|
|
|
@ -266,26 +266,53 @@ sudo chown root: /etc/init.d/$OE_CONFIG
|
|
|
|
echo -e "\n---- Start ODOO on Startup ----\n"
|
|
|
|
echo -e "\n---- Start ODOO on Startup ----\n"
|
|
|
|
sudo update-rc.d $OE_CONFIG defaults
|
|
|
|
sudo update-rc.d $OE_CONFIG defaults
|
|
|
|
|
|
|
|
|
|
|
|
#--------------------------------------------------
|
|
|
|
#-----------------------------------------------------------------------
|
|
|
|
# Install Nginx if needed
|
|
|
|
# PROXY_MODE != PROXY_NONE (Nginx will be install to port 80 and/or 443)
|
|
|
|
#--------------------------------------------------
|
|
|
|
#-----------------------------------------------------------------------
|
|
|
|
if [ $INSTALL_NGINX = "True" ]; then
|
|
|
|
if [ $PROXY_MODE != "PROXY_NONE" ]; then
|
|
|
|
echo -e "\n---- Installing and setting up Nginx ----"
|
|
|
|
echo -e "\n---- Installing and setting up Nginx ----\n"
|
|
|
|
sudo apt install nginx -y
|
|
|
|
sudo apt install nginx -y
|
|
|
|
|
|
|
|
|
|
|
|
cat <<EOF >~/odoo
|
|
|
|
cat <<EOF >~/odoo
|
|
|
|
server {
|
|
|
|
upstream odoo {
|
|
|
|
listen 80;
|
|
|
|
server 127.0.0.1:$OE_PORT;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
upstream odoochat {
|
|
|
|
|
|
|
|
server 127.0.0.1:$LONGPOLLING_PORT;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
$(
|
|
|
|
|
|
|
|
if [ "$PROXY_MODE" = "PROXY_HTTP" ]; then
|
|
|
|
|
|
|
|
echo "# PROXY MODE USES HTTP"
|
|
|
|
|
|
|
|
echo " server {"
|
|
|
|
|
|
|
|
echo " listen 80;"
|
|
|
|
|
|
|
|
echo " server_name "$WEBSITE_NAME";"
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
# set proper server name after domain set
|
|
|
|
if [ "$PROXY_MODE" = "PROXY_LETSENCRYPT" ]; then
|
|
|
|
server_name $WEBSITE_NAME;
|
|
|
|
echo "# PROXY MODE USES LETSENCRYPT"
|
|
|
|
|
|
|
|
echo " server {"
|
|
|
|
|
|
|
|
echo " listen 80;"
|
|
|
|
|
|
|
|
echo " server_name "$WEBSITE_NAME";"
|
|
|
|
|
|
|
|
echo " "
|
|
|
|
|
|
|
|
echo " rewrite ^(.*) https://\$host\$1 permanent;"
|
|
|
|
|
|
|
|
echo " }"
|
|
|
|
|
|
|
|
echo " "
|
|
|
|
|
|
|
|
echo " server {"
|
|
|
|
|
|
|
|
echo " listen 443 ssl http2;"
|
|
|
|
|
|
|
|
echo " server_name "$WEBSITE_NAME";"
|
|
|
|
|
|
|
|
echo " "
|
|
|
|
|
|
|
|
echo " include snippets/ssl.conf;"
|
|
|
|
|
|
|
|
echo " include snippets/letsencrypt.conf;"
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
# Add Headers for odoo proxy mode
|
|
|
|
# Add Headers for odoo proxy mode
|
|
|
|
proxy_set_header X-Forwarded-Host \$host;
|
|
|
|
proxy_set_header X-Forwarded-Host \$host;
|
|
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
|
|
proxy_set_header X-Forwarded-Proto \$scheme;
|
|
|
|
proxy_set_header X-Forwarded-Proto \$scheme;
|
|
|
|
proxy_set_header X-Real-IP \$remote_addr;
|
|
|
|
proxy_set_header X-Real-IP \$remote_addr;
|
|
|
|
add_header X-Frame-Options "SAMEORIGIN";
|
|
|
|
|
|
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
|
|
|
|
|
|
proxy_set_header X-Client-IP \$remote_addr;
|
|
|
|
proxy_set_header X-Client-IP \$remote_addr;
|
|
|
|
proxy_set_header HTTP_X_FORWARDED_HOST \$remote_addr;
|
|
|
|
proxy_set_header HTTP_X_FORWARDED_HOST \$remote_addr;
|
|
|
|
|
|
|
|
|
|
|
|
@ -302,8 +329,7 @@ if [ $INSTALL_NGINX = "True" ]; then
|
|
|
|
proxy_send_timeout 900s;
|
|
|
|
proxy_send_timeout 900s;
|
|
|
|
|
|
|
|
|
|
|
|
# force timeouts if the backend dies
|
|
|
|
# force timeouts if the backend dies
|
|
|
|
proxy_next_upstream error timeout invalid_header http_500 http_502
|
|
|
|
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
|
|
|
|
http_503;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
types {
|
|
|
|
types {
|
|
|
|
text/less less;
|
|
|
|
text/less less;
|
|
|
|
@ -314,33 +340,34 @@ if [ $INSTALL_NGINX = "True" ]; then
|
|
|
|
gzip on;
|
|
|
|
gzip on;
|
|
|
|
gzip_min_length 1100;
|
|
|
|
gzip_min_length 1100;
|
|
|
|
gzip_buffers 4 32k;
|
|
|
|
gzip_buffers 4 32k;
|
|
|
|
gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript application/pdf image/jpeg image/png;
|
|
|
|
gzip_types text/css text/scss text/less text/plain text/xml application/xml application/json application/javascript application/pdf image/jpeg image/png;
|
|
|
|
gzip_vary on;
|
|
|
|
gzip_vary on;
|
|
|
|
client_header_buffer_size 4k;
|
|
|
|
client_header_buffer_size 4k;
|
|
|
|
large_client_header_buffers 4 64k;
|
|
|
|
large_client_header_buffers 4 64k;
|
|
|
|
client_max_body_size 0;
|
|
|
|
client_max_body_size 0;
|
|
|
|
|
|
|
|
|
|
|
|
location / {
|
|
|
|
location / {
|
|
|
|
proxy_pass http://127.0.0.1:$OE_PORT;
|
|
|
|
proxy_pass http://odoo;
|
|
|
|
# by default, do not forward anything
|
|
|
|
proxy_redirect off; # by default, do not forward anything
|
|
|
|
proxy_redirect off;
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
location /longpolling {
|
|
|
|
location /longpolling {
|
|
|
|
proxy_pass http://127.0.0.1:$LONGPOLLING_PORT;
|
|
|
|
proxy_pass http://odoochat;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
location ~* .(js|css|png|jpg|jpeg|gif|ico)$ {
|
|
|
|
location ~* .(js|css|png|jpg|jpeg|gif|ico)$ {
|
|
|
|
expires 2d;
|
|
|
|
expires 2d;
|
|
|
|
proxy_pass http://127.0.0.1:$OE_PORT;
|
|
|
|
proxy_pass http://odoo;
|
|
|
|
add_header Cache-Control "public, no-transform";
|
|
|
|
add_header Cache-Control "public, no-transform";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
# cache some static data in memory for 60mins.
|
|
|
|
# cache some static data in memory for 60mins.
|
|
|
|
location ~ /[a-zA-Z0-9_-]*/static/ {
|
|
|
|
location ~ /[a-zA-Z0-9_-]*/static/ {
|
|
|
|
proxy_cache_valid 200 302 60m;
|
|
|
|
proxy_cache_valid 200 302 60m;
|
|
|
|
proxy_cache_valid 404 1m;
|
|
|
|
proxy_cache_valid 404 1m;
|
|
|
|
proxy_buffering on;
|
|
|
|
proxy_buffering on;
|
|
|
|
expires 864000;
|
|
|
|
expires 864000;
|
|
|
|
proxy_pass http://127.0.0.1:$OE_PORT;
|
|
|
|
proxy_pass http://odoo;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
EOF
|
|
|
|
EOF
|
|
|
|
@ -358,12 +385,59 @@ fi
|
|
|
|
# Enable ssl with certbot
|
|
|
|
# Enable ssl with certbot
|
|
|
|
#--------------------------------------------------
|
|
|
|
#--------------------------------------------------
|
|
|
|
|
|
|
|
|
|
|
|
if [ $INSTALL_NGINX = "True" ] && [ $ENABLE_SSL = "True" ] && [ $ADMIN_EMAIL != "odoo@example.com" ] && [ $WEBSITE_NAME != "_" ];then
|
|
|
|
if [ $PROXY_MODE = "PROXY_LETSENCRYPT" ] && [ $ADMIN_EMAIL != "odoo@example.com" ] && [ $WEBSITE_NAME != "_" ]; then
|
|
|
|
|
|
|
|
echo -e "\n---- Installing and setting up Cerbot ----\n"
|
|
|
|
sudo add-apt-repository ppa:certbot/certbot -y && sudo apt-get update -y
|
|
|
|
sudo add-apt-repository ppa:certbot/certbot -y && sudo apt-get update -y
|
|
|
|
sudo apt-get install python-certbot-nginx -y
|
|
|
|
sudo apt-get install python-certbot-nginx -y
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
echo -e "\n---- Generating dhparam ----\n"
|
|
|
|
|
|
|
|
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
|
|
|
|
|
|
|
|
sudo mkdir -p /var/lib/letsencrypt/.well-known
|
|
|
|
|
|
|
|
sudo chgrp www-data /var/lib/letsencrypt
|
|
|
|
|
|
|
|
sudo chmod g+s /var/lib/letsencrypt
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
echo -e "\n---- Wrting snippets: ssl.conf + letsencrypt.conf ----\n"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
cat <<EOF >/etc/nginx/snippets/ssl.conf
|
|
|
|
|
|
|
|
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ssl_session_timeout 1d;
|
|
|
|
|
|
|
|
ssl_session_cache shared:SSL:50m;
|
|
|
|
|
|
|
|
ssl_session_tickets off;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
|
|
|
|
|
|
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
|
|
|
|
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ssl_stapling on;
|
|
|
|
|
|
|
|
ssl_stapling_verify on;
|
|
|
|
|
|
|
|
resolver 8.8.8.8 8.8.4.4 valid=300s;
|
|
|
|
|
|
|
|
resolver_timeout 30s;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload" always;
|
|
|
|
|
|
|
|
add_header X-Frame-Options SAMEORIGIN;
|
|
|
|
|
|
|
|
add_header X-Content-Type-Options nosniff;
|
|
|
|
|
|
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
|
|
|
|
|
|
EOF
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
cat <<EOF >/etc/nginx/snippets/letsencrypt.conf
|
|
|
|
|
|
|
|
location ^~ /.well-known/acme-challenge/ {
|
|
|
|
|
|
|
|
allow all;
|
|
|
|
|
|
|
|
root /var/lib/letsencrypt/;
|
|
|
|
|
|
|
|
default_type "text/plain";
|
|
|
|
|
|
|
|
try_files \$uri =404;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
EOF
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
echo -e "\n---- Generating and installing SSL certificates ----\n"
|
|
|
|
sudo certbot --nginx -d $WEBSITE_NAME --noninteractive --agree-tos --email $ADMIN_EMAIL --redirect
|
|
|
|
sudo certbot --nginx -d $WEBSITE_NAME --noninteractive --agree-tos --email $ADMIN_EMAIL --redirect
|
|
|
|
sudo service nginx reload
|
|
|
|
sudo service nginx reload
|
|
|
|
|
|
|
|
|
|
|
|
echo -e "\n---- SSL/HTTPS is enabled! ----\n"
|
|
|
|
echo -e "\n---- SSL/HTTPS is enabled! ----\n"
|
|
|
|
|
|
|
|
echo -e "\n---- Updating cron job to renew certificate ----\n"
|
|
|
|
|
|
|
|
sudo sed -i 's/43200/3600/g' /etc/cron.d/certbot
|
|
|
|
|
|
|
|
sudo sed -i 's/-q renew/-q renew --renew-hook "systemctl reload nginx"/g' /etc/cron.d/certbot
|
|
|
|
|
|
|
|
|
|
|
|
else
|
|
|
|
else
|
|
|
|
echo -e "\n---- SSL/HTTPS isn't enabled due to choice of the user or because of a misconfiguration! ----\n"
|
|
|
|
echo -e "\n---- SSL/HTTPS isn't enabled due to choice of the user or because of a misconfiguration! ----\n"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
@ -381,6 +455,9 @@ echo "Password superadmin (database): $OE_SUPERADMIN"
|
|
|
|
echo "Start Odoo service: sudo service $OE_CONFIG start"
|
|
|
|
echo "Start Odoo service: sudo service $OE_CONFIG start"
|
|
|
|
echo "Stop Odoo service: sudo service $OE_CONFIG stop"
|
|
|
|
echo "Stop Odoo service: sudo service $OE_CONFIG stop"
|
|
|
|
echo "Restart Odoo service: sudo service $OE_CONFIG restart"
|
|
|
|
echo "Restart Odoo service: sudo service $OE_CONFIG restart"
|
|
|
|
|
|
|
|
if [ $PROXY_MODE != "PROXY_NONE" ]; then
|
|
|
|
echo -e "\n---- Nginx configuration file: /etc/nginx/sites-available/odoo ----\n"
|
|
|
|
echo -e "\n---- Nginx configuration file: /etc/nginx/sites-available/odoo ----\n"
|
|
|
|
|
|
|
|
else
|
|
|
|
|
|
|
|
echo -e "\n---- Nginx was not installed because PROXY_MODE is PROXY_NONE ----\n"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
echo "-----------------------------------------------------------"
|
|
|
|
echo "-----------------------------------------------------------"
|
|
|
|
|
Carlitos Melgar
6 years ago