Ubuntu odoo letsencrypt

From wiki karavi
Revision as of 09:28, 27 October 2023 by Karavi (talk | contribs) (Created page with "'''1/ Install certbot :''' <nowiki>#</nowiki>> sudo apt update <nowiki>#</nowiki>> sudo apt install certbot '''2/ Generate Strong Dh (Diffie-Hellman) Group:''' sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 '''3/ Map <code>.well-known/acme-challenge</code> to <code>/var/lib/letsencrypt</code> Directory:''' <nowiki>#</nowiki>> sudo mkdir -p /var/lib/letsencrypt/.well-known <nowiki>#</nowiki>> sudo chgrp www-data /var/lib/letsencrypt <nowiki>#</nowiki...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

1/ Install certbot :

#> sudo apt update

#> sudo apt install certbot


2/ Generate Strong Dh (Diffie-Hellman) Group:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048


3/ Map .well-known/acme-challenge to /var/lib/letsencrypt Directory:


#> sudo mkdir -p /var/lib/letsencrypt/.well-known

#> sudo chgrp www-data /var/lib/letsencrypt

#> sudo chmod g+s /var/lib/letsencrypt


we can use an Nginx snippet for the mapping and use later in our files

#> sudo nano /etc/nginx/snippets/letsencrypt.conf


location ^~ /.well-known/acme-challenge/ { 

 allow all;
 root /var/lib/letsencrypt/;
 default_type "text/plain";
 try_files $uri =404;

}


4/ Create a second snippet ssl.conf which includes the chippers:

sudo nano /etc/nginx/snippets/ssl.conf

ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on;

ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload"; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff;



5/ Create your domain nginx bloc:

server { 

 listen 80;
 server_name your.com www.your_domain.com;

 include snippets/letsencrypt.conf;

}

6/ Create a symbolic link of your file to sites-enabled folder:

sudo ln -s /etc/nginx/sites-available/your_domain.conf /etc/nginx/sites-enabled/

sudo systemctl restart nginx

Obtain an SSL certificate by running Certbot:

sudo certbot certonly --agree-tos --email test@example.com --webroot -w /var/lib/letsencrypt/ -d your_domain.com -d www.your_domain.com

/etc/nginx/sites-available/your_domain.conf


  1. Odoo servers

upstream odoo { 

server 127.0.0.1:8069;

}

upstream odoochat { 

server 127.0.0.1:8072;

}

  1. HTTP -> HTTPS

server { 

   listen 80;
   server_name www.your_domain.com your_domain.com;

   include snippets/letsencrypt.conf;
   return 301 https://your_domain.com$request_uri;

}

  1. WWW -> NON WWW

server { 

   listen 443 ssl http2;
   server_name www.your_domain.com;

   ssl_certificate /etc/letsencrypt/live/your_domain.com/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem;
   ssl_trusted_certificate /etc/letsencrypt/live/your_domain.com/chain.pem;
   include snippets/ssl.conf;
   include snippets/letsencrypt.conf;

   return 301 https://your_domain.com$request_uri;

}

server { 

   listen 443 ssl http2;
   server_name your_domain.com;

   proxy_read_timeout 720s;
   proxy_connect_timeout 720s;
   proxy_send_timeout 720s;

   # Proxy headers
   proxy_set_header X-Forwarded-Host $host;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
   proxy_set_header X-Real-IP $remote_addr;

   # SSL parameters
   ssl_certificate /etc/letsencrypt/live/your_domain.com/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem;
   ssl_trusted_certificate /etc/letsencrypt/live/your_domain.com/chain.pem;
   include snippets/ssl.conf;
   include snippets/letsencrypt.conf;

   # log files
   access_log /var/log/nginx/odoo.access.log;
   error_log /var/log/nginx/odoo.error.log;

   # Handle longpoll requests
   location /longpolling {
       proxy_pass http://odoochat;
   }

   # Handle / requests
   location / {
      proxy_redirect off;
      proxy_pass http://odoo;
   }

   # Cache static files
   location ~* /web/static/ {
       proxy_cache_valid 200 90m;
       proxy_buffering on;
       expires 864000;
       proxy_pass http://odoo;
   }

   # Gzip
   gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
   gzip on;

}


sudo systemctl restart nginx


Useful Tips about Nginx & Odoo :

1/ In your Odoo config file you need to enable the proxy mode by adding :

proxy_mode = True

2/ Enable the multi-processing mode by extending your Odoo config file:

limit_memory_hard = 1677721600 limit_memory_soft = 629145600 limit_request = 8192 limit_time_cpu = 600 limit_time_real = 1200 max_cron_threads = 1 workers = 8

Retrieved from "https://wiki.alikaravi.ir/index.php?title=Ubuntu_odoo_letsencrypt&oldid=23"