Skip to content

Instantly share code, notes, and snippets.

@zizitizi

zizitizi/nginx_odoo_letsencrypt.sh

Forked from abdulhamidalsalman/nginx_odoo_letsencrypt.sh
Created April 4, 2023 19:50
Show Gist options
  • Save zizitizi/14306a35376fca52ae081bb50bb72a93 to your computer and use it in GitHub Desktop.
Save zizitizi/14306a35376fca52ae081bb50bb72a93 to your computer and use it in GitHub Desktop.
Download ZIP
Odoo Nginx Reverse Proxy automation with TLS using Let's Encrypt
Raw
nginx_odoo_letsencrypt.sh
#!/bin/bash
#--------------------------------------------------
# Locale changing for localization
#--------------------------------------------------
echo "*********************************"
echo "* *"
echo "* Changing Locales *"
echo "* *"
echo "*********************************"
# Configure timezone and locale
echo -e "\n---- Setting Locales ----"
sudo locale-gen --purge "en_US.UTF-8" && \
echo -e 'LANG="en_US.UTF-8"\nLANGUAGE="en_US:en"\n' > /etc/default/locale && \
sudo dpkg-reconfigure --frontend=noninteractive locales && \
sudo update-locale LANG=en_US.UTF-8
#---------------------------------------------------
# Timezone for Dominican Republic, change as needed
#---------------------------------------------------
echo -e "\n---- Setting Time Zone ----"
echo "America/Santo_Domingo" > /etc/timezone && \
sudo dpkg-reconfigure -f noninteractive tzdata && \
#--------------------------------------------------
# Update Server
#--------------------------------------------------
echo "*********************************"
echo "* *"
echo "* Updating and upgrading *"
echo "* *"
echo "*********************************"
sudo apt-get update
sudo apt-get dist-upgrade -y
#--------------------------------------------------
# Nginx Install
#--------------------------------------------------
echo "*********************************"
echo "* *"
echo "* NGINX and dependencies *"
echo "* *"
echo "*********************************"
apt-get -y install nginx-light
apt-get -y install openssl
apt-get -y install git bc curl
#--------------------------------------------------
# Fixed parameters for NGINX
#--------------------------------------------------
#General Domain and Server
DOMAIN_NAME="EXAMPLE.COM" #change with your domain
SRVR_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
#SSL Configuration
SSL_EMAIL="[email protected]" #email for let's encrypt info
SSL_CERT=/root/.acme.sh/$DOMAIN_NAME/fullchain.cer #ssl_certificate
SSL_CERTK=/root/.acme.sh/$DOMAIN_NAME/${DOMAIN_NAME}.key #ssl_certificate_key
# Not sure about this conf, need some testing.
#SSL_CONF=/root/.acme.sh/$DOMAIN_NAME/${DOMAIN_NAME}.ssl.conf #include ssl_settings.conf
#Odoo Web Gui configuration for Nginx
ODOO_SRVC="odoo"
ODOO_IP="$SRVR_IP" #$SRVR_IP or your private odoo server IP
ODOO_SRVR="odoo.${$DOMAIN_NAME}" #or change as you like
ODOO_PORT="8069"
#--------------------------------------------------
# Let's encrypt install and configuration for SSL
#--------------------------------------------------
echo "*********************************"
echo "* *"
echo "* Getting Let's encrypt *"
echo "* *"
echo "*********************************"
echo -e "\n---- Install acme.sh for Let's encrypt ----"
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install \
--accountemail $SSL_EMAIL \
cd ~
echo -e "\n---- Install SSL Certificates for your domains ----"
~/.acme.sh/acme.sh --issue -d $DOMAIN_NAME -d www.${DOMAIN_NAME} -d $ODOO_SRVR -w /usr/share/nginx/html
echo -e "\n---- Generate Strong Diffie-Hellman Group. ----"
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
#--------------------------------------------------
# NGINX Configuration
#--------------------------------------------------
echo "*********************************"
echo "* *"
echo "* NGINX Conf as Reverse Proxy *"
echo "* *"
echo "*********************************"
echo -e "\n---- Setting up Nginx configurations. ----"
touch /etc/nginx/sites-available/$ODOO_SRVC
echo -e "\n---- Starting conf for $ODOO_SRVC. ----"
cat <<EOF > /etc/nginx/sites-available/$ODOO_SRVC
upstream $ODOO_SRVC {
server $ODOO_IP:$ODOO_PORT;
}
## http redirects to https ##
server {
listen 80 default_server;
server_name $DOMAIN_NAME *.${DOMAIN_NAME} www.${DOMAIN_NAME} $ODOO_SRVR;
# Redirect 301 to HTTPS
return 301 https://\$host\$request_uri;
# log files
access_log /var/log/nginx/${ODOO_SRVC}.access.log;
error_log /var/log/nginx/${ODOO_SRVC}.error.log;
}
## https site##
server {
listen 443;
server_name $DOMAIN_NAME $ODOO_SRVR;
root /usr/share/nginx/html;
index index.html index.htm;
# SSL Configuration
ssl on;
ssl_certificate $SSL_CERT;
ssl_certificate_key $SSL_CERTK;
# ssl_trusted_certificate $SSL_TRUST;
# include $SSL_CONF;
# Only allow the most secure SSL protocols and ciphers
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# ssl_stapling on;
# ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
# Specifies the maximum accepted body size of a client request,
# as indicated by the request header Content-Length.
client_max_body_size 200m;
# add ssl specific settings
keepalive_timeout 60;
# increase proxy buffer to handle some OpenERP web requests
proxy_buffers 16 64k;
proxy_buffer_size 128k;
# LetsEncrypt location
location ~ /.well-known {
allow all;
}
## default location ##
location / {
proxy_pass http://$ODOO_SRVC;
# force timeouts if the backend dies
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
proxy_connect_timeout 3600;
proxy_read_timeout 3600;
proxy_send_timeout 3600;
send_timeout 3600;
# Set headers
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
# Let the Odoo web service know that we're using HTTPS, otherwise
# it will generate URL using http:// and not https://
proxy_set_header X-Forwarded-Proto https;
# By default, do not forward anything
proxy_redirect off;
}
location ~* /[0-9a-zA-Z_]*/static/ {
proxy_cache_valid 200 60m;
proxy_buffering on;
expires 864000;
proxy_pass http://$ODOO_SRVC;
}
} # $ODOO_SRVC Server
EOF
echo -e "\n---- Enable the new sites configuration in the /etc/nginx/sites-enabled. ----"
ln -s /etc/nginx/sites-available/$ODOO_SRVC /etc/nginx/sites-enabled/$ODOO_SRVC
echo -e "\n---- Disabled the default site by deleting the symbolic link for it. ----"
rm /etc/nginx/sites-available/default
echo -e "\n---- Verify Nginx conf file has the right syntax. ----"
nginx -t
echo -e "\n---- Restart the services to load the new configurations. ----"
service nginx restart
echo "-----------------------------------------------------------"
echo "Done! The Nginx Server is up and Running. Specifications:"
echo
echo "Server IP:$SRVR_IP"
echo "Odoo URL: https://$ODOO_SRVR"
echo
echo "-------------------------------------------"
echo "--Below is your /etc/hosts for validation -"
echo "-------------------------------------------"
echo
cat /etc/hosts
echo
echo "------------------------------------------------------------"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment