nginx配置https访问odoo

   前段日子用AppScan对odoo进行了一个漏斗扫描，发现未做ssl的odoo服务有巨大安全隐患，故需要对通过配置一个ssl来消除这些安全隐患，最终选择了通过nginx来做ssl加密

一:安装nginx

ubuntu：

apt-get install nginx

lunix:

yum install nginx

二:nginx.conf配置

安装好nginx后，使用如下配置

worker_processes 1;

events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

upstream oeserver{
server 127.0.0.1:8069;
}
server {
    listen 443 default;
    server_name _;

    access_log /var/log/nginx/odoo.access.log;
    error_log  /var/log/nginx/odoo.error.log;

    ssl on;
    ssl_certificate     cert/cdn.openerp.hk-ca-bundle.crt; # 之前生成的证书和key
    ssl_certificate_key cert/cdn.openerp.hk.key;
    ssl_ciphers             HIGH:!ADH:!MD5;
    ssl_protocols           SSLv3 TLSv1;
    ssl_prefer_server_ciphers on;


    location / {
        proxy_pass http://127.0.0.1:8069;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;


        proxy_buffer_size 128k;
        proxy_buffers 16 64k;
        proxy_redirect off;


        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }


   location ~* /web/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering    on;
        expires 864000;
        proxy_pass http://127.0.0.1:8069;
    }
}
server {   
    listen 80;
    server_name __;
    add_header Strict-Transport-Security max-age=2592000;
    rewrite ^/.*$ https://$host$request_uri? permanent;
}
}

注意配置好ssl路径的位置以及权限