Odoo is a popular open-source suite of business applications that helps companies manage and run their business. It includes a wide range of applications such as CRM, e-commerce, a website builder, point of sale, accounting, manufacturing, warehouse management, project management and more.
This article describes how to install and deploy Odoo 14 on Ubuntu 20.04 to a production standard, with Nginx as a reverse proxy and SSL in front of it.
Once you have your VPS, first apply basic security settings to it:
create a sudo user, disable root SSH login, and replace password login with SSH key login.
Log in to the server as root:
ssh root@server_ip_address
Create a new user account:
adduser username
Add the new user to the sudo group:
usermod -aG sudo username
Log out of the root account:
exit
Log in to the server as the new user:
ssh username@server_ip_address
Update the system:
sudo apt update
sudo apt upgrade
exit
For server security, log in to the server with an SSH key instead of a password.
Copy your public key to the server. On your local machine, run:
ssh-copy-id username@server_ip_address
If for some reason the ssh-copy-id utility is not available on your local machine, copy the public key with the following command instead:
cat ~/.ssh/id_rsa.pub | ssh username@server_ip_address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Disable SSH password authentication and root SSH login
Before disabling SSH password authentication, make sure you can log in to the server without a password and that the user you log in as has sudo privileges.
Log in to the remote server:
ssh username@server_ip_address
Open the SSH configuration file in a text editor and set the following directives:
sudo vi /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
Restart SSH:
sudo systemctl restart ssh
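The SSH hardening steps above, as an added example that is not from the original guide: a small Python helper that sets the four sshd_config directives idempotently and audits a configuration text. It works on the file contents as a string rather than editing /etc/ssh/sshd_config in place, and the sample config is constructed; validate the real file with sshd -t before restarting.

```python
import re
# The directives exactly as the guide sets them (UsePAM no kept as written).
HARDENING = {"PermitRootLogin": "no", "PasswordAuthentication": "no",
             "ChallengeResponseAuthentication": "no", "UsePAM": "no"}
KEYWORD = re.compile(r"^\s*#?\s*(\w+)\s+\S+")  # active or commented-out "Key value"

def _split_global(text):
    """Split at the first 'Match' line: directives below it apply only conditionally."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"^\s*Match\b", line):
            return lines[:i], lines[i:]
    return lines, []

def harden_sshd_config(text):
    """Set each directive exactly once in the global section. sshd keeps the FIRST
    value it sees, so earlier copies (even commented out) are rewritten and later ones dropped."""
    global_lines, match_lines = _split_global(text)
    out, seen = [], set()
    for line in global_lines:
        m = KEYWORD.match(line)
        key = m.group(1) if m else None
        if key in HARDENING:
            if key not in seen:
                out.append(f"{key} {HARDENING[key]}")
                seen.add(key)
            continue
        out.append(line)
    out += [f"{k} {v}" for k, v in HARDENING.items() if k not in seen]
    return "\n".join(out + match_lines) + "\n"

def audit_sshd_config(text):
    """Return the directives whose effective global value is not the hardened one."""
    effective = {}
    for line in _split_global(text)[0]:
        m = re.match(r"^\s*(\w+)\s+(\S+)", line)  # active lines only
        if m and m.group(1) not in effective:
            effective[m.group(1)] = m.group(2)
    return [k for k, v in HARDENING.items() if effective.get(k) != v]

# Constructed sample resembling a stock Ubuntu sshd_config with a Match block.
SAMPLE = """Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
"""
```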
Install Git, pip, Node.js and the other dependencies Odoo needs:
sudo apt install git python3-pip build-essential wget python3-dev python3-venv \
python3-wheel libfreetype6-dev libxml2-dev libzip-dev libldap2-dev libsasl2-dev \
python3-setuptools node-less libjpeg-dev zlib1g-dev libpq-dev \
libxslt1-dev libldap2-dev libtiff5-dev libjpeg8-dev libopenjp2-7-dev \
liblcms2-dev libwebp-dev libharfbuzz-dev libfribidi-dev libxcb1-dev
Create the system user that will run the Odoo service:
sudo useradd -m -d /opt/odoo14 -U -r -s /bin/bash odoo14
You can use any user name, as long as you create a PostgreSQL user with the same name.
Install and configure PostgreSQL:
sudo apt install postgresql
Create a PostgreSQL user with the same name as the Odoo system user created above:
sudo su - postgres -c "createuser -s odoo14"
Install wkhtmltopdf
Printing PDF reports in Odoo requires the wkhtmltox package. The version recommended by Odoo is 0.12.5; the package can be downloaded from GitHub (the commands below fetch the 0.12.6-1 build):
sudo wget https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6-1/wkhtmltox_0.12.6-1.bionic_amd64.deb
sudo apt install ./wkhtmltox_0.12.6-1.bionic_amd64.deb
Install and configure Odoo 14
Switch to the Odoo user:
sudo su - odoo14
Clone the Odoo 14 source code:
git clone https://www.github.com/odoo/odoo --depth 1 --branch 14.0 /opt/odoo14/odoo
Create a virtual environment for Odoo:
cd /opt/odoo14
python3 -m venv odoo-venv
Activate the virtual environment:
source odoo-venv/bin/activate
Install all required Python modules:
pip3 install wheel
pip3 install -r odoo/requirements.txt
If you run into compilation errors during installation, make sure all the dependencies listed in the prerequisites step above are installed.
Deactivate the virtual environment:
deactivate
Create a directory for third-party add-ons:
mkdir /opt/odoo14/odoo-custom-addons
This directory will be added to the addons_path parameter, which defines where Odoo searches for third-party add-ons.
Switch back to the sudo user:
exit
Create the Odoo configuration file:
sudo vi /etc/odoo14.conf
[options]
; This is the password that allows database operations:
admin_passwd = my_admin_passwd
db_host = False
db_port = False
db_user = odoo14
db_password = False
addons_path = /opt/odoo14/odoo/addons,/opt/odoo14/odoo-custom-addons
Do not forget to change my_admin_passwd to something more secure.
Create a systemd service unit:
sudo vi /etc/systemd/system/odoo14.service
[Unit]
Description=Odoo14
Requires=postgresql.service
After=network.target postgresql.service

[Service]
Type=simple
SyslogIdentifier=odoo14
PermissionsStartOnly=true
User=odoo14
Group=odoo14
ExecStart=/opt/odoo14/odoo-venv/bin/python3 /opt/odoo14/odoo/odoo-bin -c /etc/odoo14.conf
StandardOutput=journal+console

[Install]
WantedBy=multi-user.target
Reload the systemd unit files:
sudo systemctl daemon-reload
Start Odoo and enable it to start at boot:
sudo systemctl enable --now odoo14
Verify the service status:
sudo systemctl status odoo14
The output should look like the following, showing that the Odoo service is active and running:
● odoo14.service - Odoo14
Loaded: loaded (/etc/systemd/system/odoo14.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2021-01-01 17:30:12 UTC; 3s ago
…
To view the messages logged by the Odoo service, use:
sudo journalctl -u odoo14
Test the installation
Open a browser and go to: http://server_ip_address:8069
Configure Nginx as a reverse proxy for Odoo and enable SSL
Before continuing with this section, make sure your domain name already resolves to this server.
Install Nginx:
sudo apt install nginx
Install Certbot:
sudo apt install certbot
Generate a strong Diffie-Hellman (DH) group
Generate a new set of 2048-bit DH parameters:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
You can also use a key length of up to 4096 bits, but generation may then take more than 30 minutes.
Obtain an SSL certificate
For simplicity, we map all HTTP requests for .well-known/acme-challenge to the directory /var/lib/letsencrypt.
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
To avoid duplicating configuration, we create two snippets and include them in every Nginx virtual host configuration file.
sudo vi /etc/nginx/snippets/letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}
sudo vi /etc/nginx/snippets/ssl.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
Create the Nginx virtual host configuration:
sudo vi /etc/nginx/sites-available/example.com.conf
server {
    listen 80;
    server_name example.com www.example.com;

    include snippets/letsencrypt.conf;
}
Enable the Nginx virtual host configuration file:
sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/
Restart Nginx:
sudo systemctl restart nginx
Run Certbot to obtain the SSL certificate files:
sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
If the certificate was obtained successfully, certbot prints a message like the following:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2021-01-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Edit the Nginx virtual host configuration file created earlier to set up the reverse proxy and SSL:
sudo vi /etc/nginx/sites-enabled/example.com.conf
# Odoo servers
upstream odoo {
    server 127.0.0.1:8069;
}

upstream odoochat {
    server 127.0.0.1:8072;
}

# HTTP -> HTTPS
server {
    listen 80;
    server_name www.example.com example.com;

    include snippets/letsencrypt.conf;
    return 301 https://example.com$request_uri;
}

# WWW -> NON WWW
server {
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;

    # Proxy headers
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;

    # SSL parameters
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # log files
    access_log /var/log/nginx/odoo.access.log;
    error_log /var/log/nginx/odoo.error.log;

    # Handle longpoll requests
    location /longpolling {
        proxy_pass http://odoochat;
    }

    # Handle / requests
    location / {
        proxy_redirect off;
        proxy_pass http://odoo;
    }

    # Cache static files
    location ~* /web/static/ {
        proxy_cache_valid 200 90m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://odoo;
    }

    # Gzip
    gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
    gzip on;
}
Restart Nginx:
sudo systemctl restart nginx
Automatically renew the SSL certificate
The certbot package creates a cron job (/etc/cron.d/certbot) and a systemd timer; the timer renews certificates automatically 30 days before they expire. After a renewal, however, the nginx service must be reloaded to pick up the new certificate, so add the following to the Certbot configuration file:
sudo vi /etc/letsencrypt/cli.ini
deploy-hook = systemctl reload nginx
Test the renewal with a dry run:
sudo certbot renew --dry-run
If no errors are reported, the renewal process works.
Enable Odoo's proxy mode:
sudo vi /etc/odoo14.conf
proxy_mode = True
Restart Odoo:
sudo systemctl restart odoo14
By default the Odoo server listens on port 8069 on all network interfaces. Since Nginx now fronts it, for security force Odoo to listen only on the local interface.
Configure Odoo to listen only on 127.0.0.1:
sudo vi /etc/odoo14.conf
xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1
Restart Odoo:
sudo systemctl restart odoo14
Enable multiprocessing
By default Odoo runs in multithreaded mode. For production it is recommended to switch to multiprocessing mode, which improves stability and makes better use of system resources. Add the following to the configuration file:
sudo vi /etc/odoo14.conf
limit_memory_hard = 2684354560
limit_memory_soft = 2147483648
limit_request = 8192
limit_time_cpu = 600
limit_time_real = 1200
max_cron_threads = 1
workers = 5
Restart Odoo:
sudo systemctl restart odoo14
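The Odoo configuration built up over the steps above (master password, proxy mode, local-only listener, worker limits), as an added audit example that is not part of the original guide: it parses an odoo14.conf text and reports the settings that are still unsafe for production. The sample config is constructed from this guide's own lines; the finding messages are this example's wording, not Odoo's.

```python
import configparser
import io

PLACEHOLDER_PASSWD = "my_admin_passwd"   # the value this guide tells you to replace

def audit_odoo_conf(text):
    """Return a list of findings for the [options] section; [] means every check passed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    opt = cp["options"] if cp.has_section("options") else {}

    def get(key, default=""):
        return str(opt.get(key, default)).strip()

    findings = []
    # The master password gates create/drop/backup/restore on /web/database.
    if get("admin_passwd") in ("", PLACEHOLDER_PASSWD, "admin"):
        findings.append("admin_passwd is empty or still a placeholder")
    # Without proxy_mode Odoo ignores Nginx's X-Forwarded-* headers, so every
    # request appears to come from 127.0.0.1 over plain HTTP.
    if get("proxy_mode").lower() != "true":
        findings.append("proxy_mode is not True")
    # Odoo 14 reads http_interface; xmlrpc_interface is the older name it still maps.
    iface = get("http_interface") or get("xmlrpc_interface")
    if iface != "127.0.0.1":
        findings.append(f"Odoo listens on {iface or 'all interfaces'} instead of 127.0.0.1")
    workers = int(get("workers", "0") or 0)
    if workers < 1:
        # The longpolling server on 8072 that Nginx proxies to only runs with workers >= 1.
        findings.append("workers = 0: still multithreaded, no longpolling server on 8072")
    soft = int(get("limit_memory_soft", "0") or 0)
    hard = int(get("limit_memory_hard", "0") or 0)
    if workers >= 1 and not (0 < soft < hard):
        findings.append("limit_memory_soft must be set and stay below limit_memory_hard")
    return findings

# Constructed sample: this guide's lines for /etc/odoo14.conf, master password not yet changed.
SAMPLE_CONF = """[options]
admin_passwd = my_admin_passwd
db_user = odoo14
db_password = False
addons_path = /opt/odoo14/odoo/addons,/opt/odoo14/odoo-custom-addons
proxy_mode = True
xmlrpc_interface = 127.0.0.1
limit_memory_hard = 2684354560
limit_memory_soft = 2147483648
workers = 5
"""
```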
UFW firewall settings
sudo ufw allow ssh
sudo ufw allow 'Nginx Full'
sudo ufw enable