {} to any port 443 proto tcp
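
The helper above passes every line of a downloaded file straight to a root command. As an added example (not Cloudpepper's own script), the functions below check each line as an IPv4 address or CIDR and print the resulting ufw commands for review instead of running them. The function names are hypothetical, and handling IPv4 only is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: vet a downloaded allowlist before it becomes firewall rules.
# Function names are hypothetical. IPv4 only: anything else is rejected and
# reported by line number so it can be reviewed and added by hand.
NL='
'

# Succeed only if $1 is a dotted-quad IPv4 address (octets 0-255, no leading
# zeros) with an optional /0-32 prefix length.
is_ipv4_cidr() {
  octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
  # grep matches line by line, so refuse values with embedded newlines.
  case $1 in *"$NL"*) return 1 ;; esac
  printf '%s\n' "$1" |
    grep -Eqx "$octet(\.$octet){3}(/(3[0-2]|[12]?[0-9]))?"
}

# Read one entry per line on stdin and print (not run) a ufw command for each
# valid entry. Blank lines and '#' comments are skipped.
build_allow_rules() {
  port=${1:-443}
  cr=$(printf '\r')
  n=0
  while read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    line=${line%"$cr"}                      # tolerate CRLF line endings
    case $line in ''|'#'*) continue ;; esac
    if is_ipv4_cidr "$line"; then
      printf 'ufw allow from %s to any port %s proto tcp\n' "$line" "$port"
    else
      # Report the line number only; never echo untrusted bytes to a terminal.
      printf 'rejected: line %d of input\n' "$n" >&2
    fi
  done
}

# Usage: write the rules to a file, read it, then apply it.
#   curl -fsSL https://api.cloudpepper.io/ip-list.txt | build_allow_rules 443 > rules.sh
#   less rules.sh && sudo sh rules.sh
```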

Step 5. Remove the wide-open 443 rules

Delete any “Anywhere” rules for 443 (and the v6 variant).
Re-list between deletions because numbers change after each delete.

sudo ufw status numbered
sudo ufw delete <number_for_443_anywhere>
sudo ufw status numbered
sudo ufw delete <number_for_443_anywhere_v6>

Do not remove the rules for port 80. Cloudpepper uses port 80 for automatic SSL certificate renewal, and HTTP requests are immediately redirected to HTTPS (ensure this is enabled under the domain settings of your Odoo instance’s dashboard in My Cloudpepper). Your Odoo instance is not served on port 80; real traffic lands on 443 only.

Step 6. Verify and reload

sudo ufw reload
sudo ufw status verbose

You should now see only your allowlisted IPs permitted on 443.
Port 80 remains open.

Notes

  • If you also want to lock down your SSH port, make sure you still allow Cloudpepper IPs.
  • These firewall rules apply to all services and Odoo instances on the server.
  • Keep your allowlist up to date when user IPs or Cloudpepper IPs change.
  • Prefer specific /32 or tight CIDRs over broad ranges.