Deploying Odoo 13 on Ubuntu 18.04 with Nginx as an SSL reverse proxy
Log in to Ubuntu as a user with sudo privileges and update the system:
sudo apt update
sudo apt upgrade
Install Git, Pip, Node.js and the tools required to build Odoo:
sudo apt install git python3-pip build-essential wget python3-dev python3-venv python3-wheel libxslt-dev libzip-dev libldap2-dev libsasl2-dev python3-setuptools node-less
Create the system user that will run Odoo, with its home directory set to /opt/odoo:
sudo useradd -m -d /opt/odoo -U -r -s /bin/bash odoo
Install and configure PostgreSQL
sudo apt install postgresql
Once the installation is complete, create a PostgreSQL user with the same name as the system user created earlier, in this example odoo:
sudo su - postgres -c "createuser -s odoo"
Install Wkhtmltopdf
wget https://github.com/wkhtmltopdf/wkhtmltopdf/releases/download/0.12.5/wkhtmltox_0.12.5-1.bionic_amd64.deb
sudo apt install ./wkhtmltox_0.12.5-1.bionic_amd64.deb
Install and configure Odoo
We will install Odoo from source inside an isolated Python virtual environment.
First, switch to the user "odoo":
sudo su - odoo
Clone the Odoo source code from GitHub:
git clone https://www.github.com/odoo/odoo --depth 1 --branch 13.0 /opt/odoo/odoo
Once the download is complete, create a new Python virtual environment for Odoo:
cd /opt/odoo
python3 -m venv odoo-venv
Activate the environment with the following command:
source odoo-venv/bin/activate
Install all required Python modules with pip3:
pip3 install wheel
pip3 install -r odoo/requirements.txt
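If you encounter any compilation errors during the installation, make sure all required dependencies are installed.
When finished, deactivate the environment by typing: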
deactivate
Create a new directory that will hold third-party addons:
mkdir /opt/odoo/odoo-custom-addons
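Later we will add this directory to the addons_path parameter, which defines the list of directories where Odoo searches for modules.
Switch back to your sudo user: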
exit
Create a configuration file with the following content:
sudo vi /etc/odoo.conf
[options]
; This is the password that allows database operations:
admin_passwd = my_admin_passwd
db_host = False
db_port = False
db_user = odoo
db_password = False
addons_path = /opt/odoo/odoo/addons,/opt/odoo/odoo-custom-addons
Do not forget to change my_admin_passwd to something more secure.
Create the systemd service file
Create a service file named odoo.service with the following content:
sudo vi /etc/systemd/system/odoo.service
[Unit]
Description=Odoo
Requires=postgresql.service
After=network.target postgresql.service
[Service]
Type=simple
SyslogIdentifier=odoo
PermissionsStartOnly=true
User=odoo
Group=odoo
ExecStart=/opt/odoo/odoo-venv/bin/python3 /opt/odoo/odoo/odoo-bin -c /etc/odoo.conf
StandardOutput=journal+console
[Install]
WantedBy=multi-user.target
Notify systemd that a new unit file exists:
sudo systemctl daemon-reload
Start the Odoo service and enable it to start on boot by running:
sudo systemctl enable --now odoo
Verify the service status:
sudo systemctl status odoo
The output should look like the following, showing that the Odoo service is active and running.
● odoo13.service
Loaded: loaded (/etc/systemd/system/odoo.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2019-10-19 20:06:23 UTC; 3s ago
Main PID: 1860 (python3)
Tasks: 4 (limit: 2362)
CGroup: /system.slice/odoo.service
└─1860 /opt/odoo/odoo-venv/bin/python3 /opt/odoo/odoo/odoo-bin -c /etc/odoo.conf
Test the installation
Open your browser and enter: http://your_domain_or_IP_address:8069
Install Nginx
sudo apt install nginx
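Once the installation is complete, the Nginx service starts automatically. You can check the status of the service with the following command: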
sudo systemctl status nginx
The output will look like this:
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2018-04-29 06:43:26 UTC; 8s ago
Docs: man:nginx(8)
Process: 3091 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 3080 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 3095 (nginx)
Tasks: 2 (limit: 507)
CGroup: /system.slice/nginx.service
├─3095 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
└─3097 nginx: worker process
Install Certbot
sudo apt install certbot
Diffie-Hellman key
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
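We will map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.
The following commands create the directory and make it accessible to the Nginx server.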
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
To avoid duplicating code, create the following two snippets, which we will include in all Nginx server block files.
Create the first snippet, letsencrypt.conf:
sudo vi /etc/nginx/snippets/letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}
Create the second snippet, ssl.conf:
sudo vi /etc/nginx/snippets/ssl.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
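The ssl.conf snippet above still enables TLSv1 and TLSv1.1, which RFC 8996 deprecates, and its cipher list includes 3DES and static-RSA suites. The following check is an added example, not part of the original tutorial; the function name audit_nginx_tls and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): flag deprecated TLS protocols and
# weak cipher suites in an Nginx snippet read from stdin.
# Usage on a real host: audit_nginx_tls < /etc/nginx/snippets/ssl.conf

# Constructed sample: the protocol line from ssl.conf plus a shortened
# cipher list that keeps one suite of each kind found in the original.
SAMPLE_SSL_CONF="ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:!DSS';"

# Prints one "WEAK ..." line per finding; returns 1 if anything was flagged.
audit_nginx_tls() {
    conf=$(cat)
    findings=0

    # Values of the ssl_protocols directive, e.g. "TLSv1 TLSv1.1 TLSv1.2"
    protos=$(printf '%s\n' "$conf" |
        sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\([^;]*\);.*/\1/p')
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "WEAK protocol: $p"; findings=$((findings + 1)) ;;
        esac
    done

    # Cipher list with quotes stripped and ':' separators turned into spaces
    ciphers=$(printf '%s\n' "$conf" |
        sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]\{1,\}\([^;]*\);.*/\1/p' |
        tr -d "'\"" | tr ':' ' ')
    for c in $ciphers; do
        case $c in
            \!*) ;;   # exclusions such as !DSS remove suites, nothing to flag
            *DES-CBC3*|*RC4*|*MD5*|*NULL*|*EXP*)
                echo "WEAK cipher (legacy algorithm): $c"
                findings=$((findings + 1)) ;;
            ECDHE-*|DHE-*|EDH-*|TLS_*) ;;   # ephemeral key exchange or TLS 1.3
            *)
                echo "WEAK cipher (no forward secrecy): $c"
                findings=$((findings + 1)) ;;
        esac
    done

    [ "$findings" -eq 0 ]
}
```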
Once the letsencrypt.conf snippet is created, create the server block file and include the snippet as shown below:
sudo vi /etc/nginx/sites-available/example.com.conf
server {
    listen 80;
    server_name example.com www.example.com;
    include snippets/letsencrypt.conf;
}
Create a symbolic link from the sites-available directory to the sites-enabled directory, which Nginx reads during startup:
sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/
Restart the Nginx service:
sudo systemctl restart nginx
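You can now run Certbot and obtain the SSL certificate files with the following command:
sudo certbot certonly --agree-tos --email your_email@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
If the SSL certificate is obtained successfully, certbot prints the following message: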
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2018-07-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Configure SSL, HTTP to HTTPS redirection, WWW to non-WWW redirection, caching of static files, and GZip compression.
sudo vi /etc/nginx/sites-available/example.com.conf
# Odoo servers
upstream odoo {
    server 127.0.0.1:8069;
}
upstream odoochat {
    server 127.0.0.1:8072;
}
# HTTP -> HTTPS
server {
    listen 80;
    server_name www.example.com example.com;
    include snippets/letsencrypt.conf;
    return 301 https://example.com$request_uri;
}
# WWW -> NON WWW
server {
    listen 443 ssl http2;
    server_name www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;
    return 301 https://example.com$request_uri;
}
server {
    listen 443 ssl http2;
    server_name example.com;
    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;
    # Proxy headers
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    # SSL parameters
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;
    # log files
    access_log /var/log/nginx/odoo.access.log;
    error_log /var/log/nginx/odoo.error.log;
    # Handle longpoll requests
    location /longpolling {
        proxy_pass http://odoochat;
    }
    # Handle / requests
    location / {
        proxy_redirect off;
        proxy_pass http://odoo;
    }
    # Cache static files
    location ~* /web/static/ {
        proxy_cache_valid 200 90m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://odoo;
    }
    # Gzip
    gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
    gzip on;
}
Do not forget to replace example.com and set the correct paths to the SSL certificate files.
When finished, restart the Nginx service:
sudo systemctl restart nginx
Automatically renewing the Let's Encrypt SSL certificate
sudo vi /etc/cron.d/certbot
0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"
To test the renewal process, use the certbot --dry-run switch:
sudo certbot renew --dry-run
Next, we need to tell Odoo to use the proxy. Open /etc/odoo.conf and add the following line:
proxy_mode = True
We will configure Odoo to listen only on 127.0.0.1. Add the following two lines at the end of /etc/odoo.conf:
xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1
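Assume a system with 4 CPU cores, 8 GB of RAM and 30 concurrent Odoo users.
30 users / 6 = 5 (5 is the theoretical number of workers needed)
(4 * 2) + 1 = 9 (9 is the theoretical maximum number of workers)
Based on the calculation above, you can use 5 workers plus 1 worker for the cron worker, for a total of 6 workers.
Calculate the RAM consumption based on the number of workers:
RAM = 6 * ((0.8 * 150) + (0.2 * 1024)) ~= 2 GB of RAM
The calculation shows that the Odoo installation will need approximately 2 GB of RAM.
To switch to multiprocessing mode, open /etc/odoo.conf and append the calculated values: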
limit_memory_hard = 2684354560
limit_memory_soft = 2147483648
limit_request = 8192
limit_time_cpu = 600
limit_time_real = 1200
max_cron_threads = 1
workers = 5
Restart the Odoo service for the changes to take effect:
sudo systemctl restart odoo
At this point the reverse proxy is configured, and you can access your Odoo instance at: https://example.com
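One way to confirm that Odoo really is reachable only through Nginx after the restart: this added example (not part of the original tutorial; the function name and the sample input are constructed) reads ss -ltn output and reports any listener on ports 8069 or 8072 that is not bound to a loopback address.

```shell
#!/bin/sh
# Added example (not from the tutorial): list listeners on the Odoo ports
# that are bound to anything other than loopback, from `ss -ltn` output.
# Usage on a real host, after restarting Odoo: ss -ltn | non_loopback_listeners

# Constructed sample: Odoo still bound to all interfaces on 8069.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8069       0.0.0.0:*
LISTEN 0      128    127.0.0.1:8072     0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*'

# $1: space-separated ports to check (default: the 8069 and 8072 upstreams).
# Prints each offending address:port; returns 1 if any was found.
non_loopback_listeners() {
    awk -v ports="${1:-8069 8072}" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print addr ":" port
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}
```

Any line it prints means that port is still exposed directly and bypasses the TLS termination and headers configured in Nginx.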
If Chinese characters do not appear in printed PDFs, you can install the fonts manually:
sudo apt-get install ttf-wqy-zenhei
sudo apt-get install ttf-wqy-microhei