Tuesday, 28 January 2020

Setting up nginx - HTTP & HTTPS

Setting up nginx

Back inside the container, we will now install nginx and link port 80 to the Odoo app:
# apt-get install nginx
# vim /etc/nginx/sites-enabled/default


## OpenERP backend ##
upstream openerp {
    server 127.0.0.1:8069;
}

server {
    listen 80 ;
    listen [::]:80 ;

    root /var/www/html;
    index index.html index.htm;
    server_name yourserver.com www.yourserver.com;

    location / {
        proxy_pass http://openerp;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;

        # set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # this server only speaks plain HTTP, so pass the real scheme; hardcoding https
        # here would make Odoo build https links before a certificate exists
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# systemctl restart nginx

Getting an SSL certificate

Once the domain is linked to the host, we can request an SSL certificate. There are many options for certification, but we will stick with the free and open Let's Encrypt certificate. Let's Encrypt has a tool, Certbot, to install a certificate on the server, so let's make use of it.
# apt-get install software-properties-common
# add-apt-repository ppa:certbot/certbot
# apt-get update
# apt-get install python-certbot-nginx
# sudo certbot --nginx certonly
Enter email address:
youremail@gmail.com
(A)gree/(C)ancel:
A
(Y)es/(N)o:
Y
Which names would you like to activate HTTPS for?
Select the appropriate numbers:
1 # pick the one for your new domain

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yourserver.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yourserver.com/privkey.pem
Your cert will expire on 2018-06-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
“certbot renew”
And your certificate is done!
But as you can read, the certificate is only valid for 90 days. You can renew it manually every 90 days, but you can also let the server do it automatically. For this job we use a cron job.
# crontab -e
Cron will ask you which editor to use; after this it will show you a configuration file with some explanation of how it works. I want to check on the first day of every week for certificates that need renewal, so the next line will run the check weekly at 3:30am. Note that nginx only starts serving a renewed certificate after it is reloaded.
30 03 * * 0 certbot renew

Finishing the nginx configuration

Now the time has come to finish up our configuration for HTTPS access. We should want to keep the connection safe at all times. Therefore we will redirect port 80 to port 443.
# vim /etc/nginx/sites-enabled/default
## OpenERP backend ##
upstream openerp {
    server 127.0.0.1:8069;
}

# HTTPS server: terminates TLS and proxies to Odoo
server {
    index index.html index.htm;
    server_name yourserver.com www.yourserver.com;
    location / {
        proxy_pass http://openerp;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # tell Odoo the client connection is HTTPS so it generates https links
        proxy_set_header X-Forwarded-Proto https;
    }

    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    # the paths certbot printed above
    ssl_certificate /etc/letsencrypt/live/yourserver.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourserver.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

# HTTP server: redirects every request to HTTPS
server {
    if ($host = yourserver.com) {
        return 301 https://$host$request_uri;
    }
    listen 80 ;
    listen [::]:80 ;
    server_name yourserver.com www.yourserver.com;
    return 301 https://$host$request_uri;
}
# systemctl restart nginx
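As an added check (not part of the original post), this Python script parses an nginx config in the layout above and reports when a plaintext server still proxies the app or fails to redirect, or when the TLS server lacks its certificate directives or the X-Forwarded-Proto header. The two embedded configs are trimmed, constructed copies of the post's before and after layouts.

```python
import re

# Trimmed copies (constructed for this example) of the two layouts the post walks through.
HTTP_ONLY = """server { listen 80; listen [::]:80; server_name yourserver.com;
  location / { proxy_pass http://openerp; proxy_set_header X-Forwarded-Proto $scheme; } }"""
HTTPS = """server { listen 443 ssl; listen [::]:443 ssl ipv6only=on; server_name yourserver.com;
  ssl_certificate /etc/letsencrypt/live/yourserver.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/yourserver.com/privkey.pem;
  location / { proxy_pass http://openerp; proxy_set_header X-Forwarded-Proto https; } }
server { listen 80; listen [::]:80; server_name yourserver.com; return 301 https://$host$request_uri; }"""

def parse(text):
    """Parse nginx syntax into (name, args, children) tuples; children is None for a simple directive."""
    root = node = []; stack, args = [], []
    for tok in re.findall(r'[{};]|[^\s{};#]+', re.sub(r'#[^\n]*', '', text)):
        if tok == ';' and args:                       # end of a simple directive
            node.append((args[0], args[1:], None)); args = []
        elif tok == '{':                              # open a block such as server { ... }
            child = []
            node.append((args[0], args[1:], child))
            stack.append(node); node, args = child, []
        elif tok == '}':                              # close the current block
            node = stack.pop()
        else:
            args.append(tok)
    return root

def walk(block):  # yield every (name, args) directive, descending into nested blocks
    for name, args, children in block:
        yield name, args
        if children:
            yield from walk(children)

def audit(text):
    """Return findings for the HTTP->HTTPS layout; an empty list means it matches the post's intent."""
    findings = []
    for _, _, body in [s for s in parse(text) if s[0] == 'server']:
        d = list(walk(body))
        tls = any(n == 'listen' and 'ssl' in a for n, a in d)
        redirect = any(n == 'return' and len(a) > 1 and a[0] == '301' and a[1].startswith('https://') for n, a in d)
        if not tls:
            if not redirect: findings.append('plaintext server does not redirect to https')
            if any(n == 'proxy_pass' for n, _ in d): findings.append('plaintext server proxies the application')
        else:
            missing = [k for k in ('ssl_certificate', 'ssl_certificate_key') if not any(n == k for n, _ in d)]
            findings += [f'ssl server lacks {k}' for k in missing]
            proto = [a[1] for n, a in d if n == 'proxy_set_header' and a[:1] == ['X-Forwarded-Proto']]
            if proto != ['https']: findings.append('ssl server should set X-Forwarded-Proto https')
    return findings
```

Run audit() over the contents of /etc/nginx/sites-enabled/default after each edit; the finished layout yields no findings, the HTTP-only one flags the unencrypted proxy.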
Now your Odoo installation is up and running.