ProHoster > Блог > Gudanarwa > Shigar da WordPress ta atomatik tare da NGINX Unit da Ubuntu

Shigar da WordPress ta atomatik tare da NGINX Unit da Ubuntu

Shigar da WordPress ta atomatik tare da NGINX Unit da Ubuntu

Akwai darussa da yawa kan yadda ake shigar da WordPress, binciken Google na "WordPress install" zai sami sakamako kusan rabin miliyan. Koyaya, a zahiri, akwai jagorori masu kyau kaɗan a cikinsu, bisa ga abin da zaku iya shigar da saita WordPress da tsarin aiki na asali don su sami damar tallafawa na dogon lokaci. Wataƙila saitunan daidaitattun sun dogara sosai akan takamaiman buƙatu, ko kuma wannan ya faru ne saboda gaskiyar cewa cikakken bayani yana sa labarin ya yi wuyar karantawa.

A cikin wannan labarin, za mu yi ƙoƙari mu haɗa mafi kyawun duniyoyin biyu ta hanyar samar da rubutun bash don shigar da WordPress ta atomatik akan Ubuntu, da kuma tafiya ta ciki, tare da bayanin abin da kowane yanki yake yi, da kuma sasantawa da muka yi wajen haɓaka shi. . Idan kai mai amfani ne mai ci gaba, zaku iya tsallake rubutun labarin kuma kawai ɗauki rubutun don gyarawa da amfani a cikin mahallin ku. Fitowar rubutun shine shigarwar WordPress na al'ada tare da tallafin Lets Encrypt, yana gudana akan Unit NGINX kuma ya dace da amfani da samarwa.

An bayyana tsarin gine-ginen da aka haɓaka don tura WordPress ta amfani da sashin NGINX a ciki tsohon labarin, yanzu kuma za mu ƙara daidaita abubuwan da ba a rufe su a can ba (kamar yadda a cikin sauran darussan da yawa):

  • WordPress CLI
  • Bari Mu Rufewa da Takaddun shaida na TLSSSL
  • Sabunta takaddun shaida ta atomatik
  • NGINX caching
  • NGINX matsawa
  • HTTPS da HTTP/2 goyon baya
  • Aiki aiki da kai

Labarin zai bayyana shigarwa akan uwar garken guda ɗaya, wanda zai dauki nauyin sabar sarrafawa a lokaci guda, uwar garken sarrafa PHP, da kuma bayanan bayanai. Shigarwa wanda ke goyan bayan runduna da ayyuka da yawa shine babban jigo na gaba. Idan kuna son mu rubuta game da wani abu da ba a cikin waɗannan labaran ba, rubuta a cikin sharhi.

bukatun

  • uwar garken kwantena (LXC ko LXD), na'ura mai mahimmanci, ko uwar garken ƙarfe na yau da kullun tare da aƙalla 512MB na RAM da Ubuntu 18.04 ko sabo.
  • Tashar jiragen ruwa masu samun damar Intanet 80 da 443
  • Sunan yanki mai alaƙa da adireshin IP na jama'a na wannan uwar garken
  • Tushen shiga (sudo).

Bayanin gine-gine

Gine-gine iri ɗaya ne kamar yadda aka kwatanta a baya, aikace-aikacen gidan yanar gizo mai hawa uku. Ya ƙunshi rubutun PHP waɗanda ke gudana akan injin PHP da kuma fayilolin da suke aiki da sabar gidan yanar gizo.

Shigar da WordPress ta atomatik tare da NGINX Unit da Ubuntu

Janar ka'idodi

  • Yawancin umarnin daidaitawa a cikin rubutun an nannade su idan yanayi don idempotency: ana iya gudanar da rubutun sau da yawa ba tare da haɗarin canza saitunan da aka riga aka yi ba.
  • Rubutun yana ƙoƙarin shigar da software daga wuraren ajiya, don haka zaku iya amfani da sabunta tsarin a cikin umarni ɗaya (apt upgrade don Ubuntu).
  • Umurnai na ƙoƙarin gano cewa suna gudana a cikin akwati don su iya canza saitunan su daidai.
  • Domin saita adadin hanyoyin tafiyar da zaren don farawa a cikin saitunan, rubutun yana ƙoƙarin kimanta saitunan atomatik don aiki a cikin kwantena, injina, da sabar kayan masarufi.
  • Lokacin bayyana saituna, koyaushe muna tunani da farko game da aiki da kai, wanda, muna fata, zai zama tushen ƙirƙirar kayan aikin ku azaman lamba.
  • Ana gudanar da duk umarni azaman mai amfani tushen, saboda suna canza saitunan tsarin tsarin asali, amma kai tsaye WordPress yana gudana azaman mai amfani na yau da kullun.

Saita masu canjin yanayi

Saita masu canjin yanayi masu zuwa kafin gudanar da rubutun:

  • WORDPRESS_DB_PASSWORD - WordPress database kalmar sirri
  • WORDPRESS_ADMIN_USER - Sunan admin na WordPress
  • WORDPRESS_ADMIN_PASSWORD - WordPress admin kalmar sirri
  • WORDPRESS_ADMIN_EMAIL - WordPress admin imel
  • WORDPRESS_URL shine cikakken URL na rukunin yanar gizon WordPress, farawa a https://.
  • LETS_ENCRYPT_STAGING - fanko ta tsohuwa, amma ta hanyar saita ƙimar zuwa 1, zaku yi amfani da sabar saiti na Let's Encrypt, waɗanda suke da mahimmanci don yawan neman takaddun shaida lokacin gwada saitunanku, in ba haka ba Bari Encrypt na iya toshe adireshin IP na ɗan lokaci saboda buƙatun da yawa. .

Rubutun yana duba cewa an saita waɗannan masu alaƙa da WordPress kuma suna fita idan ba haka ba.
Layukan rubutun 572-576 duba ƙimar LETS_ENCRYPT_STAGING.

Saita sauye-sauyen yanayi da aka samu

Rubutun kan layi na 55-61 yana saita masu canjin yanayi masu zuwa, ko dai zuwa wasu ƙima mai ƙarfi ko amfani da ƙimar da aka samu daga masu canjin da aka saita a sashin da ya gabata:

  • DEBIAN_FRONTEND="noninteractive" - Yana gaya wa aikace-aikacen cewa suna gudana a cikin rubutun kuma cewa babu yuwuwar hulɗar mai amfani.
  • WORDPRESS_CLI_VERSION="2.4.0" shine sigar aikace-aikacen CLI na WordPress.
  • WORDPRESS_CLI_MD5= "dedd5a662b80cda66e9e25d44c23b25c" - checksum na WordPress CLI 2.4.0 fayil mai aiwatarwa (an ƙayyade sigar a cikin madaidaicin WORDPRESS_CLI_VERSION). Rubutun kan layi na 162 yana amfani da wannan ƙimar don bincika cewa an sauke ainihin fayil ɗin CLI na WordPress.
  • UPLOAD_MAX_FILESIZE="16M" - matsakaicin girman fayil ɗin da za'a iya lodawa a cikin WordPress. Ana amfani da wannan saitin a wurare da yawa, don haka yana da sauƙin saita shi wuri ɗaya.
  • TLS_HOSTNAME= "$(echo ${WORDPRESS_URL} | cut -d'/' -f3)" - sunan mai masaukin tsarin, wanda aka dawo dashi daga madaidaicin WORDPRESS_URL. Ana amfani dashi don samun takaddun takaddun TLS/SSL masu dacewa daga Bari Mu Encrypt da kuma tabbatarwar WordPress na ciki.
  • NGINX_CONF_DIR="/etc/nginx" - hanyar zuwa kundin adireshi tare da saitunan NGINX, gami da babban fayil nginx.conf.
  • CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}" - hanyar zuwa Takaddun shaida na Bari Mu Encrypt don rukunin yanar gizon WordPress, wanda aka samo daga mai canzawa TLS_HOSTNAME.

Sanya sunan mai masauki ga uwar garken WordPress

Rubutun yana saita sunan uwar garken don dacewa da sunan yankin. Ba a buƙatar wannan, amma ya fi dacewa don aika saƙo mai fita ta hanyar SMTP lokacin kafa sabar guda ɗaya, kamar yadda rubutun ya tsara.

lambar rubutun

# Change the hostname to be the same as the WordPress hostname
if [ ! "$(hostname)" == "${TLS_HOSTNAME}" ]; then
  echo " Changing hostname to ${TLS_HOSTNAME}"
  hostnamectl set-hostname "${TLS_HOSTNAME}"
fi

Ƙara sunan mai masauki zuwa /etc/hosts

.Arin ƙari WP-Cron ana amfani da shi don gudanar da ayyuka na lokaci-lokaci, yana buƙatar WordPress don samun damar shiga kanta ta hanyar HTTP. Don tabbatar da WP-Cron yana aiki daidai akan duk mahalli, rubutun yana ƙara layi zuwa fayil ɗin / sauransu / rundunadon WordPress iya samun dama ga kanta ta hanyar loopback dubawa:

lambar rubutun

# Add the hostname to /etc/hosts
if [ "$(grep -m1 "${TLS_HOSTNAME}" /etc/hosts)" = "" ]; then
  echo " Adding hostname ${TLS_HOSTNAME} to /etc/hosts so that WordPress can ping itself"
  printf "::1 %sn127.0.0.1 %sn" "${TLS_HOSTNAME}" "${TLS_HOSTNAME}" >> /etc/hosts
fi

Shigar da kayan aikin da ake buƙata don matakai na gaba

Sauran rubutun yana buƙatar wasu shirye-shirye kuma yana ɗauka cewa ma'ajin sun sabunta. Muna sabunta jerin wuraren ajiya, bayan haka mun shigar da kayan aikin da suka dace:

lambar rubutun

# Make sure tools needed for install are present
echo " Installing prerequisite tools"
apt-get -qq update
apt-get -qq install -y 
  bc 
  ca-certificates 
  coreutils 
  curl 
  gnupg2 
  lsb-release

Ƙara NGINX Unit da NGINX Repositories

Rubutun yana shigar da Unit NGINX da buɗaɗɗen tushen NGINX daga ma'ajiyar NGINX na hukuma don tabbatar da cewa an yi amfani da sifofin da sabbin facin tsaro da gyaran kwaro.

Rubutun yana ƙara ma'ajiyar NGINX Unit sannan kuma ma'ajiyar NGINX, yana ƙara maɓallin ma'ajiyar da fayilolin daidaitawa. apt, ma'anar samun dama ga ma'ajiyar bayanai ta Intanet.

Ainihin shigarwa na NGINX Unit da NGINX yana faruwa a sashe na gaba. Mun riga mun ƙara ma'ajiyar don kada mu sabunta metadata sau da yawa, wanda ke sa shigarwa cikin sauri.

lambar rubutun

# Install the NGINX Unit repository
if [ ! -f /etc/apt/sources.list.d/unit.list ]; then
  echo " Installing NGINX Unit repository"
  curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
  echo "deb https://packages.nginx.org/unit/ubuntu/ $(lsb_release -cs) unit" > /etc/apt/sources.list.d/unit.list
fi

# Install the NGINX repository
if [ ! -f /etc/apt/sources.list.d/nginx.list ]; then
  echo " Installing NGINX repository"
  curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
  echo "deb https://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
fi

Shigar da NGINX, NGINX Unit, PHP MariaDB, Certbot (Bari Mu Encrypt) da kuma abubuwan dogaro.

Da zarar an ƙara duk ma'ajiyar, sabunta metadata kuma shigar da aikace-aikacen. Fakitin da rubutun ya shigar kuma sun haɗa da kari na PHP da aka ba da shawarar lokacin gudanar da WordPress.org

lambar rubutun

echo " Updating repository metadata"
apt-get -qq update

# Install PHP with dependencies and NGINX Unit
echo " Installing PHP, NGINX Unit, NGINX, Certbot, and MariaDB"
apt-get -qq install -y --no-install-recommends 
  certbot 
  python3-certbot-nginx 
  php-cli 
  php-common 
  php-bcmath 
  php-curl 
  php-gd 
  php-imagick 
  php-mbstring 
  php-mysql 
  php-opcache 
  php-xml 
  php-zip 
  ghostscript 
  nginx 
  unit 
  unit-php 
  mariadb-server

Kafa PHP don amfani tare da NGINX Unit da WordPress

Rubutun yana ƙirƙirar fayil ɗin saiti a cikin kundin adireshi conf.d. Wannan yana saita matsakaicin girman fayil don loda PHP, yana kunna fitowar kuskuren PHP zuwa STDERR don haka za a rubuta su zuwa log ɗin Unit NGINX, sannan a sake farawa NGINX Unit.

lambar rubutun

# Find the major and minor PHP version so that we can write to its conf.d directory
PHP_MAJOR_MINOR_VERSION="$(php -v | head -n1 | cut -d' ' -f2 | cut -d'.' -f1,2)"

if [ ! -f "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" ]; then
  echo " Configuring PHP for use with NGINX Unit and WordPress"
  # Add PHP configuration overrides
  cat > "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" << EOM
; Set a larger maximum upload size so that WordPress can handle
; bigger media files.
upload_max_filesize=${UPLOAD_MAX_FILESIZE}
post_max_size=${UPLOAD_MAX_FILESIZE}
; Write error log to STDERR so that error messages show up in the NGINX Unit log
error_log=/dev/stderr
EOM
fi

# Restart NGINX Unit because we have reconfigured PHP
echo " Restarting NGINX Unit"
service unit restart

Ƙayyadaddun Saitunan Bayanai na MariaDB don WordPress

Mun zaɓi MariaDB akan MySQL saboda yana da ƙarin ayyukan al'umma kuma yana iya yiwuwa yana ba da kyakkyawan aiki ta tsohuwa (tabbas, komai ya fi sauƙi a nan: don shigar da MySQL, kuna buƙatar ƙara wani wurin ajiya, kusan fassara).

Rubutun ya ƙirƙiri sabon bayanan bayanai kuma yana ƙirƙirar takaddun shaida don samun damar WordPress ta hanyar madaidaicin madauki:

lambar rubutun

# Set up the WordPress database
echo " Configuring MariaDB for WordPress"
mysqladmin create wordpress || echo "Ignoring above error because database may already exist"
mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO "wordpress"@"localhost" IDENTIFIED BY "$WORDPRESS_DB_PASSWORD"; FLUSH PRIVILEGES;"

Shigar da Shirin CLI na WordPress

A wannan mataki, rubutun yana shigar da shirin Farashin WP CLI. Tare da shi, zaku iya shigarwa da sarrafa saitunan WordPress ba tare da gyara fayiloli da hannu ba, sabunta bayanan bayanai, ko shigar da kwamitin sarrafawa. Hakanan ana iya amfani dashi don shigar da jigogi da ƙari-kan da sabunta WordPress.

lambar rubutun

if [ ! -f /usr/local/bin/wp ]; then
  # Install the WordPress CLI
  echo " Installing the WordPress CLI tool"
  curl --retry 6 -Ls "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" > /usr/local/bin/wp
  echo "$WORDPRESS_CLI_MD5 /usr/local/bin/wp" | md5sum -c -
  chmod +x /usr/local/bin/wp
fi

Shigarwa da daidaita WordPress

Rubutun yana shigar da sabon sigar WordPress a cikin kundin adireshi /var/www/wordpresskuma yana canza saitunan:

  • Haɗin bayanan yana aiki akan soket ɗin yanki na unix maimakon TCP akan madauki don yanke zirga-zirgar TCP.
  • WordPress yana ƙara prefix https:// zuwa URL idan abokan ciniki sun haɗa zuwa NGINX akan HTTPS, kuma suna aika sunan mai watsa shiri na nesa (kamar yadda NGINX ya bayar) zuwa PHP. Muna amfani da guntun lamba don saita wannan.
  • WordPress yana buƙatar HTTPS don shiga
  • Tsohuwar tsarin URL ya dogara ne akan albarkatu
  • Yana saita madaidaitan izini akan tsarin fayil don kundin adireshin WordPress.

lambar rubutun

if [ ! -d /var/www/wordpress ]; then
  # Create WordPress directories
  mkdir -p /var/www/wordpress
  chown -R www-data:www-data /var/www

  # Download WordPress using the WordPress CLI
  echo " Installing WordPress"
  su -s /bin/sh -c 'wp --path=/var/www/wordpress core download' www-data

  WP_CONFIG_CREATE_CMD="wp --path=/var/www/wordpress config create --extra-php --dbname=wordpress --dbuser=wordpress --dbhost="localhost:/var/run/mysqld/mysqld.sock" --dbpass="${WORDPRESS_DB_PASSWORD}""

  # This snippet is injected into the wp-config.php file when it is created;
  # it informs WordPress that we are behind a reverse proxy and as such
  # allows it to generate links using HTTPS
  cat > /tmp/wp_forwarded_for.php << 'EOM'
/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
EOM

  # Create WordPress configuration
  su -s /bin/sh -p -c "cat /tmp/wp_forwarded_for.php | ${WP_CONFIG_CREATE_CMD}" www-data
  rm /tmp/wp_forwarded_for.php
  su -s /bin/sh -p -c "wp --path=/var/www/wordpress config set 'FORCE_SSL_ADMIN' 'true'" www-data

  # Install WordPress
  WP_SITE_INSTALL_CMD="wp --path=/var/www/wordpress core install --url="${WORDPRESS_URL}" --title="${WORDPRESS_SITE_TITLE}" --admin_user="${WORDPRESS_ADMIN_USER}" --admin_password="${WORDPRESS_ADMIN_PASSWORD}" --admin_email="${WORDPRESS_ADMIN_EMAIL}" --skip-email"
  su -s /bin/sh -p -c "${WP_SITE_INSTALL_CMD}" www-data

  # Set permalink structure to a sensible default that isn't in the UI
  su -s /bin/sh -p -c "wp --path=/var/www/wordpress option update permalink_structure '/%year%/%monthnum%/%postname%/'" www-data

  # Remove sample file because it is cruft and could be a security problem
  rm /var/www/wordpress/wp-config-sample.php

  # Ensure that WordPress permissions are correct
  find /var/www/wordpress -type d -exec chmod g+s {} ;
  chmod g+w /var/www/wordpress/wp-content
  chmod -R g+w /var/www/wordpress/wp-content/themes
  chmod -R g+w /var/www/wordpress/wp-content/plugins
fi

Kafa NGINX Unit

Rubutun yana daidaita Sashin NGINX don gudanar da PHP da aiwatar da hanyoyin WordPress, keɓance tsarin sunan PHP da haɓaka saitunan aiki. Akwai siffofi guda uku da ya kamata a duba anan:

  • Goyon baya ga wuraren suna ana ƙaddara ta yanayi, dangane da duba cewa rubutun yana gudana a cikin akwati. Wannan ya zama dole saboda yawancin saitin kwantena ba sa goyan bayan ƙaddamar da kwantena.
  • Idan akwai goyan bayan wuraren suna, musaki filin suna cibiyar sadarwa. Wannan don ba da damar WordPress don haɗawa zuwa ƙarshen ƙarshen biyu kuma kasancewa akan yanar gizo a lokaci guda.
  • Matsakaicin adadin matakai an bayyana shi kamar haka: ( Akwai ƙwaƙwalwar ajiya don gudanar da MariaDB da NGINX Uniy) / (Iyakar RAM a cikin PHP + 5)
    An saita wannan ƙimar a cikin saitunan NGINX Unit.

Wannan ƙimar kuma tana nuna cewa koyaushe akwai aƙalla matakai guda biyu na PHP waɗanda ke gudana, wanda ke da mahimmanci saboda WordPress yana yin buƙatun asynchronous da yawa ga kanta, kuma ba tare da ƙarin matakai ba, gudana misali WP-Cron zai karye. Kuna iya ƙara ko rage waɗannan iyakoki dangane da saitunan gida, saboda saitunan da aka ƙirƙira a nan masu ra'ayin mazan jiya ne. A yawancin tsarin samarwa, saitunan suna tsakanin 10 da 100.

lambar rubutun

if [ "${container:-unknown}" != "lxc" ] && [ "$(grep -m1 -a container=lxc /proc/1/environ | tr -d '')" == "" ]; then
  NAMESPACES='"namespaces": {
        "cgroup": true,
        "credential": true,
        "mount": true,
        "network": false,
        "pid": true,
        "uname": true
    }'
else
  NAMESPACES='"namespaces": {}'
fi

PHP_MEM_LIMIT="$(grep 'memory_limit' /etc/php/7.4/embed/php.ini | tr -d ' ' | cut -f2 -d= | numfmt --from=iec)"
AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
MAX_PHP_PROCESSES="$(echo "${AVAIL_MEM}/${PHP_MEM_LIMIT}+5" | bc)"
echo " Calculated the maximum number of PHP processes as ${MAX_PHP_PROCESSES}. You may want to tune this value due to variations in your configuration. It is not unusual to see values between 10-100 in production configurations."

echo " Configuring NGINX Unit to use PHP and WordPress"
cat > /tmp/wordpress.json << EOM
{
  "settings": {
    "http": {
      "header_read_timeout": 30,
      "body_read_timeout": 30,
      "send_timeout": 30,
      "idle_timeout": 180,
      "max_body_size": $(numfmt --from=iec ${UPLOAD_MAX_FILESIZE})
    }
  },
  "listeners": {
    "127.0.0.1:8080": {
      "pass": "routes/wordpress"
    }
  },
  "routes": {
    "wordpress": [
      {
        "match": {
          "uri": [
            "*.php",
            "*.php/*",
            "/wp-admin/"
          ]
        },
        "action": {
          "pass": "applications/wordpress/direct"
        }
      },
      {
        "action": {
          "share": "/var/www/wordpress",
          "fallback": {
            "pass": "applications/wordpress/index"
          }
        }
      }
    ]
  },
  "applications": {
    "wordpress": {
      "type": "php",
      "user": "www-data",
      "group": "www-data",
      "processes": {
        "max": ${MAX_PHP_PROCESSES},
        "spare": 1
      },
      "isolation": {
        ${NAMESPACES}
      },
      "targets": {
        "direct": {
          "root": "/var/www/wordpress/"
        },
        "index": {
          "root": "/var/www/wordpress/",
          "script": "index.php"
        }
      }
    }
  }
}
EOM

curl -X PUT --data-binary @/tmp/wordpress.json --unix-socket /run/control.unit.sock http://localhost/config

Saita NGINX

Ana saita Saitunan NGINX na asali

Rubutun yana ƙirƙirar kundin adireshi don cache na NGINX sannan ya haifar da babban fayil ɗin sanyi nginx.conf. Kula da yawan matakan sarrafawa da saitin matsakaicin girman fayil don lodawa. Hakanan akwai layin da ya ƙunshi fayil ɗin saitunan matsawa wanda aka ayyana a sashe na gaba, sannan saitin caching.

lambar rubutun

# Make directory for NGINX cache
mkdir -p /var/cache/nginx/proxy

echo " Configuring NGINX"
cat > ${NGINX_CONF_DIR}/nginx.conf << EOM
user nginx;
worker_processes auto;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       ${NGINX_CONF_DIR}/mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    client_max_body_size ${UPLOAD_MAX_FILESIZE};
    keepalive_timeout  65;
    # gzip settings
    include ${NGINX_CONF_DIR}/gzip_compression.conf;
    # Cache settings
    proxy_cache_path /var/cache/nginx/proxy
        levels=1:2
        keys_zone=wp_cache:10m
        max_size=10g
        inactive=60m
        use_temp_path=off;
    include ${NGINX_CONF_DIR}/conf.d/*.conf;
}
EOM

Saita matsawar NGINX

Matsa abun ciki akan tashi kafin aika shi ga abokan ciniki hanya ce mai kyau don inganta aikin rukunin yanar gizon, amma idan an saita matsawa daidai. Wannan sashe na rubutun ya dogara ne akan saituna daga nan.

lambar rubutun

cat > ${NGINX_CONF_DIR}/gzip_compression.conf << 'EOM'
# Credit: https://github.com/h5bp/server-configs-nginx/
# ----------------------------------------------------------------------
# | Compression                                                        |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 6;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
  application/atom+xml
  application/geo+json
  application/javascript
  application/x-javascript
  application/json
  application/ld+json
  application/manifest+json
  application/rdf+xml
  application/rss+xml
  application/vnd.ms-fontobject
  application/wasm
  application/x-web-app-manifest+json
  application/xhtml+xml
  application/xml
  font/eot
  font/otf
  font/ttf
  image/bmp
  image/svg+xml
  text/cache-manifest
  text/calendar
  text/css
  text/javascript
  text/markdown
  text/plain
  text/xml
  text/vcard
  text/vnd.rim.location.xloc
  text/vtt
  text/x-component
  text/x-cross-domain-policy;
EOM

Saita NGINX don WordPress

Na gaba, rubutun yana ƙirƙirar fayil ɗin sanyi don WordPress tsoho.conf a cikin kasida conf.d. An saita shi anan:

  • Kunna takaddun takaddun TLS da aka karɓa daga Bari mu Encrypt ta Certbot (tsarin shi zai kasance a sashe na gaba)
  • Ana saita saitunan tsaro na TLS bisa shawarwari daga Mu Encrypt
  • Kunna buƙatun tsallake caching na awa 1 ta tsohuwa
  • Kashe shiga shiga, da kuma shigar da kuskure idan fayil ba a samo shi ba, don fayiloli guda biyu da ake buƙata: favicon.ico da robots.txt
  • Hana isa ga ɓoye fayiloli da wasu fayiloli .phpdon hana shiga ba bisa ka'ida ba ko fara da ba da niyya ba
  • Kashe shiga shiga don fayilolin rubutu a tsaye da font
  • Saitin kai Samun dama-Control-Ba da izinin Asalin don fayilolin font
  • Ƙara hanyar tafiya don index.php da sauran ƙididdiga.

lambar rubutun

cat > ${NGINX_CONF_DIR}/conf.d/default.conf << EOM
upstream unit_php_upstream {
    server 127.0.0.1:8080;
    keepalive 32;
}
server {
    listen 80;
    listen [::]:80;
    # ACME-challenge used by Certbot for Let's Encrypt
    location ^~ /.well-known/acme-challenge/ {
      root /var/www/certbot;
    }
    location / {
      return 301 https://${TLS_HOSTNAME}$request_uri;
    }
}
server {
    listen      443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${TLS_HOSTNAME};
    root        /var/www/wordpress/;
    # Let's Encrypt configuration
    ssl_certificate         ${CERT_DIR}/fullchain.pem;
    ssl_certificate_key     ${CERT_DIR}/privkey.pem;
    ssl_trusted_certificate ${CERT_DIR}/chain.pem;
    include ${NGINX_CONF_DIR}/options-ssl-nginx.conf;
    ssl_dhparam ${NGINX_CONF_DIR}/ssl-dhparams.pem;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # Proxy caching
    proxy_cache wp_cache;
    proxy_cache_valid 200 302 1h;
    proxy_cache_valid 404 1m;
    proxy_cache_revalidate on;
    proxy_cache_background_update on;
    proxy_cache_lock on;
    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd,
    # .DS_Store (Mac)
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban)
    location ~ /. {
        deny all;
    }
    # Deny access to any files with a .php extension in the uploads directory;
    # works in subdirectory installs and also in multi-site network.
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban).
    location ~* /(?:uploads|files)/.*.php$ {
        deny all;
    }
    # WordPress: deny access to wp-content, wp-includes PHP files
    location ~* ^/(?:wp-content|wp-includes)/.*.php$ {
        deny all;
    }
    # Deny public access to wp-config.php
    location ~* wp-config.php {
        deny all;
    }
    # Do not log access for static assets, media
    location ~* .(?:css(.map)?|js(.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        access_log off;
    }
    location ~* .(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        access_log off;
    }
    location / {
        try_files $uri @index_php;
    }
    location @index_php {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_pass       http://unit_php_upstream;
    }
    location ~* .php$ {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        try_files        $uri =404;
        proxy_pass       http://unit_php_upstream;
    }
}
EOM

Kafa Certbot don takaddun shaida daga Bari Mu Encrypt da sabunta su ta atomatik

Certbot kayan aiki ne na kyauta daga Gidauniyar Wutar Lantarki (EFF) wacce ke ba ku damar samun da sabunta takaddun takaddun TLS ta atomatik daga Mu Encrypt. Rubutun yana yin haka don saita Certbot don aiwatar da takaddun shaida daga Bari Mu Encrypt a NGINX:

  • Tsaida NGINX
  • Zazzagewar shawarar saitunan TLS
  • Yana gudanar da Certbot don samun takaddun shaida na rukunin yanar gizon
  • Yana sake kunna NGINX don amfani da takaddun shaida
  • Yana saita Certbot don gudana kullum a 3:24 AM don bincika idan ana buƙatar sabunta takaddun shaida, kuma idan ya cancanta, zazzage sababbin takaddun shaida kuma sake kunna NGINX.

lambar rubutun

echo " Stopping NGINX in order to set up Let's Encrypt"
service nginx stop

mkdir -p /var/www/certbot
chown www-data:www-data /var/www/certbot
chmod g+s /var/www/certbot

if [ ! -f ${NGINX_CONF_DIR}/options-ssl-nginx.conf ]; then
  echo " Downloading recommended TLS parameters"
  curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:36:07 GMT" 
    -o "${NGINX_CONF_DIR}/options-ssl-nginx.conf" 
    "https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf" 
    || echo "Couldn't download latest options-ssl-nginx.conf"
fi

if [ ! -f ${NGINX_CONF_DIR}/ssl-dhparams.pem ]; then
  echo " Downloading recommended TLS DH parameters"
  curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:49:18 GMT" 
    -o "${NGINX_CONF_DIR}/ssl-dhparams.pem" 
    "https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem" 
    || echo "Couldn't download latest ssl-dhparams.pem"
fi

# If tls_certs_init.sh hasn't been run before, remove the self-signed certs
if [ ! -d "/etc/letsencrypt/accounts" ]; then
  echo " Removing self-signed certificates"
  rm -rf "${CERT_DIR}"
fi

if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
  CERTBOT_STAGING_FLAG=""
else
  CERTBOT_STAGING_FLAG="--staging"
fi

if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
  echo " Generating certificates with Let's Encrypt"
  certbot certonly --standalone 
         -m "${WORDPRESS_ADMIN_EMAIL}" 
         ${CERTBOT_STAGING_FLAG} 
         --agree-tos --force-renewal --non-interactive 
         -d "${TLS_HOSTNAME}"
fi

echo " Starting NGINX in order to use new configuration"
service nginx start

# Write crontab for periodic Let's Encrypt cert renewal
if [ "$(crontab -l | grep -m1 'certbot renew')" == "" ]; then
  echo " Adding certbot to crontab for automatic Let's Encrypt renewal"
  (crontab -l 2>/dev/null; echo "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'") | crontab -
fi

Ƙarin gyare-gyare na rukunin yanar gizon ku

Mun yi magana a sama game da yadda rubutun mu ke daidaita NGINX da NGINX Unit don hidimar wurin da aka shirya tare da kunna TLSSSL. Hakanan zaka iya, dangane da bukatun ku, ƙara a nan gaba:

  • goyon baya Brotli, ingantattun matsawa akan-tashi akan HTTPS
  • Mod Tsaro с dokokin wordpressdon hana kai hari ta atomatik akan rukunin yanar gizonku
  • Ajiyayyen don WordPress wanda ya dace da ku
  • Kariya tare da taimakon AppArmor (na Ubuntu)
  • Postfix ko msmtp don WordPress iya aika wasiku
  • Duba rukunin yanar gizon ku don ku fahimci yawan zirga-zirgar da zai iya ɗauka

Don ma mafi kyawun aikin rukunin yanar gizon, muna ba da shawarar haɓakawa zuwa NGINX Plus, Kasuwancinmu, samfurin kasuwancinmu bisa tushen budewa NGINX. Masu biyan kuɗin sa za su karɓi tsarin Brotli mai ɗorewa, haka kuma (don ƙarin kuɗi) NGINX ModSecurity WAF. Mun kuma bayar Kariyar App na NGINX, Tsarin WAF don NGINX Plus bisa tushen fasahar tsaro na masana'antu daga F5.

NB Don goyan bayan rukunin yanar gizon da aka yi lodi sosai, zaku iya tuntuɓar masana Southbridge. Za mu tabbatar da sauri da ingantaccen aiki na gidan yanar gizonku ko sabis ɗinku ƙarƙashin kowane kaya.

source: www.habr.com