
Show how to add SSL certificates #17

Closed
kvdb opened this issue Apr 19, 2015 · 11 comments

Comments

@kvdb

kvdb commented Apr 19, 2015

It would be nice if the instructions would show how to configure a custom SSL certificate so Odoo can be securely connected.

@chermed

chermed commented Apr 19, 2015

Maybe you should link the container with another container (nginx for example)

@kvdb
Author

kvdb commented Apr 21, 2015

Of course, that makes perfect sense. Thanks.

@kvdb kvdb closed this as completed Apr 21, 2015
@hurik

hurik commented Oct 27, 2015

Did anyone get it running with nginx? It would be a great help if someone could provide his working nginx.conf ...

@rimusz

rimusz commented Oct 27, 2015

@hurik here we go:

server {
    listen      *:443 default;
    server_name www.domainname.com ;

    access_log  /var/log/nginx/oddo.access.log;
    error_log   /var/log/nginx/oddo.error.log;

    ssl on;
    ssl_certificate     /etc/nginx/ssl/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/mysite.key;
    keepalive_timeout   60;

    ssl_ciphers             HIGH:!ADH:!MD5;
    ssl_protocols           SSLv3 TLSv1;
    ssl_prefer_server_ciphers on;


    location / {
        proxy_pass  http://HOST_IP:8069;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        proxy_buffer_size 128k;
        proxy_buffers 16 64k;
        proxy_redirect off;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header X-Forwarded-Proto https;
        # increase proxy timeouts to prevent 504 Gateway Time-Out
    }

}

# forward domainname.com to www.domainname.com
server {
    listen       *:443;
    server_name  domainname.com;
    return       301 http://www.domainname.com$request_uri;
}

# This allows for someone to go to http and get redirected to https automatically
server {
    listen     *:80;
    server_name domainname.com;

    add_header Strict-Transport-Security max-age=2592000;
    rewrite ^/.*$ https://$host$request_uri? permanent;
}

@md5
Contributor

md5 commented Oct 27, 2015

I wouldn't recommend using ssl_protocols SSLv3 unless you absolutely must do so to support known older clients.

I'd recommend starting at the Mozilla SSL Config Generator to get some good SSL settings that work for the latest Nginx and OpenSSL versions and your known user base: https://mozilla.github.io/server-side-tls/ssl-config-generator/

@md5
Contributor

md5 commented Oct 27, 2015

That listen *:443 block without SSL settings looks odd too.

@md5
Contributor

md5 commented Oct 27, 2015

One more thing to bear in mind is that log performance with that config will be terrible if /var/log/nginx is not a volume.

Why not log to STDOUT and STDERR like the stock nginx container does?

@hurik

hurik commented Jan 13, 2016

Thanks for the information, I got it running. I only activated SSL (https://mozilla.github.io/server-side-tls/ssl-config-generator/ with modern configuration) and changed the port to 4344. It's my first time working with nginx, so I'm open to optimizations.

Installation:

docker run -d -e POSTGRES_USER=odoo -e POSTGRES_PASSWORD=odoo -v /docker/odoo/db/:/var/lib/postgresql/data/ --name db postgres
docker run -d --link db:db --name odoo odoo
docker run -d -p 127.0.0.1:4344:4344 -v /docker/odoo/nginx/default.conf:/etc/nginx/conf.d/default.conf:ro -v /docker/odoo/nginx/ssl/:/etc/ssl/nginx/:ro -v /docker/odoo/nginx/logs/:/var/log/nginx/ --link odoo:odoo --name nginx nginx

default.conf (nginx):

server {
    listen 4344 ssl;

    # log files
    access_log /var/log/nginx/odoo-access.log;
    error_log /var/log/nginx/odoo-error.log;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/ssl/nginx/server.crt;
    ssl_certificate_key /etc/ssl/nginx/server.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/ssl/nginx/dhparam.pem;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/ssl/nginx/ca_bundle.crt;

    # increase proxy buffer to handle some Odoo web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    # general proxy settings
    # force timeouts if the backend dies
    proxy_connect_timeout 600s;
    proxy_send_timeout 600s;
    proxy_read_timeout 600s;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    location / {
        proxy_pass http://odoo:8069;
    }

    # Cache some static data in memory for 60mins.
    # Under heavy load this should relieve stress on the Odoo web interface a bit.
    location ~* /web/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://odoo:8069;
    }
}

dhparam.pem generated with:

$ openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

files and folders on host:

/docker/
-- /odoo/
---- /db/
------ Database files ...
---- /nginx/
------ default.conf
------ /logs/
-------- access.log
-------- error.log
-------- odoo-access.log
-------- odoo-error.log
------ /ssl/
-------- dhparam.pem
-------- ca_bundle.crt
-------- server.crt
-------- server.key

@Kazebayashi

Thank you for sharing your code, hurik.

I can run postgres and odoo, but I got this error when trying to docker run nginx

docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:359: container init caused \"rootfs_linux.go:54: mounting \\\"/docker/odoo/nginx/default.conf\\\" to rootfs \\\"/var/lib/docker/aufs/mnt/6e612a56d7058a7fad31878d2cf7ed9caa15bd0daee0f95c77e787e81d68687d\\\" at \\\"/var/lib/docker/aufs/mnt/6e612a56d7058a7fad31878d2cf7ed9caa15bd0daee0f95c77e787e81d68687d/etc/nginx/conf.d/default.conf\\\" caused \\\"not a directory\\\"\""
: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type.

Any idea where I'm wrong and how to fix it?
Thanks

@thomas15v

Just leaving some automated resources here:

@Kazebayashi looks like you forgot to define the default.conf, causing docker to make a folder, causing nginx to crash while trying to read a folder like a file 😉.
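
A preflight check for the bind mounts in hurik's nginx run command, added here as an example and not taken from the thread. It makes the failure above visible before docker run: with the -v syntax Docker creates a missing source path as an empty directory, so a default.conf that does not exist yet is mounted as a directory over the container's file and the run fails with "not a directory". It also checks that server.key is not readable by other users on the host, since the :ro flag only protects the file from the container. The directory layout and file names are hurik's; the function names and the temporary tree used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: verify the bind-mount sources of the
# nginx container before running it. With the -v syntax Docker creates a
# missing source path as an empty DIRECTORY, so a default.conf that does not
# exist yet is mounted as a directory over the container's file and the run
# fails with "not a directory". Usage: sh preflight.sh /docker/odoo/nginx

# check_mount SRC file|dir: verdict on one bind-mount source; returns 1 on mismatch.
check_mount() {
    src=$1
    kind=$2
    if [ ! -e "$src" ]; then
        echo "MISSING  $src (docker run would create it as an empty directory)"
        return 1
    fi
    case $kind in
        file) [ -f "$src" ] || { echo "WRONG    $src is not a regular file"; return 1; } ;;
        dir)  [ -d "$src" ] || { echo "WRONG    $src is not a directory"; return 1; } ;;
        *)    echo "check_mount: kind must be file or dir" >&2; return 2 ;;
    esac
    echo "ok       $src ($kind)"
}

# The private key is mounted :ro, which protects it from the container but not
# from other users on the host; warn when it is readable by others.
# POSIX find: -perm -004 is true when the others-read bit is set.
check_key_private() {
    if [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]; then
        echo "WARN     $1 is world-readable (chmod 600 recommended)"
        return 1
    fi
    echo "ok       $1 is not world-readable"
}

# Every -v source from the nginx run command above, plus the files nginx opens
# at startup; BASE defaults to hurik's host layout. Returns 1 if anything fails.
check_nginx_mounts() {
    base=${1:-/docker/odoo/nginx}
    rc=0
    check_mount "$base/default.conf" file || rc=1
    check_mount "$base/ssl"          dir  || rc=1
    check_mount "$base/logs"         dir  || rc=1
    for f in server.crt server.key dhparam.pem ca_bundle.crt; do
        check_mount "$base/ssl/$f" file || rc=1
    done
    if [ -f "$base/ssl/server.key" ]; then
        check_key_private "$base/ssl/server.key" || rc=1
    fi
    return $rc
}

if [ $# -gt 0 ]; then
    check_nginx_mounts "$1"
fi
```

Run it against the host directory before the third docker run line; a MISSING or WRONG verdict on default.conf is exactly the state that produces the error quoted above.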

@Kazebayashi

Thanks Thomas for your resources.
I couldn't manage to do it with my default.conf, but I succeeded with https-portal. Great solution for me!
