
How to use SSL encryption



  • It often runs on the public internet, so SSL is a must.
    If you don't have a certificate, go get one from StartSSL.com.

    OpenERP 6.1 doesn't seem to have considered this, so here is a patch.
    Open wsgi/core.py
    The serve method:

        try:
            import werkzeug.serving
            if config['proxy_mode']:
                from werkzeug.contrib.fixers import ProxyFix
                app = ProxyFix(application)
                suffix = ' (in proxy mode)'
            else:
                app = application
                suffix = ''
            # Serve over SSL only when both the private key and the certificate are configured.
            if config.has_ssl and config['secure_pkey_file'] and config['secure_cert_file']:
                from OpenSSL import SSL
                ctx = SSL.Context(SSL.SSLv23_METHOD)
                ctx.use_privatekey_file(config['secure_pkey_file'])
                ctx.use_certificate_file(config['secure_cert_file'])
                httpd = werkzeug.serving.make_server(interface, port, app, threaded=True, ssl_context=ctx)
            else:
                # No key/certificate configured: plain HTTP, as before the patch.
                httpd = werkzeug.serving.make_server(interface, port, app, threaded=True)

            _logger.info('HTTP service (werkzeug) running on %s:%s%s', interface, port, suffix)
        except ImportError:
            # The wsgiref fallback has no SSL and no proxy-mode support.
            import wsgiref.simple_server
            _logger.warning('Werkzeug module unavailable, falling back to wsgiref.')
            if config['proxy_mode']:
                _logger.warning('Werkzeug module unavailable, not using proxy mode.')
            httpd = wsgiref.simple_server.make_server(interface, port, application)
            _logger.info('HTTP service (wsgiref) running on %s:%s', interface, port)

    (Requires OpenSSL support)

    When starting the service, don't forget to add the two parameters --cert-file and --pkey-file.

    Over.
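
An added example, not part of the original post or of OpenERP's own code: the patched `serve` above starts a plain-HTTP server whenever the key or certificate option is empty. The hypothetical helper `build_ssl_context` below fails closed instead, also rejects a group/world-accessible private key, and sets a TLS 1.2 floor. It assumes Python 3's standard `ssl` module rather than the pyOpenSSL calls in the post; its `cert_file`/`pkey_file` arguments stand in for `secure_cert_file`/`secure_pkey_file`.

```python
import os
import ssl
import stat


class TLSConfigError(Exception):
    """TLS was requested but cannot be set up safely."""


def build_ssl_context(cert_file, pkey_file, require_tls=True):
    """Return an ssl.SSLContext usable as werkzeug's ssl_context=, or None.

    Hypothetical helper (not OpenERP code). None is returned only when TLS
    was explicitly made optional and neither file is configured.
    """
    if not cert_file and not pkey_file:
        if require_tls:
            raise TLSConfigError("TLS required but no certificate/key configured")
        return None  # explicit opt-out, e.g. behind a TLS-terminating proxy
    if not (cert_file and pkey_file):
        raise TLSConfigError("certificate and private key must both be set")
    for path in (cert_file, pkey_file):
        if not os.path.isfile(path):
            raise TLSConfigError("not a regular file: %s" % path)

    # The private key should be readable by the service account only.
    mode = stat.S_IMODE(os.stat(pkey_file).st_mode)
    if mode & 0o077:
        raise TLSConfigError(
            "private key %s has mode %o, expected 600 or stricter" % (pkey_file, mode))

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / 1.1
    try:
        # Also fails if the key does not match the certificate.
        ctx.load_cert_chain(certfile=cert_file, keyfile=pkey_file)
    except (ssl.SSLError, OSError) as exc:
        raise TLSConfigError("cannot load certificate/key: %s" % exc)
    return ctx
```

Calling this before `make_server` turns a missing or mistyped `--cert-file`/`--pkey-file` into a startup error instead of an unencrypted listener.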



  • Impressive!



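  • Thanks to the original poster for the contribution~

    One addition: StartSSL.com provides single-domain SSL certificates valid for one year. Here is a way to make an SSL certificate yourself:

    $ openssl genrsa 1024 > server.key    # generate the key
    $ openssl req -new -key server.key > server.csr    # generate the CSR
    $ openssl req -x509 -days 3650 -key server.key -in server.csr > server.crt    # generate the CRT certificate, valid for 10 years

    A self-generated certificate is not signed by any of the major authorities, so once it is deployed the browser will warn that the certificate is invalid; you can simply ignore that. Of course, the security is not reduced: it is still SSL 1024-bit encryption.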



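  • StartSSL certificates can be renewed. However, revoking one costs money...


    [quote author=wangbuke link=topic=4335.msg11875#msg11875 date=1346395837]
    Thanks to the original poster for the contribution~

    One addition: StartSSL.com provides single-domain SSL certificates valid for one year. Here is a way to make an SSL certificate yourself:

    $ openssl genrsa 1024 > server.key    # generate the key
    $ openssl req -new -key server.key > server.csr    # generate the CSR
    $ openssl req -x509 -days 3650 -key server.key -in server.csr > server.crt    # generate the CRT certificate, valid for 10 years

    A self-generated certificate is not signed by any of the major authorities, so once it is deployed the browser will warn that the certificate is invalid; you can simply ignore that. Of course, the security is not reduced: it is still SSL 1024-bit encryption.
    [/quote]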

