Automating WordPress installation with NGINX Unit and Ubuntu
There are many tutorials on how to install WordPress; a Google search for "WordPress install" returns roughly half a million results. Yet there are very few good guides among them that let you install and configure WordPress and the underlying operating system so that they remain supportable for a long time. Perhaps the correct settings depend too heavily on specific needs, or perhaps the detailed explanations make those articles hard to read.
In this article we try to combine the best of both worlds by providing a bash script that automates the installation of WordPress on Ubuntu, and by walking through it, explaining what each part does and the trade-offs made while developing it. If you are an advanced user, you can skip the article text and just take the script, modify it, and use it in your environment. The output of the script is a custom WordPress installation with Let's Encrypt support, running on NGINX Unit and suitable for production use.
The architecture developed for deploying WordPress with NGINX Unit was described in an earlier article; this time we also configure things that were not covered there (nor in many other tutorials):
WordPress CLI
Let's Encrypt and TLS/SSL certificates
Automatic certificate renewal
NGINX caching
NGINX compression
HTTPS and HTTP/2 support
Process automation
This article describes an installation on a single server that hosts the static-content server, the PHP processing server and the database. Installations that support multiple virtual hosts and services are a possible topic for the future. If you would like us to write about something not covered in this article, let us know in the comments.
Requirements
A container server (LXC or LXD), a virtual machine, or a bare-metal server with at least 512 MB of RAM and Ubuntu 18.04 or newer installed.
Ports 80 and 443 reachable from the Internet
A domain name associated with the server's public IP address
Root (sudo) access.
Architecture overview
The architecture is the same as described earlier: a three-tier web application. It consists of PHP scripts running on a PHP engine and static files served by a web server.
General principles
Many configuration commands in the script are wrapped in if conditions for idempotency: the script can be run multiple times without the risk of changing settings that already exist.
The script tries to install software from repositories, so that you can apply system updates with a single command (apt upgrade on Ubuntu).
The commands try to detect whether they are running in a container so that the settings can be adjusted accordingly.
To set the number of processes and threads started in the configuration, the script tries to estimate automatic settings that work for containers, virtual machines and hardware servers.
When describing the settings, we always think about automation first of all, which, we hope, will become the basis for building your own infrastructure as code.
All commands run as the ROOT user, because they change core system settings, but WordPress itself runs as a regular user.
Setting environment variables
Set the following environment variables before running the script:
WORDPRESS_DB_PASSWORD - the WordPress database password
WORDPRESS_ADMIN_USER - the WordPress admin username
WORDPRESS_ADMIN_PASSWORD - the WordPress admin password
WORDPRESS_ADMIN_EMAIL - the WordPress admin email address
WORDPRESS_URL - the full URL of the WordPress site, starting with https://.
LETS_ENCRYPT_STAGING - empty by default; setting it to 1 makes the script use the Let's Encrypt staging server, which is necessary when you request certificates frequently while testing your setup; otherwise Let's Encrypt may temporarily block your IP address because of too many requests.
The script checks that these WordPress-related variables are set and exits if they are not.
Script lines 572-576 check the value of LETS_ENCRYPT_STAGING.
Setting derived environment variables
The script, on lines 55-61, sets the following environment variables, either to hard-coded values or to values derived from the variables set in the previous section:
DEBIAN_FRONTEND="noninteractive" - tells applications that they are being run from a script and that no user interaction is possible.
WORDPRESS_CLI_VERSION="2.4.0" - the version of the WordPress CLI application.
WORDPRESS_CLI_MD5="dedd5a662b80cda66e9e25d44c23b25c" - the checksum of the WordPress CLI 2.4.0 executable (the version is specified in the WORDPRESS_CLI_VERSION variable). The script uses this value on line 162 to verify that the correct WordPress CLI file was downloaded.
UPLOAD_MAX_FILESIZE="16M" - the maximum size of a file that can be uploaded to WordPress. This setting is used in several places, so it is easier to define it once.
TLS_HOSTNAME="$(echo ${WORDPRESS_URL} | cut -d'/' -f3)" - the system hostname, taken from the WORDPRESS_URL variable. It is used to obtain the matching TLS/SSL certificate from Let's Encrypt and for WordPress's internal verification.
NGINX_CONF_DIR="/etc/nginx" - the path to the directory containing the NGINX configuration, including the main nginx.conf file.
CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}" - the path to the Let's Encrypt certificates for the WordPress site, derived from the TLS_HOSTNAME variable.
Assigning a hostname to the WordPress server
The script sets the server's hostname to match the site's domain name. This is not required, but it is more convenient for sending outgoing mail via SMTP when setting up a single server, as configured by the script.
Script code:
# Change the hostname to be the same as the WordPress hostname
if [ ! "$(hostname)" == "${TLS_HOSTNAME}" ]; then
    echo " Changing hostname to ${TLS_HOSTNAME}"
    hostnamectl set-hostname "${TLS_HOSTNAME}"
fi
Adding the hostname to /etc/hosts
Because WP-Cron is used to run periodic tasks, WordPress needs to be able to reach itself over HTTP. To make sure WP-Cron works correctly in all environments, the script adds lines to /etc/hosts so that WordPress can reach itself over the loopback interface:
Script code:
# Add the hostname to /etc/hosts
if [ "$(grep -m1 "${TLS_HOSTNAME}" /etc/hosts)" = "" ]; then
    echo " Adding hostname ${TLS_HOSTNAME} to /etc/hosts so that WordPress can ping itself"
    # Newline escapes are needed so that each address lands on its own line
    printf "::1 %s\n127.0.0.1 %s\n" "${TLS_HOSTNAME}" "${TLS_HOSTNAME}" >> /etc/hosts
fi
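The same idempotent hosts-file update, written as an added example (not part of the original script) with the hosts file path as a parameter so it can be exercised against a scratch copy. It also matches the hostname as a whole word, so that an existing "myexample.com" entry is not mistaken for "example.com", which the plain grep in the script would do.

```shell
#!/bin/sh
# Added example, not from the original script. ensure_hosts_entry is a
# hypothetical helper name; it appends loopback entries for HOST to
# HOSTS_FILE unless HOST is already listed as a complete hostname.
ensure_hosts_entry() {
    hosts_file="$1"
    host="$2"
    # Escape regex metacharacters in the hostname (dots) before matching.
    esc="$(printf '%s' "$host" | sed 's/[.]/\\./g')"
    # Whole-word match: preceded by whitespace, followed by whitespace or end of line.
    if grep -qE "[[:space:]]${esc}([[:space:]]|\$)" "$hosts_file" 2>/dev/null; then
        return 0
    fi
    printf '::1 %s\n127.0.0.1 %s\n' "$host" "$host" >> "$hosts_file"
}

# Return the number of lines in HOSTS_FILE that mention HOST as a whole word,
# so a caller can confirm the update happened exactly once.
count_host_lines() {
    esc="$(printf '%s' "$2" | sed 's/[.]/\\./g')"
    grep -cE "[[:space:]]${esc}([[:space:]]|\$)" "$1" 2>/dev/null || true
}
```

Running ensure_hosts_entry twice for the same host leaves exactly the two loopback lines, which is the idempotency property the script's if-guard is meant to provide.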
Installing the tools needed for the next steps
The rest of the script needs a few programs and assumes the repositories are up to date. We update the repository list and then install the required tools:
Script code:
# Make sure tools needed for install are present
echo " Installing prerequisite tools"
apt-get -qq update
apt-get -qq install -y \
    bc \
    ca-certificates \
    coreutils \
    curl \
    gnupg2 \
    lsb-release
Adding the NGINX Unit and NGINX repositories
The script installs NGINX Unit and NGINX Open Source from the official NGINX repositories to ensure that versions with the latest security patches and bug fixes are used.
The script adds the NGINX Unit repository and then the NGINX repository, adding the repository signing key and the apt configuration files that define how the repositories are accessed over the Internet.
The actual installation of NGINX Unit and NGINX happens in the next section. We add the repositories first so that the package metadata does not have to be updated several times, which makes the installation faster.
Script code:
# Install the NGINX Unit repository
if [ ! -f /etc/apt/sources.list.d/unit.list ]; then
    echo " Installing NGINX Unit repository"
    curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
    echo "deb https://packages.nginx.org/unit/ubuntu/ $(lsb_release -cs) unit" > /etc/apt/sources.list.d/unit.list
fi
# Install the NGINX repository
if [ ! -f /etc/apt/sources.list.d/nginx.list ]; then
    echo " Installing NGINX repository"
    curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
    echo "deb https://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
fi
Installing NGINX, NGINX Unit, PHP, MariaDB, Certbot (Let's Encrypt) and dependencies
Once all the repositories have been added, we update the metadata and install the applications. The packages the script installs also include the PHP extensions recommended by WordPress.org.
Script code:
echo " Updating repository metadata"
apt-get -qq update
# Install PHP with dependencies and NGINX Unit
echo " Installing PHP, NGINX Unit, NGINX, Certbot, and MariaDB"
apt-get -qq install -y --no-install-recommends \
    certbot \
    python3-certbot-nginx \
    php-cli \
    php-common \
    php-bcmath \
    php-curl \
    php-gd \
    php-imagick \
    php-mbstring \
    php-mysql \
    php-opcache \
    php-xml \
    php-zip \
    ghostscript \
    nginx \
    unit \
    unit-php \
    mariadb-server
Configuring PHP for use with NGINX Unit and WordPress
The script creates a settings file in the conf.d directory. It sets the maximum file size for PHP uploads, directs PHP error output to STDERR so that it is written to the NGINX Unit log, and restarts NGINX Unit.
Script code:
# Find the major and minor PHP version so that we can write to its conf.d directory
PHP_MAJOR_MINOR_VERSION="$(php -v | head -n1 | cut -d' ' -f2 | cut -d'.' -f1,2)"
if [ ! -f "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" ]; then
    echo " Configuring PHP for use with NGINX Unit and WordPress"
    # Add PHP configuration overrides
    cat > "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" << EOM
; Set a larger maximum upload size so that WordPress can handle
; bigger media files.
upload_max_filesize=${UPLOAD_MAX_FILESIZE}
post_max_size=${UPLOAD_MAX_FILESIZE}
; Write error log to STDERR so that error messages show up in the NGINX Unit log
error_log=/dev/stderr
EOM
fi
# Restart NGINX Unit because we have reconfigured PHP
echo " Restarting NGINX Unit"
service unit restart
Defining the MariaDB database settings for WordPress
We chose MariaDB over MySQL because of its more active community and because it also offers better performance by default (more likely it is simpler than that: to install MySQL you would have to add yet another repository - translator's note).
The script creates a new database and the credentials WordPress uses to access it over the loopback interface:
Script code:
# Set up the WordPress database
echo " Configuring MariaDB for WordPress"
mysqladmin create wordpress || echo "Ignoring above error because database may already exist"
# Inner quotes are escaped so they survive inside the double-quoted -e argument
mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO \"wordpress\"@\"localhost\" IDENTIFIED BY \"$WORDPRESS_DB_PASSWORD\"; FLUSH PRIVILEGES;"
Installing the WordPress CLI
In this step the script installs the WP-CLI program. With it you can install and configure WordPress without manually editing files, updating the database, or logging into the control panel. It can also be used to install themes and plugins and to update WordPress.
Script code:
if [ ! -f /usr/local/bin/wp ]; then
    # Install the WordPress CLI
    echo " Installing the WordPress CLI tool"
    curl --retry 6 -Ls "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" > /usr/local/bin/wp
    # Compare the download against the pinned checksum
    echo "$WORDPRESS_CLI_MD5 /usr/local/bin/wp" | md5sum -c -
    chmod +x /usr/local/bin/wp
fi
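A stricter version of the checksum step, as an added example that is not part of the original script: the download goes to a temporary file and only becomes the executable at its final path if the digest matches the pinned value; on a mismatch the file is removed and the function returns non-zero, so a script running under set -e stops instead of marking an unverified file executable. The helper names are hypothetical; the digest algorithm (MD5) follows the page.

```shell
#!/bin/sh
# Added example, not from the original script. Hypothetical helpers that
# separate "fetch" from "verify and install" so the verify step can be
# exercised offline on a constructed file.

# verify_and_install SRC DEST EXPECTED_MD5
# Moves SRC to DEST and marks it executable only if its MD5 matches.
verify_and_install() {
    src="$1"
    dest="$2"
    expected="$3"
    actual="$(md5sum "$src" | cut -d' ' -f1)"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $src: expected $expected, got $actual" >&2
        rm -f "$src"          # never leave an unverified artifact behind
        return 1
    fi
    mv "$src" "$dest"
    chmod 0755 "$dest"
}

# download_wp_cli VERSION DEST EXPECTED_MD5
# Fetches the release phar into a temp file, then verifies it. -f makes curl
# fail on HTTP errors so an error page is not mistaken for the binary.
download_wp_cli() {
    version="$1"
    dest="$2"
    expected="$3"
    tmp="$(mktemp)"
    url="https://github.com/wp-cli/wp-cli/releases/download/v${version}/wp-cli-${version}.phar"
    if ! curl --retry 6 -fsSL "$url" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    verify_and_install "$tmp" "$dest" "$expected"
}
```

In the script this would be called as download_wp_cli "${WORDPRESS_CLI_VERSION}" /usr/local/bin/wp "${WORDPRESS_CLI_MD5}" inside the existing if-guard.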
Installing and configuring WordPress
The script installs the latest version of WordPress in the /var/www/wordpress directory and also adjusts the settings:
The database connection uses a Unix domain socket instead of TCP over loopback, to reduce TCP traffic.
WordPress adds the https:// prefix to URLs when clients connect to NGINX over HTTPS, and the remote hostname (as supplied by NGINX) is passed through to PHP. We use a code snippet to configure this.
WordPress requires HTTPS for logging in
The default URL structure is resource-based
The correct filesystem permissions are set on the WordPress directory.
Script code:
if [ ! -d /var/www/wordpress ]; then
    # Create WordPress directories
    mkdir -p /var/www/wordpress
    chown -R www-data:www-data /var/www
    # Download WordPress using the WordPress CLI
    echo " Installing WordPress"
    su -s /bin/sh -c 'wp --path=/var/www/wordpress core download' www-data
    # Inner quotes are escaped: the string is re-parsed by the shell that su starts
    WP_CONFIG_CREATE_CMD="wp --path=/var/www/wordpress config create --extra-php --dbname=wordpress --dbuser=wordpress --dbhost=\"localhost:/var/run/mysqld/mysqld.sock\" --dbpass=\"${WORDPRESS_DB_PASSWORD}\""
    # This snippet is injected into the wp-config.php file when it is created;
    # it informs WordPress that we are behind a reverse proxy and as such
    # allows it to generate links using HTTPS
    cat > /tmp/wp_forwarded_for.php << 'EOM'
/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
EOM
    # Create WordPress configuration
    su -s /bin/sh -p -c "cat /tmp/wp_forwarded_for.php | ${WP_CONFIG_CREATE_CMD}" www-data
    rm /tmp/wp_forwarded_for.php
    su -s /bin/sh -p -c "wp --path=/var/www/wordpress config set 'FORCE_SSL_ADMIN' 'true'" www-data
    # Install WordPress
    WP_SITE_INSTALL_CMD="wp --path=/var/www/wordpress core install --url=\"${WORDPRESS_URL}\" --title=\"${WORDPRESS_SITE_TITLE}\" --admin_user=\"${WORDPRESS_ADMIN_USER}\" --admin_password=\"${WORDPRESS_ADMIN_PASSWORD}\" --admin_email=\"${WORDPRESS_ADMIN_EMAIL}\" --skip-email"
    su -s /bin/sh -p -c "${WP_SITE_INSTALL_CMD}" www-data
    # Set permalink structure to a sensible default that isn't in the UI
    su -s /bin/sh -p -c "wp --path=/var/www/wordpress option update permalink_structure '/%year%/%monthnum%/%postname%/'" www-data
    # Remove sample file because it is cruft and could be a security problem
    rm /var/www/wordpress/wp-config-sample.php
    # Ensure that WordPress permissions are correct
    find /var/www/wordpress -type d -exec chmod g+s {} \;
    chmod g+w /var/www/wordpress/wp-content
    chmod -R g+w /var/www/wordpress/wp-content/themes
    chmod -R g+w /var/www/wordpress/wp-content/plugins
fi
Configuring NGINX Unit
The script configures NGINX Unit to run PHP and to process the WordPress paths, isolating the PHP process namespaces and tuning performance settings. There are three features worth noting here:
Namespace support is enabled conditionally, based on a check of whether the script is running in a container. This is necessary because most container setups do not support launching nested containers.
If namespace support is available, the network namespace is disabled. This allows WordPress to connect to both endpoints and to be reachable on the web at the same time.
The maximum number of processes is calculated as follows: (memory available for running MariaDB and NGINX Unit)/(PHP RAM limit + 5)
This value is set in the NGINX Unit configuration.
This value also ensures that at least two PHP processes are running, which matters because WordPress makes many asynchronous requests to itself, and without additional processes things like WP-Cron would break. You may want to increase or decrease this limit based on your local setup, since the settings created here are conservative. On most production systems the setting is between 10 and 100.
Script code:
# /proc/1/environ is NUL-separated; strip the NULs before matching
if [ "${container:-unknown}" != "lxc" ] && [ "$(grep -m1 -a container=lxc /proc/1/environ | tr -d '\0')" == "" ]; then
    NAMESPACES='"namespaces": {
        "cgroup": true,
        "credential": true,
        "mount": true,
        "network": false,
        "pid": true,
        "uname": true
    }'
else
    NAMESPACES='"namespaces": {}'
fi
# Use the PHP version detected earlier rather than a hard-coded path
PHP_MEM_LIMIT="$(grep 'memory_limit' /etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/php.ini | tr -d ' ' | cut -f2 -d= | numfmt --from=iec)"
AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
MAX_PHP_PROCESSES="$(echo "${AVAIL_MEM}/${PHP_MEM_LIMIT}+5" | bc)"
echo " Calculated the maximum number of PHP processes as ${MAX_PHP_PROCESSES}. You may want to tune this value due to variations in your configuration. It is not unusual to see values between 10-100 in production configurations."
echo " Configuring NGINX Unit to use PHP and WordPress"
cat > /tmp/wordpress.json << EOM
{
    "settings": {
        "http": {
            "header_read_timeout": 30,
            "body_read_timeout": 30,
            "send_timeout": 30,
            "idle_timeout": 180,
            "max_body_size": $(numfmt --from=iec ${UPLOAD_MAX_FILESIZE})
        }
    },
    "listeners": {
        "127.0.0.1:8080": {
            "pass": "routes/wordpress"
        }
    },
    "routes": {
        "wordpress": [
            {
                "match": {
                    "uri": [
                        "*.php",
                        "*.php/*",
                        "/wp-admin/"
                    ]
                },
                "action": {
                    "pass": "applications/wordpress/direct"
                }
            },
            {
                "action": {
                    "share": "/var/www/wordpress",
                    "fallback": {
                        "pass": "applications/wordpress/index"
                    }
                }
            }
        ]
    },
    "applications": {
        "wordpress": {
            "type": "php",
            "user": "www-data",
            "group": "www-data",
            "processes": {
                "max": ${MAX_PHP_PROCESSES},
                "spare": 1
            },
            "isolation": {
                ${NAMESPACES}
            },
            "targets": {
                "direct": {
                    "root": "/var/www/wordpress/"
                },
                "index": {
                    "root": "/var/www/wordpress/",
                    "script": "index.php"
                }
            }
        }
    }
}
EOM
curl -X PUT --data-binary @/tmp/wordpress.json --unix-socket /run/control.unit.sock http://localhost/config
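The two decisions made above, container detection and PHP process sizing, as an added example (not part of the original script) written as functions that take their inputs as arguments, so they can be checked against constructed data instead of the live /proc files. The sizing uses shell arithmetic instead of bc and numfmt, with the same expression as the script; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original script.

# Convert an IEC size as written in php.ini (128M, 2G, 65536) to bytes.
# "-1" means unlimited in php.ini; it is rejected because the sizing
# formula needs a finite limit.
iec_to_bytes() {
    n="${1%[KMGkmg]}"
    case "$n" in
        ''|*[!0-9]*) return 1 ;;        # empty, negative or garbage
    esac
    case "$1" in
        *[Kk]) echo $(( n * 1024 )) ;;
        *[Mm]) echo $(( n * 1024 * 1024 )) ;;
        *[Gg]) echo $(( n * 1024 * 1024 * 1024 )) ;;
        *)     echo "$n" ;;
    esac
}

# Read memory_limit from a php.ini-style file (first uncommented match).
php_memory_limit() {
    grep -m1 '^memory_limit' "$1" | tr -d ' ' | cut -d= -f2
}

# max PHP processes = MemAvailable (kB) * 1024 / memory_limit (bytes) + 5,
# the same expression the script hands to bc.
max_php_processes() {
    avail_kb="$1"
    limit_bytes="$(iec_to_bytes "$2")" || return 1
    echo $(( avail_kb * 1024 / limit_bytes + 5 ))
}

# in_lxc CONTAINER_VAR [ENVIRON_FILE]
# True if $container is "lxc" or PID 1's NUL-separated environment contains
# container=lxc. The environ path defaults to /proc/1/environ.
in_lxc() {
    environ="${2:-/proc/1/environ}"
    [ "${1:-unknown}" = "lxc" ] && return 0
    tr '\0' '\n' < "$environ" 2>/dev/null | grep -qx 'container=lxc'
}

# Emit the "isolation" fragment for the Unit application: no namespaces
# inside LXC, otherwise everything except the network namespace, which
# stays shared so PHP can still reach MariaDB and loopback.
unit_isolation_json() {
    if in_lxc "$1" "$2"; then
        printf '"namespaces": {}'
    else
        printf '"namespaces": {"cgroup": true, "credential": true, "mount": true, "network": false, "pid": true, "uname": true}'
    fi
}
```

On a 4 GiB host with memory_limit = 128M this yields 37 processes, which is within the 10 to 100 range the text describes as typical for production.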
Configuring NGINX
Configuring basic NGINX settings
The script creates a directory for the NGINX cache and then creates the main configuration file nginx.conf. Pay attention to the number of worker processes and the maximum upload file size setting. There is also a line that includes the compression settings file defined in the next section, followed by the caching settings.
Compressing content on the fly before sending it to clients is a good way to improve site performance, but only if compression is configured correctly. This part of the script is based on the settings from here.
Script code:
cat > ${NGINX_CONF_DIR}/gzip_compression.conf << 'EOM'
# Credit: https://github.com/h5bp/server-configs-nginx/
# ----------------------------------------------------------------------
# | Compression |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 6;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
    application/atom+xml
    application/geo+json
    application/javascript
    application/x-javascript
    application/json
    application/ld+json
    application/manifest+json
    application/rdf+xml
    application/rss+xml
    application/vnd.ms-fontobject
    application/wasm
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/eot
    font/otf
    font/ttf
    image/bmp
    image/svg+xml
    text/cache-manifest
    text/calendar
    text/css
    text/javascript
    text/markdown
    text/plain
    text/xml
    text/vcard
    text/vnd.rim.location.xloc
    text/vtt
    text/x-component
    text/x-cross-domain-policy;
EOM
Configuring NGINX for WordPress
Next, the script creates the WordPress configuration file default.conf in the conf.d directory. It configures the following:
Enables the TLS certificates obtained from Let's Encrypt via Certbot (their setup is covered in the next section)
Configures the TLS security settings based on the Let's Encrypt recommendations
Enables caching of requests for 1 hour by default
Disables access logging, as well as error logging when the file is not found, for two commonly requested files: favicon.ico and robots.txt
Denies access to hidden files and to certain .php files, to prevent unauthorized access or accidental execution
Adds routes for index.php and the other static content.
Script code:
# The heredoc is unquoted so ${TLS_HOSTNAME}, ${CERT_DIR} and ${NGINX_CONF_DIR}
# expand; NGINX's own variables are written as \$name so they reach the file intact
cat > ${NGINX_CONF_DIR}/conf.d/default.conf << EOM
upstream unit_php_upstream {
    server 127.0.0.1:8080;
    keepalive 32;
}
server {
    listen 80;
    listen [::]:80;
    # ACME-challenge used by Certbot for Let's Encrypt
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://${TLS_HOSTNAME}\$request_uri;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${TLS_HOSTNAME};
    root /var/www/wordpress/;
    # Let's Encrypt configuration
    ssl_certificate ${CERT_DIR}/fullchain.pem;
    ssl_certificate_key ${CERT_DIR}/privkey.pem;
    ssl_trusted_certificate ${CERT_DIR}/chain.pem;
    include ${NGINX_CONF_DIR}/options-ssl-nginx.conf;
    ssl_dhparam ${NGINX_CONF_DIR}/ssl-dhparams.pem;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # Proxy caching
    proxy_cache wp_cache;
    proxy_cache_valid 200 302 1h;
    proxy_cache_valid 404 1m;
    proxy_cache_revalidate on;
    proxy_cache_background_update on;
    proxy_cache_lock on;
    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # Deny all attempts to access hidden files such as .htaccess, .htpasswd,
    # .DS_Store (Mac)
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban)
    location ~ /\. {
        deny all;
    }
    # Deny access to any files with a .php extension in the uploads directory;
    # works in subdirectory installs and also in multi-site network.
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban).
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }
    # WordPress: deny access to wp-content, wp-includes PHP files
    location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
        deny all;
    }
    # Deny public access to wp-config.php
    location ~* wp-config\.php {
        deny all;
    }
    # Do not log access for static assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        access_log off;
    }
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        access_log off;
    }
    location / {
        try_files \$uri @index_php;
    }
    location @index_php {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$host;
        proxy_pass http://unit_php_upstream;
    }
    location ~* \.php$ {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$host;
        try_files \$uri =404;
        proxy_pass http://unit_php_upstream;
    }
}
EOM
Configuring Certbot for Let's Encrypt certificates and automatic renewal
Certbot is a free tool from the Electronic Frontier Foundation (EFF) that lets you obtain and renew TLS certificates from Let's Encrypt automatically. The script does the following to configure Certbot to handle Let's Encrypt certificates for NGINX:
Stops NGINX
Downloads the recommended TLS settings
Runs Certbot to obtain certificates for the site
Restarts NGINX to use the certificates
Configures Certbot to run daily at 3:24 AM to check whether the certificates need to be renewed and, if so, to download new certificates and restart NGINX.
Script code:
echo " Stopping NGINX in order to set up Let's Encrypt"
service nginx stop
mkdir -p /var/www/certbot
chown www-data:www-data /var/www/certbot
chmod g+s /var/www/certbot
if [ ! -f ${NGINX_CONF_DIR}/options-ssl-nginx.conf ]; then
    echo " Downloading recommended TLS parameters"
    curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:36:07 GMT" \
        -o "${NGINX_CONF_DIR}/options-ssl-nginx.conf" \
        "https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf" \
        || echo "Couldn't download latest options-ssl-nginx.conf"
fi
if [ ! -f ${NGINX_CONF_DIR}/ssl-dhparams.pem ]; then
    echo " Downloading recommended TLS DH parameters"
    curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:49:18 GMT" \
        -o "${NGINX_CONF_DIR}/ssl-dhparams.pem" \
        "https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem" \
        || echo "Couldn't download latest ssl-dhparams.pem"
fi
# If tls_certs_init.sh hasn't been run before, remove the self-signed certs
if [ ! -d "/etc/letsencrypt/accounts" ]; then
    echo " Removing self-signed certificates"
    rm -rf "${CERT_DIR}"
fi
if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
    CERTBOT_STAGING_FLAG=""
else
    CERTBOT_STAGING_FLAG="--staging"
fi
if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
    echo " Generating certificates with Let's Encrypt"
    certbot certonly --standalone \
        -m "${WORDPRESS_ADMIN_EMAIL}" \
        ${CERTBOT_STAGING_FLAG} \
        --agree-tos --force-renewal --non-interactive \
        -d "${TLS_HOSTNAME}"
fi
echo " Starting NGINX in order to use new configuration"
service nginx start
# Write crontab for periodic Let's Encrypt cert renewal
if [ "$(crontab -l | grep -m1 'certbot renew')" == "" ]; then
    echo " Adding certbot to crontab for automatic Let's Encrypt renewal"
    (crontab -l 2>/dev/null; echo "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'") | crontab -
fi
Additional customization of your site
Above we discussed how our script configures NGINX and NGINX Unit to serve a production-ready site with TLS/SSL enabled. Depending on your needs, you may also want to add in the future:
Brotli support, to improve on-the-fly compression over HTTPS
Postfix or msmtp so that WordPress can send email
Load testing of your site so that you know how much traffic it can handle
For better site performance, upgrading to NGINX Plus is recommended: a commercial, enterprise-grade product based on NGINX Open Source. Its subscribers receive a dynamically loadable Brotli module, as well as (for an additional fee) the NGINX ModSecurity WAF. We also offer NGINX App Protect, a WAF module for NGINX Plus based on industry-leading security technology from F5.
NB: For support of heavily loaded sites, you can contact the Southbridge specialists. We guarantee fast and reliable operation of your website or service under any load.