
Comments (11)

hurik avatar hurik commented on May 21, 2024 1

Thanks for the information, I got it running. I only activated SSL (https://mozilla.github.io/server-side-tls/ssl-config-generator/ with modern configuration) and changed the port to 4344. It's my first time working with nginx, so I'm open to optimizations.

Installation:

docker run -d -e POSTGRES_USER=odoo -e POSTGRES_PASSWORD=odoo -v /docker/odoo/db/:/var/lib/postgresql/data/ --name db postgres
docker run -d --link db:db --name odoo odoo
docker run -d -p 127.0.0.1:4344:4344 -v /docker/odoo/nginx/default.conf:/etc/nginx/conf.d/default.conf:ro -v /docker/odoo/nginx/ssl/:/etc/ssl/nginx/:ro -v /docker/odoo/nginx/logs/:/var/log/nginx/ --link odoo:odoo --name nginx nginx

default.conf (nginx):

server {
    listen 4344 ssl;

    # log files
    access_log /var/log/nginx/odoo-access.log;
    error_log /var/log/nginx/odoo-error.log;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/ssl/nginx/server.crt;
    ssl_certificate_key /etc/ssl/nginx/server.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/ssl/nginx/dhparam.pem;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/ssl/nginx/ca_bundle.crt;

    # increase proxy buffer to handle some Odoo web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    # general proxy settings
    # force timeouts if the backend dies
    proxy_connect_timeout 600s;
    proxy_send_timeout 600s;
    proxy_read_timeout 600s;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    location / {
        proxy_pass http://odoo:8069;
    }

    # Cache some static data in memory for 60mins.
    # Under heavy load this should relieve stress on the Odoo web interface a bit.
    location ~* /web/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://odoo:8069;
    }
}

dhparam.pem generated with:

$ openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

files and folders on host:

/docker/
-- /odoo/
---- /db/
------ Database files ...
---- /nginx/
------ default.conf
------ /logs/
-------- access.log
-------- error.log
-------- odoo-access.log
-------- odoo-error.log
------ /ssl/
-------- dhparam.pem
-------- ca_bundle.crt
-------- server.crt
-------- server.key

from docker.

thomas15v avatar thomas15v commented on May 21, 2024 1

Just leaving some automated resources here:

@Kazebayashi looks like you forgot to define the default.conf, causing docker to make a folder, causing nginx to crash while trying to read a folder like a file 😉.

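A preflight check for the bind mounts, added here as an example and not part of hurik's setup or the docker project: it refuses to start the nginx container when a -v source is missing or is a directory where a file is expected (the failure thomas15v describes), and also rejects a group- or world-readable server.key. It assumes the /docker/odoo layout hurik listed; the BASE and PREFLIGHT_RUN variables are this example's own.

```shell
# Preflight for the bind mounts in the docker run commands above. Docker creates a
# directory on the host for a missing -v source, so a missing default.conf makes
# nginx fail with "not a directory" (the error reported later in this thread).
# Assumes the /docker/odoo layout listed above; BASE and PREFLIGHT_RUN are this example's own.

# check_mount_source SRC KIND -> 0 if SRC exists and is of KIND (file|dir)
check_mount_source() {
    src=$1; kind=$2
    if [ "$kind" = file ]; then
        [ -e "$src" ] || { echo "MISSING: $src (docker would create a directory here)" >&2; return 1; }
        [ ! -d "$src" ] || { echo "WRONG TYPE: $src is a directory, expected a file" >&2; return 1; }
    else
        [ -d "$src" ] || { echo "MISSING: $src is not a directory" >&2; return 1; }
    fi
    return 0
}

# check_key_perms KEY -> 0 unless the private key is readable by group or others
check_key_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "WEAK PERMS: $1 is mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# preflight BASE -> 0 only if every mount source the nginx container needs is usable
preflight() {
    base=$1; rc=0
    check_mount_source "$base/nginx/default.conf" file || rc=1
    check_mount_source "$base/nginx/ssl" dir || rc=1
    check_mount_source "$base/nginx/logs" dir || rc=1
    for f in server.crt server.key dhparam.pem ca_bundle.crt; do
        check_mount_source "$base/nginx/ssl/$f" file || rc=1
    done
    if [ -f "$base/nginx/ssl/server.key" ]; then
        check_key_perms "$base/nginx/ssl/server.key" || rc=1
    fi
    return $rc
}

# Start the container only when the preflight passes (BASE defaults to /docker/odoo).
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then
    BASE=${BASE:-/docker/odoo}
    preflight "$BASE" && docker run -d -p 127.0.0.1:4344:4344 \
        -v "$BASE/nginx/default.conf:/etc/nginx/conf.d/default.conf:ro" \
        -v "$BASE/nginx/ssl/:/etc/ssl/nginx/:ro" -v "$BASE/nginx/logs/:/var/log/nginx/" \
        --link odoo:odoo --name nginx nginx
fi
```

Run it as `PREFLIGHT_RUN=1 sh preflight.sh` after the db and odoo containers are up; with a different BASE it checks a staging copy of the layout.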

Kazebayashi avatar Kazebayashi commented on May 21, 2024 1

Thanks Thomas for your resources.
I couldn't manage to do it with my default.conf, but I succeeded with https-portal. Great solution for me!


chermed avatar chermed commented on May 21, 2024

Maybe you should link the container with another container (nginx for example)


kvdb avatar kvdb commented on May 21, 2024

Of course, that makes perfect sense. Thanks.


hurik avatar hurik commented on May 21, 2024

Did anyone get it running with nginx? It would be a great help if someone could provide his working nginx.conf ...


rimusz avatar rimusz commented on May 21, 2024

@hurik here we go:

server {
    listen      *:443 default;
    server_name www.domainname.com ;

    access_log  /var/log/nginx/oddo.access.log;
    error_log   /var/log/nginx/oddo.error.log;

    ssl on;
    ssl_certificate     /etc/nginx/ssl/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/mysite.key;
    keepalive_timeout   60;

    ssl_ciphers             HIGH:!ADH:!MD5;
    ssl_protocols           SSLv3 TLSv1;
    ssl_prefer_server_ciphers on;


    location / {
        proxy_pass  http://HOST_IP:8069;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        proxy_buffer_size 128k;
        proxy_buffers 16 64k;
        proxy_redirect off;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header X-Forwarded-Proto https;
        # increase proxy timeouts to prevent 504 Gateway Time-Out
    }

}

# forward domainname.com to www.domainname.com
server {
    listen       *:443;
    server_name  domainname.com;
    return       301 https://www.domainname.com$request_uri;
}

# This allows for someone to go to http and get redirected to https automatically
server {
    listen     *:80;
    server_name domainname.com;

    add_header Strict-Transport-Security max-age=2592000;
    rewrite ^/.*$ https://$host$request_uri? permanent;
}


md5 avatar md5 commented on May 21, 2024

I wouldn't recommend using ssl_protocols SSLv3 unless you absolutely must do so to support known older clients.

I'd recommend starting at the Mozilla SSL Config Generator to get some good SSL settings that work for the latest Nginx and OpenSSL versions and your known user base: https://mozilla.github.io/server-side-tls/ssl-config-generator/


md5 avatar md5 commented on May 21, 2024

That listen *:443 block without SSL settings looks odd too.


md5 avatar md5 commented on May 21, 2024

One more thing to bear in mind is that log performance with that config will be terrible if /var/log/nginx is not a volume.

Why not log to STDOUT and STDERR like the stock nginx container does?

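An audit script for the points md5 raises, added as an example here and not code from the thread: it scans an nginx config for SSLv3/TLSv1/TLSv1.1 in ssl_protocols, a 443 listener with no ssl setting, the deprecated "ssl on" directive, an HTTPS listener redirecting to plain http, and file logging under /var/log/nginx. The sample config it writes is constructed for the demonstration; the checks assume one directive per line and the opening brace on the server line.

```shell
# Static audit for the points raised above: SSLv3/TLSv1/TLSv1.1 in ssl_protocols, a
# 443 listener with no ssl setting, the deprecated "ssl on" directive, an HTTPS listener
# redirecting to plain http, and file logging under /var/log/nginx. Assumes one directive per line.

# audit_nginx_tls FILE -> prints one FINDING line per problem and exits with their count
audit_nginx_tls() {
    awk '
    function report(msg) { findings++; print "FINDING: " msg }
    /^[ \t]*#/ { next }
    /server[ \t]*\{/ { inblock=1; depth=0; l443=0; ssl=0; dl=0; name="server@line " NR }
    { o = gsub(/\{/, "{"); c = gsub(/\}/, "}"); if (inblock) depth += o - c }
    inblock && /^[ \t]*listen[ \t]/ { if ($0 ~ /443/) l443=1; if ($0 ~ /[ \t]ssl([ \t;]|$)/) ssl=1 }
    inblock && /^[ \t]*ssl[ \t]+on[ \t]*;/ { ssl=1; report(name ": \"ssl on\" is deprecated, put ssl on the listen directive") }
    /^[ \t]*ssl_protocols[ \t]/ { for (i=2; i<=NF; i++) { p=$i; sub(/;$/, "", p);
        if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) report("line " NR ": deprecated protocol " p " enabled") } }
    inblock && /^[ \t]*(return|rewrite)[ \t].*http:\/\// { dl=1 }
    /^[ \t]*(access|error)_log[ \t]+\/var\/log\/nginx/ { report("line " NR ": logs to " $2 " in the container; the stock image logs to /dev/stdout and /dev/stderr") }
    inblock && depth == 0 { if (l443 && !ssl) report(name ": listens on 443 but has no ssl setting");
        if (l443 && dl) report(name ": HTTPS listener redirects clients to plain http://"); inblock=0 }
    END { print findings+0 " finding(s)"; exit findings+0 }
    ' "$1"
}

# count_findings FILE -> number of FINDING lines (0 means the config passed)
count_findings() { audit_nginx_tls "$1" | grep -c '^FINDING:' || true; }

# write_sample_config FILE -> constructed sample in the style of the configs posted above
write_sample_config() {
    cat > "$1" <<'EOF'
server {
    listen *:443 default;
    ssl on;
    ssl_protocols SSLv3 TLSv1;
    access_log /var/log/nginx/odoo.access.log;
    location / { proxy_pass http://odoo:8069; }
}
server {
    listen *:443;
    return 301 http://www.example.com$request_uri;
}
server {
    listen 4344 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    access_log /dev/stdout;
}
EOF
}
```

`write_sample_config /tmp/sample.conf; audit_nginx_tls /tmp/sample.conf` reports six findings for the first two blocks and none for the third; point it at the real default.conf before mounting it into the container.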

Kazebayashi avatar Kazebayashi commented on May 21, 2024

Thank you for sharing your code, hurik.

I can run postgres and odoo, but I got this error when trying to docker run nginx:

docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:359: container init caused \"rootfs_linux.go:54: mounting \\\"/docker/odoo/nginx/default.conf\\\" to rootfs \\\"/var/lib/docker/aufs/mnt/6e612a56d7058a7fad31878d2cf7ed9caa15bd0daee0f95c77e787e81d68687d\\\" at \\\"/var/lib/docker/aufs/mnt/6e612a56d7058a7fad31878d2cf7ed9caa15bd0daee0f95c77e787e81d68687d/etc/nginx/conf.d/default.conf\\\" caused \\\"not a directory\\\"\""
: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type.

Any idea where I'm wrong and how to fix it?
Thanks

