如何以生产环境的标准在Ubuntu 20.04上安装部署Odoo14并设置Nginx和SSL

Odoo是流行的开源商务应用程序套件,可帮助公司管理和运营其业务。它包括广泛的应用程序,例如CRM,电子商务,网站构建器,POS,会计,制造,仓库,项目管理等等。

本文介绍如何以生产环境的标准在Ubuntu 20.04上安装和部署Odoo 14并设置Nginx和SSL
首先当我们拿到VPS服务器后先要对VPS服务器做基本的安全设置。
新建sudo用户,禁止root用户SSH登录,并用SSH密钥登录替代密码登录。
以root用户身份登录到服务器:

ssh root@server_ip_address

创建一个新的用户帐户

adduser username

将新用户添加到sudo组中

usermod -aG sudo username

退出root用户

exit

以新用户登录到服务器

ssh username@server_ip_address

更新系统

sudo apt update
sudo apt upgrade
exit

为了服务器安全请使用SSH密钥登录到服务器
将公钥复制到服务器。在本地计算机上输入:

ssh-copy-id username@server_ip_address

如果由于某种原因该ssh-copy-id实用程序在本地计算机上不可用,请使用以下命令复制公钥:

cat ~/.ssh/id_rsa.pub | ssh remote_username@server_ip_address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

禁用SSH密码认证和root SSH登录
在禁用SSH密码认证之前,请确保您可以不使用密码登录服务器,并且使用sudo特权登录的用户。
登录到远程服务器:

ssh username@server_ip_address

使用文本编辑器打开SSH配置文件:

sudo vi /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

重启SSH:

sudo systemctl restart ssh

安装安装Git,Pip,Node.js等安装Odoo的依赖项:

sudo apt install git python3-pip build-essential wget python3-dev python3-venv \
python3-wheel libfreetype6-dev libxml2-dev libzip-dev libldap2-dev libsasl2-dev \
python3-setuptools node-less libjpeg-dev zlib1g-dev libpq-dev \
libxslt1-dev libldap2-dev libtiff5-dev libjpeg8-dev libopenjp2-7-dev \
liblcms2-dev libwebp-dev libharfbuzz-dev libfribidi-dev libxcb1-dev

创建运行Odoo服务的系统用户:

sudo useradd -m -d /opt/odoo14 -U -r -s /bin/bash odoo14

您可以使用任意用户名,只要创建相同用户名的PostgreSQL用户即可。

安装和配置PostgreSQL:

sudo apt install postgresql

创建与先前Odoo系统用户同名的PostgreSQL用户:

sudo su - postgres -c "createuser -s odoo14"

安装wkhtmltopdf
在Odoo中打印PDF报告,需要安装该wkhtmltox软件包。Odoo的推荐版本是version 0.12.5,可以从Github下载:

sudo wget https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6-1/wkhtmltox_0.12.6-1.bionic_amd64.deb
sudo apt install ./wkhtmltox_0.12.6-1.bionic_amd64.deb

安装和配置Odoo 14
切换到Odoo用户:

sudo su - odoo14

克隆Odoo 14源代码:

git clone https://www.github.com/odoo/odoo --depth 1 --branch 14.0 /opt/odoo14/odoo

为Odoo创建一个虚拟环境:

cd /opt/odoo14
python3 -m venv odoo-venv

激活虚拟环境:

source odoo-venv/bin/activate

安装所有必需的Python模块:

pip3 install wheel
pip3 install -r odoo/requirements.txt

如果在安装过程中遇到任何编译错误,请确保安装了Prerequisites中列出的所有必需依赖项。

停用虚拟环境:

deactivate

创建第三方插件的目录:

mkdir /opt/odoo14/odoo-custom-addons

此目录将添加到addons_path参数中。此参数定义Odoo在其中搜索第三方插件。

切换回sudo用户

exit

创建Odoo配置文件:

sudo vi /etc/odoo14.conf
[options]
; This is the password that allows database operations:
admin_passwd = my_admin_passwd
db_host = False
db_port = False
db_user = odoo14
db_password = False
addons_path = /opt/odoo14/odoo/addons,/opt/odoo14/odoo-custom-addons

不要忘记将更my_admin_passwd改为更安全的内容。

创建系统服务单元

sudo vi /etc/systemd/system/odoo14.service
[Unit]
Description=Odoo14
Requires=postgresql.service
After=network.target postgresql.service

[Service]
Type=simple
SyslogIdentifier=odoo14
PermissionsStartOnly=true
User=odoo14
Group=odoo14
ExecStart=/opt/odoo14/odoo-venv/bin/python3 /opt/odoo14/odoo/odoo-bin -c /etc/odoo14.conf
StandardOutput=journal+console

[Install]
WantedBy=multi-user.target

更新系统服务文件:

sudo systemctl daemon-reload

启动Odoo,并使其在启动时启动:

sudo systemctl enable --now odoo14

验证服务状态:

sudo systemctl status odoo14

输出应如下所示,表明Odoo服务处于活动状态并正在运行:
● odoo14.service – Odoo14
Loaded: loaded (/etc/systemd/system/odoo14.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2021-01-01 17:30:12 UTC; 3s ago

要查看Odoo服务记录的消息,请使用以下命令:

sudo journalctl -u odoo14

测试安装
打开浏览器并输入: http://:8069

将Nginx配置为Odoo的代理并实现SSL
在继续本节之前,请确保你已经设置域名解析到当前服务器:

安装Nginx

sudo apt install nginx

安装Certbot

sudo apt install certbot

产生强Dh(Diffie-Hellman)组
生成一组新的2048位DH参数:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

您还可以使用最长4096位的密钥长度,但是生成时间可能会超过30分钟。

获取SSL证书
为了简单,我们将所有HTTP请求.well-known/acme-challenge都映射到目录/var/lib/letsencrypt。

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

为了避免重复代码,我们将创建两个片段并将它们包含在所有Nginx虚拟主机配置文件中。

sudo vi /etc/nginx/snippets/letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
  try_files $uri =404;
}
sudo vi /etc/nginx/snippets/ssl.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

创建Nginx虚拟主机配置:

sudo vi /etc/nginx/sites-available/example.com.conf
server {
  listen 80;
  server_name example.com www.example.com;

  include snippets/letsencrypt.conf;
}

启用Nginx虚拟主机配置文件:

sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/

重启Nginx:

sudo systemctl restart nginx

运行Certbot获取SSL证书文件:

sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

如果成功获得SSL证书,certbot将显示以下消息:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2021-01-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

修改之前的Nginx虚拟主机配置文件设置方向代理和SSL:

sudo vi /etc/nginx/sites-enabled/example.com.conf
# Odoo servers
upstream odoo {
 server 127.0.0.1:8069;
}

upstream odoochat {
 server 127.0.0.1:8072;
}

# HTTP -> HTTPS
server {
    listen 80;
    server_name www.example.com example.com;

    include snippets/letsencrypt.conf;
    return 301 https://example.com$request_uri;
}

# WWW -> NON WWW
server {
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;

    # Proxy headers
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;

    # SSL parameters
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # log files
    access_log /var/log/nginx/odoo.access.log;
    error_log /var/log/nginx/odoo.error.log;

    # Handle longpoll requests
    location /longpolling {
        proxy_pass http://odoochat;
    }

    # Handle / requests
    location / {
       proxy_redirect off;
       proxy_pass http://odoo;
    }

    # Cache static files
    location ~* /web/static/ {
        proxy_cache_valid 200 90m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://odoo;
    }

    # Gzip
    gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
    gzip on;
}

重启Nginx:

sudo systemctl restart nginx

自动更新SSL证书
certbot程序包会创建一个cronjob和一个systemd计时器。计时器将在证书到期前30天自动更新证书。但是证书更新后,需要重新加载nginx服务,添加一下两行到文件里:

sudo vi /etc/letsencrypt/cli.ini
/etc/cron.d/certbot
deploy-hook = systemctl reload nginx

运行certbot–dry-run测试续订:

sudo certbot renew --dry-run

如果没有错误,则表示更新过程成功。

打开Odoo代理设置:

sudo vi /etc/odoo14.conf
proxy_mode = True

重启Odoo:

sudo systemctl restart odoo14

默认情况下,Odoo服务器侦听所有8069端口来的请求。为了安全可以设置强制Odoo仅侦听本地接口。

将Odoo配置为仅监听127.0.0.1:

sudo vi /etc/odoo14.conf
xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1

重启Odoo:

sudo systemctl restart odoo14

启用多处理器
默认情况下,Odoo在多线程模式下工作。对于生产环境,建议更改为多处理器模式,可以提高稳定性并更好地利用系统资源。

sudo vi /etc/odoo14.conf
limit_memory_hard = 2684354560
limit_memory_soft = 2147483648
limit_request = 8192
limit_time_cpu = 600
limit_time_real = 1200
max_cron_threads = 1
workers = 5

重启Odoo:

sudo systemctl restart odoo14

UFW防火墙设置

sudo ufw allow ssh
sudo ufw allow 'Nginx Full'
sudo ufw enable

发表评论

您的电子邮箱地址不会被公开。 必填项已用*标注