WordPress is the most widely used content management system in the world. Search Google for "WordPress install" and you get millions of results, and there are countless ways to get a site running. With that many choices it is easy to end up with a deployment that works but is neither fast nor well secured, and WordPress and its plugins are a constant target, so the setup deserves the same care as any other internet-facing application.

This post walks through a bash script that automates installing and configuring WordPress on Ubuntu with NGINX Unit and NGINX. The script is presented section by section so that you can see what each step does and why. Treat it as a starting point: read it, adapt it to your environment, and only then run it on a server you care about.
What the script sets up

Besides installing NGINX Unit to run WordPress, the script configures:
- WordPress CLI
- TLS/SSL certificates from Let's Encrypt
- Automatic certificate renewal
- NGINX configuration
- NGINX compression
- HTTPS and HTTP/2 support
- A fully automated, non-interactive installation
A production WordPress deployment is often split into a static content server, a PHP processing server and a database server. The script installs all three roles on one host, which keeps the example manageable and is enough for a site of modest size; the same configuration can be taken apart later, with virtual hosts or separate machines, as the site grows. The configuration files the script writes are commented in the code, and the decisions that matter are explained in the sections below.
Requirements

- A container (LXC or LXD), a virtual machine or a physical server with at least 512 MB of RAM, running Ubuntu 18.04 or newer, with ports 80 and 443 reachable from the internet
- A public IP address and a DNS name that resolves to it
- Root access (sudo)
Walking through the script

The sections below follow the script from top to bottom, in the order in which it runs.
Caveats

- The script is meant for a fresh server. Several steps check whether they have already run, so rerunning it is mostly harmless, but it is not an upgrade or maintenance tool.
- The script installs software from package repositories but does not apply pending system updates; bring the system up to date yourself first (apt upgrade on Ubuntu).
- When run inside a container, some settings cannot be changed because the container restricts them. The script detects this for the NGINX Unit namespace isolation (see below); for anything else you have to check the container's limits yourself.
- The number of PHP processes is computed from the memory available at install time. The result differs between containers, virtual machines and bare-metal servers, so check it and tune it.
- The settings chosen are defaults that suit a simple site. Where your needs differ, change the script before running it rather than fixing the results afterwards.
- The script targets the common case of a single WordPress site on one host. WordPress is the most widely deployed and most attacked CMS, so keep the core, plugins and themes updated after installing.
Setting the required environment variables

Before running the script, set the following environment variables:
- WORDPRESS_DB_PASSWORD: password for the WordPress database user
- WORDPRESS_ADMIN_USER: WordPress administrator username
- WORDPRESS_ADMIN_PASSWORD: WordPress administrator password
- WORDPRESS_ADMIN_EMAIL: WordPress administrator email address
- WORDPRESS_URL: full URL of the WordPress site, starting with https://
- LETS_ENCRYPT_STAGING: optional. Set it to 1 (or any value other than 0) to request certificates from the Let's Encrypt staging servers. Do this while testing the script repeatedly: Let's Encrypt rate-limits issuance and may block your IP address for a while if you request too many certificates for the same name.

The install step (wp core install) also reads WORDPRESS_SITE_TITLE for the site title, so set it as well.

The script checks that the WordPress variables above are set and exits with an error if any of them is missing. LETS_ENCRYPT_STAGING is handled in lines 572-576 of the script.
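The validation described above, as an added example that is not part of the original script: fail on missing or malformed settings before any package is installed or any system file is modified. The function names and the inclusion of WORDPRESS_SITE_TITLE in the required list are this example's own choices; the hostname derivation and the staging-flag logic mirror what the script does.

```shell
#!/bin/sh
# Added example, not part of the original installer script.

# Variables the installer needs. WORDPRESS_SITE_TITLE is read by the
# "wp core install" step, so it is included here (example's assumption).
REQUIRED_VARS="WORDPRESS_DB_PASSWORD WORDPRESS_ADMIN_USER WORDPRESS_ADMIN_PASSWORD WORDPRESS_ADMIN_EMAIL WORDPRESS_URL WORDPRESS_SITE_TITLE"

# Report every required variable that is unset or empty.
# Returns 0 when all are set, 1 otherwise.
check_required_vars() {
  missing=0
  for name in $REQUIRED_VARS; do
    # Indirect lookup in POSIX sh: read the value of the variable named $name.
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "error: required variable $name is not set" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Host part of a URL, the same derivation the installer uses for TLS_HOSTNAME:
# https://blog.example.com/path -> blog.example.com
hostname_from_url() {
  printf '%s\n' "$1" | cut -d'/' -f3
}

# The installer redirects HTTP to HTTPS and issues a Let's Encrypt
# certificate for the hostname, which is also written into /etc/hosts and
# set as the machine hostname. So the URL must be https:// and the host
# part must be a bare name: no port, no user info.
check_wordpress_url() {
  url="$1"
  case "$url" in
    https://*) ;;
    *) echo "error: WORDPRESS_URL must start with https://" >&2; return 1 ;;
  esac
  host="$(hostname_from_url "$url")"
  case "$host" in
    ""|*:*|*@*)
      echo "error: WORDPRESS_URL host '$host' must be a bare hostname" >&2
      return 1 ;;
  esac
  return 0
}

# Map LETS_ENCRYPT_STAGING to the Certbot flag exactly as the installer does:
# unset or "0" means production, anything else means --staging.
certbot_staging_flag() {
  if [ -z "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
    echo ""
  else
    echo "--staging"
  fi
}
```

Run check_required_vars and check_wordpress_url "$WORDPRESS_URL" at the top of the script, before the apt steps, so a typo in the URL does not leave you with a half-configured server and a consumed Let's Encrypt rate-limit slot.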
Defining internal variables

Lines 55-61 of the script define variables that are either hard-coded or derived from the required variables above:
- DEBIAN_FRONTEND="noninteractive": tells apt and the Debian package tooling that no user is present to answer prompts, so package installation never blocks.
- WORDPRESS_CLI_VERSION="2.4.0": version of the WordPress CLI to install.
- WORDPRESS_CLI_MD5="dedd5a662b80cda66e9e25d44c23b25c": checksum of the WordPress CLI 2.4.0 executable (the version named in WORDPRESS_CLI_VERSION). At line 162 the script compares the downloaded file against this value to verify that it obtained the expected binary.
- UPLOAD_MAX_FILESIZE="16M": maximum upload size WordPress will accept. It is needed in several places (PHP, NGINX Unit and NGINX), so it is defined once.
- TLS_HOSTNAME="$(echo ${WORDPRESS_URL} | cut -d'/' -f3)": hostname extracted from WORDPRESS_URL. It is the name the Let's Encrypt certificate is issued for and the server_name in the NGINX configuration.
- NGINX_CONF_DIR="/etc/nginx": directory holding the NGINX configuration, including nginx.conf.
- CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}": directory where Let's Encrypt stores the certificates for TLS_HOSTNAME.
Setting the server's hostname to the WordPress hostname

The script sets the machine's hostname to the WordPress hostname if the two differ. This is not strictly required, but it makes the server identify itself consistently, which matters if you later configure outgoing mail through SMTP.
Code:
# Change the hostname to be the same as the WordPress hostname
if [ ! "$(hostname)" == "${TLS_HOSTNAME}" ]; then
    echo " Changing hostname to ${TLS_HOSTNAME}"
    hostnamectl set-hostname "${TLS_HOSTNAME}"
fi
Adding the hostname to /etc/hosts
Code:
# Add the hostname to /etc/hosts
if [ "$(grep -m1 "${TLS_HOSTNAME}" /etc/hosts)" = "" ]; then
    echo " Adding hostname ${TLS_HOSTNAME} to /etc/hosts so that WordPress can ping itself"
    printf "::1 %s\n127.0.0.1 %s\n" "${TLS_HOSTNAME}" "${TLS_HOSTNAME}" >> /etc/hosts
fi
Installing the tools required by the rest of the script

Many scripts assume that the tools they call are already installed and that apt's package index is current. This script does not: it refreshes the package index and installs the small set of utilities the following steps depend on.
Code:
# Make sure tools needed for install are present
echo " Installing prerequisite tools"
apt-get -qq update
apt-get -qq install -y \
    bc \
    ca-certificates \
    coreutils \
    curl \
    gnupg2 \
    lsb-release
Adding the NGINX Unit and NGINX repositories

Ubuntu's own NGINX packages lag behind upstream releases and bug fixes, so the script installs NGINX Unit and open source NGINX from the repositories that NGINX maintains.

To add them, the script downloads the NGINX package signing key and writes an apt source definition for each repository.

NGINX Unit and NGINX are published as separate repositories, so both are added. Because these are not the distribution's repositories, the package index has to be refreshed again afterwards, which the next step does.
Code:
# Install the NGINX Unit repository
# Note: apt-key is deprecated on Ubuntu 22.04 and later; there, store the key
# under /etc/apt/keyrings and reference it with [signed-by=...] in the source line.
if [ ! -f /etc/apt/sources.list.d/unit.list ]; then
    echo " Installing NGINX Unit repository"
    curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
    echo "deb https://packages.nginx.org/unit/ubuntu/ $(lsb_release -cs) unit" > /etc/apt/sources.list.d/unit.list
fi
# Install the NGINX repository
if [ ! -f /etc/apt/sources.list.d/nginx.list ]; then
    echo " Installing NGINX repository"
    curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
    echo "deb https://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
fi
Installing NGINX, NGINX Unit, PHP, MariaDB, Certbot and their dependencies

With the repositories in place and the package index refreshed, the script installs the packages. The list includes the PHP extensions that WordPress.org recommends for a full-featured installation.
Code:
echo " Updating repository metadata"
apt-get -qq update
# Install PHP with dependencies and NGINX Unit
echo " Installing PHP, NGINX Unit, NGINX, Certbot, and MariaDB"
apt-get -qq install -y --no-install-recommends \
    certbot \
    python3-certbot-nginx \
    php-cli \
    php-common \
    php-bcmath \
    php-curl \
    php-gd \
    php-imagick \
    php-mbstring \
    php-mysql \
    php-opcache \
    php-xml \
    php-zip \
    ghostscript \
    nginx \
    unit \
    unit-php \
    mariadb-server
Configuring PHP for NGINX Unit and WordPress

The script writes a file into the conf.d directory of PHP's embed SAPI, the one NGINX Unit's PHP module uses. It raises the upload limits to the value of UPLOAD_MAX_FILESIZE and sends PHP's error log to STDERR, so that PHP errors appear in the NGINX Unit log instead of a separate file. NGINX Unit is then restarted to pick up the change.
Code:
# Find the major and minor PHP version so that we can write to its conf.d directory
PHP_MAJOR_MINOR_VERSION="$(php -v | head -n1 | cut -d' ' -f2 | cut -d'.' -f1,2)"
if [ ! -f "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" ]; then
    echo " Configuring PHP for use with NGINX Unit and WordPress"
    # Add PHP configuration overrides
    cat > "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" << EOM
; Set a larger maximum upload size so that WordPress can handle
; bigger media files.
upload_max_filesize=${UPLOAD_MAX_FILESIZE}
post_max_size=${UPLOAD_MAX_FILESIZE}
; Write error log to STDERR so that error messages show up in the NGINX Unit log
error_log=/dev/stderr
EOM
fi
# Restart NGINX Unit because we have reconfigured PHP
echo " Restarting NGINX Unit"
service unit restart
Configuring the MariaDB database for WordPress

MariaDB is the community-maintained fork of MySQL and the version Ubuntu packages by default, so the script uses it rather than MySQL.

The script creates the wordpress database and grants a wordpress user full privileges on it. The user may connect only from localhost, which WordPress does over the loopback interface or the local socket.
Code:
# Set up the WordPress database
echo " Configuring MariaDB for WordPress"
mysqladmin create wordpress || echo "Ignoring above error because database may already exist"
# The password is interpolated into the SQL string, so it must not contain a single quote
mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost' IDENTIFIED BY '$WORDPRESS_DB_PASSWORD'; FLUSH PRIVILEGES;"
Installing the WordPress CLI

The WordPress CLI (wp) drives the rest of the WordPress setup. The script downloads the pinned release, checks it against the MD5 value defined earlier and makes it executable.
Code:
if [ ! -f /usr/local/bin/wp ]; then
    # Install the WordPress CLI
    echo " Installing the WordPress CLI tool"
    curl --retry 6 -Ls "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" > /usr/local/bin/wp
    # Abort, and remove the file, if the download does not match the pinned checksum;
    # without this the next line would make an unverified file executable
    echo "$WORDPRESS_CLI_MD5 /usr/local/bin/wp" | md5sum -c - || { echo "WordPress CLI checksum mismatch" >&2; rm -f /usr/local/bin/wp; exit 1; }
    chmod +x /usr/local/bin/wp
fi
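A stricter version of the download-and-verify step above, as an added example that is not part of the original script: the artifact is fetched to a temporary file, verified, and only then placed on the PATH with execute permission, so an unverified or truncated download never exists at the destination. The function names are this example's own; the MD5 pinning matches what the script does.

```shell
#!/bin/sh
# Added example, not part of the original installer script.

# Verify $1 against the expected MD5 in $2 and install it as $3 with mode 0755.
# On mismatch the temporary file is removed and 1 is returned, so nothing
# unverified is left behind. MD5 is what the installer pins; the only change
# needed for a stronger digest is md5sum -> sha256sum/sha512sum, when the
# upstream publishes one.
install_verified_file() {
  src="$1"; expected="$2"; dest="$3"
  actual="$(md5sum "$src" | cut -d' ' -f1)"
  if [ "$actual" != "$expected" ]; then
    echo "error: checksum mismatch for $src (expected $expected, got $actual)" >&2
    rm -f "$src"
    return 1
  fi
  # install(1) creates the destination with the requested mode in one step,
  # instead of "curl > dest" followed by a separate chmod.
  install -m 0755 "$src" "$dest"
}

# Fetch a URL to a temporary file and hand it to install_verified_file.
# --fail makes curl return non-zero on HTTP errors instead of saving an HTML
# error page as if it were the artifact; --retry covers transient failures.
fetch_and_install() {
  url="$1"; expected="$2"; dest="$3"
  tmp="$(mktemp)" || return 1
  if ! curl --fail --retry 6 -Ls -o "$tmp" "$url"; then
    echo "error: download of $url failed" >&2
    rm -f "$tmp"
    return 1
  fi
  install_verified_file "$tmp" "$expected" "$dest"
}

# Usage in the installer would be:
#   fetch_and_install "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" \
#       "$WORDPRESS_CLI_MD5" /usr/local/bin/wp || exit 1
```

The test below exercises install_verified_file offline with a constructed file whose MD5 is known (the digest of the six bytes "hello\n").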
Installing and configuring WordPress

The script downloads WordPress into /var/www/wordpress and configures it so that:
- the database connection uses the MariaDB Unix domain socket rather than TCP over the loopback interface, which is faster and leaves no network listener to reach;
- WordPress generates https:// links. Clients speak HTTPS to NGINX, which proxies plain HTTP to NGINX Unit, so WordPress learns that the original request was HTTPS from the X-Forwarded-Proto header; a snippet injected into wp-config.php turns that header into $_SERVER['HTTPS'];
- the administration area is only reachable over HTTPS (FORCE_SSL_ADMIN);
- permalinks use a year/month/title structure instead of the default query-string form;
- file permissions on the WordPress directory let the www-data group write where WordPress needs to (wp-content, themes and plugins).

One thing to check in the injected snippet: it also trusts X-Forwarded-Host, but the NGINX configuration later in this post sets Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto and does not set X-Forwarded-Host, and NGINX forwards client request headers it does not override. Either add proxy_set_header X-Forwarded-Host $host to the proxy locations or drop that second block from the snippet, so that HTTP_HOST cannot be supplied by the client.
Code:
if [ ! -d /var/www/wordpress ]; then
    # Create WordPress directories
    mkdir -p /var/www/wordpress
    chown -R www-data:www-data /var/www
    # Download WordPress using the WordPress CLI
    echo " Installing WordPress"
    su -s /bin/sh -c 'wp --path=/var/www/wordpress core download' www-data
    WP_CONFIG_CREATE_CMD="wp --path=/var/www/wordpress config create --extra-php --dbname=wordpress --dbuser=wordpress --dbhost=\"localhost:/var/run/mysqld/mysqld.sock\" --dbpass=\"${WORDPRESS_DB_PASSWORD}\""
    # This snippet is injected into the wp-config.php file when it is created;
    # it informs WordPress that we are behind a reverse proxy and as such
    # allows it to generate links using HTTPS
    cat > /tmp/wp_forwarded_for.php << 'EOM'
/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}
/* Only safe if the proxy sets X-Forwarded-Host itself; the NGINX config in
   this post does not, so either set it there or remove this block */
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
EOM
    # Create WordPress configuration
    su -s /bin/sh -p -c "cat /tmp/wp_forwarded_for.php | ${WP_CONFIG_CREATE_CMD}" www-data
    rm /tmp/wp_forwarded_for.php
    su -s /bin/sh -p -c "wp --path=/var/www/wordpress config set 'FORCE_SSL_ADMIN' 'true'" www-data
    # Install WordPress
    WP_SITE_INSTALL_CMD="wp --path=/var/www/wordpress core install --url=\"${WORDPRESS_URL}\" --title=\"${WORDPRESS_SITE_TITLE}\" --admin_user=\"${WORDPRESS_ADMIN_USER}\" --admin_password=\"${WORDPRESS_ADMIN_PASSWORD}\" --admin_email=\"${WORDPRESS_ADMIN_EMAIL}\" --skip-email"
    su -s /bin/sh -p -c "${WP_SITE_INSTALL_CMD}" www-data
    # Set permalink structure to a sensible default that isn't in the UI
    su -s /bin/sh -p -c "wp --path=/var/www/wordpress option update permalink_structure '/%year%/%monthnum%/%postname%/'" www-data
    # Remove sample file because it is cruft and could be a security problem
    rm /var/www/wordpress/wp-config-sample.php
    # Ensure that WordPress permissions are correct
    find /var/www/wordpress -type d -exec chmod g+s {} \;
    chmod g+w /var/www/wordpress/wp-content
    chmod -R g+w /var/www/wordpress/wp-content/themes
    chmod -R g+w /var/www/wordpress/wp-content/plugins
fi
Configuring NGINX Unit

The script configures NGINX Unit to run PHP and to route WordPress requests. The PHP processes are isolated with Linux namespaces, and the number of processes is derived from the memory available on the host. A few points deserve attention:
- Namespace isolation is enabled only when the script is not running inside an LXC container; it checks both the container environment variable and the environment of PID 1. A nested container cannot create the namespaces, so the isolation block is left empty there.
- Of the namespaces, only the network namespace is left shared ("network": false). WordPress connects to its own endpoints and to external services, and it must reach the database socket, so the PHP processes need the host's network.
- The maximum number of PHP processes is computed as MemAvailable divided by PHP's memory_limit, plus 5, and written into the NGINX Unit configuration as processes.max.

That number is only an estimate. WordPress makes many HTTP requests to itself, WP-Cron runs inside ordinary web requests, and real traffic is bursty, so the computed value can be too high or too low for your site. Check it after the site has been running for a while; production configurations usually end up somewhere between 10 and 100.
Code:
if [ "${container:-unknown}" != "lxc" ] && [ "$(grep -m1 -a container=lxc /proc/1/environ | tr -d '\0')" == "" ]; then
    NAMESPACES='"namespaces": {
        "cgroup": true,
        "credential": true,
        "mount": true,
        "network": false,
        "pid": true,
        "uname": true
    }'
else
    NAMESPACES='"namespaces": {}'
fi
# Use the PHP version detected earlier instead of a hard-coded 7.4 path
PHP_MEM_LIMIT="$(grep 'memory_limit' /etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/php.ini | tr -d ' ' | cut -f2 -d= | numfmt --from=iec)"
AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
MAX_PHP_PROCESSES="$(echo "${AVAIL_MEM}/${PHP_MEM_LIMIT}+5" | bc)"
echo " Calculated the maximum number of PHP processes as ${MAX_PHP_PROCESSES}. You may want to tune this value due to variations in your configuration. It is not unusual to see values between 10-100 in production configurations."
echo " Configuring NGINX Unit to use PHP and WordPress"
cat > /tmp/wordpress.json << EOM
{
  "settings": {
    "http": {
      "header_read_timeout": 30,
      "body_read_timeout": 30,
      "send_timeout": 30,
      "idle_timeout": 180,
      "max_body_size": $(numfmt --from=iec ${UPLOAD_MAX_FILESIZE})
    }
  },
  "listeners": {
    "127.0.0.1:8080": {
      "pass": "routes/wordpress"
    }
  },
  "routes": {
    "wordpress": [
      {
        "match": {
          "uri": [
            "*.php",
            "*.php/*",
            "/wp-admin/"
          ]
        },
        "action": {
          "pass": "applications/wordpress/direct"
        }
      },
      {
        "action": {
          "share": "/var/www/wordpress",
          "fallback": {
            "pass": "applications/wordpress/index"
          }
        }
      }
    ]
  },
  "applications": {
    "wordpress": {
      "type": "php",
      "user": "www-data",
      "group": "www-data",
      "processes": {
        "max": ${MAX_PHP_PROCESSES},
        "spare": 1
      },
      "isolation": {
        ${NAMESPACES}
      },
      "targets": {
        "direct": {
          "root": "/var/www/wordpress/"
        },
        "index": {
          "root": "/var/www/wordpress/",
          "script": "index.php"
        }
      }
    }
  }
}
EOM
curl -X PUT --data-binary @/tmp/wordpress.json --unix-socket /run/control.unit.sock http://localhost/config
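The process-budget calculation above, as an added example that is not part of the original script, with the inputs parsed explicitly so that the edge cases are visible: the script feeds memory_limit to numfmt --from=iec, which fails on PHP's value -1 (no limit) and on a limit given in plain bytes, and in the -1 case the formula has no per-process ceiling to divide by. The function names and the sample /proc/meminfo text are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original installer script.

# Value of a "Key:   1234 kB" line, in kB. $1 = key name, $2 = the text of
# /proc/meminfo (read from the file, or a constructed sample as below).
meminfo_kb() {
  printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Convert a php.ini size (128M, 1G, 512K, or plain bytes) to bytes.
# Returns 1 for -1 (unlimited), an empty value, or an unrecognised form.
ini_size_to_bytes() {
  value="$1"
  case "$value" in
    -1|"") return 1 ;;
  esac
  number="${value%[KkMmGg]}"
  suffix="${value#"$number"}"
  case "$number" in
    *[!0-9]*) return 1 ;;
  esac
  case "$suffix" in
    K|k) echo $((number * 1024)) ;;
    M|m) echo $((number * 1024 * 1024)) ;;
    G|g) echo $((number * 1024 * 1024 * 1024)) ;;
    "")  echo "$number" ;;
  esac
}

# processes.max for NGINX Unit: MemAvailable (kB) / memory_limit + 5, the
# same formula the installer uses. Returns 1 when memory_limit is unlimited,
# because then the number has to be chosen by hand.
max_php_processes() {
  avail_kb="$1"
  limit_bytes="$(ini_size_to_bytes "$2")" || return 1
  [ "$limit_bytes" -gt 0 ] || return 1
  echo $(( avail_kb * 1024 / limit_bytes + 5 ))
}

# Constructed sample of /proc/meminfo for a 4 GB host with 2 GB available.
SAMPLE_MEMINFO='MemTotal:        4030200 kB
MemFree:          120000 kB
MemAvailable:    2097152 kB'

echo "processes.max for the sample host with memory_limit=128M: $(max_php_processes "$(meminfo_kb MemAvailable "$SAMPLE_MEMINFO")" 128M)"
```

On a real host replace the sample with "$(cat /proc/meminfo)" and the 128M with the value grep'd from php.ini, and treat a non-zero return as "set processes.max explicitly".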
Configuring NGINX

Creating the main NGINX configuration file

The script writes nginx.conf in the NGINX configuration directory. It sets the worker process and connection limits, the client upload limit (from UPLOAD_MAX_FILESIZE), the log format, and includes the compression settings and the per-site files from conf.d. The proxy cache zone is declared here rather than in the site configuration because proxy_cache_path is only valid in the http context; the site configuration that follows turns the cache on.
Code:
# Make directory for NGINX cache
mkdir -p /var/cache/nginx/proxy
echo " Configuring NGINX"
# The heredoc is unquoted so that ${...} shell variables expand; NGINX's own
# $variables are escaped with a backslash so the shell leaves them alone
cat > ${NGINX_CONF_DIR}/nginx.conf << EOM
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include ${NGINX_CONF_DIR}/mime.types;
    default_type application/octet-stream;
    log_format main '\$remote_addr - \$remote_user [\$time_local] "\$request" '
                    '\$status \$body_bytes_sent "\$http_referer" '
                    '"\$http_user_agent" "\$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    client_max_body_size ${UPLOAD_MAX_FILESIZE};
    keepalive_timeout 65;
    # gzip settings
    include ${NGINX_CONF_DIR}/gzip_compression.conf;
    # Cache settings
    proxy_cache_path /var/cache/nginx/proxy
        levels=1:2
        keys_zone=wp_cache:10m
        max_size=10g
        inactive=60m
        use_temp_path=off;
    include ${NGINX_CONF_DIR}/conf.d/*.conf;
}
EOM
Configuring NGINX compression

Nearly every client supports compressed responses, and compressing text assets (HTML, CSS, JavaScript, JSON, SVG, fonts) noticeably reduces the bytes transferred. The script writes the gzip settings, adapted from the h5bp server-configs-nginx project, to a separate file that nginx.conf includes. The comments in the file explain each directive.
Code:
cat > ${NGINX_CONF_DIR}/gzip_compression.conf << 'EOM'
# Credit: https://github.com/h5bp/server-configs-nginx/
# ----------------------------------------------------------------------
# | Compression |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 6;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.ms-fontobject
application/wasm
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/bmp
image/svg+xml
text/cache-manifest
text/calendar
text/css
text/javascript
text/markdown
text/plain
text/xml
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
EOM
Configuring NGINX for WordPress

Finally, the script creates default.conf in the conf.d directory, the configuration for the WordPress site itself. It:
- serves the ACME challenge path on port 80 for Certbot and redirects every other plain-HTTP request to HTTPS;
- uses the TLS certificates obtained from Let's Encrypt through Certbot (set up in the next section);
- applies the TLS parameters recommended by Certbot and enables OCSP stapling;
- caches successful responses for one hour and serves stale content when the backend errors out or times out;
- turns off access and not-found logging for favicon.ico and robots.txt;
- denies access to hidden files (such as .htaccess and .git), to .php files under the uploads, wp-content and wp-includes directories, and to wp-config.php;
- turns off access logging for static assets and media;
- adds an Access-Control-Allow-Origin header to font responses;
- proxies index.php and other PHP requests to NGINX Unit while serving static files directly.
Code:
# NGINX's own $variables are escaped so that the unquoted heredoc does not expand them
cat > ${NGINX_CONF_DIR}/conf.d/default.conf << EOM
upstream unit_php_upstream {
    server 127.0.0.1:8080;
    keepalive 32;
}
server {
    listen 80;
    listen [::]:80;
    # ACME-challenge used by Certbot for Let's Encrypt
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://${TLS_HOSTNAME}\$request_uri;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${TLS_HOSTNAME};
    root /var/www/wordpress/;
    # Let's Encrypt configuration
    ssl_certificate ${CERT_DIR}/fullchain.pem;
    ssl_certificate_key ${CERT_DIR}/privkey.pem;
    ssl_trusted_certificate ${CERT_DIR}/chain.pem;
    include ${NGINX_CONF_DIR}/options-ssl-nginx.conf;
    ssl_dhparam ${NGINX_CONF_DIR}/ssl-dhparams.pem;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # Proxy caching
    proxy_cache wp_cache;
    proxy_cache_valid 200 302 1h;
    proxy_cache_valid 404 1m;
    proxy_cache_revalidate on;
    proxy_cache_background_update on;
    proxy_cache_lock on;
    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # Deny all attempts to access hidden files such as .htaccess, .htpasswd,
    # .DS_Store (Mac)
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban)
    location ~ /\. {
        deny all;
    }
    # Deny access to any files with a .php extension in the uploads directory;
    # works in subdirectory installs and also in multi-site network.
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban).
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }
    # WordPress: deny access to wp-content, wp-includes PHP files
    location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
        deny all;
    }
    # Deny public access to wp-config.php
    location ~* wp-config\.php {
        deny all;
    }
    # Do not log access for static assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        access_log off;
    }
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        access_log off;
    }
    location / {
        try_files \$uri @index_php;
    }
    location @index_php {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$host;
        proxy_pass http://unit_php_upstream;
    }
    location ~* \.php$ {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$host;
        try_files \$uri =404;
        proxy_pass http://unit_php_upstream;
    }
}
EOM
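An offline check of which handler the HTTPS server block above selects for a given request path, as an added example that is not part of the original script. NGINX tests regex locations in the order they appear in the file and the first match wins, with location / as the fallback, so the patterns are listed in the same order as the configuration; the (?:...) non-capturing groups become plain groups because grep -E does not support them, which matches the same paths. NGINX matches against the normalised URI (percent-decoding done, dot segments removed), so feed the function normalised paths. The exact (=) locations and the upstream behaviour are not modelled; the function and the sample paths are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original installer script.

# Print the handler default.conf would choose for a (normalised) request path.
classify_uri() {
  uri="$1"
  if printf '%s\n' "$uri" | grep -qE '/\.'; then
    echo deny-hidden          # location ~ /\.
  elif printf '%s\n' "$uri" | grep -qiE '/(uploads|files)/.*\.php$'; then
    echo deny-uploads-php     # location ~* /(?:uploads|files)/.*\.php$
  elif printf '%s\n' "$uri" | grep -qiE '^/(wp-content|wp-includes)/.*\.php$'; then
    echo deny-wp-dirs-php     # location ~* ^/(?:wp-content|wp-includes)/.*\.php$
  elif printf '%s\n' "$uri" | grep -qiE 'wp-config\.php'; then
    echo deny-wp-config       # location ~* wp-config\.php (unanchored)
  elif printf '%s\n' "$uri" | grep -qiE '\.(css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$'; then
    echo static               # served by NGINX from root, access log off
  elif printf '%s\n' "$uri" | grep -qiE '\.(svgz?|ttf|ttc|otf|eot|woff2?)$'; then
    echo static-font          # served by NGINX with Access-Control-Allow-Origin: *
  elif printf '%s\n' "$uri" | grep -qiE '\.php$'; then
    echo php                  # proxied to NGINX Unit if the file exists, else 404
  else
    echo fallback             # location /: try_files $uri, then proxied to Unit
  fi
}

# Constructed sample paths, including ones an attacker would try.
SAMPLE_URIS="/index.php
/wp-login.php
/wp-admin/
/2020/01/hello-world/
/wp-content/themes/twentytwenty/style.css
/wp-content/themes/twentytwenty/font.woff2
/wp-content/uploads/2020/01/photo.jpg
/wp-content/uploads/2020/01/shell.php
/wp-content/uploads/2020/01/shell.php/x
/wp-includes/pluggable.php
/wp-config.php
/WP-CONFIG.PHP.bak
/.git/config"

printf '%s\n' "$SAMPLE_URIS" | while IFS= read -r path; do
  printf '%-44s %s\n' "$path" "$(classify_uri "$path")"
done
```

Two rows of the output are worth a look. /WP-CONFIG.PHP.bak is denied because the wp-config rule is case-insensitive and not anchored, which is what you want for editor backups. /wp-content/uploads/2020/01/shell.php/x is not denied: the uploads and wp-content rules are anchored at the end of the path with $, so a path that continues after .php falls through to location / and is proxied to NGINX Unit, whose own route matches "*.php/*". What Unit does with such a request is decided by its routing, not by the NGINX deny rules, so verify that case on your install rather than assuming NGINX blocks it.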
Setting up Certbot for Let's Encrypt certificates and automating renewal

The script:
- stops NGINX;
- downloads the TLS parameters recommended by Certbot (options-ssl-nginx.conf and ssl-dhparams.pem);
- runs Certbot in standalone mode to obtain a certificate for the site (the --force-renewal flag only applies on this first run, because the step is skipped once a certificate exists);
- starts NGINX, which now uses the certificate;
- adds a cron job that runs certbot renew at 3:24 AM every day and reloads NGINX after a successful renewal.
Code:
echo " Stopping NGINX in order to set up Let's Encrypt"
service nginx stop
mkdir -p /var/www/certbot
chown www-data:www-data /var/www/certbot
chmod g+s /var/www/certbot
if [ ! -f ${NGINX_CONF_DIR}/options-ssl-nginx.conf ]; then
    echo " Downloading recommended TLS parameters"
    curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:36:07 GMT" \
        -o "${NGINX_CONF_DIR}/options-ssl-nginx.conf" \
        "https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf" \
        || echo "Couldn't download latest options-ssl-nginx.conf"
fi
if [ ! -f ${NGINX_CONF_DIR}/ssl-dhparams.pem ]; then
    echo " Downloading recommended TLS DH parameters"
    curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:49:18 GMT" \
        -o "${NGINX_CONF_DIR}/ssl-dhparams.pem" \
        "https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem" \
        || echo "Couldn't download latest ssl-dhparams.pem"
fi
# If tls_certs_init.sh hasn't been run before, remove the self-signed certs
if [ ! -d "/etc/letsencrypt/accounts" ]; then
    echo " Removing self-signed certificates"
    rm -rf "${CERT_DIR}"
fi
if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
    CERTBOT_STAGING_FLAG=""
else
    CERTBOT_STAGING_FLAG="--staging"
fi
if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
    echo " Generating certificates with Let's Encrypt"
    certbot certonly --standalone \
        -m "${WORDPRESS_ADMIN_EMAIL}" \
        ${CERTBOT_STAGING_FLAG} \
        --agree-tos --force-renewal --non-interactive \
        -d "${TLS_HOSTNAME}"
fi
echo " Starting NGINX in order to use new configuration"
service nginx start
# Write crontab for periodic Let's Encrypt cert renewal
if [ "$(crontab -l | grep -m1 'certbot renew')" == "" ]; then
    echo " Adding certbot to crontab for automatic Let's Encrypt renewal"
    (crontab -l 2>/dev/null; echo "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'") | crontab -
fi
Next steps

At this point the script has configured TLS and a working WordPress site, with NGINX in front of NGINX Unit. Things you may want to add on top of it:
- Brotli compression for HTTPS responses, alongside gzip
- ModSecurity with a WordPress rule set, to block common attacks at the proxy
- Backups of the WordPress files and of the database
- AppArmor profiles (on Ubuntu) to confine the processes
- Outgoing mail for WordPress, for example through Postfix or msmtp
- A review of the server's own security (firewall, SSH, updates) before exposing the site

For a high-traffic site, the cache settings and the process counts will need further tuning.

NB: the script was tested in a particular environment; results can differ in yours, so read it before running it.

We hope the script saves you time. Adapt it to your needs, and let us know how it works for you.
source: www.habr.com