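A while ago I ran a vulnerability scan against Odoo with AppScan and found that an Odoo service running without SSL is a major security risk, so SSL had to be configured to eliminate it. In the end I chose to terminate SSL with nginx.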
1: Install nginx
Ubuntu:
apt-get install nginx
Linux (yum-based):
yum install nginx
2: nginx.conf configuration
Once nginx is installed, use the following configuration:
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    upstream oeserver {
        server 127.0.0.1:8069;
    }
    server {
        # "ssl" on the listen directive replaces the deprecated "ssl on;"
        listen 443 ssl default_server;
        server_name _;
        access_log /var/log/nginx/odoo.access.log;
        error_log /var/log/nginx/odoo.error.log;
        ssl_certificate cert/cdn.openerp.hk-ca-bundle.crt; # the certificate and key generated earlier
        ssl_certificate_key cert/cdn.openerp.hk.key;
        ssl_ciphers HIGH:!ADH:!MD5;
        # SSLv3 and TLSv1 are deprecated and get flagged by scanners; allow only TLS 1.2 and 1.3
        # (TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+)
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        # Browsers only honour HSTS when it arrives over HTTPS, so it is set here
        add_header Strict-Transport-Security "max-age=2592000";
        location / {
            proxy_pass http://127.0.0.1:8069;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            proxy_buffer_size 128k;
            proxy_buffers 16 64k;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Proto https;
        }
        location ~* /web/static/ {
            proxy_cache_valid 200 60m;
            proxy_buffering on;
            expires 864000;
            proxy_pass http://127.0.0.1:8069;
        }
    }
    server {
        listen 80;
        server_name _;
        # Permanently redirect all plain-HTTP requests to HTTPS
        return 301 https://$host$request_uri;
    }
}
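Note: make sure the SSL certificate and key paths point to the right location and that the files have the correct permissions.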
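The path and permission check mentioned above can be scripted. The following is an added example, not part of the original post: it reads an nginx.conf, reports deprecated `ssl_protocols` values, and reports any `ssl_certificate_key` file that is missing or accessible to group/other. The function name `audit_nginx_tls`, the finding labels, and the rule that relative key paths resolve against the directory holding the conf file are assumptions of this example.

```shell
# Added example: audit an nginx.conf for deprecated TLS protocols and for
# private keys that are missing or accessible to group/other.
# Assumption: relative key paths resolve against the directory holding the conf.
# Prints one line per finding and returns the number of findings (0 = clean).
audit_nginx_tls() {
    conf=$1
    confdir=$(dirname "$conf")
    findings=0
    # Keep active directives only: drop comments and the trailing ';'.
    directives=$(sed -e 's/#.*//' -e 's/;[[:space:]]*$//' "$conf")

    for proto in $(printf '%s\n' "$directives" |
            awk '$1 == "ssl_protocols" { for (i = 2; i <= NF; i++) print $i }'); do
        case $proto in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "WEAK_PROTOCOL $proto"
                findings=$((findings + 1)) ;;
        esac
    done

    for key in $(printf '%s\n' "$directives" |
            awk '$1 == "ssl_certificate_key" { print $2 }'); do
        case $key in
            /*) path=$key ;;
            *)  path=$confdir/$key ;;
        esac
        if [ ! -f "$path" ]; then
            echo "KEY_MISSING $path"
            findings=$((findings + 1))
            continue
        fi
        mode=$(ls -ld "$path" | cut -c1-10)    # e.g. -rw-------
        case $mode in
            ????------) ;;                     # no group/other permission bits
            *)  echo "KEY_PERMS $path mode=$mode"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Constructed demo input (not the page's real files).
demo=$(mktemp -d) && mkdir "$demo/cert"
: > "$demo/cert/demo.key" && chmod 644 "$demo/cert/demo.key"
printf 'ssl_certificate_key cert/demo.key;\nssl_protocols SSLv3 TLSv1;\n' > "$demo/nginx.conf"
audit_nginx_tls "$demo/nginx.conf" || echo "findings: $?"
rm -rf "$demo"
```

Run it against the real file with `audit_nginx_tls /path/to/nginx.conf` before reloading nginx; a non-zero return value means at least one finding was printed.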