Deploying Odoo 13 on Ubuntu 18.04 with SSL via an Nginx reverse proxy

Log in to Ubuntu as a sudo user and update the system:

sudo apt update
sudo apt upgrade 

Install Git, Pip, Node.js and the tools needed to build Odoo:

sudo apt install git python3-pip build-essential wget python3-dev python3-venv python3-wheel libxslt-dev libzip-dev libldap2-dev libsasl2-dev python3-setuptools node-less 

Create a system user to run Odoo and set its home directory to /opt/odoo:

sudo useradd -m -d /opt/odoo -U -r -s /bin/bash odoo 

Install and configure PostgreSQL

sudo apt install postgresql 

After installation, create a PostgreSQL user with the same name as the system user created earlier, in this example odoo:

sudo su - postgres -c "createuser -s odoo" 

Install Wkhtmltopdf

wget https://github.com/wkhtmltopdf/wkhtmltopdf/releases/download/0.12.5/wkhtmltox_0.12.5-1.bionic_amd64.deb 
sudo apt install ./wkhtmltox_0.12.5-1.bionic_amd64.deb  

Install and configure Odoo

As mentioned earlier, we'll install Odoo from source inside an isolated Python virtual environment.
First, switch to the user "odoo":

sudo su - odoo 

Clone the Odoo source code from GitHub:

git clone https://www.github.com/odoo/odoo --depth 1 --branch 13.0 /opt/odoo/odoo 

Once the download completes, create a new Python virtual environment for Odoo:

cd /opt/odoo
python3 -m venv odoo-venv 

Activate the environment with:

source odoo-venv/bin/activate

Install all required Python modules with pip3:

pip3 install wheel
pip3 install -r odoo/requirements.txt 

If you run into compilation errors during installation, make sure all required dependencies are installed.

When done, deactivate the environment by typing:

deactivate 

Create a new directory that will hold third-party add-ons.

mkdir /opt/odoo/odoo-custom-addons 

Later we'll add this directory to the addons_path parameter, which defines the list of directories in which Odoo searches for modules.

Switch back to your sudo user:

exit 

Create a configuration file with the following content:

sudo vi /etc/odoo.conf
[options]
; This is the password that allows database operations:
admin_passwd = my_admin_passwd
db_host = False
db_port = False
db_user = odoo
db_password = False
addons_path = /opt/odoo/odoo/addons,/opt/odoo/odoo-custom-addons

Don't forget to change my_admin_passwd to something more secure.

Create the systemd service file
Create a service file named odoo.service with the following content:

sudo vi /etc/systemd/system/odoo.service
[Unit]
Description=Odoo
Requires=postgresql.service
After=network.target postgresql.service

[Service]
Type=simple
SyslogIdentifier=odoo
PermissionsStartOnly=true
User=odoo
Group=odoo
ExecStart=/opt/odoo/odoo-venv/bin/python3 /opt/odoo/odoo/odoo-bin -c /etc/odoo.conf
StandardOutput=journal+console

[Install]
WantedBy=multi-user.target

Notify systemd that a new unit file exists:

sudo systemctl daemon-reload 

Start the Odoo service and enable it to start on boot by running:

sudo systemctl enable --now odoo 

Verify the service status:

sudo systemctl status odoo 

The output should look like the following, showing that the Odoo service is active and running.

● odoo13.service
    Loaded: loaded (/etc/systemd/system/odoo.service; enabled; vendor preset: enabled)
    Active: active (running) since Sat 2019-10-19 20:06:23 UTC; 3s ago
  Main PID: 1860 (python3)
     Tasks: 4 (limit: 2362)
    CGroup: /system.slice/odoo.service
            └─1860 /opt/odoo/odoo-venv/bin/python3 /opt/odoo/odoo/odoo-bin -c /etc/odoo.conf

Test the installation
Open a browser and enter: http://your_domain_or_IP_address:8069

Install Nginx

sudo apt install nginx 

Once the installation completes, the Nginx service starts automatically. You can check the service status with:

sudo systemctl status nginx 

The output will look like this:

● nginx.service - A high performance web server and a reverse proxy server
    Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
    Active: active (running) since Sun 2018-04-29 06:43:26 UTC; 8s ago
      Docs: man:nginx(8)
   Process: 3091 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Process: 3080 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Main PID: 3095 (nginx)
     Tasks: 2 (limit: 507)
    CGroup: /system.slice/nginx.service
            ├─3095 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
            └─3097 nginx: worker process

Install Certbot

sudo apt install certbot 

Generate a Diffie-Hellman key

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 

We'll map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.
The following commands create the directory and make it accessible to the Nginx server.

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt 

To avoid duplicating code, create the following two snippets, which we'll include in every Nginx server block file.
Create the first snippet, letsencrypt.conf:

sudo vi /etc/nginx/snippets/letsencrypt.conf 
location ^~ /.well-known/acme-challenge/ {
   allow all;
   root /var/lib/letsencrypt/;
   default_type "text/plain";
   try_files $uri =404;
}

Create the second snippet, ssl.conf.

sudo vi /etc/nginx/snippets/ssl.conf 
ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

With the letsencrypt.conf snippet in place, create the server file and include the snippet as shown below:

sudo vi /etc/nginx/sites-available/example.com.conf
server {
   listen 80;
   server_name example.com www.example.com;

   include snippets/letsencrypt.conf;
}

Create a symbolic link from sites-available to the sites-enabled directory, which Nginx reads on startup:

sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/

Restart the Nginx service:

sudo systemctl restart nginx 

You can now run Certbot and obtain the SSL certificate files with the following command:

sudo certbot certonly --agree-tos --email [email protected] --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com 

If the SSL certificate is obtained successfully, certbot prints the following message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-07-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew all of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Configure SSL, HTTP to HTTPS redirection, WWW to non-WWW redirection, static file caching and GZip compression by editing the server file created earlier (the one symlinked into sites-enabled):

sudo vi /etc/nginx/sites-available/example.com.conf
# Odoo servers
upstream odoo {
 server 127.0.0.1:8069;
}

upstream odoochat {
 server 127.0.0.1:8072;
}

# HTTP -> HTTPS
server {
    listen 80;
    server_name www.example.com example.com;

    include snippets/letsencrypt.conf;
    return 301 https://example.com$request_uri;
}

# WWW -> NON WWW
server {
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;

    # Proxy headers
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;

    # SSL parameters
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # log files
    access_log /var/log/nginx/odoo.access.log;
    error_log /var/log/nginx/odoo.error.log;

    # Handle longpoll requests
    location /longpolling {
        proxy_pass http://odoochat;
    }

    # Handle / requests
    location / {
       proxy_redirect off;
       proxy_pass http://odoo;
    }

    # Cache static files
    location ~* /web/static/ {
        proxy_cache_valid 200 90m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://odoo;
    }

    # Gzip
    gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
    gzip on;
}

Don't forget to replace example.com and set the correct paths for the SSL certificate files.
When done, restart the Nginx service:

sudo systemctl restart nginx

Automatically renew the Let's Encrypt SSL certificate

sudo vi /etc/cron.d/certbot
0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"

To test the renewal process, use certbot's --dry-run switch:

sudo certbot renew --dry-run

Next, we need to tell Odoo to use the proxy. Open /etc/odoo.conf and add the following line:

proxy_mode = True

We'll configure Odoo to listen only on 127.0.0.1. Add the following two lines to the end of /etc/odoo.conf:

xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1

Assume your server has 4 CPU cores, 8 GB of RAM and 30 concurrent Odoo users.
30 users / 6 = 5 (5 is the theoretical number of workers needed)
(4 * 2) + 1 = 9 (9 is the theoretical maximum number of workers)
Based on the calculation above, you can use 5 workers + 1 cron worker, 6 workers in total.

Calculate the RAM consumption from the number of workers:

RAM = 6 * ((0.8 * 150) + (0.2 * 1024)) ~= 2 GB of RAM
The calculation shows that the Odoo installation will need about 2 GB of RAM.

To switch to multiprocessing mode, open /etc/odoo.conf and append the calculated values:

limit_memory_hard = 2684354560
limit_memory_soft = 2147483648
limit_request = 8192
limit_time_cpu = 600
limit_time_real = 1200
max_cron_threads = 1
workers = 5

Restart the Odoo service for the changes to take effect:

sudo systemctl restart odoo
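As an added example (not part of the original tutorial or of Odoo's own code), the following Python script reproduces the worker sizing formula above and checks a constructed odoo.conf for the settings the proxy and multiprocessing sections tell you to set. The sample config text is constructed inline, and the http_interface fallback assumes the Odoo 11+ name for the setting the tutorial writes as xmlrpc_interface.

```python
import configparser
import math

# Per-worker memory estimate used in the tutorial: 0.8 * 150 MB + 0.2 * 1024 MB.
WORKER_MB = 0.8 * 150 + 0.2 * 1024

# Constructed sample: the first /etc/odoo.conf from the tutorial, before hardening.
INITIAL_CONF = """[options]
; This is the password that allows database operations:
admin_passwd = my_admin_passwd
db_host = False
db_port = False
db_user = odoo
db_password = False
addons_path = /opt/odoo/odoo/addons,/opt/odoo/odoo-custom-addons
"""

def plan_workers(cores, users):
    """Return (workers, theoretical_max, estimated_ram_mb) per the tutorial's formula."""
    wanted = math.ceil(users / 6)            # one worker per ~6 concurrent users
    theoretical_max = cores * 2 + 1
    workers = min(wanted, theoretical_max)
    total_ram = (workers + 1) * WORKER_MB    # +1 for the cron worker
    return workers, theoretical_max, round(total_ram, 1)

def audit_odoo_conf(text):
    """Return findings for a config that is meant to sit behind the Nginx proxy."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    opt = cp["options"]
    findings = []
    # 'admin' is Odoo's shipped default master password; my_admin_passwd is the placeholder above.
    if opt.get("admin_passwd", "admin") in ("", "admin", "my_admin_passwd"):
        findings.append("admin_passwd is the default or placeholder: database management is exposed")
    if opt.get("proxy_mode", "False").lower() != "true":
        findings.append("proxy_mode is not True: X-Forwarded-* headers from Nginx are ignored")
    # The tutorial writes xmlrpc_interface; Odoo 11+ names the same setting http_interface (assumption).
    bind = opt.get("xmlrpc_interface", opt.get("http_interface", "")) or "all interfaces"
    if bind != "127.0.0.1":
        findings.append("Odoo listens on %s: port 8069 is reachable without the proxy" % bind)
    if opt.getint("workers", 0) == 0:
        findings.append("workers = 0: threaded mode, not the multiprocessing mode configured above")
    soft, hard = opt.getint("limit_memory_soft", 0), opt.getint("limit_memory_hard", 0)
    if hard and hard <= soft:
        findings.append("limit_memory_hard must be larger than limit_memory_soft")
    return findings

if __name__ == "__main__":
    print(plan_workers(4, 30))              # the 4-core / 30-user server sized above
    for finding in audit_odoo_conf(INITIAL_CONF):
        print("-", finding)
```

Re-run audit_odoo_conf on the final /etc/odoo.conf after appending proxy_mode, the interface lines and the worker limits; an empty list means every setting from this section is in place.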

At this point the reverse proxy is configured and you can access your Odoo instance at: https://example.com
If Chinese text does not show up in printed PDFs, you can install the fonts manually:

sudo apt-get install ttf-wqy-zenhei
sudo apt-get install ttf-wqy-microhei
