Installing WordPress with NGINX Unit and Ubuntu


There are many tutorials on installing WordPress; a Google search for "WordPress install" returns about half a million results. In reality, though, very few of them are good guides that help you install and configure WordPress and the underlying operating system so that both can be maintained over the long term. Either the right settings depend heavily on specific requirements, or the detailed explanation makes the guide hard to read.

In this article we try to combine the best of both worlds: we provide a bash script that automates a WordPress installation on Ubuntu, and we walk through it, explaining what each part does and the trade-offs we made while developing it. If you are an advanced user, you can skip the text of the article and simply take the script, adapt it, and use it in your own environments. The output of the script is a standard WordPress installation with Let's Encrypt support, running on NGINX Unit and suitable for production use.

The architecture for deploying WordPress with NGINX Unit was described in an earlier article; this time we also configure the things that were not covered there (nor in many other tutorials):

  • WordPress CLI
  • Obtaining and installing TLS/SSL certificates
  • Automatic certificate renewal
  • NGINX caching
  • NGINX compression
  • HTTPS and HTTP/2 support
  • Process automation

The article describes an installation on a single server that hosts the static-content server, the PHP application server, and the database. A configuration supporting multiple virtual hosts and services is a possible topic for the future. If you would like us to write about something not covered in these articles, let us know in the comments.

Requirements

  • A container host (LXC or LXD), a virtual machine, or an ordinary bare-metal server with at least 512MB of RAM and Ubuntu 18.04 or newer installed.
  • Ports 80 and 443 reachable from the Internet
  • A domain name pointing at this server's public IP address
  • Root access (sudo).

Architecture overview

The architecture is the one described earlier: a three-tier web application. It consists of PHP scripts running on the PHP engine and static files served by the web server.


General principles

  • Many of the configuration commands in the script are wrapped in if conditions for idempotency: the script can be run several times without the risk of changing settings that are already in place.
  • The article tries to install software from repositories, so that you can apply system updates with a single command (apt upgrade on Ubuntu).
  • The commands try to detect whether they are running inside a container so that they can adjust their settings accordingly.
  • When choosing the number of processes to start in the configurations, the article tries to pick settings that work well in containers, virtual machines, and hardware servers alike.
  • When describing the settings, we think first about automation, which we hope will become the basis for building your own infrastructure as code.
  • All commands are run as root, because they change core system settings, but WordPress itself runs as an ordinary user.

Setting environment variables

Set the following environment variables before running the script:

  • WORDPRESS_DB_PASSWORD - the WordPress database password
  • WORDPRESS_ADMIN_USER - the WordPress admin username
  • WORDPRESS_ADMIN_PASSWORD - the WordPress admin password
  • WORDPRESS_ADMIN_EMAIL - the WordPress admin e-mail address
  • WORDPRESS_URL - the full URL of the WordPress site, starting with https://.
  • LETS_ENCRYPT_STAGING - empty by default; setting it to 1 makes the script use the Let's Encrypt staging servers, which is necessary when you request certificates repeatedly while testing your settings, because otherwise Let's Encrypt may temporarily block your e-mail address for too many requests.

The script checks that these WordPress-related variables are set and exits if they are not.
The value of LETS_ENCRYPT_STAGING is checked at script lines 572-576.

Setting derived environment variables

At lines 55-61 the script sets the following environment variables, either to a hardcoded value or to a value derived from the variables set in the previous section:

  • DEBIAN_FRONTEND="noninteractive" - tells applications that they are running from a script and that no user interaction is possible.
  • WORDPRESS_CLI_VERSION="2.4.0" - the version of the WordPress CLI tool.
  • WORDPRESS_CLI_MD5="dedd5a662b80cda66e9e25d44c23b25c" - the checksum of the WordPress CLI 2.4.0 executable (the version is given by the WORDPRESS_CLI_VERSION variable). The script uses this value at line 162 to check that the correct WordPress CLI file was downloaded.
  • UPLOAD_MAX_FILESIZE="16M" - the maximum size of a file that can be uploaded to WordPress. This setting is used in several places, so it is easier to define it once.
  • TLS_HOSTNAME="$(echo ${WORDPRESS_URL} | cut -d'/' -f3)" - the system hostname, extracted from the WORDPRESS_URL variable. It is used to obtain the matching TLS/SSL certificates from Let's Encrypt and for WordPress's internal checks.
  • NGINX_CONF_DIR="/etc/nginx" - the path to the directory holding the NGINX configuration, including the main nginx.conf file.
  • CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}" - the path to the Let's Encrypt certificates for the WordPress site, derived from the TLS_HOSTNAME variable.

Assigning a hostname to the WordPress server

The script sets the server's hostname to match the site's domain name. This is not required, but it makes sending outgoing mail via SMTP easier when configuring a single server, as the script does.

Script code

# Change the hostname to be the same as the WordPress hostname
if [ ! "$(hostname)" == "${TLS_HOSTNAME}" ]; then
  echo " Changing hostname to ${TLS_HOSTNAME}"
  hostnamectl set-hostname "${TLS_HOSTNAME}"
fi

Adding the domain name to /etc/hosts

The WP-Cron component, which runs WordPress's scheduled tasks, requires WordPress to be able to reach itself over HTTP. To make sure WP-Cron works correctly in every environment, the script adds a line to /etc/hosts so that WordPress can reach itself over the loopback interface:

Script code

# Add the hostname to /etc/hosts
if [ "$(grep -m1 "${TLS_HOSTNAME}" /etc/hosts)" = "" ]; then
  echo " Adding hostname ${TLS_HOSTNAME} to /etc/hosts so that WordPress can ping itself"
  printf "::1 %s\n127.0.0.1 %s\n" "${TLS_HOSTNAME}" "${TLS_HOSTNAME}" >> /etc/hosts
fi

Installing the tools needed for the next steps

The rest of the script needs a few programs and assumes the package lists are current. We update the package lists and then install the prerequisites:

Script code

# Make sure tools needed for install are present
echo " Installing prerequisite tools"
apt-get -qq update
apt-get -qq install -y \
  bc \
  ca-certificates \
  coreutils \
  curl \
  gnupg2 \
  lsb-release

Adding the NGINX Unit and NGINX repositories

The script installs NGINX Unit and open source NGINX from the official NGINX repositories, which ensures that the versions used carry the latest security fixes and bug fixes.

The script adds the NGINX Unit repository and then the NGINX repository, adding the repository signing keys and the apt configuration files that define how the repositories are reached over the Internet.

The actual installation of NGINX Unit and NGINX happens in the next section. We add the repositories first so that the package metadata does not have to be refreshed several times, which makes the installation faster.

Script code

# Install the NGINX Unit repository
if [ ! -f /etc/apt/sources.list.d/unit.list ]; then
  echo " Installing NGINX Unit repository"
  curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
  echo "deb https://packages.nginx.org/unit/ubuntu/ $(lsb_release -cs) unit" > /etc/apt/sources.list.d/unit.list
fi

# Install the NGINX repository
if [ ! -f /etc/apt/sources.list.d/nginx.list ]; then
  echo " Installing NGINX repository"
  curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
  echo "deb https://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
fi

Installing NGINX, NGINX Unit, PHP, MariaDB, Certbot (for Let's Encrypt) and their dependencies

Once all the repositories have been added, the script refreshes the metadata and installs the applications. The set of packages it installs also includes the PHP extensions recommended by WordPress.org.

Script code

echo " Updating repository metadata"
apt-get -qq update

# Install PHP with dependencies and NGINX Unit
echo " Installing PHP, NGINX Unit, NGINX, Certbot, and MariaDB"
apt-get -qq install -y --no-install-recommends \
  certbot \
  python3-certbot-nginx \
  php-cli \
  php-common \
  php-bcmath \
  php-curl \
  php-gd \
  php-imagick \
  php-mbstring \
  php-mysql \
  php-opcache \
  php-xml \
  php-zip \
  ghostscript \
  nginx \
  unit \
  unit-php \
  mariadb-server

Configuring PHP for use with NGINX Unit and WordPress

The script creates a configuration file in the conf.d directory. It sets the maximum upload size for PHP, redirects PHP error output to STDERR so that errors end up in the NGINX Unit log, and restarts NGINX Unit.

Script code

# Find the major and minor PHP version so that we can write to its conf.d directory
PHP_MAJOR_MINOR_VERSION="$(php -v | head -n1 | cut -d' ' -f2 | cut -d'.' -f1,2)"

if [ ! -f "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" ]; then
  echo " Configuring PHP for use with NGINX Unit and WordPress"
  # Add PHP configuration overrides
  cat > "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" << EOM
; Set a larger maximum upload size so that WordPress can handle
; bigger media files.
upload_max_filesize=${UPLOAD_MAX_FILESIZE}
post_max_size=${UPLOAD_MAX_FILESIZE}
; Write error log to STDERR so that error messages show up in the NGINX Unit log
error_log=/dev/stderr
EOM
fi

# Restart NGINX Unit because we have reconfigured PHP
echo " Restarting NGINX Unit"
service unit restart

Defining the MariaDB database settings for WordPress

We chose MariaDB over MySQL because it has a more active community and is also likely to give better performance out of the box (it is also simpler all round: to install MySQL you would have to add yet another repository - translator's note).

The script creates a new database and the credentials WordPress uses to access it over the loopback interface:

Script code

# Set up the WordPress database
echo " Configuring MariaDB for WordPress"
mysqladmin create wordpress || echo "Ignoring above error because database may already exist"
mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO \"wordpress\"@\"localhost\" IDENTIFIED BY \"$WORDPRESS_DB_PASSWORD\"; FLUSH PRIVILEGES;"

Installing the WordPress CLI tool

In this step the script installs the WP-CLI tool. With it you can install WordPress and manage its settings without editing files by hand, updating the database directly, or logging in to the dashboard. It can also be used to install themes and plugins and to update WordPress.

Script code

if [ ! -f /usr/local/bin/wp ]; then
  # Install the WordPress CLI
  echo " Installing the WordPress CLI tool"
  curl --retry 6 -Ls "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" > /usr/local/bin/wp
  echo "$WORDPRESS_CLI_MD5 /usr/local/bin/wp" | md5sum -c -
  chmod +x /usr/local/bin/wp
fi
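As written, a failing `md5sum -c` only prints an error unless the script runs with `set -e`; `chmod +x` still follows and a truncated or tampered download ends up installed. As an added example (not code from the original script), the helper below downloads to a temporary file, verifies it, and only then moves it into place; `verify_md5`, `fetch_and_verify` and `install_wp_cli` are names chosen here, and the last one assumes the WORDPRESS_CLI_VERSION and WORDPRESS_CLI_MD5 variables the script sets.

```shell
#!/bin/bash
# Added example, not from the original script: install a downloaded binary only
# after its checksum has been verified. Function names are chosen here; md5 is
# kept to match the script (sha256sum is a drop-in replacement and preferable
# for any checksum you publish yourself).
set -u

# verify_md5 FILE EXPECTED_MD5 -> 0 if FILE hashes to EXPECTED_MD5, else 1
verify_md5() {
  local file="$1" expected="$2" actual
  actual="$(md5sum "$file" | cut -d' ' -f1)" || return 1
  [ "$actual" = "$expected" ]
}

# fetch_and_verify URL EXPECTED_MD5 DEST
# DEST is written only when the downloaded bytes match EXPECTED_MD5; on a
# download failure or a mismatch nothing is installed and 1 is returned.
fetch_and_verify() {
  local url="$1" expected="$2" dest="$3" tmp
  tmp="$(mktemp "${dest}.XXXXXX")" || return 1

  # Download to a temporary path so a half-written or wrong file never sits at
  # DEST. -f makes curl fail on HTTP errors instead of saving an error page.
  if ! curl --retry 6 -fLs -o "$tmp" "$url"; then
    echo "download of ${url} failed" >&2
    rm -f "$tmp"
    return 1
  fi

  if ! verify_md5 "$tmp" "$expected"; then
    echo "checksum mismatch for ${url}; refusing to install" >&2
    rm -f "$tmp"
    return 1
  fi

  chmod 0755 "$tmp"
  mv -f "$tmp" "$dest"   # rename is atomic: DEST is either absent or verified
}

# The same step in the script's terms; the caller must treat a non-zero status
# as fatal rather than carrying on with the installation.
install_wp_cli() {
  fetch_and_verify \
    "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" \
    "${WORDPRESS_CLI_MD5}" /usr/local/bin/wp || return 1
}
```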

Installing and configuring WordPress

The script installs the latest version of WordPress into the /var/www/wordpress directory and also changes the following settings:

  • The database connection uses a Unix domain socket instead of TCP over loopback, to cut down on TCP traffic.
  • WordPress adds the https:// prefix to URLs when clients connect to NGINX over HTTPS, and NGINX also passes the remote hostname on to PHP. We use a small code snippet to configure this.
  • WordPress requires HTTPS for logging in
  • The default URL structure is resource-based
  • Correct file system permissions are set on the WordPress directory.

Script code

if [ ! -d /var/www/wordpress ]; then
  # Create WordPress directories
  mkdir -p /var/www/wordpress
  chown -R www-data:www-data /var/www

  # Download WordPress using the WordPress CLI
  echo " Installing WordPress"
  su -s /bin/sh -c 'wp --path=/var/www/wordpress core download' www-data

  WP_CONFIG_CREATE_CMD="wp --path=/var/www/wordpress config create --extra-php --dbname=wordpress --dbuser=wordpress --dbhost=\"localhost:/var/run/mysqld/mysqld.sock\" --dbpass=\"${WORDPRESS_DB_PASSWORD}\""

  # This snippet is injected into the wp-config.php file when it is created;
  # it informs WordPress that we are behind a reverse proxy and as such
  # allows it to generate links using HTTPS
  cat > /tmp/wp_forwarded_for.php << 'EOM'
/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
EOM

  # Create WordPress configuration
  su -s /bin/sh -p -c "cat /tmp/wp_forwarded_for.php | ${WP_CONFIG_CREATE_CMD}" www-data
  rm /tmp/wp_forwarded_for.php
  su -s /bin/sh -p -c "wp --path=/var/www/wordpress config set 'FORCE_SSL_ADMIN' 'true'" www-data

  # Install WordPress
  WP_SITE_INSTALL_CMD="wp --path=/var/www/wordpress core install --url=\"${WORDPRESS_URL}\" --title=\"${WORDPRESS_SITE_TITLE}\" --admin_user=\"${WORDPRESS_ADMIN_USER}\" --admin_password=\"${WORDPRESS_ADMIN_PASSWORD}\" --admin_email=\"${WORDPRESS_ADMIN_EMAIL}\" --skip-email"
  su -s /bin/sh -p -c "${WP_SITE_INSTALL_CMD}" www-data

  # Set permalink structure to a sensible default that isn't in the UI
  su -s /bin/sh -p -c "wp --path=/var/www/wordpress option update permalink_structure '/%year%/%monthnum%/%postname%/'" www-data

  # Remove sample file because it is cruft and could be a security problem
  rm /var/www/wordpress/wp-config-sample.php

  # Ensure that WordPress permissions are correct
  find /var/www/wordpress -type d -exec chmod g+s {} \;
  chmod g+w /var/www/wordpress/wp-content
  chmod -R g+w /var/www/wordpress/wp-content/themes
  chmod -R g+w /var/www/wordpress/wp-content/plugins
fi

Configuring NGINX Unit

The script configures NGINX Unit to run PHP and handle the WordPress paths, isolating the PHP process namespaces and tuning the performance settings. Three things to note here:

  • Namespace support is enabled conditionally, based on a check of whether the script is running inside a container. This is necessary because most container setups do not support launching nested containers.
  • If namespace support is available, the network namespace is disabled. This is what allows WordPress to connect to both endpoints and be reachable from the network at the same time.
  • The maximum number of processes is defined as: (memory available with MariaDB and NGINX Unit running)/(PHP RAM limit + 5)
    This value is set in the NGINX Unit settings.

This value also means that two PHP processes are always running, which matters because WordPress makes many asynchronous requests to itself, and without the extra processes, WP-Cron, for example, stops working. You may want to raise or lower these limits to match your own setup, since the settings made here are conservative. On most production systems the values lie between 10 and 100.

Script code

if [ "${container:-unknown}" != "lxc" ] && [ "$(grep -m1 -a container=lxc /proc/1/environ | tr -d '\0')" == "" ]; then
  NAMESPACES='"namespaces": {
        "cgroup": true,
        "credential": true,
        "mount": true,
        "network": false,
        "pid": true,
        "uname": true
    }'
else
  NAMESPACES='"namespaces": {}'
fi

PHP_MEM_LIMIT="$(grep 'memory_limit' /etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/php.ini | tr -d ' ' | cut -f2 -d= | numfmt --from=iec)"
AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
MAX_PHP_PROCESSES="$(echo "${AVAIL_MEM}/${PHP_MEM_LIMIT}+5" | bc)"
echo " Calculated the maximum number of PHP processes as ${MAX_PHP_PROCESSES}. You may want to tune this value due to variations in your configuration. It is not unusual to see values between 10-100 in production configurations."

echo " Configuring NGINX Unit to use PHP and WordPress"
cat > /tmp/wordpress.json << EOM
{
  "settings": {
    "http": {
      "header_read_timeout": 30,
      "body_read_timeout": 30,
      "send_timeout": 30,
      "idle_timeout": 180,
      "max_body_size": $(numfmt --from=iec ${UPLOAD_MAX_FILESIZE})
    }
  },
  "listeners": {
    "127.0.0.1:8080": {
      "pass": "routes/wordpress"
    }
  },
  "routes": {
    "wordpress": [
      {
        "match": {
          "uri": [
            "*.php",
            "*.php/*",
            "/wp-admin/"
          ]
        },
        "action": {
          "pass": "applications/wordpress/direct"
        }
      },
      {
        "action": {
          "share": "/var/www/wordpress",
          "fallback": {
            "pass": "applications/wordpress/index"
          }
        }
      }
    ]
  },
  "applications": {
    "wordpress": {
      "type": "php",
      "user": "www-data",
      "group": "www-data",
      "processes": {
        "max": ${MAX_PHP_PROCESSES},
        "spare": 1
      },
      "isolation": {
        ${NAMESPACES}
      },
      "targets": {
        "direct": {
          "root": "/var/www/wordpress/"
        },
        "index": {
          "root": "/var/www/wordpress/",
          "script": "index.php"
        }
      }
    }
  }
}
EOM

curl -X PUT --data-binary @/tmp/wordpress.json --unix-socket /run/control.unit.sock http://localhost/config
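As an added example (not code from the original script), the functions below reproduce the MAX_PHP_PROCESSES calculation from /proc/meminfo and php.ini text passed in as arguments, so the result can be checked against known inputs; they also go one step beyond the script by handling memory_limit=-1 (PHP's "unlimited"), which the numfmt/bc pipeline would turn into a negative, meaningless count. The function names, the sample inputs and the fallback of 10 processes are assumptions made here.

```shell
#!/bin/bash
# Added example, not from the original script: reproduce the script's
# MAX_PHP_PROCESSES formula (MemAvailable / memory_limit + 5) from supplied
# /proc/meminfo and php.ini text, in plain shell arithmetic instead of numfmt/bc.
# Names and the FALLBACK default are chosen here.
set -u

# iec_to_bytes VALUE -> bytes for php.ini style sizes (128M, 1G, 65536)
iec_to_bytes() {
  local v="$1" n unit
  n="${v%[KkMmGg]}"; unit="${v#"$n"}"
  case "$n" in ''|*[!0-9-]*) return 1 ;; esac   # reject anything non-numeric
  case "$unit" in
    '')   echo "$n" ;;
    K|k)  echo $(( n * 1024 )) ;;
    M|m)  echo $(( n * 1024 * 1024 )) ;;
    G|g)  echo $(( n * 1024 * 1024 * 1024 )) ;;
  esac
}

# php_mem_limit_bytes "<php.ini text>" -> bytes; returns 1 when the limit is
# absent or -1 (unlimited), because no process count can be derived from it.
php_mem_limit_bytes() {
  local limit
  limit="$(printf '%s\n' "$1" | grep -m1 '^memory_limit' | tr -d ' ' | cut -f2 -d=)"
  [ -n "$limit" ] && [ "$limit" != "-1" ] || return 1
  iec_to_bytes "$limit"
}

# meminfo_available_bytes "<meminfo text>" -> bytes (the kB field times 1024),
# the same parsing the script does on the real /proc/meminfo.
meminfo_available_bytes() {
  local kb
  kb="$(printf '%s\n' "$1" | grep -m1 '^MemAvailable:' | tr -d ' kB' | cut -f2 -d:)"
  [ -n "$kb" ] || return 1
  echo $(( kb * 1024 ))
}

# max_php_processes "<meminfo text>" "<php.ini text>" [FALLBACK]
# Same formula as the script. FALLBACK (assumed default 10) is used when
# memory_limit is unlimited, since dividing by -1 gives a negative count that
# NGINX Unit cannot use for "processes.max".
max_php_processes() {
  local meminfo="$1" phpini="$2" fallback="${3:-10}" avail limit
  avail="$(meminfo_available_bytes "$meminfo")" || return 1
  if ! limit="$(php_mem_limit_bytes "$phpini")"; then
    echo "$fallback"
    return 0
  fi
  echo $(( avail / limit + 5 ))
}

# Constructed inputs: the page's minimum server (512MB) with roughly 256MiB
# available, and a host with 1GiB available, both with PHP's stock 128M limit.
SMALL_MEMINFO="MemTotal:         524288 kB
MemFree:          131072 kB
MemAvailable:     262144 kB"
LARGE_MEMINFO="MemTotal:        4194304 kB
MemAvailable:    1048576 kB"
STOCK_PHPINI="; php.ini excerpt (constructed)
memory_limit = 128M"
UNLIMITED_PHPINI="memory_limit = -1"
```

With the stock 128M limit the 512MB host gets 7 processes and the 1GiB host 13, which shows how conservative the formula is next to the 10-100 range the text quotes for production.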

Configuring NGINX

Setting the basic NGINX parameters

The script creates a directory for the NGINX cache and then writes the main configuration file nginx.conf. Note the number of worker processes and the maximum upload size setting. There is also a line that includes the compression configuration file described in the next section, followed by the caching settings.

Script code

# Make directory for NGINX cache
mkdir -p /var/cache/nginx/proxy

echo " Configuring NGINX"
cat > ${NGINX_CONF_DIR}/nginx.conf << EOM
user nginx;
worker_processes auto;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       ${NGINX_CONF_DIR}/mime.types;
    default_type  application/octet-stream;
    log_format  main  '\$remote_addr - \$remote_user [\$time_local] "\$request" '
                      '\$status \$body_bytes_sent "\$http_referer" '
                      '"\$http_user_agent" "\$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    client_max_body_size ${UPLOAD_MAX_FILESIZE};
    keepalive_timeout  65;
    # gzip settings
    include ${NGINX_CONF_DIR}/gzip_compression.conf;
    # Cache settings
    proxy_cache_path /var/cache/nginx/proxy
        levels=1:2
        keys_zone=wp_cache:10m
        max_size=10g
        inactive=60m
        use_temp_path=off;
    include ${NGINX_CONF_DIR}/conf.d/*.conf;
}
EOM

Configuring NGINX compression

Compressing data on the fly before sending it to clients is an excellent way to improve site performance, but only if compression is configured correctly. This part of the script is based on the settings from the source credited in the file.

Script code

cat > ${NGINX_CONF_DIR}/gzip_compression.conf << 'EOM'
# Credit: https://github.com/h5bp/server-configs-nginx/
# ----------------------------------------------------------------------
# | Compression                                                        |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 6;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
  application/atom+xml
  application/geo+json
  application/javascript
  application/x-javascript
  application/json
  application/ld+json
  application/manifest+json
  application/rdf+xml
  application/rss+xml
  application/vnd.ms-fontobject
  application/wasm
  application/x-web-app-manifest+json
  application/xhtml+xml
  application/xml
  font/eot
  font/otf
  font/ttf
  image/bmp
  image/svg+xml
  text/cache-manifest
  text/calendar
  text/css
  text/javascript
  text/markdown
  text/plain
  text/xml
  text/vcard
  text/vnd.rim.location.xloc
  text/vtt
  text/x-component
  text/x-cross-domain-policy;
EOM

Configuring NGINX for WordPress

Next, the script creates a WordPress configuration file, default.conf, in the conf.d directory. It configures the following:

  • Enabling the TLS certificates obtained from Let's Encrypt via Certbot (set up in the next section)
  • Setting the TLS security parameters according to the recommendations from Let's Encrypt
  • Enabling caching of cacheable responses for 1 hour by default
  • Disabling access logging, and not-found error logging, for two commonly requested files: favicon.ico and robots.txt
  • Denying access to hidden files and to certain .php files, to prevent unauthorized access or unintended execution
  • Disabling access logging for static files and fonts
  • Setting the Access-Control-Allow-Origin header for font files
  • Adding routing for index.php and other PHP files.

Script code

cat > ${NGINX_CONF_DIR}/conf.d/default.conf << EOM
upstream unit_php_upstream {
    server 127.0.0.1:8080;
    keepalive 32;
}
server {
    listen 80;
    listen [::]:80;
    # ACME-challenge used by Certbot for Let's Encrypt
    location ^~ /.well-known/acme-challenge/ {
      root /var/www/certbot;
    }
    location / {
      return 301 https://${TLS_HOSTNAME}\$request_uri;
    }
}
server {
    listen      443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${TLS_HOSTNAME};
    root        /var/www/wordpress/;
    # Let's Encrypt configuration
    ssl_certificate         ${CERT_DIR}/fullchain.pem;
    ssl_certificate_key     ${CERT_DIR}/privkey.pem;
    ssl_trusted_certificate ${CERT_DIR}/chain.pem;
    include ${NGINX_CONF_DIR}/options-ssl-nginx.conf;
    ssl_dhparam ${NGINX_CONF_DIR}/ssl-dhparams.pem;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # Proxy caching
    proxy_cache wp_cache;
    proxy_cache_valid 200 302 1h;
    proxy_cache_valid 404 1m;
    proxy_cache_revalidate on;
    proxy_cache_background_update on;
    proxy_cache_lock on;
    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd,
    # .DS_Store (Mac)
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban)
    location ~ /\. {
        deny all;
    }
    # Deny access to any files with a .php extension in the uploads directory;
    # works in subdirectory installs and also in multi-site network.
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban).
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }
    # WordPress: deny access to wp-content, wp-includes PHP files
    location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
        deny all;
    }
    # Deny public access to wp-config.php
    location ~* wp-config\.php {
        deny all;
    }
    # Do not log access for static assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        access_log off;
    }
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        access_log off;
    }
    location / {
        try_files \$uri @index_php;
    }
    location @index_php {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$host;
        proxy_pass       http://unit_php_upstream;
    }
    location ~* \.php$ {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$host;
        try_files        \$uri =404;
        proxy_pass       http://unit_php_upstream;
    }
}
EOM
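The four `deny all` blocks above are regex locations, which NGINX evaluates in order of appearance, first match wins, after the exact (`=`) and `^~` prefix locations have been tried. As an added example (not part of the original configuration), the shell function below applies the same four patterns to sample request paths so you can see which requests will be refused with 403 before deploying; `wp_deny_decision`, `print_decisions` and the sample paths are constructed here, and the function models only the deny rules, not the static-asset and proxy locations.

```shell
#!/bin/bash
# Added example, not from the page's configuration: replay the four regex
# "deny all" locations from default.conf against request paths. grep -E stands
# in for NGINX's PCRE, so the non-capturing (?:...) groups are written as plain
# (...) groups; for these patterns the match results are the same. The sample
# paths at the bottom are constructed for illustration.

# wp_deny_decision PATH -> prints "deny" or "pass" for the path component of a
# request URI (no query string), in the order of the location blocks.
wp_deny_decision() {
  local path="$1"
  # location ~ /\.   : hidden files anywhere (.htaccess, .git/, .env)
  if printf '%s\n' "$path" | grep -Eq '/\.'; then
    echo deny; return
  fi
  # location ~* /(?:uploads|files)/.*\.php$ : PHP placed in upload directories
  if printf '%s\n' "$path" | grep -Eiq '/(uploads|files)/.*\.php$'; then
    echo deny; return
  fi
  # location ~* ^/(?:wp-content|wp-includes)/.*\.php$ : direct PHP in themes/plugins
  if printf '%s\n' "$path" | grep -Eiq '^/(wp-content|wp-includes)/.*\.php$'; then
    echo deny; return
  fi
  # location ~* wp-config\.php : the credentials file, wherever it is requested
  if printf '%s\n' "$path" | grep -Eiq 'wp-config\.php'; then
    echo deny; return
  fi
  echo pass
}

# Constructed sample requests. Paths that pass here are not necessarily served:
# they fall through to the static-asset, try_files and .php$ locations, which
# this function does not model.
SAMPLE_PATHS="
/index.php
/wp-admin/admin-ajax.php
/wp-login.php
/wp-content/uploads/2020/04/photo.jpg
/wp-content/uploads/2020/04/uploaded.php
/wp-content/plugins/akismet/akismet.php
/wp-includes/load.php
/.git/HEAD
/.env
/wp-config.php
/backup/wp-config.php
"

# print_decisions -> one "path decision" line per sample path
print_decisions() {
  local p
  for p in $SAMPLE_PATHS; do
    printf '%-45s %s\n' "$p" "$(wp_deny_decision "$p")"
  done
}
```

Note that `~*` makes the last three rules case-insensitive, so `/WP-CONTENT/x/X.PHP` is denied as well, while the hidden-file rule is case-sensitive but needs no case handling.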

Configuring Certbot for Let's Encrypt certificates and their automatic renewal

Certbot is a free tool from the Electronic Frontier Foundation (EFF) that lets you obtain and automatically renew TLS certificates from Let's Encrypt. The script does the following to set up Certbot for handling Let's Encrypt certificates in NGINX:

  • Stops NGINX
  • Downloads the recommended TLS settings
  • Runs Certbot to obtain the certificates for the site
  • Restarts NGINX so that it uses the certificates
  • Configures Certbot to run daily at 3:24 AM to check whether the certificates need renewing and, if so, to download new certificates and reload NGINX.

Script code

echo " Stopping NGINX in order to set up Let's Encrypt"
service nginx stop

mkdir -p /var/www/certbot
chown www-data:www-data /var/www/certbot
chmod g+s /var/www/certbot

if [ ! -f ${NGINX_CONF_DIR}/options-ssl-nginx.conf ]; then
  echo " Downloading recommended TLS parameters"
  curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:36:07 GMT" \
    -o "${NGINX_CONF_DIR}/options-ssl-nginx.conf" \
    "https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf" \
    || echo "Couldn't download latest options-ssl-nginx.conf"
fi

if [ ! -f ${NGINX_CONF_DIR}/ssl-dhparams.pem ]; then
  echo " Downloading recommended TLS DH parameters"
  curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:49:18 GMT" \
    -o "${NGINX_CONF_DIR}/ssl-dhparams.pem" \
    "https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem" \
    || echo "Couldn't download latest ssl-dhparams.pem"
fi

# If tls_certs_init.sh hasn't been run before, remove the self-signed certs
if [ ! -d "/etc/letsencrypt/accounts" ]; then
  echo " Removing self-signed certificates"
  rm -rf "${CERT_DIR}"
fi

if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
  CERTBOT_STAGING_FLAG=""
else
  CERTBOT_STAGING_FLAG="--staging"
fi

if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
  echo " Generating certificates with Let's Encrypt"
  certbot certonly --standalone \
         -m "${WORDPRESS_ADMIN_EMAIL}" \
         ${CERTBOT_STAGING_FLAG} \
         --agree-tos --force-renewal --non-interactive \
         -d "${TLS_HOSTNAME}"
fi

echo " Starting NGINX in order to use new configuration"
service nginx start

# Write crontab for periodic Let's Encrypt cert renewal
if [ "$(crontab -l | grep -m1 'certbot renew')" == "" ]; then
  echo " Adding certbot to crontab for automatic Let's Encrypt renewal"
  (crontab -l 2>/dev/null; echo "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'") | crontab -
fi

Further customization of your site

Above we described how our script configures NGINX and NGINX Unit to serve a production-ready site with TLS/SSL. Depending on your needs, you may later want to add:

  • Brotli support, for better on-the-fly compression over HTTPS
  • ModSecurity with a WordPress rule set, to protect the site against various attacks
  • A WordPress backup solution that suits you
  • Hardening with AppArmor (on Ubuntu)
  • Postfix or msmtp, so that WordPress can send e-mail
  • Monitoring of your site, so that you know how much traffic it can handle

For better site performance we recommend upgrading to NGINX Plus, our commercial enterprise-grade product based on open source NGINX. Its subscribers get a dynamically loadable Brotli module and (for an additional fee) the NGINX ModSecurity WAF. We also offer NGINX App Protect, a WAF module for NGINX Plus based on industry-leading security technology from F5.

NB To support a high-load site, you can contact the Kahikina specialists. We will ensure fast and reliable operation of your site or service under any load.

Source: www.habr.com