Ubuntu odoo letsencrypt
1/ Install certbot :
#> sudo apt update
#> sudo apt install certbot
2/ Generate Strong Dh (Diffie-Hellman) Group:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
3/ Map .well-known/acme-challenge to /var/lib/letsencrypt Directory:
#> sudo mkdir -p /var/lib/letsencrypt/.well-known
#> sudo chgrp www-data /var/lib/letsencrypt
#> sudo chmod g+s /var/lib/letsencrypt
we can use an Nginx snippet for the mapping and use later in our files
#> sudo nano /etc/nginx/snippets/letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
allow all; root /var/lib/letsencrypt/; default_type "text/plain"; try_files $uri =404;
}
4/ Create a second snippet ssl.conf which includes the chippers:
sudo nano /etc/nginx/snippets/ssl.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on;
ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload"; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff;
5/ Create your domain nginx bloc:
server {
listen 80; server_name your.com www.your_domain.com;
include snippets/letsencrypt.conf;
}
6/ Create a symbolic link of your file to sites-enabled folder:
sudo ln -s /etc/nginx/sites-available/your_domain.conf /etc/nginx/sites-enabled/
sudo systemctl restart nginx
Obtain an SSL certificate by running Certbot:
sudo certbot certonly --agree-tos --email test@example.com --webroot -w /var/lib/letsencrypt/ -d your_domain.com -d www.your_domain.com
/etc/nginx/sites-available/your_domain.conf
- Odoo servers
upstream odoo {
server 127.0.0.1:8069;
}
upstream odoochat {
server 127.0.0.1:8072;
}
- HTTP -> HTTPS
server {
listen 80; server_name www.your_domain.com your_domain.com;
include snippets/letsencrypt.conf; return 301 https://your_domain.com$request_uri;
}
- WWW -> NON WWW
server {
listen 443 ssl http2; server_name www.your_domain.com;
ssl_certificate /etc/letsencrypt/live/your_domain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/your_domain.com/chain.pem; include snippets/ssl.conf; include snippets/letsencrypt.conf;
return 301 https://your_domain.com$request_uri;
}
server {
listen 443 ssl http2; server_name your_domain.com;
proxy_read_timeout 720s; proxy_connect_timeout 720s; proxy_send_timeout 720s;
# Proxy headers proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Real-IP $remote_addr;
# SSL parameters ssl_certificate /etc/letsencrypt/live/your_domain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/your_domain.com/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/your_domain.com/chain.pem; include snippets/ssl.conf; include snippets/letsencrypt.conf;
# log files access_log /var/log/nginx/odoo.access.log; error_log /var/log/nginx/odoo.error.log;
# Handle longpoll requests
location /longpolling {
proxy_pass http://odoochat;
}
# Handle / requests
location / {
proxy_redirect off;
proxy_pass http://odoo;
}
# Cache static files
location ~* /web/static/ {
proxy_cache_valid 200 90m;
proxy_buffering on;
expires 864000;
proxy_pass http://odoo;
}
# Gzip gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript; gzip on;
}
sudo systemctl restart nginx
Useful Tips about Nginx & Odoo :
1/ In your Odoo config file you need to enable the proxy mode by adding :
proxy_mode = True
2/ Enable the multi-processing mode by extending your Odoo config file:
limit_memory_hard = 1677721600 limit_memory_soft = 629145600 limit_request = 8192 limit_time_cpu = 600 limit_time_real = 1200 max_cron_threads = 1 workers = 8