如何以生产环境的标准在Ubuntu 20.04上安装部署Odoo14并设置Nginx和SSL
Odoo是流行的开源商务应用程序套件,可帮助公司管理和运营其业务。它包括广泛的应用程序,例如CRM,电子商务,网站构建器,POS,会计,制造,仓库,项目管理等等。
本文介绍如何以生产环境的标准在Ubuntu 20.04上安装和部署Odoo 14并设置Nginx和SSL
首先当我们拿到VPS服务器后先要对VPS服务器做基本的安全设置。
新建sudo用户,禁止root用户SSH登录,并用SSH密钥登录替代密码登录。
以root用户身份登录到服务器:
ssh root@server_ip_address创建一个新的用户帐户
adduser username将新用户添加到sudo组中
usermod -aG sudo username退出root用户
exit以新用户登录到服务器
ssh username@server_ip_address更新系统
sudo apt update
sudo apt upgrade
exit为了服务器安全请使用SSH密钥登录到服务器
将公钥复制到服务器。在本地计算机上输入:
ssh-copy-id username@server_ip_address如果由于某种原因该ssh-copy-id实用程序在本地计算机上不可用,请使用以下命令复制公钥:
cat ~/.ssh/id_rsa.pub | ssh remote_username@server_ip_address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"禁用SSH密码认证和root SSH登录
在禁用SSH密码认证之前,请确保您可以不使用密码登录服务器,并且使用sudo特权登录的用户。
登录到远程服务器:
ssh username@server_ip_address使用文本编辑器打开SSH配置文件:
sudo vi /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
重启SSH:
sudo systemctl restart ssh安装安装Git,Pip,Node.js等安装Odoo的依赖项:
sudo apt install git python3-pip build-essential wget python3-dev python3-venv \
python3-wheel libfreetype6-dev libxml2-dev libzip-dev libldap2-dev libsasl2-dev \
python3-setuptools node-less libjpeg-dev zlib1g-dev libpq-dev \
libxslt1-dev libldap2-dev libtiff5-dev libjpeg8-dev libopenjp2-7-dev \
liblcms2-dev libwebp-dev libharfbuzz-dev libfribidi-dev libxcb1-dev创建运行Odoo服务的系统用户:
sudo useradd -m -d /opt/odoo14 -U -r -s /bin/bash odoo14您可以使用任意用户名,只要创建相同用户名的PostgreSQL用户即可。
安装和配置PostgreSQL:
sudo apt install postgresql创建与先前Odoo系统用户同名的PostgreSQL用户:
sudo su - postgres -c "createuser -s odoo14"安装wkhtmltopdf
在Odoo中打印PDF报告,需要安装该wkhtmltox软件包。Odoo的推荐版本是version 0.12.5,可以从Github下载:
sudo wget https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6-1/wkhtmltox_0.12.6-1.bionic_amd64.deb
sudo apt install ./wkhtmltox_0.12.6-1.bionic_amd64.deb安装和配置Odoo 14
切换到Odoo用户:
sudo su - odoo14克隆Odoo 14源代码:
git clone https://www.github.com/odoo/odoo --depth 1 --branch 14.0 /opt/odoo14/odoo为Odoo创建一个虚拟环境:
cd /opt/odoo14
python3 -m venv odoo-venv激活虚拟环境:
source odoo-venv/bin/activate安装所有必需的Python模块:
pip3 install wheel
pip3 install -r odoo/requirements.txt如果在安装过程中遇到任何编译错误,请确保安装了Prerequisites中列出的所有必需依赖项。
停用虚拟环境:
deactivate创建第三方插件的目录:
mkdir /opt/odoo14/odoo-custom-addons此目录将添加到addons_path参数中。此参数定义Odoo在其中搜索第三方插件。
切换回sudo用户
exit创建Odoo配置文件:
sudo vi /etc/odoo14.conf
[options]
; This is the password that allows database operations:
admin_passwd = my_admin_passwd
db_host = False
db_port = False
db_user = odoo14
db_password = False
addons_path = /opt/odoo14/odoo/addons,/opt/odoo14/odoo-custom-addons
不要忘记将更my_admin_passwd改为更安全的内容。
创建系统服务单元
sudo vi /etc/systemd/system/odoo14.service
[Unit]
Description=Odoo14
Requires=postgresql.service
After=network.target postgresql.service
[Service]
Type=simple
SyslogIdentifier=odoo14
PermissionsStartOnly=true
User=odoo14
Group=odoo14
ExecStart=/opt/odoo14/odoo-venv/bin/python3 /opt/odoo14/odoo/odoo-bin -c /etc/odoo14.conf
StandardOutput=journal+console
[Install]
WantedBy=multi-user.target
更新系统服务文件:
sudo systemctl daemon-reload启动Odoo,并使其在启动时启动:
sudo systemctl enable --now odoo14验证服务状态:
sudo systemctl status odoo14输出应如下所示,表明Odoo服务处于活动状态并正在运行:
● odoo14.service – Odoo14
Loaded: loaded (/etc/systemd/system/odoo14.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2021-01-01 17:30:12 UTC; 3s ago
…
要查看Odoo服务记录的消息,请使用以下命令:
sudo journalctl -u odoo14测试安装
打开浏览器并输入: http://:8069
将Nginx配置为Odoo的代理并实现SSL
在继续本节之前,请确保你已经设置域名解析到当前服务器:
安装Nginx
sudo apt install nginx安装Certbot
sudo apt install certbot产生强Dh(Diffie-Hellman)组
生成一组新的2048位DH参数:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048您还可以使用最长4096位的密钥长度,但是生成时间可能会超过30分钟。
获取SSL证书
为了简单,我们将所有HTTP请求.well-known/acme-challenge都映射到目录/var/lib/letsencrypt。
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt为了避免重复代码,我们将创建两个片段并将它们包含在所有Nginx虚拟主机配置文件中。
sudo vi /etc/nginx/snippets/letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
allow all;
root /var/lib/letsencrypt/;
default_type "text/plain";
try_files $uri =404;
}
sudo vi /etc/nginx/snippets/ssl.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
创建Nginx虚拟主机配置:
sudo vi /etc/nginx/sites-available/example.com.conf
server {
listen 80;
server_name example.com www.example.com;
include snippets/letsencrypt.conf;
}
启用Nginx虚拟主机配置文件:
sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/重启Nginx:
sudo systemctl restart nginx运行Certbot获取SSL证书文件:
sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com如果成功获得SSL证书,certbot将显示以下消息:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2021-01-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le修改之前的Nginx虚拟主机配置文件设置方向代理和SSL:
sudo vi /etc/nginx/sites-enabled/example.com.conf
# Odoo servers
upstream odoo {
server 127.0.0.1:8069;
}
upstream odoochat {
server 127.0.0.1:8072;
}
# HTTP -> HTTPS
server {
listen 80;
server_name www.example.com example.com;
include snippets/letsencrypt.conf;
return 301 https://example.com$request_uri;
}
# WWW -> NON WWW
server {
listen 443 ssl http2;
server_name www.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
include snippets/ssl.conf;
include snippets/letsencrypt.conf;
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl http2;
server_name example.com;
proxy_read_timeout 720s;
proxy_connect_timeout 720s;
proxy_send_timeout 720s;
# Proxy headers
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
# SSL parameters
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
include snippets/ssl.conf;
include snippets/letsencrypt.conf;
# log files
access_log /var/log/nginx/odoo.access.log;
error_log /var/log/nginx/odoo.error.log;
# Handle longpoll requests
location /longpolling {
proxy_pass http://odoochat;
}
# Handle / requests
location / {
proxy_redirect off;
proxy_pass http://odoo;
}
# Cache static files
location ~* /web/static/ {
proxy_cache_valid 200 90m;
proxy_buffering on;
expires 864000;
proxy_pass http://odoo;
}
# Gzip
gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
gzip on;
}
重启Nginx:
sudo systemctl restart nginx自动更新SSL证书
certbot程序包会创建一个cronjob和一个systemd计时器。计时器将在证书到期前30天自动更新证书。但是证书更新后,需要重新加载nginx服务,添加一下两行到文件里:
sudo vi /etc/letsencrypt/cli.ini
/etc/cron.d/certbot
deploy-hook = systemctl reload nginx
运行certbot–dry-run测试续订:
sudo certbot renew --dry-run如果没有错误,则表示更新过程成功。
打开Odoo代理设置:
sudo vi /etc/odoo14.conf
proxy_mode = True
重启Odoo:
sudo systemctl restart odoo14默认情况下,Odoo服务器侦听所有8069端口来的请求。为了安全可以设置强制Odoo仅侦听本地接口。
将Odoo配置为仅监听127.0.0.1:
sudo vi /etc/odoo14.conf
xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1
重启Odoo:
sudo systemctl restart odoo14启用多处理器
默认情况下,Odoo在多线程模式下工作。对于生产环境,建议更改为多处理器模式,可以提高稳定性并更好地利用系统资源。
sudo vi /etc/odoo14.conf
limit_memory_hard = 2684354560
limit_memory_soft = 2147483648
limit_request = 8192
limit_time_cpu = 600
limit_time_real = 1200
max_cron_threads = 1
workers = 5
重启Odoo:
sudo systemctl restart odoo14UFW防火墙设置
sudo ufw allow ssh
sudo ufw allow 'Nginx Full'
sudo ufw enable