Commit ee0b095433229183bc45e78be51a315571bed3e3

Authored by Олександр Басенко
0 parents
Exists in master

init

Showing 12 changed files with 380 additions and 0 deletions Side-by-side Diff

... ... @@ -0,0 +1 @@
  1 +sudo ./install.sh
0 2 \ No newline at end of file
... ... @@ -0,0 +1,51 @@
  1 + version: '2'
  2 + services:
  3 + postgres:
  4 + image: 2bas/postgres
  5 + container_name: db
  6 + restart: always
  7 + volumes:
  8 + - postgres_pgdata_foss:/var/lib/postgresql/data
  9 + environment:
  10 + - POSTGRES_USER=webportal
  11 + - POSTGRES_PASSWORD=XrUXlw1YlASdJgID
  12 +
  13 + odoo:
  14 + build: ./odoo
  15 + image: odoo/webportal
  16 + container_name: odoo
  17 + restart: always
  18 + links:
  19 + - postgres:db
  20 + depends_on:
  21 + - postgres
  22 + volumes:
  23 + - odoo_repo_foss:/opt/odoo
  24 + - odoo_lib_foss:/var/lib/odoo
  25 + - odoo_etc_foss:/etc/odoo
  26 + - odoo_backup_foss:/backup
  27 +
  28 + nginx:
  29 + build: ./nginx
  30 + image: nginx/webportal
  31 + container_name: nginx
  32 + restart: always
  33 + links:
  34 + - odoo:odoo
  35 + ports:
  36 + - "80:80"
  37 + - "443:443"
  38 + depends_on:
  39 + - odoo
  40 +
  41 + volumes:
  42 + odoo_repo_foss:
  43 + external: true
  44 + odoo_lib_foss:
  45 + external: true
  46 + odoo_etc_foss:
  47 + external: true
  48 + odoo_backup_foss:
  49 + external: true
  50 + postgres_pgdata_foss:
  51 + external: true
0 52 \ No newline at end of file
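Review bot: `POSTGRES_PASSWORD=XrUXlw1YlASdJgID` on new line 11 commits the database password in clear text. The same literal is repeated in the template hunk at the end of this commit and as `db_password` in odoo/openerp-server.conf, which also hard-codes `admin_passwd`. Anyone with read access to the repository or its history gets these credentials, and removing the lines later does not take them back, so treat the values as exposed and rotate them. Reference a variable instead, e.g. `- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}`, supplied from an untracked env file or a secret store. This file also looks like the one install.sh regenerates with `envsubst`, in which case it is a build artifact that probably should not be tracked.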
... ... @@ -0,0 +1,65 @@
  1 +#!/bin/bash
  2 +
  3 +export COMPANY="foss"
  4 +
  5 +function write_data()
  6 +{
  7 + if [ -f data/"$1".tar.gz ]; then
  8 + docker run -it --rm -v "$1":/webportal -v $(pwd)/data:/backup busybox tar zxvf /backup/"$1".tar.gz -C / webportal
  9 + fi
  10 +}
  11 +
  12 +function create_volume()
  13 +{
  14 + IS_EXIST_VOLUME="$(docker volume ls -q -f name="^${1}$")"
  15 +
  16 + if [ -z "${IS_EXIST_VOLUME}" ];then
  17 + echo "create volume: ${1}"
  18 + docker volume create --name "$1"
  19 + write_data "$1"
  20 + else
  21 + while true; do
  22 + read -p "Volume ${1} already exist. Overwrite (no\yes)?" ny
  23 + case $ny in
  24 + [Yy]* ) docker volume rm "$1";
  25 + docker volume create --name "$1";
  26 + write_data "$1"
  27 + break;;
  28 + [Nn]* ) break;;
  29 + * ) echo "Please answer yes or no.";;
  30 + esac
  31 + done
  32 + fi
  33 +}
  34 +
  35 +export ODOO_REPO="odoo_repo_"$COMPANY""
  36 +export ODOO_LIB="odoo_lib_"$COMPANY""
  37 +export ODOO_ETC="odoo_etc_"$COMPANY""
  38 +export ODOO_BACKUP="odoo_backup_"$COMPANY""
  39 +export POSTGRES_PGDATA="postgres_pgdata_"$COMPANY""
  40 +
  41 +create_volume $ODOO_REPO
  42 +
  43 +REPO_IMAGE_NAME="repo/webportal"
  44 +IS_EXIST_REPO="$(docker images | grep ^\\b${REPO_IMAGE_NAME})"
  45 +if [ -z "${IS_EXIST_REPO}" ];then
  46 + echo "Build ${REPO_IMAGE_NAME}:"
  47 + docker build -t ${REPO_IMAGE_NAME} -f repo/Dockerfile ./repo/.
  48 +else
  49 + echo "${REPO_IMAGE_NAME} already exist"
  50 +fi
  51 +docker run -it --rm -v "$ODOO_REPO":/webportal -w /webportal "$REPO_IMAGE_NAME" /bin/bash "-c" "git pull; exit;"
  52 +
  53 +create_volume $ODOO_LIB
  54 +create_volume $ODOO_ETC
  55 +create_volume $ODOO_BACKUP
  56 +create_volume $POSTGRES_PGDATA
  57 +
  58 +rm -rf docker-compose.yml;
  59 +envsubst < "template.yml" > "docker-compose.yml";
  60 +
  61 +docker-compose up -d --build
  62 +docker-compose logs -f
  63 +
  64 +
  65 +
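Review bot: The script has no error handling, so a failed `docker volume rm`, `docker build` or `git pull` (new lines 24, 47, 51) is ignored and the run still ends in `docker-compose up -d --build`. The first file in this commit invokes it under sudo, so a half-completed install carries on as root. Add `set -euo pipefail` after the shebang, and replace line 44 with `IS_EXIST_REPO="$(docker images -q "${REPO_IMAGE_NAME}")"` so that a missing image does not abort the run and the fragile `grep ^\\b` pattern goes away. In the `[Yy]*` branch, if `docker volume rm` fails (for example because the volume is in use), `write_data` still unpacks the archive into the existing volume; stop there instead. Quote `$(pwd)` on line 8 and the arguments of the `create_volume $ODOO_REPO` style calls as well.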
... ... @@ -0,0 +1,5 @@
  1 +
  2 +FROM nginx:1.11
  3 +
  4 +COPY conf.d /etc/nginx/conf.d
  5 +
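Review bot: `COPY conf.d /etc/nginx/conf.d` copies the whole directory into the image, and nginx/conf.d/default.conf loads its private key from `/etc/nginx/conf.d/ssl/key.key`, so the TLS key presumably sits in the build context and ends up in an image layer. Anyone able to pull `nginx/webportal` could then read the key out of the image, and if the key is among the changed files not shown here it is in the repository history too. Exclude `ssl/` from the build context with a `.dockerignore` entry and mount the certificate and key read-only at run time through a `volumes:` entry on the nginx service. `nginx:1.11` is also an old mainline series; confirm whether a currently supported tag can be used.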
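--- a/nginx/conf.d/default.conf
+++ b/nginx/conf.d/default.conf
@@ -0,0 +1,149 @@
+
+
+#user nobody;
+#worker_processes 1;
+
+#error_log /var/log/nginx/error.log warn;
+#pid /var/run/nginx.pid;
+
+#events {
+# worker_connections 1024;
+#}
+
+#http {
+ # redirect all http traffic to https
+ server {
+ listen 80;
+ server_name webportal.com www.webportal.com;
+ client_max_body_size 100m;
+ return 301 https://$host$request_uri;
+ }
+
+ upstream odoo8 {
+ server odoo:8069;
+ }
+
+ upstream odoo8-im {
+ server odoo:8072;
+ }
+
+ # don't send the nginx version number in error pages and Server header
+ server_tokens off;
+
+ # config to don't allow the browser to render the page inside an frame or iframe
+ # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
+ # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
+ # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
+ add_header X-Frame-Options SAMEORIGIN;
+
+ # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
+ # to disable content-type sniffing on some browsers.
+ # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+ # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
+ # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
+ # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
+ add_header X-Content-Type-Options nosniff;
+
+ # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
+ # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
+ # this particular website if it was disabled by the user.
+ # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+ add_header X-XSS-Protection "1; mode=block";
+
+ # with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
+ # you can tell the browser that it can only download content from the domains you explicitly allow
+ # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
+ # https://www.owasp.org/index.php/Content_Security_Policy
+ # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
+ # directives for css and js(if you have inline css or js, you will need to keep it too).
+ # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
+
+ server {
+ listen 443 ssl;
+ server_name webportal.com www.webportal.com;
+
+ client_max_body_size 100m;
+
+ ssl_certificate /etc/nginx/conf.d/ssl/crt.crt;
+ ssl_certificate_key /etc/nginx/conf.d/ssl/key.key;
+
+ # enable session resumption to improve https performance
+ # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 5m;
+
+ # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ # enables server-side protection from BEAST attacks
+ # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
+ ssl_prefer_server_ciphers on;
+
+ # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+ # ciphers chosen for forward secrecy and compatibility
+ # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
+ ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+ # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
+ # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
+ resolver 8.8.8.8;
+ ssl_stapling on;
+ #ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt;
+
+ # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+ # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+
+ # ... the rest of your configuration
+ #access_log /var/log/nginx/odoo.access.log;
+ #error_log /var/log/nginx/odoo.error.log;
+
+ location / {
+ proxy_read_timeout 300000;
+ proxy_pass http://odoo8;
+
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+ proxy_redirect off;
+
+ # set headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+
+ location /longpolling {
+ proxy_read_timeout 300000;
+ proxy_pass http://odoo8-im;
+
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+ proxy_redirect off;
+
+ # set headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+
+ # cache some static data in memory for 60mins.
+ # under heavy load this should relieve stress on the OpenERP web interface a bit.
+ location /web/static/ {
+ proxy_cache_valid 200 60m;
+ proxy_buffering on;
+ expires 864000;
+ proxy_pass http://odoo8;
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+ proxy_redirect off;
+
+ # set headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+ }
+#}
\ No newline at end of file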
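Review bot: The four `add_header` directives on new lines 37–60 (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Content-Security-Policy) will not be sent on HTTPS responses. nginx inherits `add_header` from the enclosing level only when the current level defines none, and the 443 server block defines its own on line 98 (`Strict-Transport-Security`). Move or repeat those four directives inside the `server { listen 443 ssl; … }` block next to the HSTS header, and confirm with a header dump of a live response. Separately, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` on line 84 still offers the deprecated TLS 1.0 and 1.1, and the cipher string keeps the `DES-CBC3-SHA` suites. `ssl_protocols TLSv1.2;` with the 3DES entries removed is the safer baseline.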
... ... @@ -0,0 +1,5 @@
  1 +FROM 2bas/odoo
  2 +
  3 +COPY ./openerp-server.conf /etc/odoo/openerp-server.conf
  4 +
  5 +ENTRYPOINT ["/opt/odoo/odoo.py", "--without-demo=True"]
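Review bot: `FROM 2bas/odoo` carries no tag or digest, so every build takes whatever `latest` currently resolves to in that registry namespace; the compose files do the same with `image: 2bas/postgres`. A changed or compromised upstream image would reach the deployment on the next `docker-compose up -d --build` without any diff in this repository. Pin both, e.g. `FROM 2bas/odoo:<tag>@sha256:<digest>`. The `COPY ./openerp-server.conf` line also bakes that file's credentials into the image, and the volume mounted at `/etc/odoo` by the compose file may shadow it at run time, so confirm which copy Odoo actually reads.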
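--- a/odoo/openerp-server.conf
+++ b/odoo/openerp-server.conf
@@ -0,0 +1,53 @@
+[options]
+addons_path = /opt/odoo/openerp/addons,/opt/odoo/addons,/mnt/extra-addons
+data_dir = /var/lib/odoo
+auto_reload = False
+admin_passwd = ysLiGMPkey64bef0uPElsM8Xix77GpgB
+csv_internal_sep = ,
+db_host = db
+db_maxconn = 64
+db_name = webportal
+db_template = template1
+db_user = webportal
+db_password = XrUXlw1YlASdJgID
+;dbfilter = *
+debug_mode = False
+demo = {}
+email_from = False
+import_partial =
+limit_memory_hard = 2684354560
+limit_memory_soft = 2147483648
+limit_request = 8192
+limit_time_cpu = 60
+limit_time_real = 120
+list_db = True
+log_db = False
+log_db_level = warning
+log_handler = :DEBUG
+log_level = info
+logfile = /var/log/odoo/odoo.log
+logrotate = False
+longpolling_port = 8072
+max_cron_threads = 2
+osv_memory_age_limit = 1.0
+osv_memory_count_limit = False
+pidfile = False
+proxy_mode = False
+reportgz = False
+;
+;secure_cert_file = server.cert
+;secure_pkey_file = server.pkey
+;
+;server_wide_modules = None
+; smtp_password = False
+; smtp_port = 25
+; smtp_server = localhost
+; smtp_ssl = False
+; smtp_user = False
+; workers = 0
+;xmlrpc = True
+; xmlrpc_interface =
+;xmlrpc_port = 8069
+;xmlrpcs = True
+; xmlrpcs_interface =
+;xmlrpcs_port = 8071
\ No newline at end of file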
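Review bot: `list_db = True` on new line 23, with `dbfilter` commented out on line 13, leaves the database listing and database manager reachable through the nginx `location /` proxy. The only protection is the `admin_passwd` committed on line 5. Unless the manager is needed in production, set `list_db = False` and a `dbfilter` that matches `db_name`, e.g. `dbfilter = ^webportal$`. `proxy_mode = False` on line 35 also means Odoo ignores the `X-Forwarded-*` headers that nginx sets, so logs and any address-based checks see the proxy's address; `proxy_mode = True` is the usual setting behind a reverse proxy. `log_handler = :DEBUG` on line 26 looks like a development value and is worth confirming.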
... ... @@ -0,0 +1,51 @@
  1 + version: '2'
  2 + services:
  3 + postgres:
  4 + image: 2bas/postgres
  5 + container_name: db
  6 + restart: always
  7 + volumes:
  8 + - ${POSTGRES_PGDATA}:/var/lib/postgresql/data
  9 + environment:
  10 + - POSTGRES_USER=webportal
  11 + - POSTGRES_PASSWORD=XrUXlw1YlASdJgID
  12 +
  13 + odoo:
  14 + build: ./odoo
  15 + image: odoo/webportal
  16 + container_name: odoo
  17 + restart: always
  18 + links:
  19 + - postgres:db
  20 + depends_on:
  21 + - postgres
  22 + volumes:
  23 + - ${ODOO_REPO}:/opt/odoo
  24 + - ${ODOO_LIB}:/var/lib/odoo
  25 + - ${ODOO_ETC}:/etc/odoo
  26 + - ${ODOO_BACKUP}:/backup
  27 +
  28 + nginx:
  29 + build: ./nginx
  30 + image: nginx/webportal
  31 + container_name: nginx
  32 + restart: always
  33 + links:
  34 + - odoo:odoo
  35 + ports:
  36 + - "80:80"
  37 + - "443:443"
  38 + depends_on:
  39 + - odoo
  40 +
  41 + volumes:
  42 + ${ODOO_REPO}:
  43 + external: true
  44 + ${ODOO_LIB}:
  45 + external: true
  46 + ${ODOO_ETC}:
  47 + external: true
  48 + ${ODOO_BACKUP}:
  49 + external: true
  50 + ${POSTGRES_PGDATA}:
  51 + external: true
0 52 \ No newline at end of file