Pane zvakawanda zvezvinhu kunze uko pakuisa WordPress; kutsvaga kweGoogle kwe "WordPress install" kunodzosa hafu yemiriyoni mhinduro. Nekudaro, pane chaizvo mashoma anobatsira madhairekitori kunze uko anogona kukubatsira iwe kuisa uye kugadzirisa WordPress uye iri pasi peiyo sisitimu yekushandisa kuitira kuti vagone kutsigirwa kwenguva yakareba. Zvichida marongero akakodzera anotsamira zvakanyanya pane zvaunoda chaizvo, kana kuti zvinogona kunge zviri nekuti tsananguro yakadzama inoita kuti chinyorwa chiome kuverenga.
Muchinyorwa chino, tichaedza kuisa pamwe chete akanakisa epasirese nekupa bash script yekuisa otomatiki WordPress paUbuntu, uye isu tichafamba mazviri, tichitsanangura zvinoitwa nechidimbu chimwe nechimwe uye tradeoffs yatakaita mukuigadzira. Kana iwe uri mushandisi ane ruzivo, unogona kusvetuka zvinyorwa zvechinyorwa uye chete kugadzirisa uye kushandiswa munzvimbo dzako. Kubuda kwechinyorwa itsika WordPress yekumisikidza ine Lets Encrypt rutsigiro, inoshanda paNGINX Unit uye yakakodzera kushandiswa kwemaindasitiri.
Iyo yakagadziridzwa dhizaini yekuisa WordPress uchishandisa NGINX Unit inotsanangurwa mukati , isu tichazowedzerawo kugadzirisa zvinhu izvo zvisina kufukidzwa ipapo (sezviri mune mamwe akawanda tutorials):
- WordPress CLI
- Ngatinyorei uye TLSSSL zvitupa
- Otomatiki chitupa kuvandudzwa
- NGINX Caching
- NGINX compression
- HTTPS uye HTTP/2 rutsigiro
- Process otomatiki
Chinyorwa chinotsanangura kuisirwa pane imwe sevha, iyo ichaita panguva imwe chete static processing server, PHP yekugadzirisa server, uye dhatabhesi. Kuisirwa nerutsigiro rweakawanda madhiri evaenzi uye masevhisi inyaya inogona kuitika mune ramangwana. Kana iwe uchida kuti tinyore pamusoro pechinhu chisiri muzvinyorwa izvi, nyora mumashoko.
zvinodiwa
- Server mudziyo ( kana ), muchina chaiwo, kana sevha yenguva dzose yehardware, ine ingangoita 512MB ye RAM uye Ubuntu 18.04 kana kuti ichangoburwa yakaiswa.
- Internet inowanikwa zviteshi 80 uye 443
- Zita renzvimbo rinodyidzana neruzhinji IP kero yeserver ino
- Svika nemidzi kodzero (sudo).
Architecture overview
Mavakirwo acho akafanana nekutsanangurwa , ane-tier-matatu web application. Iyo ine PHP zvinyorwa zvinotevedzwa pane iyo PHP injini uye static mafaera anogadziriswa newebhu server.
General mazano
- Mizhinji yemirairo yekumisikidza mune script yakaputirwa mukati kana mamiriro ekuzivikanwa: iyo script inogona kumhanyisa kakawanda pasina njodzi yekuchinja marongero atogadzirira.
- Iyo script inoedza kuisa software kubva kune repositori, saka iwe unogona kuisa masisitimu ekugadzirisa mune imwechete kuraira (
apt upgradeyeUbuntu). - Matimu anoedza kuona kuti ari kumhanya mumudziyo kuti akwanise kuchinja marongero azvo zvinoenderana.
- Kuti uise huwandu hwematambo maitiro ekutangwa muzvirongwa, iyo script inoedza kufungidzira otomatiki marongero ekushanda mumidziyo, chaiwo muchina, uye maseva ehardware.
- Kana tichitsanangura marongero, isu tinogara tichifunga pekutanga nezve otomatiki, iyo yatinotarisira kuti ichave hwaro hwekugadzira yako wega zvivakwa sekodhi.
- Mirairo yese inomhanya kubva kumushandisi mudzi, nekuti vanoshandura masisitimu ekutanga, asi WordPress pachayo inomhanya semushandisi wenguva dzose.
Kuseta mamiriro akasiyana
Seta zvinotevera zvinosiyana nharaunda usati wamhanyisa script:
WORDPRESS_DB_PASSWORD- WordPress dhatabhesi passwordWORDPRESS_ADMIN_USER- WordPress admin usernameWORDPRESS_ADMIN_PASSWORD- WordPress admin passwordWORDPRESS_ADMIN_EMAIL- WordPress admin emailWORDPRESS_URL- yakazara URL yeWordPress saiti, kutangahttps://.LETS_ENCRYPT_STAGING- isina chinhu nekumisikidza, asi nekuisa kukosha kune 1, iwe uchashandisa Let's Encrypt's staging maseva, ayo anodiwa kugara uchikumbira zvitupa paunenge uchiyedza marongero ako, zvikasadaro Let's Encrypt inogona kuvhara kero yako kwenguva pfupi yeIP nekuda kwehuwandu hwezvikumbiro.
Iyo script inotarisa kuti aya WordPress ane hukama akasiyana akaiswa uye anobuda kana asina.
Script mitsetse 572-576 tarisa kukosha LETS_ENCRYPT_STAGING.
Kugadzirisa zvakabva kumamiriro ekuchinja
Iyo script pamitsetse 55-61 inoseta anotevera nharaunda shanduko, ingave kune imwe yakaoma-coded kukosha kana kushandisa kukosha kunobva kune akasiyana akaiswa muchikamu chakapfuura:
DEBIAN_FRONTEND="noninteractive"- inoudza maapplication kuti ari kushanda mune script uye hapana mukana wekudyidzana nemushandisi.WORDPRESS_CLI_VERSION="2.4.0"- WordPress CLI vhezheni yekushandisa.WORDPRESS_CLI_MD5= "dedd5a662b80cda66e9e25d44c23b25c"- cheki cheiyo WordPress CLI 2.4.0 faira inogoneka (iyo vhezheni inoratidzwa mukusiyanaWORDPRESS_CLI_VERSION) Iyo script pamutsetse 162 inoshandisa kukosha uku kuratidza kuti chaiyo WordPress CLI faira yakatorwa.UPLOAD_MAX_FILESIZE="16M"- iyo yakakura saizi yefaira inogona kuiswa kuWordPress. Setting iyi inoshandiswa munzvimbo dzakati wandei, saka zviri nyore kuiisa panzvimbo imwechete.TLS_HOSTNAME= "$(echo ${WORDPRESS_URL} | cut -d'/' -f3)"- system hostname, yakatorwa kubva kuWORDPRESS_URL musiyano. Inoshandiswa kuwana zvitupa zvakakodzera zveTLS/SSL kubva kuLet Encrypt, pamwe neyemukati WordPress verification.NGINX_CONF_DIR="/etc/nginx"- nzira yekuenda kune dhairekitori ine NGINX marongero, kusanganisira iyo huru fairanginx.conf.CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}"- nzira yeKuti Tinyorere zvitupa zveiyo WordPress saiti, yakawanikwa kubva pane inosiyanaTLS_HOSTNAME.
Kugovera hostname kune WordPress server
Iyo script inoseta sevha zita rekutambira kuitira kuti kukosha kuenderane nezita renzvimbo yesaiti. Izvi hazvidiwi, asi zviri nyore kutumira tsamba inobuda kuburikidza neSMTP paunenge uchigadzira sevha imwe chete, sekugadziriswa nescript.
script code
# Change the hostname to be the same as the WordPress hostname
if [ ! "$(hostname)" == "${TLS_HOSTNAME}" ]; then
echo " Changing hostname to ${TLS_HOSTNAME}"
hostnamectl set-hostname "${TLS_HOSTNAME}"
fiKuwedzera hostname ku /etc/hosts
Kuwedzera inoshandiswa kuita mabasa enguva nenguva, inoda WordPress kuti ikwanise kuzviwana pachayo kuburikidza neHTTP. Kuve nechokwadi chekuti WP-Cron inoshanda nemazvo munzvimbo dzese, script inowedzera mutsara kune faira / etc / maokokuitira kuti WordPress ikwanise kuzviwanira pachayo kuburikidza neiyo loopback interface:
script code
# Add the hostname to /etc/hosts
if [ "$(grep -m1 "${TLS_HOSTNAME}" /etc/hosts)" = "" ]; then
echo " Adding hostname ${TLS_HOSTNAME} to /etc/hosts so that WordPress can ping itself"
printf "::1 %sn127.0.0.1 %sn" "${TLS_HOSTNAME}" "${TLS_HOSTNAME}" >> /etc/hosts
fiKuisa zvishandiso zvinodiwa pamatanho anotevera
Iyo yese script inoda mamwe mapurogiramu uye inofungidzira kuti marekodhi ari kusvika parizvino. Isu tinovandudza rondedzero yezvinyorwa, uye tozoisa maturusi anodiwa:
script code
# Make sure tools needed for install are present
echo " Installing prerequisite tools"
apt-get -qq update
apt-get -qq install -y
bc
ca-certificates
coreutils
curl
gnupg2
lsb-releaseKuwedzera iyo NGINX Unit uye NGINX repositori
Iyo script inoisa NGINX Unit uye yakavhurika sosi NGINX kubva kune yepamutemo NGINX repositories kuti ive nechokwadi chekuti mavhezheni ane ichangoburwa kuchengetedza uye kugadzirisa kwebug anoshandiswa.
Iyo script inowedzera iyo NGINX Unit repository uyezve iyo NGINX repository, ichiwedzera iyo repositories kiyi uye kuseta mafaera. apt, kutsanangura kuwana marepositories kuburikidza neInternet.
Iko kuiswa chaiko kweNGINX Unit uye NGINX kunoitika muchikamu chinotevera. Isu tinofano wedzera marepositori kuti tidzivise kuvandudza metadata kakawanda, kuita kuisirwa nekukurumidza.
script code
# Install the NGINX Unit repository
if [ ! -f /etc/apt/sources.list.d/unit.list ]; then
echo " Installing NGINX Unit repository"
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb https://packages.nginx.org/unit/ubuntu/ $(lsb_release -cs) unit" > /etc/apt/sources.list.d/unit.list
fi
# Install the NGINX repository
if [ ! -f /etc/apt/sources.list.d/nginx.list ]; then
echo " Installing NGINX repository"
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb https://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
fiKuisa NGINX, NGINX Unit, PHP MariaDB, Certbot (Ngatinyorei) uye zvinoenderana navo
Kana zvese zvinyorwa zvawedzerwa, tinovandudza metadata uye kuisa maapplication. Iwo mapakeji akaiswa neiyo script anosanganisirawo PHP yekuwedzera inokurudzirwa paunenge uchimhanyisa WordPress.org
script code
echo " Updating repository metadata"
apt-get -qq update
# Install PHP with dependencies and NGINX Unit
echo " Installing PHP, NGINX Unit, NGINX, Certbot, and MariaDB"
apt-get -qq install -y --no-install-recommends
certbot
python3-certbot-nginx
php-cli
php-common
php-bcmath
php-curl
php-gd
php-imagick
php-mbstring
php-mysql
php-opcache
php-xml
php-zip
ghostscript
nginx
unit
unit-php
mariadb-serverKumisikidza PHP yekushandisa neNGINX Unit uye WordPress
Iyo script inogadzira faira rekuisa mune dhairekitori conf.d. Izvi zvinoseta saizi yepamusoro yekurodha faira yePHP, inoita kuti zvikanganiso zvePHP zvibudiswe kuSTDERR saka ivo vanozoiswa kuNGINX Unit, uye votangazve iyo NGINX Unit.
script code
# Find the major and minor PHP version so that we can write to its conf.d directory
PHP_MAJOR_MINOR_VERSION="$(php -v | head -n1 | cut -d' ' -f2 | cut -d'.' -f1,2)"
if [ ! -f "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" ]; then
echo " Configuring PHP for use with NGINX Unit and WordPress"
# Add PHP configuration overrides
cat > "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" << EOM
; Set a larger maximum upload size so that WordPress can handle
; bigger media files.
upload_max_filesize=${UPLOAD_MAX_FILESIZE}
post_max_size=${UPLOAD_MAX_FILESIZE}
; Write error log to STDERR so that error messages show up in the NGINX Unit log
error_log=/dev/stderr
EOM
fi
# Restart NGINX Unit because we have reconfigured PHP
echo " Restarting NGINX Unit"
service unit restartKuisa MariaDB Database Settings yeWordPress
Isu takasarudza MariaDB pamusoro peMySQL nekuti ine zvimwe zviitiko zvenharaunda uye inogona zvakare (Pamwe, zvese zviri nyore pano: kuisa MySQL, unofanirwa kuwedzera imwe repository, approx. muturikiri).
Iyo script inogadzira dhatabhesi nyowani uye inogadzira WordPress yekuwana zvitupa kuburikidza neiyo loopback interface:
script code
# Set up the WordPress database
echo " Configuring MariaDB for WordPress"
mysqladmin create wordpress || echo "Ignoring above error because database may already exist"
mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO "wordpress"@"localhost" IDENTIFIED BY "$WORDPRESS_DB_PASSWORD"; FLUSH PRIVILEGES;"Kuisa iyo WordPress CLI chirongwa
Panguva iyi script inoisa purogiramu . Nayo, iwe unogona kuisa uye kubata WordPress zvigadziriso pasina kugadzirisa nemaoko mafaera, kugadzirisa dhatabhesi, kana kupinda mupaneru yekudzora. Inogona zvakare kushandiswa kuisa misoro uye ma-add-ons uye kugadzirisa WordPress.
script code
if [ ! -f /usr/local/bin/wp ]; then
# Install the WordPress CLI
echo " Installing the WordPress CLI tool"
curl --retry 6 -Ls "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" > /usr/local/bin/wp
echo "$WORDPRESS_CLI_MD5 /usr/local/bin/wp" | md5sum -c -
chmod +x /usr/local/bin/wp
fiKuisa uye Kugadzirisa WordPress
Iyo script inoisa yazvino vhezheni yeWordPress mudhairekitori /var/www/wordpress, uye zvakare inoshandura marongero:
- Iyo database yekubatanidza inoshanda pamusoro peunix domain socket panzvimbo yeTCP pane loopback kuderedza TCP traffic.
- WordPress inowedzera prefix https:// kune iyo URL kana vatengi vakabatana neNGINX pamusoro peHTTPS, uye zvakare inotumira iyo kure hostname (sekupihwa neNGINX) kuPHP. Isu tinoshandisa chidimbu chekodhi kumisikidza iyi.
- WordPress inoda HTTPS kuti ipinde
- Chimiro che URL chinyararire chinobva kune zviwanikwa
- Yakarurama faira system mvumo inogadzirirwa iyo WordPress dhairekitori.
script code
if [ ! -d /var/www/wordpress ]; then
# Create WordPress directories
mkdir -p /var/www/wordpress
chown -R www-data:www-data /var/www
# Download WordPress using the WordPress CLI
echo " Installing WordPress"
su -s /bin/sh -c 'wp --path=/var/www/wordpress core download' www-data
WP_CONFIG_CREATE_CMD="wp --path=/var/www/wordpress config create --extra-php --dbname=wordpress --dbuser=wordpress --dbhost="localhost:/var/run/mysqld/mysqld.sock" --dbpass="${WORDPRESS_DB_PASSWORD}""
# This snippet is injected into the wp-config.php file when it is created;
# it informs WordPress that we are behind a reverse proxy and as such
# allows it to generate links using HTTPS
cat > /tmp/wp_forwarded_for.php << 'EOM'
/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
$_SERVER['HTTPS'] = 'on';
}
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
EOM
# Create WordPress configuration
su -s /bin/sh -p -c "cat /tmp/wp_forwarded_for.php | ${WP_CONFIG_CREATE_CMD}" www-data
rm /tmp/wp_forwarded_for.php
su -s /bin/sh -p -c "wp --path=/var/www/wordpress config set 'FORCE_SSL_ADMIN' 'true'" www-data
# Install WordPress
WP_SITE_INSTALL_CMD="wp --path=/var/www/wordpress core install --url="${WORDPRESS_URL}" --title="${WORDPRESS_SITE_TITLE}" --admin_user="${WORDPRESS_ADMIN_USER}" --admin_password="${WORDPRESS_ADMIN_PASSWORD}" --admin_email="${WORDPRESS_ADMIN_EMAIL}" --skip-email"
su -s /bin/sh -p -c "${WP_SITE_INSTALL_CMD}" www-data
# Set permalink structure to a sensible default that isn't in the UI
su -s /bin/sh -p -c "wp --path=/var/www/wordpress option update permalink_structure '/%year%/%monthnum%/%postname%/'" www-data
# Remove sample file because it is cruft and could be a security problem
rm /var/www/wordpress/wp-config-sample.php
# Ensure that WordPress permissions are correct
find /var/www/wordpress -type d -exec chmod g+s {} ;
chmod g+w /var/www/wordpress/wp-content
chmod -R g+w /var/www/wordpress/wp-content/themes
chmod -R g+w /var/www/wordpress/wp-content/plugins
fiKumisikidza NGINX Unit
Iyo script inogadzirisa NGINX Unit kuti imhanye PHP uye ibate nzira dzeWordPress, ichitsaura iyo nzvimbo yezita yePHP maitiro uye nekugonesa maitiro ekuita. Pane zvinhu zvitatu zvakakodzera kutarisisa:
- Rutsigiro rweNamespace runotemerwa nemamiriro, zvichibva pakutarisa kuti script iri kushanda mumudziyo. Izvi zvinodikanwa nekuti mazhinji emidziyo yekuseta haitsigire nested kumhanya kwemidziyo.
- Kana paine tsigiro yemazita, nzvimbo yezita inovharwa samambure. Izvi zvinodikanwa kubvumira WordPress kuti ibatane panguva imwe chete kune ekupedzisira uye iwanikwe paInternet.
- Huwandu hwehuwandu hwemaitiro hunotarwa sezvizvi: (Inowanikwa ndangariro yekumhanyisa MariaDB uye NGINX Uniy)/(RAM muganho muPHP + 5)
Ukoshi uhwu hwakaiswa mune iyo NGINX Unit marongero.
Kukosha uku kunorevawo kuti pane nguva dzose dzinenge mbiri dzePHP dzinomhanya, izvo zvakakosha nekuti WordPress inoita zvakawanda zvikumbiro zveasynchronous pachayo, uye pasina mamwe maitiro anomhanya, semuenzaniso, WP-Cron ichatsemuka. Ungangoda kuwedzera kana kuderedza miganho iyi zvichienderana nezvirongwa zvepanzvimbo yako, nekuti marongero akagadzirwa pano anochengetedza. Pamagadzirirwo mazhinji ekugadzira marongero ari pakati pe10 ne100.
script code
if [ "${container:-unknown}" != "lxc" ] && [ "$(grep -m1 -a container=lxc /proc/1/environ | tr -d '')" == "" ]; then
NAMESPACES='"namespaces": {
"cgroup": true,
"credential": true,
"mount": true,
"network": false,
"pid": true,
"uname": true
}'
else
NAMESPACES='"namespaces": {}'
fi
PHP_MEM_LIMIT="$(grep 'memory_limit' /etc/php/7.4/embed/php.ini | tr -d ' ' | cut -f2 -d= | numfmt --from=iec)"
AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
MAX_PHP_PROCESSES="$(echo "${AVAIL_MEM}/${PHP_MEM_LIMIT}+5" | bc)"
echo " Calculated the maximum number of PHP processes as ${MAX_PHP_PROCESSES}. You may want to tune this value due to variations in your configuration. It is not unusual to see values between 10-100 in production configurations."
echo " Configuring NGINX Unit to use PHP and WordPress"
cat > /tmp/wordpress.json << EOM
{
"settings": {
"http": {
"header_read_timeout": 30,
"body_read_timeout": 30,
"send_timeout": 30,
"idle_timeout": 180,
"max_body_size": $(numfmt --from=iec ${UPLOAD_MAX_FILESIZE})
}
},
"listeners": {
"127.0.0.1:8080": {
"pass": "routes/wordpress"
}
},
"routes": {
"wordpress": [
{
"match": {
"uri": [
"*.php",
"*.php/*",
"/wp-admin/"
]
},
"action": {
"pass": "applications/wordpress/direct"
}
},
{
"action": {
"share": "/var/www/wordpress",
"fallback": {
"pass": "applications/wordpress/index"
}
}
}
]
},
"applications": {
"wordpress": {
"type": "php",
"user": "www-data",
"group": "www-data",
"processes": {
"max": ${MAX_PHP_PROCESSES},
"spare": 1
},
"isolation": {
${NAMESPACES}
},
"targets": {
"direct": {
"root": "/var/www/wordpress/"
},
"index": {
"root": "/var/www/wordpress/",
"script": "index.php"
}
}
}
}
}
EOM
curl -X PUT --data-binary @/tmp/wordpress.json --unix-socket /run/control.unit.sock http://localhost/configKugadzira NGINX
Kugadzirisa Basic NGINX Settings
Iyo script inogadzira dhairekitori yeNGINX cache uye yobva yagadzira iyo huru yekumisikidza faira nginx.conf. Teerera kune huwandu hweanobata maitiro uye iyo yakanyanya faira saizi kuseta yekurodha. Iko kunewo mutsara umo iyo compression settings file, inotsanangurwa muchikamu chinotevera, yakabatanidzwa, inoteverwa ne caching settings.
script code
# Make directory for NGINX cache
mkdir -p /var/cache/nginx/proxy
echo " Configuring NGINX"
cat > ${NGINX_CONF_DIR}/nginx.conf << EOM
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include ${NGINX_CONF_DIR}/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
client_max_body_size ${UPLOAD_MAX_FILESIZE};
keepalive_timeout 65;
# gzip settings
include ${NGINX_CONF_DIR}/gzip_compression.conf;
# Cache settings
proxy_cache_path /var/cache/nginx/proxy
levels=1:2
keys_zone=wp_cache:10m
max_size=10g
inactive=60m
use_temp_path=off;
include ${NGINX_CONF_DIR}/conf.d/*.conf;
}
EOMKugadzira NGINX compression
Kudzvanya zvirimo panhunzi usati wazvitumira kune vatengi inzira huru yekuvandudza mashandiro esaiti, asi chete kana kudzvanya kwakagadziriswa nemazvo. Ichi chikamu che script chinobva pazvirongwa .
script code
cat > ${NGINX_CONF_DIR}/gzip_compression.conf << 'EOM'
# Credit: https://github.com/h5bp/server-configs-nginx/
# ----------------------------------------------------------------------
# | Compression |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 6;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.ms-fontobject
application/wasm
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/bmp
image/svg+xml
text/cache-manifest
text/calendar
text/css
text/javascript
text/markdown
text/plain
text/xml
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
EOMKumisikidza NGINX yeWordPress
Tevere, iyo script inogadzira faira yekumisikidza yeWordPress default.conf mubhuku conf.d. Heino iyo yakagadzirirwa:
- Kumisikidza zvitupa zveTLS zvakatambirwa kubva kuRega Encrypt kuburikidza neCertbot (kuigadzirisa kuchave muchikamu chinotevera)
- Gadzirisa TLS kuchengetedza marongero zvichienderana nekurudziro kubva kuLet Encrypt
- Bvunza zvadarika chikumbiro chekuchengetedza kweawa imwe chete nekusarudzika
- Dzima kupinda matanda, pamwe nekukanganisa kutema kana faira risi kuwanikwa, kune maviri akajairika mafaira akakumbirwa: favicon.ico uye robots.txt.
- Ramba kuwana mafaera akavanzika uye mamwe mafaera .phpkudzivirira kupinda zvisiri pamutemo kana kuvhurwa nemaune
- Dzima kupinda mukati kwemafaira akamira uye mafonti
- Kuisa musoro kune mafaira emafonti
- Kuwedzera nzira ye index.php uye mamwe maitiro.
script code
cat > ${NGINX_CONF_DIR}/conf.d/default.conf << EOM
upstream unit_php_upstream {
server 127.0.0.1:8080;
keepalive 32;
}
server {
listen 80;
listen [::]:80;
# ACME-challenge used by Certbot for Let's Encrypt
location ^~ /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://${TLS_HOSTNAME}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${TLS_HOSTNAME};
root /var/www/wordpress/;
# Let's Encrypt configuration
ssl_certificate ${CERT_DIR}/fullchain.pem;
ssl_certificate_key ${CERT_DIR}/privkey.pem;
ssl_trusted_certificate ${CERT_DIR}/chain.pem;
include ${NGINX_CONF_DIR}/options-ssl-nginx.conf;
ssl_dhparam ${NGINX_CONF_DIR}/ssl-dhparams.pem;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# Proxy caching
proxy_cache wp_cache;
proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1m;
proxy_cache_revalidate on;
proxy_cache_background_update on;
proxy_cache_lock on;
proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd,
# .DS_Store (Mac)
# Keep logging the requests to parse later (or to pass to firewall utilities
# such as fail2ban)
location ~ /. {
deny all;
}
# Deny access to any files with a .php extension in the uploads directory;
# works in subdirectory installs and also in multi-site network.
# Keep logging the requests to parse later (or to pass to firewall utilities
# such as fail2ban).
location ~* /(?:uploads|files)/.*.php$ {
deny all;
}
# WordPress: deny access to wp-content, wp-includes PHP files
location ~* ^/(?:wp-content|wp-includes)/.*.php$ {
deny all;
}
# Deny public access to wp-config.php
location ~* wp-config.php {
deny all;
}
# Do not log access for static assets, media
location ~* .(?:css(.map)?|js(.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
access_log off;
}
location ~* .(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
add_header Access-Control-Allow-Origin "*";
access_log off;
}
location / {
try_files $uri @index_php;
}
location @index_php {
proxy_socket_keepalive on;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://unit_php_upstream;
}
location ~* .php$ {
proxy_socket_keepalive on;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
try_files $uri =404;
proxy_pass http://unit_php_upstream;
}
}
EOMKugadzirisa Certbot yeRega Encrypt zvitupa uye nekuzvivandudza otomatiki
chishandiso chemahara kubva kuElectronic Frontier Foundation (EFF) iyo inokutendera iwe kuti utore uye uvandudze otomatiki zvitupa zveTLS kubva kuLet Encrypt. Iyo script inoita nhanho dzinotevera kugadzirisa Certbot kugadzirisa zvitupa kubva Let's Encrypt muNGINX:
- Inomisa NGINX
- Dhaunirodha inokurudzirwa marongero eTLS
- Inomhanya Certbot kuwana zvitupa zvesaiti
- Inotangazve NGINX kushandisa zvitupa
- Inogadzirisa Certbot kuti imhanye zuva nezuva na3:24 a.m. kutarisa kuvandudzwa kwetitifiketi uye, kana zvichidikanwa, dhawunirodha zvitupa zvitsva uye tangazve NGINX.
script code
echo " Stopping NGINX in order to set up Let's Encrypt"
service nginx stop
mkdir -p /var/www/certbot
chown www-data:www-data /var/www/certbot
chmod g+s /var/www/certbot
if [ ! -f ${NGINX_CONF_DIR}/options-ssl-nginx.conf ]; then
echo " Downloading recommended TLS parameters"
curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:36:07 GMT"
-o "${NGINX_CONF_DIR}/options-ssl-nginx.conf"
"https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf"
|| echo "Couldn't download latest options-ssl-nginx.conf"
fi
if [ ! -f ${NGINX_CONF_DIR}/ssl-dhparams.pem ]; then
echo " Downloading recommended TLS DH parameters"
curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:49:18 GMT"
-o "${NGINX_CONF_DIR}/ssl-dhparams.pem"
"https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem"
|| echo "Couldn't download latest ssl-dhparams.pem"
fi
# If tls_certs_init.sh hasn't been run before, remove the self-signed certs
if [ ! -d "/etc/letsencrypt/accounts" ]; then
echo " Removing self-signed certificates"
rm -rf "${CERT_DIR}"
fi
if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
CERTBOT_STAGING_FLAG=""
else
CERTBOT_STAGING_FLAG="--staging"
fi
if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
echo " Generating certificates with Let's Encrypt"
certbot certonly --standalone
-m "${WORDPRESS_ADMIN_EMAIL}"
${CERTBOT_STAGING_FLAG}
--agree-tos --force-renewal --non-interactive
-d "${TLS_HOSTNAME}"
fi
echo " Starting NGINX in order to use new configuration"
service nginx start
# Write crontab for periodic Let's Encrypt cert renewal
if [ "$(crontab -l | grep -m1 'certbot renew')" == "" ]; then
echo " Adding certbot to crontab for automatic Let's Encrypt renewal"
(crontab -l 2>/dev/null; echo "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'") | crontab -
fiKuwedzera kugadzirisa kwesaiti yako
Takataura pamusoro pamusoro pekuti script yedu inogadzirisa sei NGINX uye NGINX Unit kuti ishumire kugadzirwa-yakagadzirira webhusaiti ine TLSSSL inogoneswa. Iwe unogona zvakare, zvichienderana nezvaunoda, kuwedzera mune ramangwana:
- Support , yakagadziridzwa pa-the-fly compression pamusoro peHTTPS
- Ρ kudzivirira otomatiki kurwisa pasaiti yako
- yeWordPress, yakakodzera iwe
- nerubatsiro (pa Ubuntu)
- Postfix kana msmtp saka WordPress inogona kutumira tsamba
- Kutarisa yako saiti kuti unzwisise kuti yakawanda sei traffic yaanogona kubata
Zvekuita zvirinani saiti, tinokurudzira kusimudzira ku , yedu bhizinesi-giredhi rekutengesa chigadzirwa chakavakirwa pane yakavhurika sosi NGINX. Vanyoreri vayo vanogashira ine simba yakarodha Brotli module, pamwe ne (yekuwedzera muripo) . Isu tinopawo , WAF module yeNGINX Plus yakavakirwa paindasitiri-inotungamira yekuchengetedza tekinoroji kubva kuF5.
NB Kuti utsigire webhusaiti yakawandisa, unogona kubata nyanzvi . Isu tichava nechokwadi chekushanda nekukurumidza uye kwakavimbika kwewebhusaiti yako kana sevhisi pasi pemutoro chero upi zvawo.
Source: www.habr.com