Odoo Nginx Reverse Proxy automation with TLS using Let's Encrypt
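#!/bin/bash
#--------------------------------------------------
# Odoo Nginx reverse proxy provisioning.
#
# Steps: set locale and time zone, update the server, install nginx,
# obtain a Let's Encrypt certificate with acme.sh (HTTP-01 webroot
# validation), then write an nginx vhost that terminates TLS and proxies
# to Odoo.
#
# Must run as root: it writes under /etc and installs acme.sh to
# /root/.acme.sh.  Edit the "Fixed parameters" section before running.
# All DNS names listed there must already resolve to this host, or the
# certificate issuance step will fail.
#--------------------------------------------------
set -euo pipefail

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Refuse to start unprivileged rather than failing halfway through.
[[ $EUID -eq 0 ]] || die "This script must be run as root."

# apt/dpkg must never block on a prompt during unattended provisioning.
export DEBIAN_FRONTEND=noninteractive

#--------------------------------------------------
# Fixed parameters -- edit these before running
#--------------------------------------------------
#General Domain and Server
DOMAIN_NAME="EXAMPLE.COM" #change with your domain
#Timezone for Dominican Republic, change as needed
TIMEZONE="America/Santo_Domingo"
#SSL Configuration
SSL_EMAIL="admin@example.com" #email for let's encrypt info
ACME_HOME=/root/.acme.sh #default acme.sh install dir for root
SSL_CERT="$ACME_HOME/$DOMAIN_NAME/fullchain.cer" #ssl_certificate
SSL_CERTK="$ACME_HOME/$DOMAIN_NAME/${DOMAIN_NAME}.key" #ssl_certificate_key
# Directory acme.sh writes the HTTP-01 challenge files into.  At issue time
# the stock nginx default site is still the one answering on port 80, so
# this must be the directory that site serves.  NOTE(review): /var/www/html
# is the Debian/Ubuntu default-site root -- confirm against
# /etc/nginx/sites-available/default on your system.
ACME_WEBROOT=/var/www/html
# Not sure about this conf, need some testing.
#SSL_CONF=$ACME_HOME/$DOMAIN_NAME/${DOMAIN_NAME}.ssl.conf #include ssl_settings.conf
#Odoo Web Gui configuration for Nginx
ODOO_SRVC="odoo"
ODOO_SRVR="odoo.${DOMAIN_NAME}" #or change as you like
ODOO_PORT="8069"

#--------------------------------------------------
# Locale changing for localization
#--------------------------------------------------
echo "*********************************"
echo "* *"
echo "* Changing Locales *"
echo "* *"
echo "*********************************"
# Configure timezone and locale
printf '\n---- Setting Locales ----\n'
locale-gen --purge "en_US.UTF-8"
printf '%s\n' 'LANG="en_US.UTF-8"' 'LANGUAGE="en_US:en"' > /etc/default/locale
dpkg-reconfigure --frontend=noninteractive locales
update-locale LANG=en_US.UTF-8
#---------------------------------------------------
# Timezone
#---------------------------------------------------
printf '\n---- Setting Time Zone ----\n'
# Write both the legacy /etc/timezone and the /etc/localtime symlink so the
# zone takes effect whichever of the two this release reads.
printf '%s\n' "$TIMEZONE" > /etc/timezone
ln -sf "/usr/share/zoneinfo/$TIMEZONE" /etc/localtime
dpkg-reconfigure -f noninteractive tzdata
#--------------------------------------------------
# Update Server
#--------------------------------------------------
echo "*********************************"
echo "* *"
echo "* Updating and upgrading *"
echo "* *"
echo "*********************************"
apt-get update
apt-get dist-upgrade -y
#--------------------------------------------------
# Nginx Install
#--------------------------------------------------
echo "*********************************"
echo "* *"
echo "* NGINX and dependencies *"
echo "* *"
echo "*********************************"
# dnsutils provides the dig(1) used below to discover the public IP.
apt-get -y install nginx-light openssl git bc curl dnsutils
#--------------------------------------------------
# Derived parameters (need the packages above)
#--------------------------------------------------
SRVR_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
[[ -n "$SRVR_IP" ]] || die "Could not determine the public IP address of this server."
ODOO_IP="$SRVR_IP" #$SRVR_IP or your private odoo server IP
#--------------------------------------------------
# Let's encrypt install and configuration for SSL
#--------------------------------------------------
echo "*********************************"
echo "* *"
echo "* Getting Let's encrypt *"
echo "* *"
echo "*********************************"
printf "\n---- Install acme.sh for Let's encrypt ----\n"
# Clone into a throw-away directory; --install copies acme.sh to $ACME_HOME
# and registers its renewal cron job, so the checkout is not needed after.
workdir=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$workdir"' EXIT
git clone https://github.com/Neilpang/acme.sh.git "$workdir/acme.sh"
( cd "$workdir/acme.sh" && ./acme.sh --install --accountemail "$SSL_EMAIL" )
ACME="$ACME_HOME/acme.sh"
[[ -x "$ACME" ]] || die "acme.sh was not installed to $ACME_HOME"
printf '\n---- Install SSL Certificates for your domains ----\n'
mkdir -p "$ACME_WEBROOT"
# --server letsencrypt: newer acme.sh releases default to a different CA.
"$ACME" --issue --server letsencrypt \
  -d "$DOMAIN_NAME" -d "www.${DOMAIN_NAME}" -d "$ODOO_SRVR" \
  -w "$ACME_WEBROOT"
# TODO: renewals rewrite the files under $ACME_HOME but do not reload nginx;
# wire up `acme.sh --install-cert ... --reloadcmd` so renewed certs go live.
printf '\n---- Generate Strong Diffie-Hellman Group. ----\n'
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
#--------------------------------------------------
# NGINX Configuration
#--------------------------------------------------
echo "*********************************"
echo "* *"
echo "* NGINX Conf as Reverse Proxy *"
echo "* *"
echo "*********************************"
printf '\n---- Setting up Nginx configurations. ----\n'
printf '\n---- Starting conf for %s. ----\n' "$ODOO_SRVC"
# Unquoted heredoc: shell variables expand here, nginx variables are
# written as \$name so they reach the config file literally.
cat <<EOF > "/etc/nginx/sites-available/$ODOO_SRVC"
upstream $ODOO_SRVC {
server $ODOO_IP:$ODOO_PORT;
}
## http redirects to https ##
server {
listen 80 default_server;
server_name $DOMAIN_NAME *.${DOMAIN_NAME} www.${DOMAIN_NAME} $ODOO_SRVR;
# log files
access_log /var/log/nginx/${ODOO_SRVC}.access.log;
error_log /var/log/nginx/${ODOO_SRVC}.error.log;
# Serve ACME HTTP-01 challenges over plain HTTP so certificate renewals
# keep working.  This must be a location, not a server-level return:
# a server-level return runs before location matching and would
# redirect the challenge too.
location ^~ /.well-known/acme-challenge/ {
root $ACME_WEBROOT;
}
# Redirect 301 to HTTPS
location / {
return 301 https://\$host\$request_uri;
}
}
## https site##
server {
listen 443 ssl;
server_name $DOMAIN_NAME $ODOO_SRVR;
root /usr/share/nginx/html;
index index.html index.htm;
# SSL Configuration
ssl_certificate $SSL_CERT;
ssl_certificate_key $SSL_CERTK;
# ssl_trusted_certificate $SSL_TRUST;
# include $SSL_CONF;
# Only allow the most secure SSL protocols and ciphers.
# TLS 1.0/1.1 are deprecated and no longer accepted; add TLSv1.3 here
# once the installed nginx/OpenSSL support it.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# NOTE(review): this list still permits 3DES (DES-CBC3-SHA), Camellia and
# CBC suites; trim it to the ECDHE/AEAD entries once clients allow.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# ssl_stapling on;
# ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
# Specifies the maximum accepted body size of a client request,
# as indicated by the request header Content-Length.
client_max_body_size 200m;
# add ssl specific settings
keepalive_timeout 60;
# increase proxy buffer to handle some OpenERP web requests
proxy_buffers 16 64k;
proxy_buffer_size 128k;
# LetsEncrypt location (same webroot as the HTTP server block)
location ^~ /.well-known/acme-challenge/ {
root $ACME_WEBROOT;
}
## default location ##
location / {
proxy_pass http://$ODOO_SRVC;
# force timeouts if the backend dies
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
proxy_connect_timeout 3600;
proxy_read_timeout 3600;
proxy_send_timeout 3600;
send_timeout 3600;
# Set headers
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
# Let the Odoo web service know that we're using HTTPS, otherwise
# it will generate URL using http:// and not https://
proxy_set_header X-Forwarded-Proto https;
# By default, do not forward anything
proxy_redirect off;
}
location ~* /[0-9a-zA-Z_]*/static/ {
proxy_cache_valid 200 60m;
proxy_buffering on;
expires 864000;
proxy_pass http://$ODOO_SRVC;
}
} # $ODOO_SRVC Server
EOF
printf '\n---- Enable the new sites configuration in the /etc/nginx/sites-enabled. ----\n'
ln -sf "/etc/nginx/sites-available/$ODOO_SRVC" "/etc/nginx/sites-enabled/$ODOO_SRVC"
printf '\n---- Disable the default site by deleting the symbolic link for it. ----\n'
# Remove the link in sites-enabled, not the file in sites-available:
# deleting the target would leave a dangling link that breaks nginx -t.
rm -f /etc/nginx/sites-enabled/default
printf '\n---- Verify Nginx conf file has the right syntax. ----\n'
nginx -t || die "nginx configuration test failed; not restarting nginx."
printf '\n---- Restart the services to load the new configurations. ----\n'
service nginx restart
echo "-----------------------------------------------------------"
echo "Done! The Nginx Server is up and Running. Specifications:"
echo
echo "Server IP:$SRVR_IP"
echo "Odoo URL: https://$ODOO_SRVR"
echo
echo "-------------------------------------------"
echo "--Below is your /etc/hosts for validation -"
echo "-------------------------------------------"
echo
cat /etc/hosts
echo
echo "------------------------------------------------------------"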