How it works...

We are using nginx as a reverse HTTP proxy. Incoming HTTP and HTTPS connections are handled by nginx, which delegates the processing of the requests to the Odoo server. The Odoo server is configured to only listen on the local loopback interface (127.0.0.1) on port 8069 for normal requests (http_port) and port 8072 for the long polling requests (longpolling_port). You may need to adapt the port numbers to your configuration.
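To confirm that Odoo really is reachable only through nginx, you can inspect the listening sockets. The script below is an added example, not part of the original recipe: it reads `ss -ltnH` output on stdin and prints any listener on the Odoo ports that is not bound to a loopback address. The function names and the sample socket listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the recipe): report Odoo listeners that bypass nginx.
# Input: output of `ss -ltnH` on stdin. $1: space-separated Odoo ports
# (defaults to the http_port and longpolling_port values used in the text).
odoo_exposed_listeners() {
    awk -v ports="${1:-8069 8072}" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            la = $4                           # local "address:port" column
            idx = match(la, /:[0-9]+$/)       # last colon; IPv6 has several
            if (!idx) next
            addr = substr(la, 1, idx - 1)
            port = substr(la, idx + 1)
            if (!(port in want)) next
            sub(/%.*$/, "", addr)             # drop interface suffix, e.g. %lo
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # drop IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1") next   # loopback is fine
            print la
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample of `ss -ltnH` output (not captured from a real host):
# the long polling port has been left bound to all interfaces.
sample_misconfigured() {
    cat <<'EOF'
LISTEN 0      128        127.0.0.1:8069      0.0.0.0:*
LISTEN 0      128          0.0.0.0:8072      0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
EOF
}

if exposed=$(sample_misconfigured | odoo_exposed_listeners); then
    echo "OK: Odoo listens on loopback only"
else
    echo "EXPOSED (reachable without nginx): $exposed"
fi
```

On the server itself, run `ss -ltnH | odoo_exposed_listeners`, passing the port list as the first argument if you changed http_port or longpolling_port.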

The recipe sets up two files. The first one is the configuration for incoming connections on port 80 using the HTTP protocol. We don't want these because they are in clear text, meaning that the passwords can be sniffed. Therefore, we set up nginx to redirect the URLs permanently to port 443 using the encrypted HTTPS protocol.

The second file is a bit more complex and configures the way nginx should handle connections using the HTTPS protocol:

  • The first configuration block configures the SSL protocol, the encryption key, and certificate, as well as the log file's location.
  • The second block sets some headers on the requests to handle the proper reverse proxying over HTTPS.
  • The location / block defines the default processing of incoming requests; they will be proxied to the Odoo server listening on port 8069.
  • The location /longpolling block handles queries made on URLs starting with /longpolling, which are then forwarded to Odoo on port 8072. These connections are used by the bus addon module to send notifications to the web client.
  • The location ~ /[a-zA-Z0-9_-]*/static/ block uses a regular expression to match the URLs of the static files of Odoo modules. These files are rarely updated, and so we ask nginx to cache them in order to lighten the load on the Odoo server.

The certbot program is a command-line utility that eases interacting with letsencrypt.org. The complete documentation is available at https://certbot.eff.org/docs/. In this recipe, we use two subcommands:

  • certbot certonly <options> will request a signed certificate from letsencrypt for the domains passed to the -d option. Use the -m option to specify your email address. The --standalone option tells certbot to set up a local temporary web server, which Let's Encrypt will attempt to contact to check that you do control the domain for which you are requesting a certificate. It is therefore important that the command is run on the server which will be hosting Odoo, that the DNS is pointing to that server, and that no firewall is blocking ports 80 and 443 on the server.

This check is done by connecting to http://<yourdomain>:80/.well-known/acme. The --standalone mode of certbot creates a temporary web server listening on this port and able to answer the request, but this only works if no other process is listening on port 80 and if the external firewall lets external connections on that port through.

  • certbot renew checks for certificates pending renewal, and automatically renews them. By default, Let's Encrypt certificates have a validity of 90 days, which is quite short. Thanks to this utility, which we run on a daily basis, certificates which are about to expire are automatically renewed.

The Odoo Community Association has a module available in the OCA server-tools project called letsencrypt. At the time of writing this, the module is available for Odoo 10 but not for Odoo 11, although it will most certainly be ported rapidly (and when it is, it will be available at https://github.com/OCA/server-tools/tree/11.0/letsencrypt). The aim of this module is to help you set up Let's Encrypt for your Odoo server.