@ryanc-me
Created August 26, 2025 01:55
# main Odoo HTTP backend, reached over loopback only
upstream odoo {
    server 127.0.0.1:8069;
}
# backend for /longpolling and /websocket
upstream odoo-longpolling {
    # pick exactly one of the two servers below:
    #   8072 - use when Odoo runs with workers > 0
    #   8069 - use when Odoo runs with workers = 0
    server 127.0.0.1:8072;
    #server 127.0.0.1:8069;
}
# local metrics exporter on loopback
# NOTE(review): no location in the config shown here proxies to this upstream;
# if one is added, restrict who can reach it (metrics are not meant to be public).
upstream node-exporter-local {
    server 127.0.0.1:9100;
}
# local PostgreSQL metrics exporter on loopback
# NOTE(review): no location in the config shown here proxies to this upstream;
# if one is added, restrict who can reach it (metrics are not meant to be public).
upstream postgres-exporter-local {
    server 127.0.0.1:9187;
}
# DB filter for Odoo, computed from the request's X-Odoo-Dbfilter header.
# Consultants can send that header to 'override' the filter and reach other
# databases. This only works with the dbfilter_from_header module, and only
# where a proxy_set_header forwards $odoo_dbfilter to the upstream.
#
# NOTE(review): the header is sent by the client, and the default branch passes
# it through unchanged - any client that can reach this server can supply its
# own filter. If the filter is meant to separate databases, gate the override
# (e.g. on a verified client certificate) rather than trusting the header.
map $http_x_odoo_dbfilter $odoo_dbfilter {
    # header present: forward it as-is (leave this entry alone)
    default $http_x_odoo_dbfilter;

    # header absent: enable exactly ONE of the two "" entries below
    # (currently active) allow any database
    "" "^.*\Z";
    # allow only the "THE_CLIENT_NAME" DB
    # "" "^THE_CLIENT_NAME\Z";
}
# Connection header value for the /websocket endpoint:
# "upgrade" when the client sent an Upgrade header, "close" when it did not
map $http_upgrade $connection_upgrade {
    ""      close;
    default upgrade;
}
# CSP value for directly-served static files (used by the /static/ location):
# responses whose Content-Type matches image/ get "default-src 'none'",
# every other response gets an empty value
map $sent_http_content_type $content_type_csp {
    ~image/ "default-src 'none'";
    default "";
}
# plain-HTTP virtual host: answers ACME challenges, redirects everything else
server {
    listen 80;
    server_name localhost CLIENT_DOMAIN_URL;

    # Let's Encrypt HTTP-01 challenge files are served from disk over http
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # anything else goes to https on the same host and URI
    # NOTE(review): $host follows the request's Host header when one is sent;
    # confirm this server is not also the default for unrelated hostnames.
    location / {
        return 307 https://$host$request_uri;
    }
}
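# HTTPS virtual host: terminates TLS and proxies to the Odoo upstreams
server {
    listen 443 ssl;
    server_name localhost;
    server_name CLIENT_DOMAIN_URL;

    # redirect http -> https (instead of showing "http request sent to https port")
    # NOTE(review): 301 is listed next to 497, so a 301 produced by nginx itself in
    # this server would also be turned into this 307 - confirm that is intended.
    error_page 497 301 =307 https://$host:$server_port$request_uri;

    # increase maximum accepted body size
    client_max_body_size 200m;

    # increase proxy buffer to handle large Odoo web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    # general proxy config
    proxy_connect_timeout 60s;
    proxy_send_timeout 120s;
    proxy_read_timeout 120s;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    # proxy headers
    # nginx inherits proxy_set_header from this level ONLY in locations that
    # declare no proxy_set_header of their own, so these two lines are repeated
    # in every location below that sets other headers.
    # X-Odoo-Dbfilter carries the mapped $odoo_dbfilter (not the raw request
    # header), so the fallback configured in the map actually applies.
    # NOTE(review): the map's default branch still forwards a client-supplied
    # X-Odoo-Dbfilter unchanged. If only consultants should be able to override
    # the filter, gate it, e.g. on $ssl_client_verify - confirm intended policy.
    proxy_set_header Host $http_host;
    proxy_set_header X-Odoo-Dbfilter $odoo_dbfilter;

    # default settings
    proxy_redirect off;
    proxy_buffering off;

    # enable ssl
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    # 3DES suites removed and excluded with !3DES (the earlier !DES does not
    # cover them). The list still admits CBC/SHA-1 and static-RSA key exchange
    # suites; trim further if no legacy TLS 1.2 clients need them.
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ecdh_curve secp384r1;

    # key/cert locations
    # the active pair is the self-signed "snakeoil" placeholder; switch to the
    # letsencrypt pair below once a certificate has been issued
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    #ssl_certificate /etc/letsencrypt/live/ENABLING_LETSENCRYPT/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/ENABLING_LETSENCRYPT/privkey.pem;

    # log file locations
    # (the json_analytics log format is not defined in this file)
    access_log /var/log/nginx/odoo-access.json json_analytics;
    error_log /var/log/nginx/odoo-error.log;

    # enable gzip
    gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
    gzip on;

    # enable brotli
    brotli on;
    brotli_comp_level 6;
    brotli_static on;
    brotli_types application/atom+xml application/javascript application/json application/vnd.api+json application/rss+xml
                 application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
                 application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
                 font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
                 image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;

    # enable http2
    http2 on;

    # allow client cert verification
    # "optional" requests a client certificate but still serves requests that
    # present none. Nothing in this server block reads $ssl_client_verify, so the
    # verification result is not enforced here.
    ssl_client_certificate /etc/step/certs/enabling-ca.crt;
    ssl_verify_client optional;
    ssl_verify_depth 2;

    # fallback for static files that are not found on disk
    location @odoo {
        proxy_pass http://odoo;
        proxy_set_header Host $http_host;
        proxy_set_header X-Odoo-Dbfilter $odoo_dbfilter;
        # forwarded-* headers are set from the connection itself, replacing
        # whatever the client sent under the same names
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_cookie_flags session_id samesite=lax secure;
    }

    # serve xx/static/xx files directly
    location ~ ^/[^/]+/static/.+$ {
        root /mnt/odoo-addons;
        # first addon directory that has the file wins; otherwise ask Odoo
        try_files /odoo$uri /odoo-enterprise$uri /odoo-design-themes$uri /custom$uri /enabling$uri /submodules$uri /third-party$uri @odoo;
        expires 24h;
        add_header Content-Security-Policy $content_type_csp;
    }

    # serve filestore files directly
    # "internal" means clients cannot request this path themselves
    location /web/filestore {
        internal;
        alias /mnt/odoo-data/filestore;
    }

    # proxy requests to the appropriate upstream
    # (no proxy_set_header here, so the server-level headers are inherited)
    location /longpolling {
        proxy_pass http://odoo-longpolling;
    }

    location /websocket {
        proxy_pass http://odoo-longpolling;
        proxy_set_header Host $http_host;
        proxy_set_header X-Odoo-Dbfilter $odoo_dbfilter;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_cookie_flags session_id samesite=lax secure;
    }

    location / {
        proxy_pass http://odoo;
        proxy_set_header Host $http_host;
        proxy_set_header X-Odoo-Dbfilter $odoo_dbfilter;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_cookie_flags session_id samesite=lax secure;
    }
}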