
Nginx configuration for CI/CD for Odoo

I am configuring nginx for a web server running Odoo. My configuration for the first nginx server (running as root) is:

#odoo server
# All three upstreams are on loopback: 8080 is the second (per-build) nginx,
# 8069 is the main Odoo HTTP port and 8072 the Odoo longpolling port.
upstream runbot_odoo {
 server 127.0.0.1:8080;
}
upstream odoo {
 server 127.0.0.1:8069;
}
upstream odoochat {
 server 127.0.0.1:8072;
}

# http -> https
# This is the only port-80 server shown, so nginx also uses it as the default
# server for that port: a request for any Host (build subdomains included) is
# redirected to https://<that host>. $host is taken from the client's request.
server {
   listen 80;
   server_name runbot.mydomain.com;
   rewrite ^(.*) https://$host$1 permanent;
}

# Main Odoo site: terminates TLS and reverse-proxies to the local Odoo ports.
# It is the first (and here only) 443 server, so it is also the default server
# for any Host that no other server_name matches.
server {
 listen 443;
 server_name runbot.mydomain.com;
 proxy_read_timeout 720s;
 proxy_connect_timeout 720s;
 proxy_send_timeout 720s;

 # Add Headers for odoo proxy mode
 # These are inherited by a location only if that location sets no
 # proxy_set_header of its own.
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Real-IP $remote_addr;

 # SSL parameters
 # NOTE(review): "ssl on;" is deprecated in current nginx; the supported form
 # is "listen 443 ssl;".
 # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep TLSv1.2 and
 # newer unless a legacy client is known to need them. The cipher list also
 # still admits CBC suites and DES-CBC3-SHA (3DES) as fallbacks.
 ssl on;
 ssl_certificate /etc/ssl/nginx/server.crt;
 ssl_certificate_key /etc/ssl/nginx/server.key;
 ssl_session_timeout 30m;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 ssl_prefer_server_ciphers on;

 # log
 access_log /var/log/nginx/odoo.access.log;
 error_log /var/log/nginx/odoo.error.log;

 # Redirect longpoll requests to odoo longpolling port
 location /longpolling {
 proxy_pass http://odoochat;
 }

 # Redirect requests to odoo backend server
 location / {
   proxy_redirect off;
   proxy_pass http://odoo;
 }

 # common gzip
 gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
 gzip on;
}

Basically it is redirecting 80 to 443, then reverse proxy to correct port 8069 and 8072

Then I have another nginx server (running as normal user), with the following configuration:

# Per-build router run by an unprivileged user: it maps each build's
# subdomain (matched against the Host header) to that build's local ports.
# NOTE(review): the pid file, both logs and all temp paths below live under
# /home/odoo/src/runbot/runbot/static/, the same tree that the
# "location /runbot/static/" alias further down serves over HTTP. Confirm that
# exposing them is intended, or move them outside the served tree.
pid /home/odoo/src/runbot/runbot/static/nginx/nginx.pid;
error_log /home/odoo/src/runbot/runbot/static/nginx/error.log;
worker_processes  1;
events { worker_connections  1024; }
http {
include /etc/nginx/mime.types;
server_names_hash_max_size 512;
server_names_hash_bucket_size 256;
client_max_body_size 10M;
index index.html;
log_format full '$remote_addr - $remote_user [$time_local] '
                '"$request" $status $body_bytes_sent '
                '"$http_referer" "$http_user_agent" $request_time';
access_log /home/odoo/src/runbot/runbot/static/nginx/access.log full;
error_log /home/odoo/src/runbot/runbot/static/nginx/error.log;
client_body_temp_path /home/odoo/src/runbot/runbot/static/nginx;
fastcgi_temp_path /home/odoo/src/runbot/runbot/static/nginx;

# Directory listings are enabled by default for every server in this file;
# the static location below turns them off again except for build logs/tests.
autoindex on;

gzip on;
gzip_types text/css text/plain application/xml application/json application/javascript;

proxy_temp_path /home/odoo/src/runbot/runbot/static/nginx;
proxy_read_timeout 600;
proxy_connect_timeout 600;
# The original Host is forwarded so each build sees its own subdomain.
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Host $host;

# Default server for port 8080: anything whose Host matches no build below
# is proxied to the main Odoo instance on 8069.
# NOTE(review): "listen 8080" with no address binds every interface, so this
# plain-HTTP port is reachable without the TLS front end unless a firewall
# blocks it; "listen 127.0.0.1:8080" would restrict it to the local proxy.
server {
    listen 8080 default;
    location / { proxy_pass http://127.0.0.1:8069; }
    location /longpolling/im/poll { return 404; }
    location /longpolling/poll { return 404; }
    location /runbot/static/ {
       alias /home/odoo/src/runbot/runbot/static/;
       autoindex off;
       location ~ /runbot/static/build/[^/]+/(logs|tests)/ {
          autoindex on;
       }
    }
}

server {
    # This block serves a build of the master branch; the server_name encodes it:
    #   00058               - incremental build number (the 58th build)
    #   master-d9d6e8       - branch name plus a short suffix (the author
    #                         believes it is a random number)
    #   runbot.mydomain.com - the domain
    listen 8080;
    server_name ~^00058\-master\-d9d6e8(-[a-z0-9]+)?\.runbot\.mydomain\.com$;
    location / { proxy_pass http://127.0.0.1:2000; }
    location /longpolling { proxy_pass http://127.0.0.1:2001; }
}

server {
    # another build
    listen 8080;
    server_name ~^00057\-dev\-hr\-operations\-d64c8d(-[a-z0-9]+)?\.runbot\.mydomain\.com$;
    location / { proxy_pass http://127.0.0.1:2003; }
    location /longpolling { proxy_pass http://127.0.0.1:2004; }
}

server {
    # another build
    listen 8080;
    server_name ~^00056\-dev\-returns\-68ca49(-[a-z0-9]+)?\.runbot\.mydomain\.com$;
    location / { proxy_pass http://127.0.0.1:2006; }
    location /longpolling { proxy_pass http://127.0.0.1:2007; }
}

server {
    # another build
    listen 8080;
    server_name ~^00055\-dev\-56c2e4(-[a-z0-9]+)?\.runbot\.mydomain\.com$;
    location / { proxy_pass http://127.0.0.1:2009; }
    location /longpolling { proxy_pass http://127.0.0.1:2010; }
}

server {
    # another build
    listen 8080;
    server_name ~^00054\-master\-06503a(-[a-z0-9]+)?\.runbot\.mydomain\.com$;
    location / { proxy_pass http://127.0.0.1:2012; }
    location /longpolling { proxy_pass http://127.0.0.1:2013; }
}

# Catch-all for build subdomains that match none of the builds above: answer
# 404 instead of falling through to the default server (the main Odoo site).
server {
    listen 8080;
    server_name ~.+\.runbot\.mydomain\.com$;
    location / { return 404; }
}
}

notes on the second config file:

The first server block is the default which reverse proxy to the main server. The other server blocks except last one are for each build to be tested. Each build is running on a docker container, and exposing two http ports (eg: 2012, and 2013).

A drawing to help understand my structure: (image not included)

My question is how to make all requests for a domain of the form *.runbot.mydomain.com (for example build-01.runbot.mydomain.com) be correctly proxied to the second nginx server on port 8080, which will then proxy them to the correct port depending on the subdomain name. The second nginx server already routes subdomains correctly, but I can't get the first nginx (running as root) to proxy to the second one.

My best try was adding the following configuration to the main nginx:

upstream runbot_odoo {
 # This upstream is the second (per-build) nginx server, reached over loopback.
 # With proxy_pass http://runbot_odoo and no explicit Host header, nginx sends
 # this upstream's name as the Host header by default.
 server 127.0.0.1:8080;
}


 ......


server {
 # A copy of the 443 server block from the first config file above, with two edits:
 # 1. server_name changed to *.runbot.gsk-erp.com, intended to catch all subdomains and
 #    proxy them to 8080, which can then proxy them to the correct port (2012 for example)
 # 2. the location block now proxies to 8080 instead of 8069
 # NOTE(review): the rest of the page uses runbot.mydomain.com; the server_name
 # here must match the domain actually requested or this block is never selected.
 # NOTE(review): no Host header is set, so the second nginx receives
 # "Host: runbot_odoo" (the proxy_pass default) and cannot match a build's
 # server_name - consistent with the https://runbot_odoo redirect described below.
 listen 443;
 server_name *.runbot.gsk-erp.com;
 proxy_read_timeout 720s;
 proxy_connect_timeout 720s;
 proxy_send_timeout 720s;

 # Add Headers for odoo proxy mode
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Real-IP $remote_addr;

 # SSL parameters
 # NOTE(review): server.crt must cover the wildcard name, otherwise browsers
 # show a certificate-name mismatch on every build subdomain - confirm.
 # NOTE(review): "ssl on;" is deprecated (use "listen 443 ssl;"), and TLSv1 /
 # TLSv1.1 are deprecated protocol versions (RFC 8996).
 ssl on;
 ssl_certificate /etc/ssl/nginx/server.crt;
 ssl_certificate_key /etc/ssl/nginx/server.key;
 ssl_session_timeout 30m;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 ssl_prefer_server_ciphers on;

 # log
 access_log /var/log/nginx/instances.odoo.access.log;
 error_log /var/log/nginx/instances.odoo.error.log;

 # Redirect requests to runbot config file
 location / { proxy_pass http://runbot_odoo; }

 # common gzip
 gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
 gzip on;
}

When writing http://00058-master-d9d6e8.runbot.mydomain.com the request gets handled by the main server running on 8069, instead of 8080, this means that the first 443 server block is still handling the requests instead of the new one with *.runbot.mydomain.com for server_name

Another try:

I moved the 443 server block with *.runbot.mydomain.com before the first one. Now it is handling the subdomain requests, but the url on the browser is changed to https://runbot_odoo (Instead of reverse proxy it is redirecting)

Found a solution in this answer .

Add this line to the location block

# Forward the client's Host so the second nginx can match the build's server_name.
# Caveat: a location that sets any proxy_set_header stops inheriting the ones
# declared at server level (X-Forwarded-For, X-Forwarded-Proto, X-Real-IP, ...),
# so either repeat those here or put this line at server level next to them.
proxy_set_header HOST $host;

Full nginx config files: main nginx (running as root)

#odoo server
# odoorunbot is the second (per-build) nginx on 8080; odoo and odoochat are the
# main Odoo HTTP and longpolling ports. All are loopback-only targets.
upstream odoorunbot {
 server 127.0.0.1:8080;
}
upstream odoo {
 server 127.0.0.1:8069;
}
upstream odoochat {
 server 127.0.0.1:8072;
}

# http -> https
# This is the only port-80 server shown, so it is also the default there and
# redirects build subdomains as well; $host is whatever name the client sent.
server {
   listen 80;
   server_name runbot.mydomain.com;
   rewrite ^(.*) https://$host$1 permanent;
}

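# runbot build instances
# Wildcard front end: terminates TLS for every build subdomain and hands the
# request to the per-build nginx (upstream odoorunbot), which selects the
# container by matching its server_name patterns against the Host header.
server {
 # "listen ... ssl" replaces the deprecated "ssl on;" directive.
 listen 443 ssl;
 server_name *.runbot.mydomain.com;
 proxy_read_timeout 720s;
 proxy_connect_timeout 720s;
 proxy_send_timeout 720s;

 # Add Headers for odoo proxy mode
 # Host is set here, at server level, together with the X-Forwarded-* headers.
 # A location that declares its own proxy_set_header stops inheriting these,
 # which would drop the client address and scheme from proxied requests, and a
 # location without Host would send the upstream name instead of the subdomain.
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Real-IP $remote_addr;

 # SSL parameters
 # NOTE(review): the certificate must cover *.runbot.mydomain.com - confirm.
 ssl_certificate /etc/ssl/nginx/server.crt;
 ssl_certificate_key /etc/ssl/nginx/server.key;
 ssl_session_timeout 30m;
 # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and no longer offered; add
 # TLSv1.3 here once the installed nginx/OpenSSL build supports it.
 ssl_protocols TLSv1.2;
 # NOTE(review): this list still admits CBC suites and DES-CBC3-SHA (3DES) as
 # fallbacks; trim it to the GCM suites once client compatibility is confirmed.
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 ssl_prefer_server_ciphers on;

 # log
 # File name corrected from ".lo" to ".log".
 # NOTE(review): the "full" log_format must be defined in this nginx's http
 # context; on this page it is only defined in the runbot nginx config.
 access_log /var/log/nginx/instances.odoo.access.log full;
 error_log /var/log/nginx/instances.odoo.error.log;

 # Everything, longpolling included, goes to the per-build nginx, which does
 # its own /longpolling routing per build.
 location / {
   proxy_pass http://odoorunbot;
 }

 # common gzip
 gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
 gzip on;
}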

# Main Odoo site on the bare domain. The wildcard server above is listed first,
# so that one (not this block) is the default 443 server for unmatched hosts.
server {
 listen 443;
 server_name runbot.mydomain.com;
 proxy_read_timeout 720s;
 proxy_connect_timeout 720s;
 proxy_send_timeout 720s;

 # Add Headers for odoo proxy mode
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Real-IP $remote_addr;

 # SSL parameters
 # NOTE(review): "ssl on;" is deprecated (use "listen 443 ssl;"); TLSv1 and
 # TLSv1.1 are deprecated (RFC 8996); the cipher list still admits CBC suites
 # and DES-CBC3-SHA (3DES) as fallbacks.
 ssl on;
 ssl_certificate /etc/ssl/nginx/server.crt;
 ssl_certificate_key /etc/ssl/nginx/server.key;
 ssl_session_timeout 30m;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 ssl_prefer_server_ciphers on;

 # log
 access_log /var/log/nginx/odoo.access.log;
 error_log /var/log/nginx/odoo.error.log;

 # Redirect longpoll requests to odoo longpolling port
 location /longpolling {
 proxy_pass http://odoochat;
 }

 # Redirect requests to odoo backend server
 location / {
   proxy_redirect off;
   proxy_pass http://odoo;
 }

 # common gzip
 gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
 gzip on;
}

The other nginx running as normal user (runbot user)

# Per-build router run by the unprivileged runbot user: it maps each build's
# subdomain (matched against the Host header) to that build's local ports.
# NOTE(review): the pid file, both logs and all temp paths below live under
# /home/odoo/src/runbot/runbot/static/, the same tree that the
# "location /runbot/static/" alias further down serves over HTTP. Confirm that
# exposing them is intended, or move them outside the served tree.
pid /home/odoo/src/runbot/runbot/static/nginx/nginx.pid;
error_log /home/odoo/src/runbot/runbot/static/nginx/error.log;
worker_processes  1;
events { worker_connections  1024; }
http {
include /etc/nginx/mime.types;
server_names_hash_max_size 512;
server_names_hash_bucket_size 256;
client_max_body_size 10M;
index index.html;
log_format full '$remote_addr - $remote_user [$time_local] '
                '"$request" $status $body_bytes_sent '
                '"$http_referer" "$http_user_agent" $request_time';
access_log /home/odoo/src/runbot/runbot/static/nginx/access.log full;
error_log /home/odoo/src/runbot/runbot/static/nginx/error.log;
client_body_temp_path /home/odoo/src/runbot/runbot/static/nginx;
fastcgi_temp_path /home/odoo/src/runbot/runbot/static/nginx;
# Directory listings are on by default for every server in this file; the
# static location below turns them off again except for build logs/tests.
autoindex on;

gzip on;
gzip_types text/css text/plain application/xml application/json application/javascript;

proxy_temp_path /home/odoo/src/runbot/runbot/static/nginx;
proxy_read_timeout 600;
proxy_connect_timeout 600;
# The original Host is forwarded so each build sees its own subdomain.
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Host $host;

# NOTE(review): this default server now listens on 8081, but the front nginx
# still proxies to 8080. Port 8080 therefore has no explicit default, and nginx
# falls back to the first 8080 server listed (the build block below) for any
# Host that matches neither pattern.
# NOTE(review): "listen" with no address binds every interface, so these
# plain-HTTP ports are reachable without the TLS front end unless firewalled.
server {
    listen 8081 default;
    location / { proxy_pass http://127.0.0.1:8069; }
    location /longpolling/im/poll { return 404; }
    location /longpolling/poll { return 404; }
    location /runbot/static/ {
       alias /home/odoo/src/runbot/runbot/static/;
       autoindex off;
       location ~ /runbot/static/build/[^/]+/(logs|tests)/ {
          autoindex on;
       }
    }
}

# One block per running build: the subdomain selects the build's HTTP port
# (2000) and its longpolling port (2001).
server {
    listen 8080;
    server_name ~^00066\-master\-d9d6e8(-[a-z0-9]+)?\.runbot\.mydomain\.com$;
    location / { proxy_redirect off; proxy_pass  http://127.0.0.1:2000; }
    location /longpolling { proxy_pass http://127.0.0.1:2001; }
}

# Catch-all for build subdomains that match no build above: answer 404.
server {
    listen 8080;
    server_name ~.+\.runbot\.mydomain\.com$;
    location / { return 404; }
}
}

In the other file I only changed the first server block to listen on 8081 instead of 8080, because I thought it was causing problems, but it probably wasn't. So I recommend keeping the runbot's nginx file unchanged.
