Plures sunt tutoriales quomodo instituere WordPress, quaesitio Google "WordPress install" proveniet circiter dimidium decies centena millia proventuum. Re quidem vera, paucissimi sunt inter eos boni duces, secundum quos WordPress et ratio operandi subjecta et conformare et configurare potes, ut per longum tempus sustentari possint. Forsitan rectae occasus valde pendent a peculiaribus necessitatibus, vel hoc ex eo quod explicatio accurata ad lectundum articulum facit.
In hoc articulo temptabimus optimos utriusque mundi miscere, providendo scripturam verissimam ut automatice instituat WordPress de Ubuntu, tum per illud ambulandum, explicando quid singulae partes, sicut etiam compromissationes quas fecimus in enucleando. . Si usor provectus es, textum articuli et iustus omittere potes ad modificationem et usum in ambitibus tuis. Inscriptio scripturae consuetudo est WordPress institutionem cum Lets Encrypt firmamentum, currentem in NGINX Unit et ad usum productionem apta.
Architectura elaborata ad explicandam WordPress usura NGINX Unit describitur nunc etiam plura configurabimus quae ibi non sunt obtecta (ut in multis aliis tutoriis);
- WordPress CLI
- Lets Encrypt et TLSSSL Testimonia
- Automatic renovatio libellorum
- NGINX caching
- NGINX Cogo
- HTTPS et HTTP / II firmamentum
- Processus Automation
Articulus institutionem in uno servo describet, qui eodem tempore ministrabit static processui, PHP server processui et datorum datorum. Institutionem quae plures virtuales exercitus et officia sustentat est thema potentiale pro futuro. Si vis scribere aliquid quod in his articulis non est, scribe in commentarios.
commodum
- Continens servo ( aut ) machina virtualis vel ferraria regularis cum saltem 512MB de RAM et Ubuntu 18.04 vel recentior inaugurata.
- Interrete aditus portus 80 et 443
- Nomen domain coniungitur cum inscriptione publica IP huius servo
- Radix aditus (sudo).
Architecture overview
Architectura eadem est quae descriptus est ordo interretialis trium applicationis est. Constat e scriptis PHP quae in machinam PHP ac static currunt, quae a servo interreti discursum sunt.
general principles
- Multae configurationis mandata in scripto involvuntur si condiciones ad idempotentiam: scriptio multiplex tempora currere potest sine periculo mutandi occasus, qui iam sunt.
- Scriptum a repositoriis instituere conatur, ut updates systema in uno imperio adhibere potes (
apt upgradefor Decuria). - Mandata deprehendere conantur ut in continente currant ut suos ordines mutare possint.
- Ut numerus processus sequelae in uncinis committitur, scriptura occasus automaticos coniicere conatur ad operandum in vasis, machinis virtualis, et ferrariis servientibus.
- Cum describamus occasus, semper ante omnia cogitamus de automatione, quam speramus fore fundamentum ad infrastructuram tuam creandi tamquam codicem.
- Omnia mandata currunt utentis radix, quia occasus systematis fundamentalis mutant, sed directe WordPress currit ut user ordinarius.
Profecta amet variables
Pone hoc amet variabiles ante currit scriptum:
WORDPRESS_DB_PASSWORD- WordPress database passwordWORDPRESS_ADMIN_USER- WordPress admin nameWORDPRESS_ADMIN_PASSWORD- WordPress admin passwordWORDPRESS_ADMIN_EMAIL- WordPress admin emailWORDPRESS_URLDomicilium plenum situs Verbi Press, incipiens ahttps://.LETS_ENCRYPT_STAGING- vacua per defaltam, sed valorem ad 1, ponendo utere ministrantibus Let's Encrypt choragi, quae necessariae sunt ut saepe libellos rogantes tuos unctiones experiantur, secus Let's Encrypt tempus tuam obstruere potest ob magnum numerum petitionum. .
Scriptum inhibet has variabiles WordPress relatas esse exitus et exitus nisi.
Scriptor lines 572-576 reprehendo valoris LETS_ENCRYPT_STAGING.
Profecti inde environment variables
Scriptum in lineis 55-61 ponit variabiles ambitus sequentes, vel ad valorem durum codicem vel ad obtinendum valorem e variabilibus in sectione praecedenti statutis;
DEBIAN_FRONTEND="noninteractive"- Nuntiat applicationes se in scriptione currere et nullam esse posse utentis commercii.WORDPRESS_CLI_VERSION="2.4.0"est versio Verbi Press CLI applicationis.WORDPRESS_CLI_MD5= "dedd5a662b80cda66e9e25d44c23b25c"β checksum of the WordPress CLI 2.4.0 documentum exsecutabile (versio specificatur in variabiliWORDPRESS_CLI_VERSION). Scriptum in linea 162 hoc valore utitur ad reprimendam rectam WordPress fasciculi CLI receptae sunt.UPLOAD_MAX_FILESIZE="16M"- Amplissima magnitudo fasciculi qui in WordPress potest uploaded. Hic locus pluribus in locis adhibetur, ut facilius sit in uno loco ponere.TLS_HOSTNAME= "$(echo ${WORDPRESS_URL} | cut -d'/' -f3)"- hostname systematis, e variabili WORDPRESS_URL recepta. Aptum TLS/SSL libellos de Encrypt tum interna verificationis WordPress impetrare solebant.NGINX_CONF_DIR="/etc/nginx"- iter indicem cum occasus NGINX, fasciculus principalis includensnginx.conf.CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}"- iter ad Let's Encrypt libellos pro situ WordPress, ex invariabili consecutoTLS_HOSTNAME.
Tribuens hostname ad WordPress server
Scriptum ponit servo hostname ut congruit situs domain nomen. Hoc non requiritur, sed commodius est mittere emissarios per SMTP cum unum servo instituens, sicut per scripturam figuratum.
scriptum codice
# Change the hostname to be the same as the WordPress hostname
if [ ! "$(hostname)" == "${TLS_HOSTNAME}" ]; then
echo " Changing hostname to ${TLS_HOSTNAME}"
hostnamectl set-hostname "${TLS_HOSTNAME}"
fiAddens hostname ad /etc/exercitium
praeter curricula periodica currebant, WordPress requirit ut se per HTTP accedere possit. Fac ut WP-Cron in omnibus ambitibus recte operetur, scriptum lineam in tabella addit / Etc / exercituum:ut WordPress accedere se per loopback interface possit:
scriptum codice
# Add the hostname to /etc/hosts
if [ "$(grep -m1 "${TLS_HOSTNAME}" /etc/hosts)" = "" ]; then
echo " Adding hostname ${TLS_HOSTNAME} to /etc/hosts so that WordPress can ping itself"
printf "::1 %sn127.0.0.1 %sn" "${TLS_HOSTNAME}" "${TLS_HOSTNAME}" >> /etc/hosts
fiInstrumenta ad installing gradus in proximo requiritur
Reliquae scriptionis programmata quaedam desiderant et repositoria sumit in hodiernum diem. Repositorium indicem renovamus, post quod instrumenta necessaria instituimus:
scriptum codice
# Make sure tools needed for install are present
echo " Installing prerequisite tools"
apt-get -qq update
apt-get -qq install -y
bc
ca-certificates
coreutils
curl
gnupg2
lsb-releaseAddit NGINX Unit et NGINX repositoria
Scriptum confirmat NGINX Unitas et fons apertum NGINX ex repositoria officialis NGINX ad certas versiones cum inaequalitatibus securitatis et bug fixiones adhibentur.
Scriptum repositorium addit NGINX et deinde repositorium NGINX, additis repositoriis clavem et limam configurationis aptaccessum definiens ad repositoria per Internet.
Actualis institutio de NGINX Unit et NGINX in sectione sequenti fit. Repositoria prae-addimus ideo non necesse habemus ut metadata multiplex tempora renovare, quae institutionem citius facit.
scriptum codice
# Install the NGINX Unit repository
if [ ! -f /etc/apt/sources.list.d/unit.list ]; then
echo " Installing NGINX Unit repository"
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb https://packages.nginx.org/unit/ubuntu/ $(lsb_release -cs) unit" > /etc/apt/sources.list.d/unit.list
fi
# Install the NGINX repository
if [ ! -f /etc/apt/sources.list.d/nginx.list ]; then
echo " Installing NGINX repository"
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb https://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
fiInstalling NGINX, NGINX Unitas, PHP MariaDB, Certbot (Encrypt) eorumque clientelas
Postquam omnia repositoria addita sunt, metadatam renovare et applicationes instituere. Fasciculi per scripturam installati includuntur extensiones PHP commendatae cum currentibus WordPress.org
scriptum codice
echo " Updating repository metadata"
apt-get -qq update
# Install PHP with dependencies and NGINX Unit
echo " Installing PHP, NGINX Unit, NGINX, Certbot, and MariaDB"
apt-get -qq install -y --no-install-recommends
certbot
python3-certbot-nginx
php-cli
php-common
php-bcmath
php-curl
php-gd
php-imagick
php-mbstring
php-mysql
php-opcache
php-xml
php-zip
ghostscript
nginx
unit
unit-php
mariadb-serverProfecti sunt PHP ad usum cum NGINX Unit et WordPress
Scriptum facit occasus lima in indicem conf.d. Hic ponit magnitudinem maximam ad PHP oneratorum, in PHP errorum ad STDERR vertit, sic scribentur ad NGINX Truncum Unitum, et NGINX Unitas sileo.
scriptum codice
# Find the major and minor PHP version so that we can write to its conf.d directory
PHP_MAJOR_MINOR_VERSION="$(php -v | head -n1 | cut -d' ' -f2 | cut -d'.' -f1,2)"
if [ ! -f "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" ]; then
echo " Configuring PHP for use with NGINX Unit and WordPress"
# Add PHP configuration overrides
cat > "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" << EOM
; Set a larger maximum upload size so that WordPress can handle
; bigger media files.
upload_max_filesize=${UPLOAD_MAX_FILESIZE}
post_max_size=${UPLOAD_MAX_FILESIZE}
; Write error log to STDERR so that error messages show up in the NGINX Unit log
error_log=/dev/stderr
EOM
fi
# Restart NGINX Unit because we have reconfigured PHP
echo " Restarting NGINX Unit"
service unit restartSpecificare MariaDB Database Occasus pro WordPress
Elegimus MariaDB super MySQL sicut plus habet actionem communitatis ac etiam verisimile est (Probabiliter omnia hic simpliciora sunt: ββMySQL installare, aliud repositio addere debes, approx. interpres).
Scriptum novum database creat et documentorum aditum WordPress per loopback interface:
scriptum codice
# Set up the WordPress database
echo " Configuring MariaDB for WordPress"
mysqladmin create wordpress || echo "Ignoring above error because database may already exist"
mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO "wordpress"@"localhost" IDENTIFIED BY "$WORDPRESS_DB_PASSWORD"; FLUSH PRIVILEGES;"Installing WordPress CLI Programme
In hoc passu, scriptor programmata inaugurat . Cum eo, potes WordPress occasus installare et administrare sine lima manually recensere, datorum update, vel panel imperium ingredi. Adhiberi etiam potest ad themata instituenda et additiones addendi ac renovandi WordPress.
scriptum codice
if [ ! -f /usr/local/bin/wp ]; then
# Install the WordPress CLI
echo " Installing the WordPress CLI tool"
curl --retry 6 -Ls "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" > /usr/local/bin/wp
echo "$WORDPRESS_CLI_MD5 /usr/local/bin/wp" | md5sum -c -
chmod +x /usr/local/bin/wp
fiInstalling ac Vestibulum WordPress
Scriptum installat novissimam versionem WordPress in indicem /var/www/wordpresset etiam occasus mutat;
- Connexio database super unix domain nervum operatur loco TCP in loopback ut excidere negotiatio TCP.
- WordPress addit praepositionem https:// ad Domicilium si clientes cum NGINX super HTTPS coniungunt, et etiam remotam hostname (praescriptum NGINX) ad PHP mittit. Fragmentum codicis utimur ut hoc constituamus.
- WordPress opus est HTTPS pro login
- Congue URL structura fundatur opibus
- Rectas permissiones in tabella systematis ponit pro presul WordPress.
scriptum codice
if [ ! -d /var/www/wordpress ]; then
# Create WordPress directories
mkdir -p /var/www/wordpress
chown -R www-data:www-data /var/www
# Download WordPress using the WordPress CLI
echo " Installing WordPress"
su -s /bin/sh -c 'wp --path=/var/www/wordpress core download' www-data
WP_CONFIG_CREATE_CMD="wp --path=/var/www/wordpress config create --extra-php --dbname=wordpress --dbuser=wordpress --dbhost="localhost:/var/run/mysqld/mysqld.sock" --dbpass="${WORDPRESS_DB_PASSWORD}""
# This snippet is injected into the wp-config.php file when it is created;
# it informs WordPress that we are behind a reverse proxy and as such
# allows it to generate links using HTTPS
cat > /tmp/wp_forwarded_for.php << 'EOM'
/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
$_SERVER['HTTPS'] = 'on';
}
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
EOM
# Create WordPress configuration
su -s /bin/sh -p -c "cat /tmp/wp_forwarded_for.php | ${WP_CONFIG_CREATE_CMD}" www-data
rm /tmp/wp_forwarded_for.php
su -s /bin/sh -p -c "wp --path=/var/www/wordpress config set 'FORCE_SSL_ADMIN' 'true'" www-data
# Install WordPress
WP_SITE_INSTALL_CMD="wp --path=/var/www/wordpress core install --url="${WORDPRESS_URL}" --title="${WORDPRESS_SITE_TITLE}" --admin_user="${WORDPRESS_ADMIN_USER}" --admin_password="${WORDPRESS_ADMIN_PASSWORD}" --admin_email="${WORDPRESS_ADMIN_EMAIL}" --skip-email"
su -s /bin/sh -p -c "${WP_SITE_INSTALL_CMD}" www-data
# Set permalink structure to a sensible default that isn't in the UI
su -s /bin/sh -p -c "wp --path=/var/www/wordpress option update permalink_structure '/%year%/%monthnum%/%postname%/'" www-data
# Remove sample file because it is cruft and could be a security problem
rm /var/www/wordpress/wp-config-sample.php
# Ensure that WordPress permissions are correct
find /var/www/wordpress -type d -exec chmod g+s {} ;
chmod g+w /var/www/wordpress/wp-content
chmod -R g+w /var/www/wordpress/wp-content/themes
chmod -R g+w /var/www/wordpress/wp-content/plugins
fiNGINX Unit erigens
Scriptum Unitas NGINX conformat ad tramites PHP ac processum WordPress currere, PHP processum spatii nominandi secludens et occasus optimizing effectus. Tres notae hic sunt quaerendae:
- Firmamentum in spatiis nominalibus condicione determinatur, secundum annotando scriptum in vase currere. Hoc necessarium est, quod maxime vasorum setups non sustinent deductio vasorum nidificatorum.
- Si spatium spatiis adsit, disable in spatio nominali Network. Hoc est permittere WordPress ad utrumque terminos coniungere et simul in interreti praesto esse.
- Maximus processus numerus sic definitur: (Praesto memoria ad cursus MariaDB et NGINX Uniy)/(RAM limitem in PHP + 5)
Hic valor in NGINX Unitis occasus positus est.
Hoc valore etiam implicat semper duos saltem processus PHP cursus, quod magni momenti est quod WordPress multum postulationes asynchronas sibi facit, et sine processibus additis, e.g. WP-Cron currens franget. Hos limites augere vel diminuere licet in uncinis tuis localibus fundatis, quia occasus hic creati sunt conservativae. In plerisque systematibus productionis, occasus inter 10 et 100 sunt.
scriptum codice
if [ "${container:-unknown}" != "lxc" ] && [ "$(grep -m1 -a container=lxc /proc/1/environ | tr -d '')" == "" ]; then
NAMESPACES='"namespaces": {
"cgroup": true,
"credential": true,
"mount": true,
"network": false,
"pid": true,
"uname": true
}'
else
NAMESPACES='"namespaces": {}'
fi
PHP_MEM_LIMIT="$(grep 'memory_limit' /etc/php/7.4/embed/php.ini | tr -d ' ' | cut -f2 -d= | numfmt --from=iec)"
AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
MAX_PHP_PROCESSES="$(echo "${AVAIL_MEM}/${PHP_MEM_LIMIT}+5" | bc)"
echo " Calculated the maximum number of PHP processes as ${MAX_PHP_PROCESSES}. You may want to tune this value due to variations in your configuration. It is not unusual to see values between 10-100 in production configurations."
echo " Configuring NGINX Unit to use PHP and WordPress"
cat > /tmp/wordpress.json << EOM
{
"settings": {
"http": {
"header_read_timeout": 30,
"body_read_timeout": 30,
"send_timeout": 30,
"idle_timeout": 180,
"max_body_size": $(numfmt --from=iec ${UPLOAD_MAX_FILESIZE})
}
},
"listeners": {
"127.0.0.1:8080": {
"pass": "routes/wordpress"
}
},
"routes": {
"wordpress": [
{
"match": {
"uri": [
"*.php",
"*.php/*",
"/wp-admin/"
]
},
"action": {
"pass": "applications/wordpress/direct"
}
},
{
"action": {
"share": "/var/www/wordpress",
"fallback": {
"pass": "applications/wordpress/index"
}
}
}
]
},
"applications": {
"wordpress": {
"type": "php",
"user": "www-data",
"group": "www-data",
"processes": {
"max": ${MAX_PHP_PROCESSES},
"spare": 1
},
"isolation": {
${NAMESPACES}
},
"targets": {
"direct": {
"root": "/var/www/wordpress/"
},
"index": {
"root": "/var/www/wordpress/",
"script": "index.php"
}
}
}
}
}
EOM
curl -X PUT --data-binary @/tmp/wordpress.json --unix-socket /run/control.unit.sock http://localhost/configOccasus sursum NGINX
Vestibulum Vulgate NGINX Occasus
Scriptum directorium pro NGINX cache creat et configurationem lima principalis nginx.conf. Attende numerum tracto processuum et occasum maximi fasciculi ad onerandum. Est etiam linea quae compressionem uncinorum includit in sectione sequenti definitam, quam occasus caching sequitur.
scriptum codice
# Make directory for NGINX cache
mkdir -p /var/cache/nginx/proxy
echo " Configuring NGINX"
cat > ${NGINX_CONF_DIR}/nginx.conf << EOM
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include ${NGINX_CONF_DIR}/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
client_max_body_size ${UPLOAD_MAX_FILESIZE};
keepalive_timeout 65;
# gzip settings
include ${NGINX_CONF_DIR}/gzip_compression.conf;
# Cache settings
proxy_cache_path /var/cache/nginx/proxy
levels=1:2
keys_zone=wp_cache:10m
max_size=10g
inactive=60m
use_temp_path=off;
include ${NGINX_CONF_DIR}/conf.d/*.conf;
}
EOMErexerit NGINX compressionem
Compressio contenta in musca antequam eam ad clientes mittat, magna via est ad meliorem locum perficiendi, sed solum si compressio recte configuratur. Haec sectio scriptoris in occasus fundatur .
scriptum codice
cat > ${NGINX_CONF_DIR}/gzip_compression.conf << 'EOM'
# Credit: https://github.com/h5bp/server-configs-nginx/
# ----------------------------------------------------------------------
# | Compression |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 6;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.ms-fontobject
application/wasm
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/bmp
image/svg+xml
text/cache-manifest
text/calendar
text/css
text/javascript
text/markdown
text/plain
text/xml
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
EOMProfecti sunt NGINX pro WordPress
Deinceps scriptura limam configurationem pro WordPress creat default.conf in catalogo conf.d. Conformatur hic;
- Activatio TLS testimoniales ex Let's Encrypt per Certbot receptas (si illud erit in altera sectione)
- Vestibulum TLS securitas occasus secundum suasiones Lets Encrypt
- Admitte caching omit petitiones I hora per defaltam
- Accessum inactivare logging, sicut et error logging si fasciculus non inventus est, pro duobus fasciculis rogatis communibus: favicon.ico et robots.txt
- Praeveni aditum ad occulta lima et aliqua files .phpaccessum ne liceat aut ignorata initium
- Inactivare aditum colligationem pro stabili et font files
- Header occasum ad font files
- Addens fudisset index.php et alia statica.
scriptum codice
cat > ${NGINX_CONF_DIR}/conf.d/default.conf << EOM
upstream unit_php_upstream {
server 127.0.0.1:8080;
keepalive 32;
}
server {
listen 80;
listen [::]:80;
# ACME-challenge used by Certbot for Let's Encrypt
location ^~ /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://${TLS_HOSTNAME}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${TLS_HOSTNAME};
root /var/www/wordpress/;
# Let's Encrypt configuration
ssl_certificate ${CERT_DIR}/fullchain.pem;
ssl_certificate_key ${CERT_DIR}/privkey.pem;
ssl_trusted_certificate ${CERT_DIR}/chain.pem;
include ${NGINX_CONF_DIR}/options-ssl-nginx.conf;
ssl_dhparam ${NGINX_CONF_DIR}/ssl-dhparams.pem;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# Proxy caching
proxy_cache wp_cache;
proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1m;
proxy_cache_revalidate on;
proxy_cache_background_update on;
proxy_cache_lock on;
proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd,
# .DS_Store (Mac)
# Keep logging the requests to parse later (or to pass to firewall utilities
# such as fail2ban)
location ~ /. {
deny all;
}
# Deny access to any files with a .php extension in the uploads directory;
# works in subdirectory installs and also in multi-site network.
# Keep logging the requests to parse later (or to pass to firewall utilities
# such as fail2ban).
location ~* /(?:uploads|files)/.*.php$ {
deny all;
}
# WordPress: deny access to wp-content, wp-includes PHP files
location ~* ^/(?:wp-content|wp-includes)/.*.php$ {
deny all;
}
# Deny public access to wp-config.php
location ~* wp-config.php {
deny all;
}
# Do not log access for static assets, media
location ~* .(?:css(.map)?|js(.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
access_log off;
}
location ~* .(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
add_header Access-Control-Allow-Origin "*";
access_log off;
}
location / {
try_files $uri @index_php;
}
location @index_php {
proxy_socket_keepalive on;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://unit_php_upstream;
}
location ~* .php$ {
proxy_socket_keepalive on;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
try_files $uri =404;
proxy_pass http://unit_php_upstream;
}
}
EOMProrexerant Certbot libellos de Encrypt et auto- renovantes
liberum instrumentum est e Fundatione Electronic Fines (EFF) quae te permittit obtinere ac sponte renovare TLS testimoniales de Let's Encrypt. Scriptum facit sequentia configurare Certbot ad libellos processus ab Let's Encrypt in NGINX:
- desinit NGINX
- Downloads commendatur TLS occasus
- Certbot ad testimonium decurrit ad locum
- Restarts NGINX ad libellorum
- Configurat Certbot ut cotidie ad 3:24 AM reprimatur si testimonia renovanda sunt et, si opus est, novos libellos excipe et sileo NGINX.
scriptum codice
echo " Stopping NGINX in order to set up Let's Encrypt"
service nginx stop
mkdir -p /var/www/certbot
chown www-data:www-data /var/www/certbot
chmod g+s /var/www/certbot
if [ ! -f ${NGINX_CONF_DIR}/options-ssl-nginx.conf ]; then
echo " Downloading recommended TLS parameters"
curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:36:07 GMT"
-o "${NGINX_CONF_DIR}/options-ssl-nginx.conf"
"https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf"
|| echo "Couldn't download latest options-ssl-nginx.conf"
fi
if [ ! -f ${NGINX_CONF_DIR}/ssl-dhparams.pem ]; then
echo " Downloading recommended TLS DH parameters"
curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:49:18 GMT"
-o "${NGINX_CONF_DIR}/ssl-dhparams.pem"
"https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem"
|| echo "Couldn't download latest ssl-dhparams.pem"
fi
# If tls_certs_init.sh hasn't been run before, remove the self-signed certs
if [ ! -d "/etc/letsencrypt/accounts" ]; then
echo " Removing self-signed certificates"
rm -rf "${CERT_DIR}"
fi
if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
CERTBOT_STAGING_FLAG=""
else
CERTBOT_STAGING_FLAG="--staging"
fi
if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
echo " Generating certificates with Let's Encrypt"
certbot certonly --standalone
-m "${WORDPRESS_ADMIN_EMAIL}"
${CERTBOT_STAGING_FLAG}
--agree-tos --force-renewal --non-interactive
-d "${TLS_HOSTNAME}"
fi
echo " Starting NGINX in order to use new configuration"
service nginx start
# Write crontab for periodic Let's Encrypt cert renewal
if [ "$(crontab -l | grep -m1 'certbot renew')" == "" ]; then
echo " Adding certbot to crontab for automatic Let's Encrypt renewal"
(crontab -l 2>/dev/null; echo "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'") | crontab -
fiAdditional customization of your site
Locuti sumus supra de quomodo scriptum nostrum configurat NGINX et NGINX Unit ut situs productionis paratae cum TLSSSL parato inserviat. Potes etiam, pro tuis necessitatibus, in futuro addere;
- auxilium , melius in-the-compressionem musca super HTTPS
- Ρ automated impetus ne in situ
- pro WordPress quod decet te
- propter (ex Ubuntu)
- Postfix vel msmtp sic WordPress mittere potest
- Reprehendo vestri situs sic intellegis quantum negotiationis potest tractare
Ad meliorem situm perficiendum commendamus upgrading nostrum commercii, incepti-gradus producti sub fonte aperto NGINX. Signatores eius moduli dynamice onerati Brotli recipient, tum (pro feudo addito) . Nos quoque offerre , WAF modulus pro NGINX Plus fundatur in industria technologiae securitatis ducens ab F5.
NB Ad sustentationem magni situs oneratus, peritis contactum esse potes . Faciemus ieiunium et certa operatio website vel servitium sub aliquo onere.
Source: www.habr.com