Automating WordPress Installation with NGINX Unit and Ubuntu


There are many tutorials on how to install WordPress; a Google search for "WordPress install" returns about half a million results. In practice, however, very few of them are good guides on how to install and configure WordPress and the operating system so that the result can be supported for a long time. Perhaps the correct settings depend too much on specific needs, or perhaps a detailed explanation simply makes an article hard to read.

In this article we try to combine the best of both worlds: we provide a bash script that automates the installation of WordPress on Ubuntu, and we walk through it, explaining what each piece does and the trade-offs we made while developing it. If you are an advanced user, you can skip the text and just take the script, modify it, and use it in your environment. The output of the script is a custom WordPress installation with Let's Encrypt support, running on NGINX Unit and suitable for production use.

The architecture for deploying WordPress on NGINX Unit was described in an earlier article; here we also configure the things that were left out there (as in many other tutorials):

  • WordPress CLI
  • Let's Encrypt and TLS/SSL certificates
  • Automatic certificate renewal
  • NGINX caching
  • NGINX compression
  • HTTPS and HTTP/2 support
  • Process automation

This article describes an installation on a single server, which will host the static file server, the PHP application server, and the database at the same time. An installation supporting multiple virtual hosts and services is a possible topic for the future. If you would like us to write about something not covered in these articles, let us know in the comments.

Requirements

  • A container (LXC or LXD), a virtual machine, or a regular bare-metal server with 512MB of RAM and Ubuntu 18.04 or newer.
  • Ports 80 and 443 reachable from the internet
  • A domain name pointing to the public address of this server
  • Root access (sudo).

Architecture overview

The architecture is the same as described earlier: a three-tier web application. It consists of PHP scripts running on the PHP engine and static files served by the web server.


General principles

  • Most configuration commands in the script are wrapped in idempotency conditions: the script can be run several times without the risk of changing settings that are already in place.
  • The script tries to install software from repositories, so you can apply system updates with a single command (apt upgrade on Ubuntu).
  • The commands try to detect that they are running in a container so that they can adjust their settings accordingly.
  • To set the number of processes to start, the script tries to guess sensible automatic settings for containers, virtual machines, and hardware servers.
  • When describing the settings, we always think of automation first, which we hope will serve as a basis for your own infrastructure-as-code.
  • All commands are run as the root user, since they change basic system settings, but WordPress itself runs as a regular user.

Setting environment variables

Set the following variables before running the script:

  • WORDPRESS_DB_PASSWORD - the WordPress database password
  • WORDPRESS_ADMIN_USER - the WordPress admin username
  • WORDPRESS_ADMIN_PASSWORD - the WordPress admin password
  • WORDPRESS_ADMIN_EMAIL - the WordPress admin email address
  • WORDPRESS_URL - the full URL of the WordPress site, starting with https://
  • LETS_ENCRYPT_STAGING - empty by default; setting it to 1 makes the script use the Let's Encrypt staging servers, which is necessary when you request certificates repeatedly while testing your configuration, because otherwise Let's Encrypt may temporarily block your IP address for making too many requests.

The script checks that these WordPress-related variables are set and exits if they are not.
Script lines 572-576 check the value of LETS_ENCRYPT_STAGING.

Setting derived environment variables

Script lines 55-61 set the following variables, either to a fixed value or to a value derived from the variables set in the previous section:

  • DEBIAN_FRONTEND="noninteractive" - tells programs that they are running inside a script and cannot interact with a user.
  • WORDPRESS_CLI_VERSION="2.4.0" - the version of the WordPress CLI application.
  • WORDPRESS_CLI_MD5="dedd5a662b80cda66e9e25d44c23b25c" - the checksum of the WordPress CLI 2.4.0 executable (the version is given in WORDPRESS_CLI_VERSION). Script line 162 uses this value to verify that the correct WordPress CLI file was downloaded.
  • UPLOAD_MAX_FILESIZE="16M" - the maximum size of a file that can be uploaded to WordPress. This setting is used in several places, so it is easier to define it once.
  • TLS_HOSTNAME="$(echo ${WORDPRESS_URL} | cut -d'/' -f3)" - the system hostname, derived from WORDPRESS_URL. It is used to obtain the appropriate TLS/SSL certificates from Let's Encrypt and for WordPress's internal checks.
  • NGINX_CONF_DIR="/etc/nginx" - the path to the directory holding the NGINX configuration, including the main nginx.conf file.
  • CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}" - the path to the Let's Encrypt certificates for the WordPress site, derived from TLS_HOSTNAME.
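TLS_HOSTNAME ends up in the system hostname, in /etc/hosts, in the certbot -d argument and inside the nginx.conf heredocs, so it is worth validating before use. The following is an added example, not code from the original script: it extracts the host exactly as the script does (third '/'-separated field) and then accepts it only if the URL starts with https:// and the host is a bare DNS name. The function names are this example's own.

```shell
# Same extraction as the script: https://host[:port]/path -> host[:port].
raw_host_from_url() {
  printf '%s\n' "$1" | cut -d'/' -f3
}

# Print the lower-cased hostname and return 0 when the URL is usable for this
# setup: it must start with https:// (as the article requires) and the host
# must be a bare DNS name, because certbot -d, hostnamectl and the nginx
# server_name line all expect one. A port, userinfo, characters outside
# [A-Za-z0-9.-], or leading/trailing/doubled dots make the function return 1.
tls_hostname_from_url() {
  url=$1
  case "$url" in
    https://*) ;;
    *) return 1 ;;
  esac
  host=$(raw_host_from_url "$url")
  case "$host" in
    ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
  esac
  printf '%s\n' "$host" | tr 'A-Z' 'a-z'
}

# Demonstration on a constructed URL; prints blog.example.com.
tls_hostname_from_url 'https://Blog.Example.com/wp/'
```

In the script itself the call would replace the plain `cut`, with a non-zero return treated like a missing variable: print a message and exit before anything is written to the system.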

Setting the hostname of the WordPress server

The script sets the server's hostname to match the site's domain name. This is not required, but it makes sending outgoing mail via SMTP easier on a single-server setup such as the one the script produces.

Script code

# Change the hostname to be the same as the WordPress hostname
if [ ! "$(hostname)" == "${TLS_HOSTNAME}" ]; then
  echo " Changing hostname to ${TLS_HOSTNAME}"
  hostnamectl set-hostname "${TLS_HOSTNAME}"
fi

Adding the hostname to /etc/hosts

The WP-Cron plugin, which is used to run periodic tasks, requires WordPress to be able to reach itself over HTTP. To make sure WP-Cron works correctly in every environment, the script adds a line to /etc/hosts so that WordPress can reach itself over the loopback interface:

Script code

# Add the hostname to /etc/hosts
if [ "$(grep -m1 "${TLS_HOSTNAME}" /etc/hosts)" = "" ]; then
  echo " Adding hostname ${TLS_HOSTNAME} to /etc/hosts so that WordPress can ping itself"
  printf "::1 %s\n127.0.0.1 %s\n" "${TLS_HOSTNAME}" "${TLS_HOSTNAME}" >> /etc/hosts
fi

Installing the tools needed for the following steps

The rest of the script needs a few programs and assumes that the package lists are up to date. We refresh the package lists and then install the required tools:

Script code

# Make sure tools needed for install are present
echo " Installing prerequisite tools"
apt-get -qq update
apt-get -qq install -y \
  bc \
  ca-certificates \
  coreutils \
  curl \
  gnupg2 \
  lsb-release

Adding the NGINX Unit and NGINX repositories

The script installs NGINX Unit and open source NGINX from the official NGINX repositories to make sure that versions with the latest security patches and bug fixes are used.

The script adds the NGINX Unit repository and then the NGINX repository, installing the repository signing key and the apt configuration files that define how the repositories are reached over the internet.

The actual installation of NGINX Unit and NGINX happens in the next step. We add the repositories first so that the package metadata does not have to be refreshed several times, which makes the installation faster.

Script code

# Install the NGINX Unit repository
if [ ! -f /etc/apt/sources.list.d/unit.list ]; then
  echo " Installing NGINX Unit repository"
  curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
  echo "deb https://packages.nginx.org/unit/ubuntu/ $(lsb_release -cs) unit" > /etc/apt/sources.list.d/unit.list
fi

# Install the NGINX repository
if [ ! -f /etc/apt/sources.list.d/nginx.list ]; then
  echo " Installing NGINX repository"
  curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
  echo "deb https://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
fi

Installing NGINX, NGINX Unit, PHP, MariaDB, Certbot (Let's Encrypt) and their dependencies

Once all repositories have been added, the script refreshes the package metadata and installs the software. The packages installed by the script include the PHP extensions recommended by WordPress.org.

Script code

echo " Updating repository metadata"
apt-get -qq update

# Install PHP with dependencies and NGINX Unit
echo " Installing PHP, NGINX Unit, NGINX, Certbot, and MariaDB"
apt-get -qq install -y --no-install-recommends \
  certbot \
  python3-certbot-nginx \
  php-cli \
  php-common \
  php-bcmath \
  php-curl \
  php-gd \
  php-imagick \
  php-mbstring \
  php-mysql \
  php-opcache \
  php-xml \
  php-zip \
  ghostscript \
  nginx \
  unit \
  unit-php \
  mariadb-server

Configuring PHP for use with NGINX Unit and WordPress

The script creates a configuration file in the conf.d directory of the embedded PHP SAPI. It sets the maximum file size for PHP uploads, sends PHP error output to STDERR so that it ends up in the NGINX Unit log, and then restarts NGINX Unit.

Script code

# Find the major and minor PHP version so that we can write to its conf.d directory
PHP_MAJOR_MINOR_VERSION="$(php -v | head -n1 | cut -d' ' -f2 | cut -d'.' -f1,2)"

if [ ! -f "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" ]; then
  echo " Configuring PHP for use with NGINX Unit and WordPress"
  # Add PHP configuration overrides
  cat > "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" << EOM
; Set a larger maximum upload size so that WordPress can handle
; bigger media files.
upload_max_filesize=${UPLOAD_MAX_FILESIZE}
post_max_size=${UPLOAD_MAX_FILESIZE}
; Write error log to STDERR so that error messages show up in the NGINX Unit log
error_log=/dev/stderr
EOM
fi

# Restart NGINX Unit because we have reconfigured PHP
echo " Restarting NGINX Unit"
service unit restart

Configuring the MariaDB database for WordPress

We chose MariaDB over MySQL because it has a more active community and is believed to give better performance out of the box (perhaps it is simpler than that: to install MySQL you would have to add yet another repository; translator's note).

The script creates a new database and the credentials WordPress uses to access it over the loopback interface:

Script code

# Set up the WordPress database
echo " Configuring MariaDB for WordPress"
mysqladmin create wordpress || echo "Ignoring above error because database may already exist"
mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO \"wordpress\"@\"localhost\" IDENTIFIED BY \"$WORDPRESS_DB_PASSWORD\"; FLUSH PRIVILEGES;"

Installing the WordPress CLI

In this step the script installs WP-CLI. With it you can install and manage WordPress settings without editing files, modifying the database, or logging in to the admin panel. It can also be used to install themes and plugins and to update WordPress.

Script code

if [ ! -f /usr/local/bin/wp ]; then
  # Install the WordPress CLI
  echo " Installing the WordPress CLI tool"
  curl --retry 6 -Ls "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" > /usr/local/bin/wp
  # Verify the download against the expected checksum before making it executable
  echo "$WORDPRESS_CLI_MD5  /usr/local/bin/wp" | md5sum -c -
  chmod +x /usr/local/bin/wp
fi

Installing and configuring WordPress

The script installs the latest version of WordPress in the /var/www/wordpress directory and adjusts its settings:

  • The database connection uses a unix socket instead of TCP over loopback, to reduce TCP overhead.
  • WordPress adds the https:// prefix to URLs when clients connect to NGINX over HTTPS, and uses the remote hostname as passed on by NGINX. We inject a code snippet into wp-config.php to set this.
  • WordPress requires HTTPS for the admin login.
  • The default permalink structure is date- and name-based.
  • Correct permissions are set on the files in the WordPress directory.

Script code

if [ ! -d /var/www/wordpress ]; then
  # Create WordPress directories
  mkdir -p /var/www/wordpress
  chown -R www-data:www-data /var/www

  # Download WordPress using the WordPress CLI
  echo " Installing WordPress"
  su -s /bin/sh -c 'wp --path=/var/www/wordpress core download' www-data

  WP_CONFIG_CREATE_CMD="wp --path=/var/www/wordpress config create --extra-php --dbname=wordpress --dbuser=wordpress --dbhost=\"localhost:/var/run/mysqld/mysqld.sock\" --dbpass=\"${WORDPRESS_DB_PASSWORD}\""

  # This snippet is injected into the wp-config.php file when it is created;
  # it informs WordPress that we are behind a reverse proxy and as such
  # allows it to generate links using HTTPS
  cat > /tmp/wp_forwarded_for.php << 'EOM'
/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
EOM

  # Create WordPress configuration
  su -s /bin/sh -p -c "cat /tmp/wp_forwarded_for.php | ${WP_CONFIG_CREATE_CMD}" www-data
  rm /tmp/wp_forwarded_for.php
  su -s /bin/sh -p -c "wp --path=/var/www/wordpress config set 'FORCE_SSL_ADMIN' 'true'" www-data

  # Install WordPress
  WP_SITE_INSTALL_CMD="wp --path=/var/www/wordpress core install --url=\"${WORDPRESS_URL}\" --title=\"${WORDPRESS_SITE_TITLE}\" --admin_user=\"${WORDPRESS_ADMIN_USER}\" --admin_password=\"${WORDPRESS_ADMIN_PASSWORD}\" --admin_email=\"${WORDPRESS_ADMIN_EMAIL}\" --skip-email"
  su -s /bin/sh -p -c "${WP_SITE_INSTALL_CMD}" www-data

  # Set permalink structure to a sensible default that isn't in the UI
  su -s /bin/sh -p -c "wp --path=/var/www/wordpress option update permalink_structure '/%year%/%monthnum%/%postname%/'" www-data

  # Remove sample file because it is cruft and could be a security problem
  rm /var/www/wordpress/wp-config-sample.php

  # Ensure that WordPress permissions are correct
  find /var/www/wordpress -type d -exec chmod g+s {} \;
  chmod g+w /var/www/wordpress/wp-content
  chmod -R g+w /var/www/wordpress/wp-content/themes
  chmod -R g+w /var/www/wordpress/wp-content/plugins
fi

Configuring NGINX Unit

The script configures NGINX Unit to run PHP and to route WordPress paths, isolating the PHP processes in their own namespaces and setting performance parameters. Three things are worth noting here:

  • Namespace support is enabled conditionally, based on a check of whether the script is running in a container. This is necessary because most container configurations do not support nested namespaces.
  • When namespace support is available, the network namespace is disabled. This lets WordPress connect to all endpoints and be reachable from the web at the same time.
  • The maximum number of processes is defined as: (memory available once MariaDB and NGINX Unit are running) / (PHP memory limit) + 5.
    This value is written into the NGINX Unit configuration.

The value also means that at least a couple of PHP processes are always running, which matters because WordPress makes many asynchronous requests to itself, and without spare processes running WP-Cron, for example, would break. You may want to raise or lower this limit depending on your environment, because the settings made here are conservative. On most production systems the value is between 10 and 100.

Script code

if [ "${container:-unknown}" != "lxc" ] && [ "$(grep -m1 -a container=lxc /proc/1/environ | tr -d '\0')" == "" ]; then
  NAMESPACES='"namespaces": {
        "cgroup": true,
        "credential": true,
        "mount": true,
        "network": false,
        "pid": true,
        "uname": true
    }'
else
  NAMESPACES='"namespaces": {}'
fi

# Read the PHP memory limit from the embedded SAPI's php.ini (the PHP version was detected earlier)
PHP_MEM_LIMIT="$(grep 'memory_limit' /etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/php.ini | tr -d ' ' | cut -f2 -d= | numfmt --from=iec)"
AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
MAX_PHP_PROCESSES="$(echo "${AVAIL_MEM}/${PHP_MEM_LIMIT}+5" | bc)"
echo " Calculated the maximum number of PHP processes as ${MAX_PHP_PROCESSES}. You may want to tune this value due to variations in your configuration. It is not unusual to see values between 10-100 in production configurations."

echo " Configuring NGINX Unit to use PHP and WordPress"
cat > /tmp/wordpress.json << EOM
{
  "settings": {
    "http": {
      "header_read_timeout": 30,
      "body_read_timeout": 30,
      "send_timeout": 30,
      "idle_timeout": 180,
      "max_body_size": $(numfmt --from=iec ${UPLOAD_MAX_FILESIZE})
    }
  },
  "listeners": {
    "127.0.0.1:8080": {
      "pass": "routes/wordpress"
    }
  },
  "routes": {
    "wordpress": [
      {
        "match": {
          "uri": [
            "*.php",
            "*.php/*",
            "/wp-admin/"
          ]
        },
        "action": {
          "pass": "applications/wordpress/direct"
        }
      },
      {
        "action": {
          "share": "/var/www/wordpress",
          "fallback": {
            "pass": "applications/wordpress/index"
          }
        }
      }
    ]
  },
  "applications": {
    "wordpress": {
      "type": "php",
      "user": "www-data",
      "group": "www-data",
      "processes": {
        "max": ${MAX_PHP_PROCESSES},
        "spare": 1
      },
      "isolation": {
        ${NAMESPACES}
      },
      "targets": {
        "direct": {
          "root": "/var/www/wordpress/"
        },
        "index": {
          "root": "/var/www/wordpress/",
          "script": "index.php"
        }
      }
    }
  }
}
EOM

curl -X PUT --data-binary @/tmp/wordpress.json --unix-socket /run/control.unit.sock http://localhost/config
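The process sizing rule above (available memory divided by the PHP memory limit, plus 5) is easy to get wrong when memory_limit is -1 (unlimited) or when the units differ, so here it is as an added example, not code from the original script, with the parsing factored into functions that can be checked against constructed /proc/meminfo and php.ini text. Function names and the sample inputs are this example's own.

```shell
# Convert a php.ini / IEC style size (128M, 1G, 512K or plain bytes) to bytes,
# using the same 1024-based suffixes as numfmt --from=iec in the script.
to_bytes() {
  val=$1
  num=${val%[KkMmGg]}
  case "$val" in
    *[Kk]) printf '%s\n' $((num * 1024)) ;;
    *[Mm]) printf '%s\n' $((num * 1024 * 1024)) ;;
    *[Gg]) printf '%s\n' $((num * 1024 * 1024 * 1024)) ;;
    *)     printf '%s\n' "$num" ;;
  esac
}

# memory_limit from php.ini text on stdin ("memory_limit = 128M" -> "128M").
# PHP uses -1 to mean "no limit".
php_memory_limit() {
  grep -m1 '^memory_limit' | tr -d ' ' | cut -f2 -d=
}

# MemAvailable from /proc/meminfo text on stdin, in bytes. The script treats
# the kernel's kB as 1000 bytes (numfmt --from-unit=K); this does the same.
mem_available_bytes() {
  kb=$(grep -m1 '^MemAvailable' | tr -d ' kB' | cut -f2 -d:)
  printf '%s\n' $((kb * 1000))
}

# The sizing rule itself: avail / limit + 5, integer division as with bc.
# Edge case: memory_limit=-1 makes the division meaningless, so only the
# +5 floor is returned instead of a negative or huge value.
max_php_processes() {
  avail=$1
  limit=$2
  if [ "$limit" -le 0 ]; then
    printf '5\n'
    return 0
  fi
  printf '%s\n' $((avail / limit + 5))
}

# Constructed sample inputs standing in for /proc/meminfo and php.ini.
SAMPLE_MEMINFO='MemTotal:        4039524 kB
MemFree:          812340 kB
MemAvailable:    3112448 kB'
SAMPLE_INI='; constructed php.ini fragment
memory_limit = 128M'

# Apply the rule to the samples: 3112448000 / 134217728 = 23, plus 5 -> 28.
sizing_from_samples() {
  avail=$(printf '%s\n' "$SAMPLE_MEMINFO" | mem_available_bytes)
  limit=$(to_bytes "$(printf '%s\n' "$SAMPLE_INI" | php_memory_limit)")
  max_php_processes "$avail" "$limit"
}

sizing_from_samples
```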

Configuring NGINX

Basic NGINX configuration

The script creates the NGINX cache directory and writes the main configuration file nginx.conf. Pay attention to the number of worker processes and the maximum upload size setting. There is also a line that includes the compression configuration file described in the next section, followed by the cache settings.

Script code

# Make directory for NGINX cache
mkdir -p /var/cache/nginx/proxy

echo " Configuring NGINX"
# Unquoted heredoc: ${...} is expanded by the shell, NGINX variables are escaped as \$
cat > ${NGINX_CONF_DIR}/nginx.conf << EOM
user nginx;
worker_processes auto;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       ${NGINX_CONF_DIR}/mime.types;
    default_type  application/octet-stream;
    log_format  main  '\$remote_addr - \$remote_user [\$time_local] "\$request" '
                      '\$status \$body_bytes_sent "\$http_referer" '
                      '"\$http_user_agent" "\$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    client_max_body_size ${UPLOAD_MAX_FILESIZE};
    keepalive_timeout  65;
    # gzip settings
    include ${NGINX_CONF_DIR}/gzip_compression.conf;
    # Cache settings
    proxy_cache_path /var/cache/nginx/proxy
        levels=1:2
        keys_zone=wp_cache:10m
        max_size=10g
        inactive=60m
        use_temp_path=off;
    include ${NGINX_CONF_DIR}/conf.d/*.conf;
}
EOM

Configuring NGINX compression

Compressing content on the fly before sending it to clients is a good way to improve site performance, but only if compression is configured correctly. This part of the script is based on the settings from the h5bp server-configs-nginx project.

Script code

cat > ${NGINX_CONF_DIR}/gzip_compression.conf << 'EOM'
# Credit: https://github.com/h5bp/server-configs-nginx/
# ----------------------------------------------------------------------
# | Compression                                                        |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 6;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
  application/atom+xml
  application/geo+json
  application/javascript
  application/x-javascript
  application/json
  application/ld+json
  application/manifest+json
  application/rdf+xml
  application/rss+xml
  application/vnd.ms-fontobject
  application/wasm
  application/x-web-app-manifest+json
  application/xhtml+xml
  application/xml
  font/eot
  font/otf
  font/ttf
  image/bmp
  image/svg+xml
  text/cache-manifest
  text/calendar
  text/css
  text/javascript
  text/markdown
  text/plain
  text/xml
  text/vcard
  text/vnd.rim.location.xloc
  text/vtt
  text/x-component
  text/x-cross-domain-policy;
EOM

Configuring NGINX for WordPress

Next, the script creates the WordPress configuration file default.conf in the conf.d directory. It configures:

  • Enabling the TLS certificates obtained from Let's Encrypt via Certbot (their setup is the next step)
  • TLS security settings based on the Let's Encrypt recommendations
  • Caching of proxied responses for one hour by default
  • Disabling access logging, and error logging when the file is not found, for two frequently requested files: favicon.ico and robots.txt
  • Denying access to hidden files and to certain .php files, to prevent unauthorised access or unintended execution
  • Disabling access logging for static files and fonts
  • The Access-Control-Allow-Origin header for font files
  • Routing for index.php and for the other PHP and static files.

Script code

# Unquoted heredoc: ${...} is expanded by the shell, NGINX variables are escaped as \$
cat > ${NGINX_CONF_DIR}/conf.d/default.conf << EOM
upstream unit_php_upstream {
    server 127.0.0.1:8080;
    keepalive 32;
}
server {
    listen 80;
    listen [::]:80;
    # ACME-challenge used by Certbot for Let's Encrypt
    location ^~ /.well-known/acme-challenge/ {
      root /var/www/certbot;
    }
    location / {
      return 301 https://${TLS_HOSTNAME}\$request_uri;
    }
}
server {
    listen      443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${TLS_HOSTNAME};
    root        /var/www/wordpress/;
    # Let's Encrypt configuration
    ssl_certificate         ${CERT_DIR}/fullchain.pem;
    ssl_certificate_key     ${CERT_DIR}/privkey.pem;
    ssl_trusted_certificate ${CERT_DIR}/chain.pem;
    include ${NGINX_CONF_DIR}/options-ssl-nginx.conf;
    ssl_dhparam ${NGINX_CONF_DIR}/ssl-dhparams.pem;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # Proxy caching
    proxy_cache wp_cache;
    proxy_cache_valid 200 302 1h;
    proxy_cache_valid 404 1m;
    proxy_cache_revalidate on;
    proxy_cache_background_update on;
    proxy_cache_lock on;
    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd,
    # .DS_Store (Mac)
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban)
    location ~ /\. {
        deny all;
    }
    # Deny access to any files with a .php extension in the uploads directory;
    # works in subdirectory installs and also in multi-site network.
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban).
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }
    # WordPress: deny access to wp-content, wp-includes PHP files
    location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
        deny all;
    }
    # Deny public access to wp-config.php
    location ~* wp-config\.php {
        deny all;
    }
    # Do not log access for static assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        access_log off;
    }
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        access_log off;
    }
    location / {
        try_files \$uri @index_php;
    }
    location @index_php {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$host;
        proxy_pass       http://unit_php_upstream;
    }
    location ~* \.php$ {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$host;
        try_files        \$uri =404;
        proxy_pass       http://unit_php_upstream;
    }
}
EOM

Configuring Certbot for Let's Encrypt certificates and their automatic renewal

Certbot is a free tool from the Electronic Frontier Foundation (EFF) that lets you obtain and renew TLS certificates from Let's Encrypt. The script does the following to set up Certbot to manage Let's Encrypt certificates for NGINX:

  • Stops NGINX
  • Downloads the recommended TLS settings
  • Runs Certbot to obtain certificates for the site
  • Starts NGINX again so it uses the certificates
  • Configures Certbot to run every day at 3:24 AM to check whether the certificate needs renewal and, if so, to fetch new certificates and reload NGINX.

Script code

echo " Stopping NGINX in order to set up Let's Encrypt"
service nginx stop

mkdir -p /var/www/certbot
chown www-data:www-data /var/www/certbot
chmod g+s /var/www/certbot

if [ ! -f ${NGINX_CONF_DIR}/options-ssl-nginx.conf ]; then
  echo " Downloading recommended TLS parameters"
  curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:36:07 GMT" \
    -o "${NGINX_CONF_DIR}/options-ssl-nginx.conf" \
    "https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf" \
    || echo "Couldn't download latest options-ssl-nginx.conf"
fi

if [ ! -f ${NGINX_CONF_DIR}/ssl-dhparams.pem ]; then
  echo " Downloading recommended TLS DH parameters"
  curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:49:18 GMT" \
    -o "${NGINX_CONF_DIR}/ssl-dhparams.pem" \
    "https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem" \
    || echo "Couldn't download latest ssl-dhparams.pem"
fi

# If tls_certs_init.sh hasn't been run before, remove the self-signed certs
if [ ! -d "/etc/letsencrypt/accounts" ]; then
  echo " Removing self-signed certificates"
  rm -rf "${CERT_DIR}"
fi

if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
  CERTBOT_STAGING_FLAG=""
else
  CERTBOT_STAGING_FLAG="--staging"
fi

if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
  echo " Generating certificates with Let's Encrypt"
  certbot certonly --standalone \
         -m "${WORDPRESS_ADMIN_EMAIL}" \
         ${CERTBOT_STAGING_FLAG} \
         --agree-tos --force-renewal --non-interactive \
         -d "${TLS_HOSTNAME}"
fi

echo " Starting NGINX in order to use new configuration"
service nginx start

# Write crontab for periodic Let's Encrypt cert renewal
if [ "$(crontab -l | grep -m1 'certbot renew')" == "" ]; then
  echo " Adding certbot to crontab for automatic Let's Encrypt renewal"
  (crontab -l 2>/dev/null; echo "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'") | crontab -
fi

Additional settings for your site

We discussed above how the script configures NGINX and NGINX Unit for a production-ready environment with TLS/SSL. Depending on your needs, you may later want to add:

  • Brotli support, to improve on-the-fly compression over HTTPS
  • ModSecurity with WordPress rules, to protect your site from automated attacks
  • WordPress backups that suit your needs
  • Hardening with AppArmor profiles (on Ubuntu)
  • Postfix or msmtp so that WordPress can send mail
  • Load testing of your site, to understand how much traffic it can handle

For better site performance we recommend upgrading to NGINX Plus, our commercial, enterprise-grade product based on open source NGINX. Its subscribers get a dynamically loadable Brotli module, as well as (for an additional charge) the NGINX ModSecurity WAF. We also offer NGINX App Protect, a WAF module for NGINX Plus built on F5's industry-leading security technology.

NB: For help with a heavily loaded site, you can contact the experts at Southbridge. We will make sure your site or service runs fast and reliably under any load.

Source: www.habr.com