Automating the installation of WordPress with NGINX Unit on Ubuntu

There are many tutorials on installing WordPress; a Google search for "WordPress install" returns about half a million results. In practice, though, very few of them are good guides to installing and configuring WordPress together with the underlying operating system so that the result can be maintained for a long time. Perhaps the right settings depend too much on specific needs, or perhaps a detailed explanation makes an article hard to read.

In this article we try to combine the best of both worlds: we provide a bash script that automates the installation of WordPress on Ubuntu, and we walk through it, explaining what each part does, along with the tweaks we made while developing it. If you are an advanced user, you can skip the text and simply take the script, adapt it, and use it in your own environment. The script produces a standard WordPress installation with Let's Encrypt support, running on NGINX Unit and suitable for production use.

The architecture for deploying WordPress on NGINX Unit was described in an earlier article; here we add the things that were not covered there (nor in most other tutorials):

  • WordPress CLI
  • Let's Encrypt and TLS/SSL certificates
  • Automatic certificate renewal
  • NGINX caching
  • NGINX compression
  • HTTPS and HTTP/2 support
  • Process automation

The article describes an installation on a single server, which hosts the web server, the PHP application server, and the database at the same time. An installation spread across multiple hosts and services is a possible topic for the future. If you would like us to write about something not covered in these articles, say so in the comments.

Requirements

  • A container (LXC or LXD), a virtual machine, or an ordinary physical server with at least 512MB of RAM and Ubuntu 18.04 or newer installed.
  • Ports 80 and 443 reachable from the Internet
  • A domain name that resolves to the public IP address of this server
  • Root access (sudo).

Architecture overview

The architecture is the same as described earlier: a three-tier web application. It consists of PHP scripts running on the PHP engine and static files served by the web server.

[Image: Automating the installation of WordPress with NGINX Unit on Ubuntu]

General principles

  • Most configuration commands in the script are wrapped in conditions so that it is idempotent: the script can be run several times without the risk of changing settings that are already configured.
  • The script tries to install software from repositories, so that security updates can be applied with a single command (apt upgrade on Ubuntu).
  • Commands try to detect that they are running inside a container so that they can adjust their settings accordingly.
  • To set the number of processes or threads to start in the configuration, the script tries to guess settings that work automatically in containers, virtual machines, and physical machines.
  • When describing settings, we think first about automation, which, we hope, will become the basis for building your own infrastructure as code.
  • All commands are run as the root user, because they change basic system settings, but WordPress itself runs as a regular user.

Setting environment variables

Set the following environment variables before running the script:

  • WORDPRESS_DB_PASSWORD - WordPress database password
  • WORDPRESS_ADMIN_USER - WordPress admin username
  • WORDPRESS_ADMIN_PASSWORD - WordPress admin password
  • WORDPRESS_ADMIN_EMAIL - WordPress admin email
  • WORDPRESS_URL - the full URL of the WordPress site, starting with https://.
  • LETS_ENCRYPT_STAGING - empty by default; setting it to 1 makes the script use the Let's Encrypt staging servers, which is necessary when you request certificates repeatedly while testing your settings, otherwise Let's Encrypt may temporarily block your IP address because of too many requests.

The script checks that these WordPress-related variables are set and exits if they are not.
Script lines 572-576 check the LETS_ENCRYPT_STAGING value.

Setting derived environment variables

The script, on lines 55-61, sets the following environment variables, either to a hard-coded value or to a value derived from the variables set in the previous section:

  • DEBIAN_FRONTEND="noninteractive" - tells applications that they are running inside a script and that no user interaction is possible.
  • WORDPRESS_CLI_VERSION="2.4.0" - the version of the WordPress CLI application.
  • WORDPRESS_CLI_MD5="dedd5a662b80cda66e9e25d44c23b25c" - the checksum of the WordPress CLI 2.4.0 executable (the version is specified in the WORDPRESS_CLI_VERSION variable). The script uses this value on line 162 to verify the integrity of the downloaded WordPress CLI file.
  • UPLOAD_MAX_FILESIZE="16M" - the maximum size of a file that can be uploaded to WordPress. This setting is used in several places, so it is easier to keep it in one place.
  • TLS_HOSTNAME="$(echo ${WORDPRESS_URL} | cut -d'/' -f3)" - the hostname of the system, derived from the WORDPRESS_URL variable. It is used to obtain the appropriate TLS/SSL certificates from Let's Encrypt and for WordPress's own internal checks.
  • NGINX_CONF_DIR="/etc/nginx" - path to the directory holding the NGINX configuration, including the main nginx.conf file.
  • CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}" - the path to the Let's Encrypt certificates for the WordPress site, derived from the TLS_HOSTNAME variable.
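The checks and derivations described in the two sections above, as an added example that is not part of the original script: it verifies that the required variables are set, that WORDPRESS_URL starts with https:// and carries a hostname, and then derives TLS_HOSTNAME, CERT_DIR and the Certbot staging flag exactly as the script does. The function names are my own; REQUIRED_VARS lists the variables the article names.

```shell
# Added example, not from the original script: fail fast on a bad environment
# before anything is installed. POSIX sh compatible.

# Variables the article says must be set and non-empty.
REQUIRED_VARS="WORDPRESS_DB_PASSWORD WORDPRESS_ADMIN_USER WORDPRESS_ADMIN_PASSWORD WORDPRESS_ADMIN_EMAIL WORDPRESS_URL"

# Returns 0 when every required variable is set and non-empty; otherwise
# prints each missing name to stderr and returns 1.
check_required_vars() {
  local missing name value
  missing=0
  for name in ${REQUIRED_VARS}; do
    eval "value=\${${name}:-}"
    if [ -z "${value}" ]; then
      echo "Missing required environment variable: ${name}" >&2
      missing=1
    fi
  done
  return "${missing}"
}

# Derives the hostname from a URL the same way the script does
# (cut -d'/' -f3): "https://blog.example.com/path" -> "blog.example.com".
hostname_from_url() {
  echo "$1" | cut -d'/' -f3
}

# Returns 0 only for an https:// URL with a non-empty host part. The script
# requires https:// so that FORCE_SSL_ADMIN and the Let's Encrypt certificate
# refer to the same origin.
check_wordpress_url() {
  local url host
  url="$1"
  case "${url}" in
    https://*) ;;
    *) echo "WORDPRESS_URL must start with https:// : ${url}" >&2; return 1 ;;
  esac
  host="$(hostname_from_url "${url}")"
  if [ -z "${host}" ]; then
    echo "WORDPRESS_URL has no hostname: ${url}" >&2
    return 1
  fi
  return 0
}

# Maps LETS_ENCRYPT_STAGING to the certbot flag the script builds:
# empty or "0" -> production (no flag), anything else -> "--staging".
certbot_staging_flag() {
  local value
  value="${1:-}"
  if [ "" = "${value}" ] || [ "0" = "${value}" ]; then
    echo ""
  else
    echo "--staging"
  fi
}

# Prints the derived settings as KEY=VALUE lines for review before installing.
derive_settings() {
  local host
  host="$(hostname_from_url "$1")"
  echo "TLS_HOSTNAME=${host}"
  echo "CERT_DIR=/etc/letsencrypt/live/${host}"
  echo "CERTBOT_STAGING_FLAG=$(certbot_staging_flag "${LETS_ENCRYPT_STAGING:-}")"
}

# Runs all checks against the current environment; 0 means safe to proceed.
validate_environment() {
  check_required_vars || return 1
  check_wordpress_url "${WORDPRESS_URL}" || return 1
  derive_settings "${WORDPRESS_URL}"
}
```

Export the variables, then run `validate_environment` before the installer.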

Assigning a hostname to the WordPress server

The script sets the server's hostname to match the site's domain name. This is not required, but it makes sending outgoing mail over SMTP much easier when a single server is configured the way this script configures it.

# Change the hostname to be the same as the WordPress hostname
if [ ! "$(hostname)" == "${TLS_HOSTNAME}" ]; then
  echo " Changing hostname to ${TLS_HOSTNAME}"
  hostnamectl set-hostname "${TLS_HOSTNAME}"
fi

Adding the domain name to /etc/hosts

WP-Cron, which WordPress uses to run periodic tasks, requires WordPress to be able to reach itself over HTTP. To make sure WP-Cron works correctly in every environment, the script adds a line to /etc/hosts so that WordPress can reach itself over the loopback interface:

# Add the hostname to /etc/hosts
if [ "$(grep -m1 "${TLS_HOSTNAME}" /etc/hosts)" = "" ]; then
  echo " Adding hostname ${TLS_HOSTNAME} to /etc/hosts so that WordPress can ping itself"
  # One entry for IPv6 loopback and one for IPv4 loopback
  printf "::1 %s\n127.0.0.1 %s\n" "${TLS_HOSTNAME}" "${TLS_HOSTNAME}" >> /etc/hosts
fi

Installing the tools required for the following steps

The rest of the script needs a few programs and assumes the package lists are up to date. We refresh the package lists and then install the necessary tools:

# Make sure tools needed for install are present
echo " Installing prerequisite tools"
apt-get -qq update
apt-get -qq install -y \
  bc \
  ca-certificates \
  coreutils \
  curl \
  gnupg2 \
  lsb-release

Adding the NGINX Unit and NGINX repositories

The script installs NGINX Unit and open source NGINX from the NGINX repositories to make sure it uses versions with the latest security patches and bug fixes.

The script adds the NGINX Unit repository and then the NGINX repository, installing the repository signing key and the apt configuration files that define how the repositories are reached over the Internet.

The actual installation of NGINX Unit and NGINX happens in the next section. We add the repositories first so that the package metadata does not have to be refreshed several times, which speeds up the installation.


# Install the NGINX Unit repository
if [ ! -f /etc/apt/sources.list.d/unit.list ]; then
  echo " Installing NGINX Unit repository"
  curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
  echo "deb https://packages.nginx.org/unit/ubuntu/ $(lsb_release -cs) unit" > /etc/apt/sources.list.d/unit.list
fi

# Install the NGINX repository
if [ ! -f /etc/apt/sources.list.d/nginx.list ]; then
  echo " Installing NGINX repository"
  curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
  echo "deb https://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
fi

Installing NGINX, NGINX Unit, PHP, MariaDB, Certbot (Let's Encrypt) and their dependencies

Once all the repositories have been added, refresh the metadata and install the applications. The set of packages the script installs also includes the PHP extensions that WordPress.org recommends.

echo " Updating repository metadata"
apt-get -qq update

# Install PHP with dependencies and NGINX Unit
echo " Installing PHP, NGINX Unit, NGINX, Certbot, and MariaDB"
apt-get -qq install -y --no-install-recommends \
  certbot \
  python3-certbot-nginx \
  php-cli \
  php-common \
  php-bcmath \
  php-curl \
  php-gd \
  php-imagick \
  php-mbstring \
  php-mysql \
  php-opcache \
  php-xml \
  php-zip \
  ghostscript \
  nginx \
  unit \
  unit-php \
  mariadb-server

Configuring PHP for use with NGINX Unit and WordPress

The script creates a configuration file in the conf.d directory. It sets the maximum upload size for PHP, sends PHP errors to STDERR so that they end up in the NGINX Unit log, and restarts NGINX Unit.

# Find the major and minor PHP version so that we can write to its conf.d directory
PHP_MAJOR_MINOR_VERSION="$(php -v | head -n1 | cut -d' ' -f2 | cut -d'.' -f1,2)"

if [ ! -f "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" ]; then
  echo " Configuring PHP for use with NGINX Unit and WordPress"
  # Add PHP configuration overrides
  cat > "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" << EOM
; Set a larger maximum upload size so that WordPress can handle
; bigger media files.
upload_max_filesize=${UPLOAD_MAX_FILESIZE}
post_max_size=${UPLOAD_MAX_FILESIZE}
; Write error log to STDERR so that error messages show up in the NGINX Unit log
error_log=/dev/stderr
EOM
fi

# Restart NGINX Unit because we have reconfigured PHP
echo " Restarting NGINX Unit"
service unit restart

Setting up MariaDB database credentials for WordPress

We chose MariaDB over MySQL because it has a more active community and also seems to perform better out of the box (probably the reason is simpler: to install MySQL you would have to add yet another repository, translator's note).

The script creates a new database and the credentials that WordPress uses over the loopback interface:

# Set up the WordPress database
echo " Configuring MariaDB for WordPress"
mysqladmin create wordpress || echo "Ignoring above error because database may already exist"
# Single quotes inside the SQL so the double-quoted shell string stays intact
mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost' IDENTIFIED BY '${WORDPRESS_DB_PASSWORD}'; FLUSH PRIVILEGES;"

Installing the WordPress CLI application

In this step the script installs WP-CLI. With it you can install WordPress and manage its settings without editing files by hand, updating the database manually, or logging in to the admin panel. It can also be used to install themes and plugins and to update WordPress.

if [ ! -f /usr/local/bin/wp ]; then
  # Install the WordPress CLI
  echo " Installing the WordPress CLI tool"
  curl --retry 6 -Ls "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" > /usr/local/bin/wp
  echo "$WORDPRESS_CLI_MD5 /usr/local/bin/wp" | md5sum -c -
  chmod +x /usr/local/bin/wp
fi

Installing and configuring WordPress

The script installs the latest version of WordPress into the /var/www/wordpress directory and also changes the following settings:

  • The database connection uses a unix domain socket instead of TCP over loopback, which cuts down on TCP traffic.
  • WordPress adds an https:// prefix to URLs when clients connect to NGINX over HTTPS, and the remote hostname (as passed on by NGINX) is handed to PHP. We inject a small piece of code to set this up.
  • WordPress requires HTTPS for logging in
  • The default permalink structure is resource-based
  • The correct file system permissions are set on the WordPress directory.

if [ ! -d /var/www/wordpress ]; then
  # Create WordPress directories
  mkdir -p /var/www/wordpress
  chown -R www-data:www-data /var/www

  # Download WordPress using the WordPress CLI
  echo " Installing WordPress"
  su -s /bin/sh -c 'wp --path=/var/www/wordpress core download' www-data

  # Inner double quotes are escaped so they survive into the command string
  WP_CONFIG_CREATE_CMD="wp --path=/var/www/wordpress config create --extra-php --dbname=wordpress --dbuser=wordpress --dbhost=\"localhost:/var/run/mysqld/mysqld.sock\" --dbpass=\"${WORDPRESS_DB_PASSWORD}\""

  # This snippet is injected into the wp-config.php file when it is created;
  # it informs WordPress that we are behind a reverse proxy and as such
  # allows it to generate links using HTTPS
  cat > /tmp/wp_forwarded_for.php << 'EOM'
/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
EOM

  # Create WordPress configuration
  su -s /bin/sh -p -c "cat /tmp/wp_forwarded_for.php | ${WP_CONFIG_CREATE_CMD}" www-data
  rm /tmp/wp_forwarded_for.php
  su -s /bin/sh -p -c "wp --path=/var/www/wordpress config set 'FORCE_SSL_ADMIN' 'true'" www-data

  # Install WordPress
  WP_SITE_INSTALL_CMD="wp --path=/var/www/wordpress core install --url=\"${WORDPRESS_URL}\" --title=\"${WORDPRESS_SITE_TITLE}\" --admin_user=\"${WORDPRESS_ADMIN_USER}\" --admin_password=\"${WORDPRESS_ADMIN_PASSWORD}\" --admin_email=\"${WORDPRESS_ADMIN_EMAIL}\" --skip-email"
  su -s /bin/sh -p -c "${WP_SITE_INSTALL_CMD}" www-data

  # Set permalink structure to a sensible default that isn't in the UI
  su -s /bin/sh -p -c "wp --path=/var/www/wordpress option update permalink_structure '/%year%/%monthnum%/%postname%/'" www-data

  # Remove sample file because it is cruft and could be a security problem
  rm /var/www/wordpress/wp-config-sample.php

  # Ensure that WordPress permissions are correct
  find /var/www/wordpress -type d -exec chmod g+s {} \;
  chmod g+w /var/www/wordpress/wp-content
  chmod -R g+w /var/www/wordpress/wp-content/themes
  chmod -R g+w /var/www/wordpress/wp-content/plugins
fi

Configuring NGINX Unit

The script configures NGINX Unit to run PHP and handle WordPress paths, isolating the PHP process namespaces and tuning the performance settings. Three things deserve attention here:

  • Namespace support is enabled conditionally, based on a check of whether the script is running inside a container. This is necessary because most container setups do not support nested containers.
  • Where namespace support is available, the network namespace is disabled. This allows WordPress to connect to both endpoints and to be reachable over the network at the same time.
  • The maximum number of processes is defined as: (available memory for running MariaDB and NGINX Unit)/(RAM limit for PHP + 5)
    This value is set in the NGINX Unit settings.

This value also guarantees that at least two PHP processes are always running, which matters because WordPress makes many asynchronous requests to itself, and without spare processes things such as WP-Cron break. You may want to raise or lower these limits to suit your local setup, since the settings made here are conservative. In most production systems the value lies between 10 and 100.
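The sizing calculation described above, as an added example that is not part of the original script: it applies the script's formula (available memory divided by the PHP memory_limit, plus 5) to constructed /proc/meminfo and php.ini text, parsing IEC sizes in pure shell so it runs without numfmt or bc, and it rejects memory_limit = -1, which the script's pipeline cannot size against. The function names and the sample texts are my own.

```shell
# Added example, not from the original script: derive NGINX Unit's
# "processes.max" the way the script does, from constructed inputs.

# Converts an IEC size such as 128M, 2G, 512K or 1048576 into bytes.
# Returns 1 for "-1" (PHP's "unlimited") or for anything unparseable.
iec_to_bytes() {
  local value num unit
  value="$1"
  case "${value}" in
    -1) echo "memory_limit is unlimited; cannot size processes" >&2; return 1 ;;
  esac
  num="${value%[KkMmGg]}"
  unit="${value#"${num}"}"
  case "${num}" in
    ''|*[!0-9]*) echo "invalid size: ${value}" >&2; return 1 ;;
  esac
  case "${unit}" in
    '')  echo "${num}" ;;
    K|k) echo $((num * 1024)) ;;
    M|m) echo $((num * 1024 * 1024)) ;;
    G|g) echo $((num * 1024 * 1024 * 1024)) ;;
  esac
}

# Reads php.ini text on stdin ("memory_limit = 128M") and prints the limit in bytes.
php_memory_limit_bytes() {
  local raw
  raw="$(grep -m1 '^memory_limit' | tr -d ' ' | cut -f2 -d=)"
  iec_to_bytes "${raw}"
}

# Reads /proc/meminfo text on stdin ("MemAvailable:  2097152 kB") and prints bytes.
mem_available_bytes() {
  local kib
  kib="$(grep -m1 '^MemAvailable:' | tr -d ' kB' | cut -f2 -d:)"
  echo $((kib * 1024))
}

# The script's formula, with integer division exactly as bc performs it.
max_php_processes() {
  echo $(($1 / $2 + 5))
}

# Constructed stand-ins for /proc/meminfo and the embed SAPI php.ini.
SAMPLE_MEMINFO='MemTotal:        4039808 kB
MemFree:          512000 kB
MemAvailable:    2097152 kB'
SAMPLE_PHP_INI='; constructed php.ini excerpt
memory_limit = 128M
upload_max_filesize = 2M'

# Computes the process count from two texts; returns 1 if the limit is unusable.
size_from_texts() {
  local avail limit
  avail="$(printf '%s\n' "$1" | mem_available_bytes)"
  limit="$(printf '%s\n' "$2" | php_memory_limit_bytes)" || return 1
  max_php_processes "${avail}" "${limit}"
}
```

On a live host replace the constructed texts with `cat /proc/meminfo` and the php.ini the script reads.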

# tr needs an explicit NUL to strip the separators in /proc/1/environ
if [ "${container:-unknown}" != "lxc" ] && [ "$(grep -m1 -a container=lxc /proc/1/environ | tr -d '\0')" == "" ]; then
  NAMESPACES='"namespaces": {
        "cgroup": true,
        "credential": true,
        "mount": true,
        "network": false,
        "pid": true,
        "uname": true
    }'
else
  NAMESPACES='"namespaces": {}'
fi

# Use the PHP version detected earlier instead of a hard-coded 7.4 path
PHP_MEM_LIMIT="$(grep 'memory_limit' /etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/php.ini | tr -d ' ' | cut -f2 -d= | numfmt --from=iec)"
AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
MAX_PHP_PROCESSES="$(echo "${AVAIL_MEM}/${PHP_MEM_LIMIT}+5" | bc)"
echo " Calculated the maximum number of PHP processes as ${MAX_PHP_PROCESSES}. You may want to tune this value due to variations in your configuration. It is not unusual to see values between 10-100 in production configurations."

echo " Configuring NGINX Unit to use PHP and WordPress"
cat > /tmp/wordpress.json << EOM
{
  "settings": {
    "http": {
      "header_read_timeout": 30,
      "body_read_timeout": 30,
      "send_timeout": 30,
      "idle_timeout": 180,
      "max_body_size": $(numfmt --from=iec ${UPLOAD_MAX_FILESIZE})
    }
  },
  "listeners": {
    "127.0.0.1:8080": {
      "pass": "routes/wordpress"
    }
  },
  "routes": {
    "wordpress": [
      {
        "match": {
          "uri": [
            "*.php",
            "*.php/*",
            "/wp-admin/"
          ]
        },
        "action": {
          "pass": "applications/wordpress/direct"
        }
      },
      {
        "action": {
          "share": "/var/www/wordpress",
          "fallback": {
            "pass": "applications/wordpress/index"
          }
        }
      }
    ]
  },
  "applications": {
    "wordpress": {
      "type": "php",
      "user": "www-data",
      "group": "www-data",
      "processes": {
        "max": ${MAX_PHP_PROCESSES},
        "spare": 1
      },
      "isolation": {
        ${NAMESPACES}
      },
      "targets": {
        "direct": {
          "root": "/var/www/wordpress/"
        },
        "index": {
          "root": "/var/www/wordpress/",
          "script": "index.php"
        }
      }
    }
  }
}
EOM

curl -X PUT --data-binary @/tmp/wordpress.json --unix-socket /run/control.unit.sock http://localhost/config

Configuring NGINX

Basic NGINX configuration

The script creates a directory for the NGINX cache and then writes the main nginx.conf configuration file. Note the number of worker processes and the maximum upload size setting. There is also a line that includes the compression configuration file described in the next section, followed by the caching settings.

# Make directory for NGINX cache
mkdir -p /var/cache/nginx/proxy

echo " Configuring NGINX"
# The heredoc is unquoted so that ${NGINX_CONF_DIR} and ${UPLOAD_MAX_FILESIZE}
# expand; NGINX's own $variables are therefore escaped as \$
cat > ${NGINX_CONF_DIR}/nginx.conf << EOM
user nginx;
worker_processes auto;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       ${NGINX_CONF_DIR}/mime.types;
    default_type  application/octet-stream;
    log_format  main  '\$remote_addr - \$remote_user [\$time_local] "\$request" '
                      '\$status \$body_bytes_sent "\$http_referer" '
                      '"\$http_user_agent" "\$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    client_max_body_size ${UPLOAD_MAX_FILESIZE};
    keepalive_timeout  65;
    # gzip settings
    include ${NGINX_CONF_DIR}/gzip_compression.conf;
    # Cache settings
    proxy_cache_path /var/cache/nginx/proxy
        levels=1:2
        keys_zone=wp_cache:10m
        max_size=10g
        inactive=60m
        use_temp_path=off;
    include ${NGINX_CONF_DIR}/conf.d/*.conf;
}
EOM

Configuring NGINX compression

Compressing content on the fly before sending it to clients is a great way to improve site performance, but only if compression is configured correctly. This part of the script is based on the settings from here.

cat > ${NGINX_CONF_DIR}/gzip_compression.conf << 'EOM'
# Credit: https://github.com/h5bp/server-configs-nginx/
# ----------------------------------------------------------------------
# | Compression                                                        |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 6;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
  application/atom+xml
  application/geo+json
  application/javascript
  application/x-javascript
  application/json
  application/ld+json
  application/manifest+json
  application/rdf+xml
  application/rss+xml
  application/vnd.ms-fontobject
  application/wasm
  application/x-web-app-manifest+json
  application/xhtml+xml
  application/xml
  font/eot
  font/otf
  font/ttf
  image/bmp
  image/svg+xml
  text/cache-manifest
  text/calendar
  text/css
  text/javascript
  text/markdown
  text/plain
  text/xml
  text/vcard
  text/vnd.rim.location.xloc
  text/vtt
  text/x-component
  text/x-cross-domain-policy;
EOM

Configuring NGINX for WordPress

Next, the script creates a configuration file for WordPress, default.conf, in the conf.d directory. It configures the following:

  • Enabling the TLS certificates obtained from Let's Encrypt via Certbot (the certificates themselves are set up in the next section)
  • TLS security settings based on the recommendations from Let's Encrypt
  • Caching of cacheable responses for 1 hour by default
  • Disabling access logging, as well as error logging when the file is missing, for two commonly requested files: favicon.ico and robots.txt
  • Denying access to hidden files and to certain .php files, preventing unauthorized access or unintended execution
  • Disabling access logging for static and font files
  • Setting the Access-Control-Allow-Origin header for font files
  • Routing for index.php and other static files.

# Unquoted heredoc: NGINX $variables are escaped as \$ so the shell leaves them alone,
# while ${TLS_HOSTNAME}, ${CERT_DIR} and ${NGINX_CONF_DIR} are expanded
cat > ${NGINX_CONF_DIR}/conf.d/default.conf << EOM
upstream unit_php_upstream {
    server 127.0.0.1:8080;
    keepalive 32;
}
server {
    listen 80;
    listen [::]:80;
    # ACME-challenge used by Certbot for Let's Encrypt
    location ^~ /.well-known/acme-challenge/ {
      root /var/www/certbot;
    }
    location / {
      return 301 https://${TLS_HOSTNAME}\$request_uri;
    }
}
server {
    listen      443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${TLS_HOSTNAME};
    root        /var/www/wordpress/;
    # Let's Encrypt configuration
    ssl_certificate         ${CERT_DIR}/fullchain.pem;
    ssl_certificate_key     ${CERT_DIR}/privkey.pem;
    ssl_trusted_certificate ${CERT_DIR}/chain.pem;
    include ${NGINX_CONF_DIR}/options-ssl-nginx.conf;
    ssl_dhparam ${NGINX_CONF_DIR}/ssl-dhparams.pem;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # Proxy caching
    proxy_cache wp_cache;
    proxy_cache_valid 200 302 1h;
    proxy_cache_valid 404 1m;
    proxy_cache_revalidate on;
    proxy_cache_background_update on;
    proxy_cache_lock on;
    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd,
    # .DS_Store (Mac)
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban)
    location ~ /\. {
        deny all;
    }
    # Deny access to any files with a .php extension in the uploads directory;
    # works in subdirectory installs and also in multi-site network.
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban).
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }
    # WordPress: deny access to wp-content, wp-includes PHP files
    location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
        deny all;
    }
    # Deny public access to wp-config.php
    location ~* wp-config\.php {
        deny all;
    }
    # Do not log access for static assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        access_log off;
    }
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        access_log off;
    }
    location / {
        try_files \$uri @index_php;
    }
    location @index_php {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$host;
        proxy_pass       http://unit_php_upstream;
    }
    location ~* \.php$ {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$host;
        try_files        \$uri =404;
        proxy_pass       http://unit_php_upstream;
    }
}
EOM
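A way to check the deny rules above against sample paths offline, as an added example that is not part of the original configuration: it reproduces how NGINX selects a location for this default.conf (exact `=` matches first, then regex locations in file order, then the `/` prefix) with the config's PCRE patterns rewritten as POSIX ERE for grep, and runs a constructed table of paths through it. Function names and sample paths are my own; the `/wp-config.php.bak` case shows that the unanchored wp-config rule also covers copies with extra suffixes.

```shell
# Added example, not from the original script: offline classifier for the
# location rules in default.conf, useful as a regression check after edits.

# Prints the label of the location that default.conf would select for a path.
route_for_path() {
  local path
  path="$1"
  # Exact-match locations win regardless of order.
  case "${path}" in
    /favicon.ico) echo "favicon"; return ;;
    /robots.txt)  echo "robots";  return ;;
  esac
  # Regex locations in file order; the first match wins. "~" is case
  # sensitive, "~*" is not (grep -i).
  if printf '%s\n' "${path}" | grep -Eq '/\.'; then
    echo "deny-hidden"
  elif printf '%s\n' "${path}" | grep -Eiq '/(uploads|files)/.*\.php$'; then
    echo "deny-uploads-php"
  elif printf '%s\n' "${path}" | grep -Eiq '^/(wp-content|wp-includes)/.*\.php$'; then
    echo "deny-wp-content-php"
  elif printf '%s\n' "${path}" | grep -Eiq 'wp-config\.php'; then
    echo "deny-wp-config"
  elif printf '%s\n' "${path}" | grep -Eiq '\.(css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$'; then
    echo "static"
  elif printf '%s\n' "${path}" | grep -Eiq '\.(svgz?|ttf|ttc|otf|eot|woff2?)$'; then
    echo "font"
  elif printf '%s\n' "${path}" | grep -Eiq '\.php$'; then
    echo "php-upstream"
  else
    # Prefix location "/" -> try_files $uri @index_php
    echo "try-files"
  fi
}

# Returns 0 when the path hits a deny rule (403 from NGINX), 1 otherwise.
is_denied() {
  case "$(route_for_path "$1")" in
    deny-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed path|expected-label table; returns the number of mismatches.
check_rules() {
  local failures path expected got
  failures=0
  while IFS='|' read -r path expected; do
    [ -n "${path}" ] || continue
    got="$(route_for_path "${path}")"
    if [ "${got}" != "${expected}" ]; then
      echo "MISMATCH ${path}: expected ${expected}, got ${got}" >&2
      failures=$((failures + 1))
    fi
  done <<'EOF'
/.htaccess|deny-hidden
/.git/config|deny-hidden
/wp-content/uploads/2020/04/image.php|deny-uploads-php
/wp-content/plugins/example/example.php|deny-wp-content-php
/wp-includes/load.php|deny-wp-content-php
/wp-config.php|deny-wp-config
/backup/wp-config.php.bak|deny-wp-config
/wp-content/uploads/2020/04/image.JPG|static
/wp-content/themes/example/style.css|static
/wp-content/themes/example/font.woff2|font
/index.php|php-upstream
/wp-admin/index.php|php-upstream
/wp-admin/|try-files
/2020/04/hello-world/|try-files
EOF
  return "${failures}"
}
```

Run `check_rules` after changing default.conf; a non-zero return lists the paths whose handling moved.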

Setting up Certbot for Let's Encrypt certificates and automatic renewal

Certbot is a free tool from the Electronic Frontier Foundation (EFF) that obtains TLS certificates from Let's Encrypt and renews them automatically. The script does the following to configure Certbot to manage Let's Encrypt certificates for NGINX:

  • Stops NGINX
  • Downloads the recommended TLS settings
  • Runs Certbot to obtain certificates for the site
  • Starts NGINX again so that it uses the certificates
  • Configures Certbot to run daily at 3:24 AM to check whether the certificates need renewal and, if so, fetch new certificates and reload NGINX.

echo " Stopping NGINX in order to set up Let's Encrypt"
service nginx stop

mkdir -p /var/www/certbot
chown www-data:www-data /var/www/certbot
chmod g+s /var/www/certbot

if [ ! -f ${NGINX_CONF_DIR}/options-ssl-nginx.conf ]; then
  echo " Downloading recommended TLS parameters"
  curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:36:07 GMT" \
    -o "${NGINX_CONF_DIR}/options-ssl-nginx.conf" \
    "https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf" \
    || echo "Couldn't download latest options-ssl-nginx.conf"
fi

if [ ! -f ${NGINX_CONF_DIR}/ssl-dhparams.pem ]; then
  echo " Downloading recommended TLS DH parameters"
  curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:49:18 GMT" \
    -o "${NGINX_CONF_DIR}/ssl-dhparams.pem" \
    "https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem" \
    || echo "Couldn't download latest ssl-dhparams.pem"
fi

# If tls_certs_init.sh hasn't been run before, remove the self-signed certs
if [ ! -d "/etc/letsencrypt/accounts" ]; then
  echo " Removing self-signed certificates"
  rm -rf "${CERT_DIR}"
fi

if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
  CERTBOT_STAGING_FLAG=""
else
  CERTBOT_STAGING_FLAG="--staging"
fi

if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
  echo " Generating certificates with Let's Encrypt"
  certbot certonly --standalone \
         -m "${WORDPRESS_ADMIN_EMAIL}" \
         ${CERTBOT_STAGING_FLAG} \
         --agree-tos --force-renewal --non-interactive \
         -d "${TLS_HOSTNAME}"
fi

echo " Starting NGINX in order to use new configuration"
service nginx start

# Write crontab for periodic Let's Encrypt cert renewal
if [ "$(crontab -l | grep -m1 'certbot renew')" == "" ]; then
  echo " Adding certbot to crontab for automatic Let's Encrypt renewal"
  (crontab -l 2>/dev/null; echo "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'") | crontab -
fi

Adding your own customizations to the site

Above we discussed how our script configures NGINX and NGINX Unit to serve a production-ready site with TLS/SSL. Depending on your needs, you may later want to add:

  • Brotli support, which improves on-the-fly compression over HTTPS
  • ModSecurity with a WordPress rule set, to block automated attacks against your site
  • WordPress backups that suit your situation
  • Hardening with the help of AppArmor (on Ubuntu)
  • Postfix or msmtp so that WordPress can send mail
  • Load testing of your site so you know how much traffic it can handle

For even better site performance we recommend upgrading to NGINX Plus, our commercial, enterprise-grade product based on open source NGINX. Subscribers get a dynamically loadable Brotli module, as well as (for an additional fee) the NGINX ModSecurity WAF. We also offer NGINX App Protect, a WAF module for NGINX Plus built on the industry-leading security technology from F5.

NB For supporting a high-load site you can contact the Southbridge specialists. We ensure fast and reliable operation of your site or service under any load.

Source: www.habr.com