Running WordPress on NGINX Unit on Ubuntu


There are many tutorials on installing WordPress; a Google search for "WordPress install" returns about half a million results. However, there are very few really good guides among them, ones you can follow to install and configure WordPress and the underlying operating system so that they can be maintained for a long time. Perhaps the right settings depend on particular needs, or perhaps a thorough explanation simply makes an article hard to read.

In this article, we try to combine the best of both worlds by providing a bash script that installs WordPress on Ubuntu automatically, and walking through it, explaining what each piece does and the trade-offs we made while developing it. If you are an advanced user, you can skip the text of the article and just take the script to adapt and use in your own environment. The result of the script is a customised WordPress installation with Let's Encrypt support, running on NGINX Unit and suitable for production use.

The architecture for deploying WordPress with NGINX Unit was described in an earlier article; this time we also configure the things that were not covered there (or in many other tutorials):

  • WordPress CLI
  • Let's Encrypt and TLS/SSL certificates
  • Automatic certificate renewal
  • NGINX caching
  • NGINX compression
  • HTTPS and HTTP/2 support
  • Process automation

The article describes an installation on a single server, which hosts the static file server, the PHP processing server, and the database at the same time. Installation with support for multiple virtual hosts and services is a possible topic for the future. If you would like us to write about something not covered in these articles, say so in the comments.

Requirements

  • A container host (LXC or LXD), a virtual machine, or an ordinary bare-metal server with at least 512MB of RAM and Ubuntu 18.04 or newer installed.
  • Ports 80 and 443 reachable from the internet
  • A domain name that resolves to the public IP address of this server
  • Root access (sudo).

Architecture overview

The architecture is the same as described earlier: a three-tier web application. It consists of PHP scripts running in the PHP engine and static files served by the web server.


General principles

  • Many configuration commands in the script are wrapped in conditions for idempotency: the script can be run several times without the risk of changing settings that are already in place.
  • The script tries to install software from repositories, so you can apply system updates with a single command (apt upgrade on Ubuntu).
  • Commands try to detect that they are running inside a container so they can adjust their settings accordingly.
  • To set the number of processes that will be started in the configuration, the script tries to guess suitable automatic settings for containers, virtual machines, and bare-metal servers.
  • When describing settings, we always think about automation first, which we hope will become the basis for building your own infrastructure as code.
  • All commands are run as the root user, because they change basic system settings, but WordPress itself runs as a regular user.

Setting environment variables

Set the following environment variables before running the script:

  • WORDPRESS_DB_PASSWORD - WordPress database password
  • WORDPRESS_ADMIN_USER - WordPress admin user name
  • WORDPRESS_ADMIN_PASSWORD - WordPress admin password
  • WORDPRESS_ADMIN_EMAIL - WordPress admin email address
  • WORDPRESS_URL - the full URL of the WordPress site, starting with https://.
  • LETS_ENCRYPT_STAGING - empty by default, but by setting the value to 1 you use the Let's Encrypt staging server, which is necessary when requesting certificates while testing your setup; otherwise Let's Encrypt may temporarily block your IP address because of too many requests.

The script checks that these WordPress-related variables are set and exits if they are not.
Script lines 572-576 check the value of LETS_ENCRYPT_STAGING.

Setting derived environment variables

The script, at lines 55-61, sets the following environment variables, either as hard-coded values or as values derived from the variables set in the previous section:

  • DEBIAN_FRONTEND="noninteractive" - tells applications that they are running from a script and that no user interaction is possible.
  • WORDPRESS_CLI_VERSION="2.4.0" - the version of the WordPress CLI tool.
  • WORDPRESS_CLI_MD5="dedd5a662b80cda66e9e25d44c23b25c" - checksum of the WordPress CLI 2.4.0 executable (the version given in WORDPRESS_CLI_VERSION). The script uses this value at line 162 to check that the correct WordPress CLI file was downloaded.
  • UPLOAD_MAX_FILESIZE="16M" - the maximum size of a file that can be uploaded to WordPress. This setting is used in several places, so it is easier to set it once.
  • TLS_HOSTNAME="$(echo ${WORDPRESS_URL} | cut -d'/' -f3)" - the hostname of the system, extracted from WORDPRESS_URL. It is used to obtain the matching TLS/SSL certificate from Let's Encrypt and for WordPress's internal checks.
  • NGINX_CONF_DIR="/etc/nginx" - path to the directory holding the NGINX configuration, including the main nginx.conf file.
  • CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}" - path to the Let's Encrypt certificates for the WordPress site, derived from TLS_HOSTNAME.
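As an added example (not part of the original script), the two checks described above in function form: a guard that refuses to continue when a required variable is missing, and a derivation of TLS_HOSTNAME that, unlike `cut -d'/' -f3`, also strips a port suffix or userinfo from WORDPRESS_URL, either of which would otherwise be passed to certbot as part of the `-d` value. The function names are assumptions for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original script.

# wp_tls_hostname URL: print the bare hostname of an https:// URL.
# Returns 1 (and prints a message on stderr) if the URL does not start
# with https:// or contains no hostname.
wp_tls_hostname() {
  url="$1"
  case "$url" in
    https://*) ;;
    *) echo "WORDPRESS_URL must start with https://" >&2; return 1 ;;
  esac
  host="${url#https://}"      # drop the scheme
  host="${host%%/*}"          # drop path and query string
  host="${host##*@}"          # drop userinfo (user:password@), if any
  host="${host%%:*}"          # drop a :port suffix, if any
  [ -n "$host" ] || { echo "WORDPRESS_URL has no hostname" >&2; return 1; }
  printf '%s\n' "$host"
}

# require_vars NAME...: return 0 only if every named variable is set and
# non-empty; reports each missing one on stderr.
require_vars() {
  missing=0
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "Required environment variable $name is not set" >&2
      missing=1
    fi
  done
  return $missing
}

# Usage in the script (replacing the cut -d'/' -f3 derivation):
#   require_vars WORDPRESS_DB_PASSWORD WORDPRESS_ADMIN_USER \
#       WORDPRESS_ADMIN_PASSWORD WORDPRESS_ADMIN_EMAIL WORDPRESS_URL || exit 1
#   TLS_HOSTNAME="$(wp_tls_hostname "$WORDPRESS_URL")" || exit 1
```

Because both functions return a non-zero status on failure, `|| exit 1` (or `set -e` at the top of the script) stops the run before any system setting is touched.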

Assigning a hostname to the WordPress server

The script sets the server's hostname to match the site's domain name. This is not required, but it is more convenient for sending outgoing mail over SMTP when you set up a single server, as this script does.

Script code

# Change the hostname to be the same as the WordPress hostname
if [ ! "$(hostname)" == "${TLS_HOSTNAME}" ]; then
  echo " Changing hostname to ${TLS_HOSTNAME}"
  hostnamectl set-hostname "${TLS_HOSTNAME}"
fi

Adding the hostname to /etc/hosts

The WP-Cron add-on, which runs periodic tasks, requires that WordPress can reach itself over HTTP. To make sure WP-Cron works correctly in every environment, the script adds entries to /etc/hosts so that WordPress can reach itself through the loopback interface:

Script code

# Add the hostname to /etc/hosts
if [ "$(grep -m1 "${TLS_HOSTNAME}" /etc/hosts)" = "" ]; then
  echo " Adding hostname ${TLS_HOSTNAME} to /etc/hosts so that WordPress can ping itself"
  printf "::1 %s\n127.0.0.1 %s\n" "${TLS_HOSTNAME}" "${TLS_HOSTNAME}" >> /etc/hosts
fi

Installing the tools required for the following steps

The rest of the script needs certain programs and assumes that the repository metadata is up to date. We refresh the package lists and then install the required tools:

Script code

# Make sure tools needed for install are present
echo " Installing prerequisite tools"
apt-get -qq update
apt-get -qq install -y \
  bc \
  ca-certificates \
  coreutils \
  curl \
  gnupg2 \
  lsb-release

Adding the NGINX Unit and NGINX repositories

The script installs NGINX Unit and open source NGINX from the official NGINX repositories, so that the latest versions, with security patches and bug fixes, are used.

The script adds the NGINX Unit repository and then the NGINX repository, installing the repository signing key and the apt configuration files that describe how to reach the repositories over the internet.

The actual installation of NGINX Unit and NGINX happens in the next section. We add the repositories first so that we do not have to refresh the metadata several times, which makes the installation faster.

Script code

# Install the NGINX Unit repository
if [ ! -f /etc/apt/sources.list.d/unit.list ]; then
  echo " Installing NGINX Unit repository"
  curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
  echo "deb https://packages.nginx.org/unit/ubuntu/ $(lsb_release -cs) unit" > /etc/apt/sources.list.d/unit.list
fi

# Install the NGINX repository
if [ ! -f /etc/apt/sources.list.d/nginx.list ]; then
  echo " Installing NGINX repository"
  curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
  echo "deb https://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
fi

Installing NGINX, NGINX Unit, PHP, MariaDB, Certbot (Let's Encrypt) and their dependencies

Once all the repositories have been added, refresh the metadata and install the applications. The set of packages installed by the script also includes the PHP extensions recommended by WordPress.org.

Script code

echo " Updating repository metadata"
apt-get -qq update

# Install PHP with dependencies and NGINX Unit
echo " Installing PHP, NGINX Unit, NGINX, Certbot, and MariaDB"
apt-get -qq install -y --no-install-recommends \
  certbot \
  python3-certbot-nginx \
  php-cli \
  php-common \
  php-bcmath \
  php-curl \
  php-gd \
  php-imagick \
  php-mbstring \
  php-mysql \
  php-opcache \
  php-xml \
  php-zip \
  ghostscript \
  nginx \
  unit \
  unit-php \
  mariadb-server

Configuring PHP for use with NGINX Unit and WordPress

The script creates a configuration file in the conf.d directory. It sets the maximum file size for PHP uploads, sends PHP error output to STDERR so that errors end up in the NGINX Unit log, and then restarts NGINX Unit.

Script code

# Find the major and minor PHP version so that we can write to its conf.d directory
PHP_MAJOR_MINOR_VERSION="$(php -v | head -n1 | cut -d' ' -f2 | cut -d'.' -f1,2)"

if [ ! -f "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" ]; then
  echo " Configuring PHP for use with NGINX Unit and WordPress"
  # Add PHP configuration overrides
  cat > "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" << EOM
; Set a larger maximum upload size so that WordPress can handle
; bigger media files.
upload_max_filesize=${UPLOAD_MAX_FILESIZE}
post_max_size=${UPLOAD_MAX_FILESIZE}
; Write error log to STDERR so that error messages show up in the NGINX Unit log
error_log=/dev/stderr
EOM
fi

# Restart NGINX Unit because we have reconfigured PHP
echo " Restarting NGINX Unit"
service unit restart

Defining the MariaDB database settings for WordPress

We chose MariaDB over MySQL because it has more community activity and may also offer better performance by default (it is probably simpler than that: to install MySQL you would have to add yet another repository; translator's note).

The script creates a new database and credentials that WordPress uses to access it through the loopback interface:

Script code

# Set up the WordPress database
echo " Configuring MariaDB for WordPress"
mysqladmin create wordpress || echo "Ignoring above error because database may already exist"
mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO \"wordpress\"@\"localhost\" IDENTIFIED BY \"$WORDPRESS_DB_PASSWORD\"; FLUSH PRIVILEGES;"

Installing the WordPress CLI tool

In this step the script installs the WP-CLI tool. With it you can install and manage WordPress settings without editing files by hand, updating the database, or going through the admin panel. It can also be used to install themes and plugins and to update WordPress.

Script code

if [ ! -f /usr/local/bin/wp ]; then
  # Install the WordPress CLI
  echo " Installing the WordPress CLI tool"
  curl --retry 6 -Ls "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" > /usr/local/bin/wp
  echo "$WORDPRESS_CLI_MD5 /usr/local/bin/wp" | md5sum -c -
  chmod +x /usr/local/bin/wp
fi
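The step above compares the download against WORDPRESS_CLI_MD5, but `md5sum -c -` only reports a mismatch; unless the script runs under `set -e`, a corrupted or substituted download is still made executable and placed on the PATH. As an added example (not part of the original script), a download-and-verify wrapper that returns a non-zero status and removes the file on mismatch, so the install stops. The function names are assumptions; the md5 and sha256 options are there because WP-CLI releases also ship stronger digests than MD5, which is collision-prone.

```bash
#!/usr/bin/env bash
# Added example, not part of the original script.

# verify_checksum FILE EXPECTED [ALGO]
#   ALGO is md5 (default) or sha256. Returns 0 on match, 1 on mismatch,
#   2 for an unknown algorithm.
verify_checksum() {
  file="$1"; expected="$2"; algo="${3:-md5}"
  case "$algo" in
    md5)    actual="$(md5sum "$file" | cut -d' ' -f1)" ;;
    sha256) actual="$(sha256sum "$file" | cut -d' ' -f1)" ;;
    *) echo "unknown checksum algorithm: $algo" >&2; return 2 ;;
  esac
  if [ "$actual" != "$expected" ]; then
    echo "Checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# install_verified URL DEST EXPECTED [ALGO]
#   Download, verify, then make executable. -f makes curl fail on an HTTP
#   error instead of saving the error page as the binary. A failed check
#   deletes the file so that no unverified binary is left behind.
install_verified() {
  url="$1"; dest="$2"; expected="$3"; algo="${4:-md5}"
  curl --retry 6 -fsSL "$url" -o "$dest" || { rm -f "$dest"; return 1; }
  if ! verify_checksum "$dest" "$expected" "$algo"; then
    rm -f "$dest"
    return 1
  fi
  chmod 0755 "$dest"
}

# Usage in the script, with the page's own variables:
#   install_verified \
#     "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" \
#     /usr/local/bin/wp "${WORDPRESS_CLI_MD5}" md5 || exit 1
```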

Installing and configuring WordPress

The script installs the latest version of WordPress into the /var/www/wordpress directory and adjusts the settings:

  • The database connection goes over a Unix domain socket instead of TCP on the loopback interface, to reduce TCP traffic.
  • WordPress adds the https:// prefix to URLs when clients connect to NGINX over HTTPS, and also passes the hostname (as supplied by NGINX) to PHP. We use a small code snippet to configure this.
  • WordPress requires HTTPS for logging in
  • The default URL structure is resource-based
  • The correct filesystem permissions are set on the WordPress directories.

Script code

if [ ! -d /var/www/wordpress ]; then
  # Create WordPress directories
  mkdir -p /var/www/wordpress
  chown -R www-data:www-data /var/www

  # Download WordPress using the WordPress CLI
  echo " Installing WordPress"
  su -s /bin/sh -c 'wp --path=/var/www/wordpress core download' www-data

  WP_CONFIG_CREATE_CMD="wp --path=/var/www/wordpress config create --extra-php --dbname=wordpress --dbuser=wordpress --dbhost=\"localhost:/var/run/mysqld/mysqld.sock\" --dbpass=\"${WORDPRESS_DB_PASSWORD}\""

  # This snippet is injected into the wp-config.php file when it is created;
  # it informs WordPress that we are behind a reverse proxy and as such
  # allows it to generate links using HTTPS
  cat > /tmp/wp_forwarded_for.php << 'EOM'
/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
EOM

  # Create WordPress configuration
  su -s /bin/sh -p -c "cat /tmp/wp_forwarded_for.php | ${WP_CONFIG_CREATE_CMD}" www-data
  rm /tmp/wp_forwarded_for.php
  su -s /bin/sh -p -c "wp --path=/var/www/wordpress config set 'FORCE_SSL_ADMIN' 'true'" www-data

  # Install WordPress
  WP_SITE_INSTALL_CMD="wp --path=/var/www/wordpress core install --url=\"${WORDPRESS_URL}\" --title=\"${WORDPRESS_SITE_TITLE}\" --admin_user=\"${WORDPRESS_ADMIN_USER}\" --admin_password=\"${WORDPRESS_ADMIN_PASSWORD}\" --admin_email=\"${WORDPRESS_ADMIN_EMAIL}\" --skip-email"
  su -s /bin/sh -p -c "${WP_SITE_INSTALL_CMD}" www-data

  # Set permalink structure to a sensible default that isn't in the UI
  su -s /bin/sh -p -c "wp --path=/var/www/wordpress option update permalink_structure '/%year%/%monthnum%/%postname%/'" www-data

  # Remove sample file because it is cruft and could be a security problem
  rm /var/www/wordpress/wp-config-sample.php

  # Ensure that WordPress permissions are correct
  find /var/www/wordpress -type d -exec chmod g+s {} \;
  chmod g+w /var/www/wordpress/wp-content
  chmod -R g+w /var/www/wordpress/wp-content/themes
  chmod -R g+w /var/www/wordpress/wp-content/plugins
fi

Configuring NGINX Unit

The script configures NGINX Unit to run PHP and route WordPress requests, isolating the PHP process namespaces and tuning performance settings. Three things are worth noting here:

  • Namespace support is decided conditionally, based on a check of whether the script is running inside a container. This matters because most container setups do not support launching nested containers.
  • If namespaces are supported, the network namespace is left disabled. This lets WordPress both connect to the two endpoints and remain reachable from the web at the same time.
  • The maximum number of processes is defined as: (memory available after MariaDB and NGINX Unit are running) / (PHP memory limit) + 5.
    This value is written into the NGINX Unit configuration.

This value also ensures that at least two PHP processes are running, which matters because WordPress makes many asynchronous requests to itself; without extra processes, features such as WP-Cron break. You can raise or lower these limits to suit your local setup, since the settings produced here are conservative. In most production systems the value lies between 10 and 100.

Script code

if [ "${container:-unknown}" != "lxc" ] && [ "$(grep -m1 -a container=lxc /proc/1/environ | tr -d '\0')" == "" ]; then
  NAMESPACES='"namespaces": {
        "cgroup": true,
        "credential": true,
        "mount": true,
        "network": false,
        "pid": true,
        "uname": true
    }'
else
  NAMESPACES='"namespaces": {}'
fi

# Read memory_limit from the php.ini of the installed PHP version (PHP_MAJOR_MINOR_VERSION was set in the PHP configuration step above)
PHP_MEM_LIMIT="$(grep 'memory_limit' /etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/php.ini | tr -d ' ' | cut -f2 -d= | numfmt --from=iec)"
AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
MAX_PHP_PROCESSES="$(echo "${AVAIL_MEM}/${PHP_MEM_LIMIT}+5" | bc)"
echo " Calculated the maximum number of PHP processes as ${MAX_PHP_PROCESSES}. You may want to tune this value due to variations in your configuration. It is not unusual to see values between 10-100 in production configurations."

echo " Configuring NGINX Unit to use PHP and WordPress"
cat > /tmp/wordpress.json << EOM
{
  "settings": {
    "http": {
      "header_read_timeout": 30,
      "body_read_timeout": 30,
      "send_timeout": 30,
      "idle_timeout": 180,
      "max_body_size": $(numfmt --from=iec ${UPLOAD_MAX_FILESIZE})
    }
  },
  "listeners": {
    "127.0.0.1:8080": {
      "pass": "routes/wordpress"
    }
  },
  "routes": {
    "wordpress": [
      {
        "match": {
          "uri": [
            "*.php",
            "*.php/*",
            "/wp-admin/"
          ]
        },
        "action": {
          "pass": "applications/wordpress/direct"
        }
      },
      {
        "action": {
          "share": "/var/www/wordpress",
          "fallback": {
            "pass": "applications/wordpress/index"
          }
        }
      }
    ]
  },
  "applications": {
    "wordpress": {
      "type": "php",
      "user": "www-data",
      "group": "www-data",
      "processes": {
        "max": ${MAX_PHP_PROCESSES},
        "spare": 1
      },
      "isolation": {
        ${NAMESPACES}
      },
      "targets": {
        "direct": {
          "root": "/var/www/wordpress/"
        },
        "index": {
          "root": "/var/www/wordpress/",
          "script": "index.php"
        }
      }
    }
  }
}
EOM

curl -X PUT --data-binary @/tmp/wordpress.json --unix-socket /run/control.unit.sock http://localhost/config
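As an added example (not part of the original script), the process-count formula from this section written as shell functions, with shell arithmetic in place of bc and handling for the two inputs the pipeline above does not cover: a memory_limit of -1 (unlimited), which would make the division meaningless, and a php.ini whose memory_limit is commented out or given with a K/M/G suffix. The function names, the floor of 2 processes and the sample php.ini contents are assumptions for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original script.

# iec_to_bytes VALUE: convert "128M", "1G", "512K" or a plain byte count to bytes.
iec_to_bytes() {
  v="$1"
  case "$v" in
    *K|*k) echo $(( ${v%?} * 1024 )) ;;
    *M|*m) echo $(( ${v%?} * 1024 * 1024 )) ;;
    *G|*g) echo $(( ${v%?} * 1024 * 1024 * 1024 )) ;;
    *)     echo $(( v )) ;;
  esac
}

# max_php_processes AVAIL_BYTES MEMORY_LIMIT [FLOOR]
#   Page formula: AVAIL_BYTES / MEMORY_LIMIT + 5 (integer division).
#   The result is never below FLOOR (default 2), because WordPress needs a
#   second process for the requests it makes to itself (WP-Cron).
#   memory_limit=-1 means "unlimited" in PHP; there is nothing to divide by,
#   so the floor is returned and a warning printed.
max_php_processes() {
  avail="$1"; limit="$2"; floor="${3:-2}"
  if [ "$limit" = "-1" ]; then
    echo "memory_limit is unlimited; using floor of $floor processes" >&2
    echo "$floor"; return 0
  fi
  limit_bytes="$(iec_to_bytes "$limit")"
  if [ "$limit_bytes" -le 0 ]; then
    echo "invalid memory_limit '$limit'" >&2; return 1
  fi
  n=$(( avail / limit_bytes + 5 ))
  [ "$n" -lt "$floor" ] && n="$floor"
  echo "$n"
}

# php_memory_limit INI_FILE: print the effective memory_limit from a php.ini,
# ignoring commented-out lines (the ';' prefix) and taking the last setting.
php_memory_limit() {
  grep -E '^[[:space:]]*memory_limit[[:space:]]*=' "$1" | tail -n1 | cut -d= -f2 | tr -d ' \t\r'
}

# Usage in the script, with the page's own variables:
#   AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
#   MAX_PHP_PROCESSES="$(max_php_processes "$AVAIL_MEM" \
#       "$(php_memory_limit /etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/php.ini)")"
```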

Configuring NGINX

Basic NGINX settings

The script creates a directory for the NGINX cache and then writes the main nginx.conf configuration file. Note the number of worker processes and the maximum upload file size setting. There is also a line that includes the compression settings file defined in the next section, followed by the cache settings.

Script code

# Make directory for NGINX cache
mkdir -p /var/cache/nginx/proxy

echo " Configuring NGINX"
cat > ${NGINX_CONF_DIR}/nginx.conf << EOM
user nginx;
worker_processes auto;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       ${NGINX_CONF_DIR}/mime.types;
    default_type  application/octet-stream;
    log_format  main  '\$remote_addr - \$remote_user [\$time_local] "\$request" '
                      '\$status \$body_bytes_sent "\$http_referer" '
                      '"\$http_user_agent" "\$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    client_max_body_size ${UPLOAD_MAX_FILESIZE};
    keepalive_timeout  65;
    # gzip settings
    include ${NGINX_CONF_DIR}/gzip_compression.conf;
    # Cache settings
    proxy_cache_path /var/cache/nginx/proxy
        levels=1:2
        keys_zone=wp_cache:10m
        max_size=10g
        inactive=60m
        use_temp_path=off;
    include ${NGINX_CONF_DIR}/conf.d/*.conf;
}
EOM

Configuring NGINX compression

Compressing content on the fly before sending it to clients is a good way to improve site performance, but only if compression is configured correctly. This part of the script is based on the configuration from h5bp/server-configs-nginx.

Script code

cat > ${NGINX_CONF_DIR}/gzip_compression.conf << 'EOM'
# Credit: https://github.com/h5bp/server-configs-nginx/
# ----------------------------------------------------------------------
# | Compression                                                        |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 6;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
  application/atom+xml
  application/geo+json
  application/javascript
  application/x-javascript
  application/json
  application/ld+json
  application/manifest+json
  application/rdf+xml
  application/rss+xml
  application/vnd.ms-fontobject
  application/wasm
  application/x-web-app-manifest+json
  application/xhtml+xml
  application/xml
  font/eot
  font/otf
  font/ttf
  image/bmp
  image/svg+xml
  text/cache-manifest
  text/calendar
  text/css
  text/javascript
  text/markdown
  text/plain
  text/xml
  text/vcard
  text/vnd.rim.location.xloc
  text/vtt
  text/x-component
  text/x-cross-domain-policy;
EOM

Configuring NGINX for WordPress

Next, the script creates the default.conf configuration file for WordPress in the conf.d directory. It configures the following:

  • Use of the TLS certificates obtained from Let's Encrypt through Certbot (set up in the next section)
  • TLS security settings based on the recommendations from Let's Encrypt
  • Caching of responses for 1 hour by default
  • Access logging, and error logging when the file is not found, turned off for two frequently requested files: favicon.ico and robots.txt
  • Access to hidden files and to certain .php files denied, to prevent unauthorised access or unintended execution
  • Access logging turned off for static and font files
  • The Access-Control-Allow-Origin header set for font files
  • Routing for index.php and for the remaining static files.

Script code

cat > ${NGINX_CONF_DIR}/conf.d/default.conf << EOM
upstream unit_php_upstream {
    server 127.0.0.1:8080;
    keepalive 32;
}
server {
    listen 80;
    listen [::]:80;
    # ACME-challenge used by Certbot for Let's Encrypt
    location ^~ /.well-known/acme-challenge/ {
      root /var/www/certbot;
    }
    location / {
      return 301 https://${TLS_HOSTNAME}\$request_uri;
    }
}
server {
    listen      443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${TLS_HOSTNAME};
    root        /var/www/wordpress/;
    # Let's Encrypt configuration
    ssl_certificate         ${CERT_DIR}/fullchain.pem;
    ssl_certificate_key     ${CERT_DIR}/privkey.pem;
    ssl_trusted_certificate ${CERT_DIR}/chain.pem;
    include ${NGINX_CONF_DIR}/options-ssl-nginx.conf;
    ssl_dhparam ${NGINX_CONF_DIR}/ssl-dhparams.pem;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # Proxy caching
    proxy_cache wp_cache;
    proxy_cache_valid 200 302 1h;
    proxy_cache_valid 404 1m;
    proxy_cache_revalidate on;
    proxy_cache_background_update on;
    proxy_cache_lock on;
    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd,
    # .DS_Store (Mac)
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban)
    location ~ /\. {
        deny all;
    }
    # Deny access to any files with a .php extension in the uploads directory;
    # works in subdirectory installs and also in multi-site network.
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban).
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }
    # WordPress: deny access to wp-content, wp-includes PHP files
    location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
        deny all;
    }
    # Deny public access to wp-config.php
    location ~* wp-config\.php {
        deny all;
    }
    # Do not log access for static assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        access_log off;
    }
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        access_log off;
    }
    location / {
        try_files \$uri @index_php;
    }
    location @index_php {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$host;
        proxy_pass       http://unit_php_upstream;
    }
    location ~* \.php$ {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$host;
        try_files        \$uri =404;
        proxy_pass       http://unit_php_upstream;
    }
}
EOM
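As an added example (not part of the original script), an offline check of which request paths the four deny rules in default.conf cover. The PCRE patterns are rewritten for grep -E (`(?:...)` becomes `(...)`, `~*` becomes `-i`) and tested in the order in which nginx evaluates regex locations, which is also why the deny blocks must stay above `location ~* \.php$` in the file: the first matching regex location wins. nginx applies the rules to the decoded, normalised URI without the query string, so the check strips the query string and expects paths in that form. The function names and sample paths are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original script.

# wp_path_denied PATH -> 0 if one of the deny rules matches, 1 otherwise.
wp_path_denied() {
  path="${1%%\?*}"   # nginx matches the URI without the query string
  # location ~ /\.   (hidden files such as .htaccess, .git; case-sensitive)
  printf '%s\n' "$path" | grep -Eq '/\.' && return 0
  # location ~* /(?:uploads|files)/.*\.php$
  printf '%s\n' "$path" | grep -Eiq '/(uploads|files)/.*\.php$' && return 0
  # location ~* ^/(?:wp-content|wp-includes)/.*\.php$
  printf '%s\n' "$path" | grep -Eiq '^/(wp-content|wp-includes)/.*\.php$' && return 0
  # location ~* wp-config\.php  (unanchored, so stray copies such as
  # wp-config.php.bak are covered as well)
  printf '%s\n' "$path" | grep -Eiq 'wp-config\.php' && return 0
  return 1
}

# wp_deny_report: run a constructed set of paths through the rules and
# compare each verdict with the one the configuration is meant to give.
# Prints one line per path; the last column is "ok" or "MISMATCH".
wp_deny_report() {
  for entry in \
      '/index.php:allow' \
      '/wp-admin/admin-ajax.php:allow' \
      '/wp-content/uploads/2020/04/photo.jpg:allow' \
      '/wp-content/uploads/2020/04/upload.php:deny' \
      '/wp-includes/example.php:deny' \
      '/.git/config:deny' \
      '/wp-config.php:deny' \
      '/wp-config.php.bak:deny' \
      '/WP-CONFIG.PHP?x=1:deny'; do
    path="${entry%:*}"; want="${entry##*:}"
    if wp_path_denied "$path"; then got=deny; else got=allow; fi
    status=ok; [ "$got" = "$want" ] || status=MISMATCH
    printf '%-45s %-5s %s\n' "$path" "$got" "$status"
  done
}
```

Run `wp_deny_report` after editing the deny rules; a MISMATCH line means a path that should be blocked now reaches the PHP location (or a legitimate path such as admin-ajax.php has been caught by a rule that is too broad).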

Configuring Certbot for Let's Encrypt certificates and their automatic renewal

Certbot is a free tool from the Electronic Frontier Foundation (EFF) that lets you obtain and renew TLS certificates from Let's Encrypt automatically. The script does the following to configure Certbot to manage Let's Encrypt certificates for NGINX:

  • Stops NGINX
  • Downloads the recommended TLS settings
  • Runs Certbot to obtain a certificate for the site
  • Starts NGINX again so that it uses the certificate
  • Configures Certbot to run daily at 3:24 AM to check whether the certificate needs renewing and, if so, fetch a new certificate and reload NGINX.

Script code

echo " Stopping NGINX in order to set up Let's Encrypt"
service nginx stop

mkdir -p /var/www/certbot
chown www-data:www-data /var/www/certbot
chmod g+s /var/www/certbot

if [ ! -f ${NGINX_CONF_DIR}/options-ssl-nginx.conf ]; then
  echo " Downloading recommended TLS parameters"
  curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:36:07 GMT" \
    -o "${NGINX_CONF_DIR}/options-ssl-nginx.conf" \
    "https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf" \
    || echo "Couldn't download latest options-ssl-nginx.conf"
fi

if [ ! -f ${NGINX_CONF_DIR}/ssl-dhparams.pem ]; then
  echo " Downloading recommended TLS DH parameters"
  curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:49:18 GMT" \
    -o "${NGINX_CONF_DIR}/ssl-dhparams.pem" \
    "https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem" \
    || echo "Couldn't download latest ssl-dhparams.pem"
fi

# If tls_certs_init.sh hasn't been run before, remove the self-signed certs
if [ ! -d "/etc/letsencrypt/accounts" ]; then
  echo " Removing self-signed certificates"
  rm -rf "${CERT_DIR}"
fi

if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
  CERTBOT_STAGING_FLAG=""
else
  CERTBOT_STAGING_FLAG="--staging"
fi

if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
  echo " Generating certificates with Let's Encrypt"
  certbot certonly --standalone \
         -m "${WORDPRESS_ADMIN_EMAIL}" \
         ${CERTBOT_STAGING_FLAG} \
         --agree-tos --force-renewal --non-interactive \
         -d "${TLS_HOSTNAME}"
fi

echo " Starting NGINX in order to use new configuration"
service nginx start

# Write crontab for periodic Let's Encrypt cert renewal
if [ "$(crontab -l | grep -m1 'certbot renew')" == "" ]; then
  echo " Adding certbot to crontab for automatic Let's Encrypt renewal"
  (crontab -l 2>/dev/null; echo "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'") | crontab -
fi

Further configuration of your site

Above we described how our script configures NGINX and NGINX Unit to serve a production-ready TLS/SSL site. Depending on your needs, you can also add later:

  • Brotli support, improved compression over HTTPS
  • ModSecurity with the WordPress rule set, to block automated attacks on your site
  • Backups of WordPress in whatever form suits you
  • Protection with AppArmor (on Ubuntu)
  • Postfix or msmtp so that WordPress can send mail
  • Load testing of your site to understand how much traffic it can handle

For better site performance, we recommend upgrading to NGINX Plus, our commercial, enterprise-grade product based on open source NGINX. Subscribers get a dynamically loadable Brotli module and (for an additional fee) the NGINX ModSecurity WAF. We also offer NGINX App Protect, a WAF module for NGINX Plus built on F5's industry-leading security technology.

NB For support of highly loaded sites, you can contact the Southbridge specialists. We will ensure fast and reliable operation of your website or service under any load.

Source: www.habr.com