In order to access your instance using HTTPS through NGINX, you need to follow these steps:
- As root, install the Let's Encrypt client, certbot:
# apt-get update
# apt-get install software-properties-common
# add-apt-repository universe
# add-apt-repository ppa:certbot/certbot
# apt-get update
# apt-get install certbot python-certbot-nginx
- As root, request a certificate from Let's Encrypt (don't forget to change the email and the address of the server):
# certbot certonly --standalone -n --agree-tos
-m [email protected] -d odoo.example.com
- As root, install nginx:
# apt-get install nginx
- Create a configuration file in /etc/nginx/sites-available/odoo-ssl and add an upstream reference as follows:
upstream odoo {
server 127.0.0.1:8069;
}
upstream odoochat {
server 127.0.0.1:8072;
}
- In the same file, add the rewrite rule to redirect http into the https website:
server {
listen 80;
server_name odoo.example.com;
rewrite ^(.*) https://$host$1 permanent;
}
- In the same file, add the following nginx configuration to serve the Odoo instance over https:
server {
listen 443;
server_name odoo.example.com;
proxy_read_timeout 720s;
proxy_connect_timeout 720s;
proxy_send_timeout 720s;
# Place configuration of steps 7 to 12 here
}
- Add the SSL configuration to the server block:
# SSL Configuration
ssl on;
ssl_certificate /etc/letsencrypt/live/odoo.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/odoo.example.com/privkey.pem;
ssl_session_timeout 30m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
ssl_prefer_server_ciphers on;
- Add the log file configuration to the server block:
# Add log files
access_log /var/log/nginx/odoo.access.log;
error_log /var/log/nginx/odoo.error.log;
- Enable gzip by adding the following configuration to the server block:
# enable gzip
gzip on;
gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
- Add proxy headers configuration to the server block:
# Add Headers
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
- Add reverse proxy configuration to the server block:
# Manage longpolling on 8072 port
location /longpolling {
proxy_pass http://odoochat;
}
# Redirect requests to odoo server on 8069
location / {
proxy_redirect off;
proxy_pass http://odoo;
}
- Enable the static cache by adding the following configuration to the server block:
# Enable static cache
location ~* /web/static/ {
proxy_cache_valid 200 60m;
proxy_buffering on;
expires 864000;
proxy_pass http://odoo;
}
- As root, link the configuration file in /etc/nginx/sites-enabled/:
# ln -s /etc/nginx/sites-available/odoo-ssl
/etc/nginx/sites-enabled/odoo-ssl
- As root, remove /etc/nginx/sites-enabled/default:
# rm /etc/nginx/sites-enabled/default
- As Odoo, edit the production configuration file of the instance to enable proxy_mode:
proxy_mode = True
- As root, restart your odoo instance and nginx:
# service odoo restart
# service nginx restart
- As root, create a cron /etc/cron.d/letsencrypt file to ensure that the certificate will get renewed with the following content:
11 5 * * * certbot renew