nginx - 用于 Odoo 的 CI/CD 的 Nginx 配置
问题描述
我正在为运行 Odoo 的 Web 服务器配置 nginx。我对第一个 nginx 服务器(以 root 身份运行)的配置是:
#odoo server
# Second (unprivileged) nginx instance that routes build sub-domains
upstream runbot_odoo {
    server 127.0.0.1:8080;
}

# Odoo backend server
upstream odoo {
    server 127.0.0.1:8069;
}

# Odoo longpolling port
upstream odoochat {
    server 127.0.0.1:8072;
}
# http -> https
server {
    # Plain-HTTP listener: its only job is the permanent redirect to HTTPS.
    listen      80;
    server_name runbot.mydomain.com;

    # $1 is the request URI captured by ^(.*); "permanent" answers with a 301.
    rewrite ^(.*) https://$host$1 permanent;
}
# TLS front end for runbot.mydomain.com: terminates HTTPS and reverse-proxies
# to the odoo (8069) and odoochat (8072) upstreams.
server {
listen 443;
server_name runbot.mydomain.com;
proxy_read_timeout 720s;
proxy_connect_timeout 720s;
proxy_send_timeout 720s;
# Add Headers for odoo proxy mode
# NOTE(review): no "proxy_set_header Host" is set, so the upstream receives the
# upstream name (e.g. "odoo") as Host; only X-Forwarded-Host carries the real name.
proxy_set_header X-Forwarded-Host $host;
# $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client sent,
# so the backend should trust only the last entry.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
# SSL parameters
# NOTE(review): "ssl on;" is deprecated in favour of "listen 443 ssl;" and has
# been removed from current nginx releases.
ssl on;
ssl_certificate /etc/ssl/nginx/server.crt;
ssl_certificate_key /etc/ssl/nginx/server.key;
ssl_session_timeout 30m;
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 is the
# minimum that should be offered.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# NOTE(review): this list still admits 3DES (DES-CBC3-SHA), static-RSA key
# exchange and CBC/SHA-1 suites; an AEAD-only ECDHE/DHE list is preferable.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# log
access_log /var/log/nginx/odoo.access.log;
error_log /var/log/nginx/odoo.error.log;
# Redirect longpoll requests to odoo longpolling port
location /longpolling {
proxy_pass http://odoochat;
}
# Redirect requests to odoo backend server
location / {
proxy_redirect off;
proxy_pass http://odoo;
}
# common gzip
gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
gzip on;
}
基本上它是将80重定向到443,然后反向代理到正确的端口8069和8072
然后我有另一个 nginx 服务器(以普通用户身份运行),配置如下:
# Configuration of the second nginx instance (run as a normal user). It selects
# a build by the Host name of the request and proxies to that build's ports.
# NOTE(review): the pid file, logs and temp directories below all live under
# /home/odoo/src/runbot/runbot/static/, the same tree that the
# "location /runbot/static/" alias further down serves over HTTP. Unless that
# sub-directory is blocked, /runbot/static/nginx/access.log and
# /runbot/static/nginx/error.log can be fetched by URL.
pid /home/odoo/src/runbot/runbot/static/nginx/nginx.pid;
error_log /home/odoo/src/runbot/runbot/static/nginx/error.log;
worker_processes 1;
events { worker_connections 1024; }
http {
include /etc/nginx/mime.types;
server_names_hash_max_size 512;
server_names_hash_bucket_size 256;
client_max_body_size 10M;
index index.html;
log_format full '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $request_time';
access_log /home/odoo/src/runbot/runbot/static/nginx/access.log full;
error_log /home/odoo/src/runbot/runbot/static/nginx/error.log;
# Buffered request bodies are written here, i.e. inside the served static tree.
client_body_temp_path /home/odoo/src/runbot/runbot/static/nginx;
fastcgi_temp_path /home/odoo/src/runbot/runbot/static/nginx;
# NOTE(review): directory listing is enabled as the default for the whole http
# context; every file-serving location has to switch it off explicitly.
autoindex on;
gzip on;
gzip_types text/css text/plain application/xml application/json application/javascript;
proxy_temp_path /home/odoo/src/runbot/runbot/static/nginx;
proxy_read_timeout 600;
proxy_connect_timeout 600;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Host $host;
server {
# Default server for port 8080: proxies to the main Odoo on 8069.
# NOTE(review): no address is given, so the port is bound on all interfaces and
# serves plain HTTP; if only the front nginx on this host connects, binding to
# 127.0.0.1 keeps it from being reached directly.
listen 8080 default;
location / { proxy_pass http://127.0.0.1:8069; }
location /longpolling/im/poll { return 404; }
location /longpolling/poll { return 404; }
location /runbot/static/ {
alias /home/odoo/src/runbot/runbot/static/;
autoindex off;
# Listing is re-enabled only for the logs and tests directories of a build.
location ~ /runbot/static/build/[^/]+/(logs|tests)/ {
autoindex on;
}
}
}
server {
# this is for testing master branch
# you can see it in the server_name
# the first part 00058 is the incremental number of the build, so this is the 58'th build
# the second part master-d9d6e8 is the name of the branch, and I think a random number
# the last part runbot.mydomain.com, is the domain.
listen 8080;
server_name ~^00058\-master\-d9d6e8(-[a-z0-9]+)?\.runbot\.mydomain\.com$;
location / { proxy_pass http://127.0.0.1:2000; }
location /longpolling { proxy_pass http://127.0.0.1:2001; }
}
server {
# another build
listen 8080;
server_name ~^00057\-dev\-hr\-operations\-d64c8d(-[a-z0-9]+)?\.runbot\.mydomain\.com$;
location / { proxy_pass http://127.0.0.1:2003; }
location /longpolling { proxy_pass http://127.0.0.1:2004; }
}
server {
# another build
listen 8080;
server_name ~^00056\-dev\-returns\-68ca49(-[a-z0-9]+)?\.runbot\.mydomain\.com$;
location / { proxy_pass http://127.0.0.1:2006; }
location /longpolling { proxy_pass http://127.0.0.1:2007; }
}
server {
# another build
listen 8080;
server_name ~^00055\-dev\-56c2e4(-[a-z0-9]+)?\.runbot\.mydomain\.com$;
location / { proxy_pass http://127.0.0.1:2009; }
location /longpolling { proxy_pass http://127.0.0.1:2010; }
}
server {
# another build
listen 8080;
server_name ~^00054\-master\-06503a(-[a-z0-9]+)?\.runbot\.mydomain\.com$;
location / { proxy_pass http://127.0.0.1:2012; }
location /longpolling { proxy_pass http://127.0.0.1:2013; }
}
server {
# Catch-all: any other sub-domain of runbot.mydomain.com gets a 404.
listen 8080;
server_name ~.+\.runbot\.mydomain\.com$;
location / { return 404; }
}
}
关于第二个配置文件的注释:
第一个服务器块是默认的反向代理到主服务器。除最后一个之外的其他服务器块用于要测试的每个构建。每个构建都在 docker 容器上运行,并公开两个 http 端口(例如:2012 和 2013)。
我的问题是:如何让所有形如 *.runbot.mydomain.com 的域名(例如 build-01.runbot.mydomain.com)的请求被正确“代理”到 8080 端口上的第二个 nginx 服务器,再由它根据子域名代理到正确的端口。第二个 nginx 服务器已经能按子域名正确转发,但我无法让第一个 nginx(以 root 身份运行)代理到第二个。
我最好的尝试是将以下配置添加到主 nginx:
upstream runbot_odoo {
    # the second nginx server is the only member of this upstream
    server 127.0.0.1:8080;
}
......
# First attempt: a wildcard 443 server block meant to forward every build
# sub-domain to the second nginx (upstream runbot_odoo).
server {
# a copy of the 443 server block from the first config file above, with two edits:
# 1. server_name changed to *.runbot.gsk-erp.com, intended to catch all subdomains and proxy them to 8080, which then proxies them to the correct port (2012 for example)
# 2. the location block now proxies to 8080 instead of 8069
# NOTE(review): this server_name is on a different domain from the
# runbot.mydomain.com used everywhere else on the page, presumably a leftover from
# anonymising the config. If the live config had the same mismatch, the block
# would never be selected for *.runbot.mydomain.com requests.
listen 443;
server_name *.runbot.gsk-erp.com;
proxy_read_timeout 720s;
proxy_connect_timeout 720s;
proxy_send_timeout 720s;
# Add Headers for odoo proxy mode
# NOTE(review): Host is not forwarded, so the second nginx receives the upstream
# name "runbot_odoo" as Host and cannot match any build's server_name.
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
# SSL parameters
# NOTE(review): "ssl on;" is deprecated in favour of "listen 443 ssl;". The
# certificate must also be valid for the wildcard name.
ssl on;
ssl_certificate /etc/ssl/nginx/server.crt;
ssl_certificate_key /etc/ssl/nginx/server.key;
ssl_session_timeout 30m;
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996).
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# NOTE(review): the list still admits 3DES, static-RSA and CBC/SHA-1 suites.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# log
access_log /var/log/nginx/instances.odoo.access.log;
error_log /var/log/nginx/instances.odoo.error.log;
# Redirect requests to runbot config file
location / { proxy_pass http://runbot_odoo; }
# common gzip
gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
gzip on;
}
在浏览器中访问 http://00058-master-d9d6e8.runbot.mydomain.com 时,请求由运行在 8069(而不是 8080)上的主服务器处理,这意味着处理请求的仍是第一个 443 服务器块,而不是 server_name 为 *.runbot.mydomain.com 的新服务器块。
另一个尝试:
我把 server_name 为 *.runbot.mydomain.com 的 443 服务器块移到了第一个服务器块之前。现在子域请求由它处理,但浏览器中的 URL 变成了 https://runbot_odoo(它在重定向,而不是在做反向代理)。
解决方案
在这个答案中找到了解决方案。
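将此行添加到 location 块中。默认情况下,proxy_pass 发给后端的 Host 头是上游名称(此处为 runbot_odoo),后端据此生成了重定向地址;显式传递原始 Host 之后,第二个 nginx 才能按子域名匹配 server_name。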
# Sends the host name the client requested as the Host header to the upstream.
# NOTE(review): a location inherits the server-level proxy_set_header directives
# only when it defines none of its own. Adding this line inside a location
# therefore drops the server-level X-Forwarded-* and X-Real-IP headers for that
# location; placing it next to them at server level keeps all of them.
proxy_set_header HOST $host;
完整的 nginx 配置文件:主 nginx(以 root 身份运行)
#odoo server
# Second (unprivileged) nginx instance that routes build sub-domains
upstream odoorunbot {
    server 127.0.0.1:8080;
}

# Odoo backend server
upstream odoo {
    server 127.0.0.1:8069;
}

# Odoo longpolling port
upstream odoochat {
    server 127.0.0.1:8072;
}
# http -> https
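server {
    # Plain-HTTP listener: answers only with a permanent redirect to HTTPS.
    # The wildcard name is listed as well, so build sub-domains requested over
    # http:// are redirected explicitly rather than depending on which server
    # block happens to be the default for port 80.
    listen 80;
    server_name runbot.mydomain.com *.runbot.mydomain.com;

    # $request_uri is the original URI including the query string.
    return 301 https://$host$request_uri;
}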
# runbot build instances
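server {
    # Terminates TLS for every build sub-domain and hands the request to the
    # runbot nginx (upstream odoorunbot), which selects the build by Host name.
    # "listen ... ssl" replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    server_name *.runbot.mydomain.com;

    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;

    # Headers for odoo proxy mode.
    # Host is set here, at server level, next to the X-Forwarded-* headers.
    # A location inherits proxy_set_header from this level only when it defines
    # none of its own, so a lone "proxy_set_header Host" inside "location /"
    # would drop the four headers below for that location and would leave
    # /longpolling without the original Host.
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    # Appends to any X-Forwarded-For the client sent; the backend should trust
    # only the last entry.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;

    # SSL parameters
    # The certificate must be valid for *.runbot.mydomain.com.
    ssl_certificate /etc/ssl/nginx/server.crt;
    ssl_certificate_key /etc/ssl/nginx/server.key;
    ssl_session_timeout 30m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996). Remove TLSv1.3 from this line
    # if the installed nginx/OpenSSL build does not support it.
    ssl_protocols TLSv1.2 TLSv1.3;
    # AEAD suites with forward secrecy only: no 3DES, no static RSA, no CBC/SHA-1.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    # log
    # The path originally ended in ".lo". The "full" format has to be declared
    # with log_format in the http context of this nginx instance.
    access_log /var/log/nginx/instances.odoo.access.log full;
    error_log /var/log/nginx/instances.odoo.error.log;

    # Everything, /longpolling included, goes to the runbot nginx, which splits
    # longpolling traffic per build itself.
    location / {
        proxy_pass http://odoorunbot;
    }

    # common gzip
    gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
    gzip on;
}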
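server {
    # TLS front end for the main runbot host: proxies to the odoo (8069) and
    # odoochat (8072) upstreams.
    # "listen ... ssl" replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    server_name runbot.mydomain.com;

    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;

    # Add Headers for odoo proxy mode
    proxy_set_header X-Forwarded-Host $host;
    # Appends to any X-Forwarded-For the client sent; the backend should trust
    # only the last entry.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;

    # SSL parameters
    ssl_certificate /etc/ssl/nginx/server.crt;
    ssl_certificate_key /etc/ssl/nginx/server.key;
    ssl_session_timeout 30m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996). Remove TLSv1.3 from this line
    # if the installed nginx/OpenSSL build does not support it.
    ssl_protocols TLSv1.2 TLSv1.3;
    # AEAD suites with forward secrecy only: no 3DES, no static RSA, no CBC/SHA-1.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    # log
    access_log /var/log/nginx/odoo.access.log;
    error_log /var/log/nginx/odoo.error.log;

    # Redirect longpoll requests to odoo longpolling port
    location /longpolling {
        proxy_pass http://odoochat;
    }

    # Redirect requests to odoo backend server
    location / {
        proxy_redirect off;
        proxy_pass http://odoo;
    }

    # common gzip
    gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
    gzip on;
}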
另一个 nginx 以普通用户(runbot 用户)运行
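# Configuration of the runbot nginx instance (run as the runbot user). It
# selects a build by the Host name of the request and proxies to its ports.
#
# The pid file, logs and temp directories all live under
# /home/odoo/src/runbot/runbot/static/nginx, inside the tree that
# "location /runbot/static/" serves. That sub-directory is therefore blocked
# explicitly in the default server below.
pid /home/odoo/src/runbot/runbot/static/nginx/nginx.pid;
error_log /home/odoo/src/runbot/runbot/static/nginx/error.log;
worker_processes 1;
events { worker_connections 1024; }

http {
    include /etc/nginx/mime.types;
    server_names_hash_max_size 512;
    server_names_hash_bucket_size 256;
    client_max_body_size 10M;
    index index.html;

    log_format full '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" $request_time';
    access_log /home/odoo/src/runbot/runbot/static/nginx/access.log full;
    error_log /home/odoo/src/runbot/runbot/static/nginx/error.log;

    client_body_temp_path /home/odoo/src/runbot/runbot/static/nginx;
    fastcgi_temp_path /home/odoo/src/runbot/runbot/static/nginx;
    proxy_temp_path /home/odoo/src/runbot/runbot/static/nginx;

    # Directory listing is off by default and enabled only where it is wanted
    # (the logs and tests directories of a build, below).
    autoindex off;

    gzip on;
    gzip_types text/css text/plain application/xml application/json application/javascript;

    proxy_read_timeout 600;
    proxy_connect_timeout 600;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header Host $host;

    # NOTE(review): the listen directives below give no address, so the ports
    # are bound on all interfaces and serve plain HTTP. If only the front nginx
    # on this host connects, "listen 127.0.0.1:8080;" keeps them from being
    # reached directly. Confirm that nothing else needs these ports first.
    server {
        listen 8081 default;

        location / { proxy_pass http://127.0.0.1:8069; }
        location /longpolling/im/poll { return 404; }
        location /longpolling/poll { return 404; }

        # nginx's own pid file, access/error logs and buffered request bodies
        # are stored here; never serve them.
        location ^~ /runbot/static/nginx/ { return 404; }

        location /runbot/static/ {
            alias /home/odoo/src/runbot/runbot/static/;
            autoindex off;
            location ~ /runbot/static/build/[^/]+/(logs|tests)/ {
                autoindex on;
            }
        }
    }

    server {
        # One block per build: <build number>-<branch>-<id>.runbot.mydomain.com
        listen 8080;
        server_name ~^00066\-master\-d9d6e8(-[a-z0-9]+)?\.runbot\.mydomain\.com$;
        location / { proxy_redirect off; proxy_pass http://127.0.0.1:2000; }
        location /longpolling { proxy_pass http://127.0.0.1:2001; }
    }

    server {
        # Catch-all: any other sub-domain of runbot.mydomain.com gets a 404.
        listen 8080;
        server_name ~.+\.runbot\.mydomain\.com$;
        location / { return 404; }
    }
}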
在另一个文件中,我只把第一个服务器块改为监听 8081 而不是 8080,因为我当时认为它会导致问题,但可能并非如此。所以我建议保持 runbot 的 nginx 文件不变。