forked from Yenthe666/InstallScript
-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx_install.sh
159 lines (141 loc) · 5.49 KB
/
nginx_install.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
#!/bin/bash
##
# This script creates a self-signed certificate and configuration file for Nginx.
# Nginx is used as a reverse proxy for Odoo.
#
# For examples:
# subdomain1.website.com -> using the Odoo database1.
# subdomain2.website.com -> using the Odoo database2.
# When a database name is mussing the database with the same name as the subdomain will be used, depending on the database
# parameter of the Odoo configuration file.
##
if [ -z $1 ]; then
echo "Missing subdomain!"
echo "Usage: odoo_nginx subdomain [database]"
echo "For example: ./odoo_nginx my.website.com TheDatabaseName"
exit 0
fi
NGINX_CONFIG_DIR=/etc/nginx
DOMAIN="$1"
DB=$2
SSL_DIR=$NGINX_CONFIG_DIR/ssl/$DOMAIN
DOMAIN_CONFIG=$NGINX_CONFIG_DIR/sites/"$DOMAIN.conf"
#echo "Setup domain "$DOMAIN" with database "$2" - $DOMAIN_CONFIG, SSL=$SSL_DIR"
#echo "Create Self-signed cert"
mkdir -p $SSL_DIR
mkdir -p $NGINX_CONFIG_DIR/sites
openssl ecparam -out $SSL_DIR/nginx.key -name prime256v1 -genkey
openssl req -new -key $SSL_DIR/nginx.key -out $SSL_DIR/csr.pem -subj "/C=VN/ST=DONG BAC BO/L=HA NOI/O=ERPHanoi/OU=IT Department/CN=$DOMAIN"
openssl req -x509 -nodes -days 1000 -key $SSL_DIR/nginx.key -in $SSL_DIR/csr.pem -out $SSL_DIR/nginx.pem
# openssl dhparam -out $SSL_DIR/dhparam.pem 4096 # This take long time
if [ -z $DB ]; then
DB_STR=""
else
DB_STR="proxy_set_header X-Custom-Referrer \"$DB\";"
fi
echo -e "* Create $DOAMIN's nginx config file at $DOMAIN_CONFIG"
cat <<EOF > $DOMAIN_CONFIG
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
##
# Configuration file for each subdomain <=> database.
# Should use with http.py patch, which using HTTP_X_CUSTOM_REFERRER as database name
# See https://github.com/halybang/odoo/blob/9.0/openerp/http.py
#
##
server {
# Redirect all request to ssl
listen 80;
server_name $DOMAIN;
# Strict Transport Security
add_header Strict-Transport-Security max-age=2592000;
return 301 https://\$host\$request_uri;
}
server {
# Enable SSL
listen 443 ssl;
server_name $DOMAIN;
#root /var/www/html;
# Add index.php to the list if you are using PHP
#index index.html index.htm index.nginx-debian.html;
# Set log files
access_log /var/log/nginx/$DOMAIN.access.log;
error_log /var/log/nginx/$DOMAIN.error.log;
keepalive_timeout 60;
client_max_body_size 100m;
# SSL Configuration
# Self signed certs generated by the ssl-cert package
ssl on;
ssl_certificate $SSL_DIR/nginx.pem;
ssl_certificate_key $SSL_DIR/nginx.key;
#ssl_dhparam $SSL_DIR/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!ADH:!MD5;
#ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
#ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
# increase proxy buffer to handle some OpenERP web requests
proxy_buffers 16 64k;
proxy_buffer_size 128k;
# general proxy settings
# force timeouts if the backend dies
proxy_connect_timeout 600s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# set headers
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-Host \$http_host;
proxy_set_header X-Forward-For \$proxy_add_x_forwarded_for;
# Let the OpenERP web service know that we’re using HTTPS, otherwise
# it will generate URL using http:// and not https://
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Front-End-Https On;
# Point to real database name
#proxy_set_header X-Custom-Referrer "databasename";
$DB_STR
# by default, do not forward anything
# proxy_redirect off;
proxy_buffering off;
location / {
#try_files \$uri \$uri/ @proxy;
proxy_pass http://odoo9;
proxy_redirect default;
}
location /longpolling {
proxy_pass http://odoo9-im;
}
# cache some static data in memory for 60mins.
# under heavy load this should relieve stress on the OpenERP web interface a bit.
location ~* /web/static/ {
proxy_cache_valid 200 60m;
proxy_buffering on;
expires 864000;
#try_files $uri $uri/ @proxy;
proxy_pass http://odoo9;
#proxy_redirect default;
#proxy_redirect off;
}
location @proxy {
proxy_pass http://odoo9;
proxy_redirect default;
#proxy_redirect off;
}
location ~ /\.ht {
deny all;
}
}
EOF