Ku rakibida WordPress oo leh NGINX Unit iyo Ubuntu
Waxaa jira casharro badan oo ku saabsan sida loo rakibo WordPress, raadinta Google ee "WordPress install" waxay soo saari doontaa natiijooyin nus milyan ah. Si kastaba ha noqotee, dhab ahaantii, waxaa jira hagitaanno wanaagsan oo aad u yar oo iyaga ka mid ah, marka loo eego taas oo aad ku rakibi karto oo aad habayn karto WordPress iyo nidaamka hawlgalka hoose si ay awood ugu yeeshaan inay taageeraan wakhti dheer. Waxaa laga yaabaa in goobaha saxda ah ay aad ugu tiirsan yihiin baahiyo gaar ah, ama tani waxay sabab u tahay xaqiiqda ah in sharaxaad faahfaahsan ay maqaalka ka dhigto mid adag in la akhriyo.
Maqaalkan, waxaan isku dayi doonaa inaan isku darno kuwa ugu wanaagsan labada adduun anagoo siinaya qoraal bash ah si si toos ah loogu rakibo WordPress on Ubuntu, iyo sidoo kale inaan dhex marno, annagoo sharraxayna waxa qayb kastaa sameeyo, iyo sidoo kale tanaasulkii aan samaynay horumarinta. . Haddii aad tahay isticmaale horumarsan, waxaad ka boodi kartaa qoraalka maqaalka oo kaliya qaado qoraalka wax ka beddelka iyo isticmaalka deegaankaaga. Soo saarista qoraalku waa rakibaad gaar ah oo WordPress ah oo leh Lets Encrypt support, oo ku shaqeeya Cutubka NGINX oo ku habboon isticmaalka wax soo saarka.
Nashqada la horumariyay ee lagu geynayo WordPress iyadoo la adeegsanayo Cutubka NGINX ayaa lagu sifeeyay article ka weyn, hadda waxaan sidoo kale sii habeyn doonaa waxyaabaha aan meeshaas lagu daboolin (sida casharro kale oo badan):
WordPress CLI
Aynu sirno oo TLSSSL-ka-Shahaadaha
Dib u cusboonaysiinta tooska ah ee shahaadooyinka
NGINX kaydinta
Cadaadiska NGINX
HTTPS iyo HTTP/2 taageero
Habka otomaatiga
Maqaalku wuxuu sharxi doonaa rakibaadda hal server, kaas oo isla mar ahaantaana martigelin doona server ka baaraandeg ah, server processing PHP, iyo database. Ku rakibida taageerada martigaliyayaasha iyo adeegyada badan ee farsamada waa mawduuc mustaqbalka ah. Haddii aad rabto in aan wax ka qorno wax aan ku jirin maqaalladan, ku qor faallooyinka.
shuruudaha
Koonteenarada serverka (LXC ama LXD), mashiinka farsamada, ama server-ka birta caadiga ah oo leh ugu yaraan 512MB ee RAM iyo Ubuntu 18.04 ama ka cusub.
Dekadaha laga heli karo internetka 80 iyo 443
Magaca domainka ee la xidhiidha ciwaanka ip-ga guud ee serfarkan
Helitaanka xididka (sudo).
Dulmarka dhismaha
Nashqadadu waxay la mid tahay sida lagu tilmaamay hore, codsi shabakad saddex-heer ah. Waxay ka kooban tahay qoraallada PHP ee ku shaqeeya mishiinka PHP iyo faylal aan caadi ahayn oo uu farsameeyo server-ka shabakadda.
Mabaadi'da Guud
Qaar badan oo ka mid ah amarrada qaabeynta ee qoraalka ayaa lagu duuduubay haddii shuruudaha idempotency: qoraalka waxaa la ordi karaa dhowr jeer iyada oo aan khatarta ah in la beddelo goobaha horay u jiray.
Qoraalku wuxuu isku dayaa inuu ku rakibo software ka soo kaydinta, si aad u codsan karto cusbooneysiinta nidaamka hal amar (apt upgrade loogu talagalay Ubuntu).
Amaradu waxay isku dayaan inay ogaadaan inay ku dhex ordayaan weel si ay u beddelaan habayntooda si habboon.
Si loo dejiyo tirada hababka dunta si looga bilaabo goobaha, qoraalku wuxuu isku dayaa inuu qiyaaso goobaha otomaatiga ah ee ka shaqeeya weelasha, mishiinada farsamada, iyo server-yada hardware.
Markaan sharaxeyno goobaha, waxaan had iyo jeer ka fikirnaa wax ku saabsan otomaatiga, taas oo, waxaan rajeyneynaa, inay noqon doonto aasaaska abuurista kaabayaashaaga kood ahaan.
Dhammaan amarrada waxaa loo maamulaa isticmaale ahaan xidid, sababtoo ah waxay beddelaan nidaamka aasaasiga ah ee nidaamka, laakiin si toos ah WordPress wuxuu u shaqeeyaa sida isticmaalaha caadiga ah.
Dejinta doorsoomayaasha deegaanka
Deji doorsoomayaasha deegaanka ee soo socda ka hor inta aanad bilaabin qoraalka:
WORDPRESS_URL waa URL buuxa ee goobta WordPress, laga bilaabo https://.
LETS_ENCRYPT_STAGING - madhan sida caadiga ah, laakiin adoo dejinaya qiimaha 1, waxaad isticmaali doontaa Let's Encrypt staging servers, kuwaas oo lagama maarmaan u ah codsashada shahaadooyinka si joogta ah marka la tijaabinayo goobahaaga, haddii kale Aynu Encrypt si ku meel gaar ah u xannibo ciwaanka ip kaaga sababo badan oo codsiyo ah. .
Qoraalku wuxuu hubinayaa in doorsoomayaashan WordPress-ku-xiran ay dejisan yihiin oo ay ka baxaan haddii aysan ahayn.
Xariiqda qoraalka 572-576 hubi qiimaha LETS_ENCRYPT_STAGING.
Dejinta doorsoomayaasha deegaanka ka soo jeeda
Qoraalka ku yaal xariiqyada 55-61 wuxuu dejiyaa doorsoomayaasha deegaanka ee soo socda, ha ahaato xoogaa kood adag ama iyadoo la isticmaalayo qiime laga helay doorsoomayaasha lagu dejiyay qaybta hore:
DEBIAN_FRONTEND="noninteractive" - Waxay u sheegtaa codsiyada in ay ku socdaan qoraal iyo in aysan jirin suurtogalnimada isdhexgalka isticmaalaha.
WORDPRESS_CLI_VERSION="2.4.0" waa nooca codsiga CLI ee WordPress.
WORDPRESS_CLI_MD5= "dedd5a662b80cda66e9e25d44c23b25c" - checksum of the WordPress CLI 2.4.0 file la fulin karo (nooca waxaa lagu qeexay doorsoomiyaha WORDPRESS_CLI_VERSION). Qoraalka khadka 162 wuxuu isticmaalaa qiimahan si uu u hubiyo in faylka saxda ah ee WordPress CLI la soo dejiyay.
UPLOAD_MAX_FILESIZE="16M" - cabbirka faylka ugu badan ee lagu dhejin karo WordPress. Dejintan waxa laga isticmaalaa meelo badan, markaa way fududahay in hal meel la dhigo.
TLS_HOSTNAME= "$(echo ${WORDPRESS_URL} | cut -d'/' -f3)" - magaca martida loo yahay ee nidaamka, oo laga soo saaray doorsoomiyaha WORDPRESS_URL. Loo isticmaalay in lagu helo shahaadooyinka TLS/SSL ee ku habboon Aynu Encryption iyo sidoo kale xaqiijinta gudaha WordPress.
NGINX_CONF_DIR="/etc/nginx" - wadada loo maro tusaha leh NGINX settings, oo ay ku jiraan faylka ugu weyn nginx.conf.
CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}" - dariiqa loo marayo Aan sirno shahaadooyinka goobta WordPress, laga helay doorsoomayaasha TLS_HOSTNAME.
Ku-beerista magaca martida loo yahay server-ka WordPress
Qoraalku wuxuu dejiyaa magaca martida loo yahay ee server-ka si uu u dhigmo magaca bogga ee goobta. Tan looma baahna, laakiin way ku habboon tahay in lagu diro mail bixisa SMTP marka la dejinayo hal server, sida loo habeeyey qoraalka.
code qoraalka
# Change the hostname to be the same as the WordPress hostname
if [ ! "$(hostname)" == "${TLS_HOSTNAME}" ]; then
echo " Changing hostname to ${TLS_HOSTNAME}"
hostnamectl set-hostname "${TLS_HOSTNAME}"
fi
Ku darida magaca martida loo yahay /etc/hosts
Isku dar WP-Cron loo isticmaalo in lagu socodsiiyo hawlo xilliyeedka ah, waxay u baahan tahay WordPress si uu isula galo HTTP. Si loo hubiyo in WP-Cron ay si sax ah ugu shaqeyso dhammaan agagaaraha, qoraalku wuxuu ku darayaa xariiq faylka / iwmsi WordPress uu naftiisa ugu galo loopback interface:
code qoraalka
# Add the hostname to /etc/hosts
if [ "$(grep -m1 "${TLS_HOSTNAME}" /etc/hosts)" = "" ]; then
echo " Adding hostname ${TLS_HOSTNAME} to /etc/hosts so that WordPress can ping itself"
printf "::1 %sn127.0.0.1 %sn" "${TLS_HOSTNAME}" "${TLS_HOSTNAME}" >> /etc/hosts
fi
Ku rakibida qalabka loo baahan yahay tallaabooyinka xiga
Qoraalka intiisa kale wuxuu u baahan yahay barnaamijyo qaar wuxuuna u malaynayaa in bakhaarradu ay yihiin kuwo casri ah. Waxaan cusbooneysiineynaa liiska kaydinta, ka dib markaa waxaan rakibnaa qalabka lagama maarmaanka ah:
code qoraalka
# Make sure tools needed for install are present
echo " Installing prerequisite tools"
apt-get -qq update
apt-get -qq install -y
bc
ca-certificates
coreutils
curl
gnupg2
lsb-release
Ku darida NGINX Unit iyo NGINX Repositories
Qoraalku wuxuu ku rakibaa NGINX Unit iyo il furan oo NGINX ah oo laga helo meelaha NGINX ee rasmiga ah si loo hubiyo in noocyada leh xirmooyinka amniga ugu dambeeyay iyo hagaajinta cayayaanka la isticmaalay.
Qoraalku wuxuu ku darayaa kaydka NGINX Unit ka dibna kaydka NGINX, isagoo ku daraya furaha kaydinta iyo faylasha qaabaynta apt, oo qeexaya gelitaanka meelaha kaydka ah ee internetka.
Ku rakibida dhabta ah ee NGINX Unit iyo NGINX waxay ku dhacdaa qaybta xigta. Horey ayaanu ugu darnaa kaydadka si aynaan u cusboonaysiin xogaha badan ee badan, taas oo ka dhigaysa mid degdeg ah.
code qoraalka
# Install the NGINX Unit repository
if [ ! -f /etc/apt/sources.list.d/unit.list ]; then
echo " Installing NGINX Unit repository"
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb https://packages.nginx.org/unit/ubuntu/ $(lsb_release -cs) unit" > /etc/apt/sources.list.d/unit.list
fi
# Install the NGINX repository
if [ ! -f /etc/apt/sources.list.d/nginx.list ]; then
echo " Installing NGINX repository"
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb https://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
fi
Ku rakibida NGINX, Unugga NGINX, PHP MariaDB, Certbot (Aan sirinno) iyo ku tiirsanaanta
Marka dhammaan kaydadka lagu daro, cusboonaysii xogta badan oo rakib codsiyada Xirmooyinka lagu rakibay qoraalku sidoo kale waxaa ku jira kordhinta PHP ee lagu taliyay marka la wado WordPress.org
code qoraalka
echo " Updating repository metadata"
apt-get -qq update
# Install PHP with dependencies and NGINX Unit
echo " Installing PHP, NGINX Unit, NGINX, Certbot, and MariaDB"
apt-get -qq install -y --no-install-recommends
certbot
python3-certbot-nginx
php-cli
php-common
php-bcmath
php-curl
php-gd
php-imagick
php-mbstring
php-mysql
php-opcache
php-xml
php-zip
ghostscript
nginx
unit
unit-php
mariadb-server
Dejinta PHP si loogu isticmaalo NGINX Unit iyo WordPress
Qoraalku wuxuu ku dhex abuuraa faylka habaynta ee hagaha conf.d.. Tani waxay dejinaysaa cabbirka faylka ugu badan ee gelinta PHP, waxay u shidaysaa wax-soo-saarka qaladka PHP STDERR si loogu qori doono NGINX Unit log, oo dib u bilaabo Unugga NGINX.
code qoraalka
# Find the major and minor PHP version so that we can write to its conf.d directory
PHP_MAJOR_MINOR_VERSION="$(php -v | head -n1 | cut -d' ' -f2 | cut -d'.' -f1,2)"
if [ ! -f "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" ]; then
echo " Configuring PHP for use with NGINX Unit and WordPress"
# Add PHP configuration overrides
cat > "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" << EOM
; Set a larger maximum upload size so that WordPress can handle
; bigger media files.
upload_max_filesize=${UPLOAD_MAX_FILESIZE}
post_max_size=${UPLOAD_MAX_FILESIZE}
; Write error log to STDERR so that error messages show up in the NGINX Unit log
error_log=/dev/stderr
EOM
fi
# Restart NGINX Unit because we have reconfigured PHP
echo " Restarting NGINX Unit"
service unit restart
Cadaynta MariaDB Database Settings ee WordPress
Waxaan MariaDB ka doorannay MySQL maadaama ay leedahay hawlo badan oo bulshada ah oo ay sidoo kale u badan tahay waxay bixisaa waxqabad ka fiican by default (malaha, wax walba way ka fudud yihiin halkan: si aad u rakibto MySQL, waxaad u baahan tahay inaad ku darto kayd kale, qiyaastii turjumaan).
Qoraalku wuxuu abuuraa xog-ururin cusub wuxuuna abuuraa aqoonsiyo lagu galo WordPress iyada oo loo marayo interface loopback:
code qoraalka
# Set up the WordPress database
echo " Configuring MariaDB for WordPress"
mysqladmin create wordpress || echo "Ignoring above error because database may already exist"
mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO "wordpress"@"localhost" IDENTIFIED BY "$WORDPRESS_DB_PASSWORD"; FLUSH PRIVILEGES;"
Ku rakibida barnaamijka CLI ee WordPress
Tallaabadan, qoraalka ayaa rakibaya barnaamijka WP-CLI. Iyada, waxaad ku rakibi kartaa oo aad maamuli kartaa goobaha WordPress adigoon u baahnayn inaad gacanta ku saxdo faylasha, cusbooneysiiso xogta, ama geliso guddiga xakamaynta. Waxa kale oo loo isticmaali karaa in lagu rakibo mawduucyada iyo wax-ku-darka iyo cusbooneysiinta WordPress.
code qoraalka
if [ ! -f /usr/local/bin/wp ]; then
# Install the WordPress CLI
echo " Installing the WordPress CLI tool"
curl --retry 6 -Ls "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" > /usr/local/bin/wp
echo "$WORDPRESS_CLI_MD5 /usr/local/bin/wp" | md5sum -c -
chmod +x /usr/local/bin/wp
fi
Rakibaadda iyo habaynta WordPress
Qoraalku wuxuu ku rakibayaa nuqulkii ugu dambeeyay ee WordPress ee hagaha /var/www/wordpressiyo sidoo kale beddelo dejinta:
Xidhiidhka kaydka xogta waxa uu ka shaqeeyaa godka unix domainka halkii uu ka ahaan lahaa TCP loopback si loo yareeyo taraafikada TCP.
WordPress wuxuu ku darayaa horgale https:// URL-ka haddii macaamiishu ay ku xidhmaan NGINX HTTPS, oo ay sidoo kale u diraan magaca martida fog (sida ay bixiso NGINX) PHP. Waxaan isticmaalnaa gabal kood si aan tan u dejino.
WordPress wuxuu u baahan yahay HTTPS si loo galo
Qaab dhismeedka URL-ka caadiga ah wuxuu ku salaysan yahay ilaha
Dejiya ogolaanshaha saxda ah ee nidaamka faylka ee hagaha WordPress.
code qoraalka
if [ ! -d /var/www/wordpress ]; then
# Create WordPress directories
mkdir -p /var/www/wordpress
chown -R www-data:www-data /var/www
# Download WordPress using the WordPress CLI
echo " Installing WordPress"
su -s /bin/sh -c 'wp --path=/var/www/wordpress core download' www-data
WP_CONFIG_CREATE_CMD="wp --path=/var/www/wordpress config create --extra-php --dbname=wordpress --dbuser=wordpress --dbhost="localhost:/var/run/mysqld/mysqld.sock" --dbpass="${WORDPRESS_DB_PASSWORD}""
# This snippet is injected into the wp-config.php file when it is created;
# it informs WordPress that we are behind a reverse proxy and as such
# allows it to generate links using HTTPS
cat > /tmp/wp_forwarded_for.php << 'EOM'
/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
$_SERVER['HTTPS'] = 'on';
}
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
EOM
# Create WordPress configuration
su -s /bin/sh -p -c "cat /tmp/wp_forwarded_for.php | ${WP_CONFIG_CREATE_CMD}" www-data
rm /tmp/wp_forwarded_for.php
su -s /bin/sh -p -c "wp --path=/var/www/wordpress config set 'FORCE_SSL_ADMIN' 'true'" www-data
# Install WordPress
WP_SITE_INSTALL_CMD="wp --path=/var/www/wordpress core install --url="${WORDPRESS_URL}" --title="${WORDPRESS_SITE_TITLE}" --admin_user="${WORDPRESS_ADMIN_USER}" --admin_password="${WORDPRESS_ADMIN_PASSWORD}" --admin_email="${WORDPRESS_ADMIN_EMAIL}" --skip-email"
su -s /bin/sh -p -c "${WP_SITE_INSTALL_CMD}" www-data
# Set permalink structure to a sensible default that isn't in the UI
su -s /bin/sh -p -c "wp --path=/var/www/wordpress option update permalink_structure '/%year%/%monthnum%/%postname%/'" www-data
# Remove sample file because it is cruft and could be a security problem
rm /var/www/wordpress/wp-config-sample.php
# Ensure that WordPress permissions are correct
find /var/www/wordpress -type d -exec chmod g+s {} ;
chmod g+w /var/www/wordpress/wp-content
chmod -R g+w /var/www/wordpress/wp-content/themes
chmod -R g+w /var/www/wordpress/wp-content/plugins
fi
Dejinta Unugga NGINX
Qoraalku wuxuu habeeyaa Unugga NGINX si uu u socodsiiyo PHP una socodsiiyo dariiqooyinka WordPress, isagoo go'doominaya habka magaca PHP iyo hagaajinta habaynta waxqabadka. Waxaa jira saddex sifo oo aad halkan ku arki karto:
Taageerada meelaha magacyada waxaa lagu go'aamiyaa shuruud, iyadoo lagu saleynayo hubinta in qoraalku ku dhex socdo weel. Tani waa lagama maarmaan sababtoo ah inta badan dejinta weelasha ma taageeraan soo saarida buulkooda weelasha.
Haddii ay jirto taageero meelaha magacyada, dami meesha magaca network. Tani waa si loogu oggolaado WordPress in ay ku xidhmaan labada dhibcood ee dhamaadka oo ay diyaar ku noqdaan shabakada isku mar.
Tirada ugu badan ee hababka waxaa lagu qeexaa sida soo socota: (Xusuusta loo heli karo socodsiinta MariaDB iyo NGINX Uniy)/(xadka RAM ee PHP + 5)
Qiimahan waxa lagu dejiyay NGINX Unit settings.
Qiimahani wuxuu sidoo kale tilmaamayaa in had iyo jeer ay jiraan ugu yaraan laba hab oo PHP ah oo socda, taas oo muhiim ah sababtoo ah WordPress wuxuu sameeyaa codsiyo badan oo isku mid ah laftiisa, iyo iyada oo aan la helin habab dheeraad ah, socodsiinta tusaale ahaan WP-Cron wuu jebin doonaa. Waxaa laga yaabaa inaad rabto inaad kordhiso ama yarayso xadkan iyadoo lagu salaynayo goobaha deegaankaaga, sababtoo ah goobaha halkan lagu sameeyay waa muxaafid. Inta badan nidaamyada wax soo saarka, dejintu waxay u dhaxaysaa 10 iyo 100.
code qoraalka
if [ "${container:-unknown}" != "lxc" ] && [ "$(grep -m1 -a container=lxc /proc/1/environ | tr -d '')" == "" ]; then
NAMESPACES='"namespaces": {
"cgroup": true,
"credential": true,
"mount": true,
"network": false,
"pid": true,
"uname": true
}'
else
NAMESPACES='"namespaces": {}'
fi
PHP_MEM_LIMIT="$(grep 'memory_limit' /etc/php/7.4/embed/php.ini | tr -d ' ' | cut -f2 -d= | numfmt --from=iec)"
AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
MAX_PHP_PROCESSES="$(echo "${AVAIL_MEM}/${PHP_MEM_LIMIT}+5" | bc)"
echo " Calculated the maximum number of PHP processes as ${MAX_PHP_PROCESSES}. You may want to tune this value due to variations in your configuration. It is not unusual to see values between 10-100 in production configurations."
echo " Configuring NGINX Unit to use PHP and WordPress"
cat > /tmp/wordpress.json << EOM
{
"settings": {
"http": {
"header_read_timeout": 30,
"body_read_timeout": 30,
"send_timeout": 30,
"idle_timeout": 180,
"max_body_size": $(numfmt --from=iec ${UPLOAD_MAX_FILESIZE})
}
},
"listeners": {
"127.0.0.1:8080": {
"pass": "routes/wordpress"
}
},
"routes": {
"wordpress": [
{
"match": {
"uri": [
"*.php",
"*.php/*",
"/wp-admin/"
]
},
"action": {
"pass": "applications/wordpress/direct"
}
},
{
"action": {
"share": "/var/www/wordpress",
"fallback": {
"pass": "applications/wordpress/index"
}
}
}
]
},
"applications": {
"wordpress": {
"type": "php",
"user": "www-data",
"group": "www-data",
"processes": {
"max": ${MAX_PHP_PROCESSES},
"spare": 1
},
"isolation": {
${NAMESPACES}
},
"targets": {
"direct": {
"root": "/var/www/wordpress/"
},
"index": {
"root": "/var/www/wordpress/",
"script": "index.php"
}
}
}
}
}
EOM
curl -X PUT --data-binary @/tmp/wordpress.json --unix-socket /run/control.unit.sock http://localhost/config
Dejinta NGINX
Habaynta Saldhigyada NGINX ee aasaasiga ah
Qoraalku wuxuu abuuraa tusaha kaydka NGINX ka dibna wuxuu abuuraa faylka qaabeynta ugu weyn nginx.conf. Fiiro gaar ah u yeelo tirada hababka gacanta ku haya iyo dejinta cabbirka faylka ugu badan ee la soo geliyo. Waxa kale oo jira khad ay ku jiraan faylka dejinta isku-buufinta ee lagu qeexay qaybta xigta, oo ay ku xigto goobaha kaydinta.
Cadaadiska nuxurka duulista ka hor inta aan loo dirin macaamiisha waa hab fiican oo lagu wanaajiyo waxqabadka goobta, laakiin kaliya haddii si sax ah loo habeeyey. Qaybtan qoraalku waxay ku salaysan tahay dejinta halkan.
code qoraalka
cat > ${NGINX_CONF_DIR}/gzip_compression.conf << 'EOM'
# Credit: https://github.com/h5bp/server-configs-nginx/
# ----------------------------------------------------------------------
# | Compression |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 6;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.ms-fontobject
application/wasm
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/bmp
image/svg+xml
text/cache-manifest
text/calendar
text/css
text/javascript
text/markdown
text/plain
text/xml
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
EOM
Dejinta NGINX ee WordPress
Marka xigta, qoraalku wuxuu abuuraa faylka qaabeynta ee WordPress default.conf buugga ku yaal conf.d.. Waxaa lagu habeeyey halkan:
Shaqaysiinta shahaadooyinka TLS ee laga helay Aynu Encryption iyada oo loo sii marayo Certbot (dejintu waxay ahaan doontaa qaybta xigta)
Dejinta dejinta amniga TLS ee ku salaysan talooyinka ka yimid Aynu Sirinno
U oggolow kaydinta codsiyada boodboodka 1 saac si caadi ah
Dami gelida gelitaanka, iyo sidoo kale gelida khaladka haddii aan faylka la helin, ee laba fayl oo la codsado: favicon.ico iyo robots.txt
Kahortagga gelitaanka faylasha qarsoon iyo faylalka qaarkood .phpsi looga hortago gelitaanka sharci darrada ah ama bilawga aan la qorshayn
Dami gelitaanka gelitaanka faylalka xarfaha iyo kuwa taagan
cat > ${NGINX_CONF_DIR}/conf.d/default.conf << EOM
upstream unit_php_upstream {
server 127.0.0.1:8080;
keepalive 32;
}
server {
listen 80;
listen [::]:80;
# ACME-challenge used by Certbot for Let's Encrypt
location ^~ /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://${TLS_HOSTNAME}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${TLS_HOSTNAME};
root /var/www/wordpress/;
# Let's Encrypt configuration
ssl_certificate ${CERT_DIR}/fullchain.pem;
ssl_certificate_key ${CERT_DIR}/privkey.pem;
ssl_trusted_certificate ${CERT_DIR}/chain.pem;
include ${NGINX_CONF_DIR}/options-ssl-nginx.conf;
ssl_dhparam ${NGINX_CONF_DIR}/ssl-dhparams.pem;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# Proxy caching
proxy_cache wp_cache;
proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1m;
proxy_cache_revalidate on;
proxy_cache_background_update on;
proxy_cache_lock on;
proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd,
# .DS_Store (Mac)
# Keep logging the requests to parse later (or to pass to firewall utilities
# such as fail2ban)
location ~ /. {
deny all;
}
# Deny access to any files with a .php extension in the uploads directory;
# works in subdirectory installs and also in multi-site network.
# Keep logging the requests to parse later (or to pass to firewall utilities
# such as fail2ban).
location ~* /(?:uploads|files)/.*.php$ {
deny all;
}
# WordPress: deny access to wp-content, wp-includes PHP files
location ~* ^/(?:wp-content|wp-includes)/.*.php$ {
deny all;
}
# Deny public access to wp-config.php
location ~* wp-config.php {
deny all;
}
# Do not log access for static assets, media
location ~* .(?:css(.map)?|js(.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
access_log off;
}
location ~* .(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
add_header Access-Control-Allow-Origin "*";
access_log off;
}
location / {
try_files $uri @index_php;
}
location @index_php {
proxy_socket_keepalive on;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://unit_php_upstream;
}
location ~* .php$ {
proxy_socket_keepalive on;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
try_files $uri =404;
proxy_pass http://unit_php_upstream;
}
}
EOM
Dejinta Certbot ee shahaadooyinka Aynu Sirinno oo otomaatig u cusbooneysiinno
Certbot waa qalab bilaash ah oo ka socda Aasaaska Elektarooniga ah ee Frontier (EFF) kaas oo kuu ogolaanaya inaad si toos ah u cusbooneysiiso shahaadooyinka TLS ee Aynu Sirinno. Qoraalku wuxuu sameeyaa kuwa soo socda si uu u habeeyo Certbot si uu uga shaqeeyo shahaadooyinka Aynu ku sirno gudaha NGINX:
Joojiya NGINX
Soodejintu waxay ku taliyeen dejinta TLS
Wuxuu wadaa Certbot si uu u helo shahaadooyin goobta
Dib u bilaaba NGINX si uu u isticmaalo shahaadooyinka
Wuxuu dejiyaa Certbot inuu shaqeeyo maalin kasta 3:24 AM si loo hubiyo haddii shahaadooyin loo baahan yahay in la cusboonaysiiyo, iyo haddii loo baahdo, soo dejiso shahaadooyin cusub oo dib u bilow NGINX.
code qoraalka
echo " Stopping NGINX in order to set up Let's Encrypt"
service nginx stop
mkdir -p /var/www/certbot
chown www-data:www-data /var/www/certbot
chmod g+s /var/www/certbot
if [ ! -f ${NGINX_CONF_DIR}/options-ssl-nginx.conf ]; then
echo " Downloading recommended TLS parameters"
curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:36:07 GMT"
-o "${NGINX_CONF_DIR}/options-ssl-nginx.conf"
"https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf"
|| echo "Couldn't download latest options-ssl-nginx.conf"
fi
if [ ! -f ${NGINX_CONF_DIR}/ssl-dhparams.pem ]; then
echo " Downloading recommended TLS DH parameters"
curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:49:18 GMT"
-o "${NGINX_CONF_DIR}/ssl-dhparams.pem"
"https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem"
|| echo "Couldn't download latest ssl-dhparams.pem"
fi
# If tls_certs_init.sh hasn't been run before, remove the self-signed certs
if [ ! -d "/etc/letsencrypt/accounts" ]; then
echo " Removing self-signed certificates"
rm -rf "${CERT_DIR}"
fi
if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
CERTBOT_STAGING_FLAG=""
else
CERTBOT_STAGING_FLAG="--staging"
fi
if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
echo " Generating certificates with Let's Encrypt"
certbot certonly --standalone
-m "${WORDPRESS_ADMIN_EMAIL}"
${CERTBOT_STAGING_FLAG}
--agree-tos --force-renewal --non-interactive
-d "${TLS_HOSTNAME}"
fi
echo " Starting NGINX in order to use new configuration"
service nginx start
# Write crontab for periodic Let's Encrypt cert renewal
if [ "$(crontab -l | grep -m1 'certbot renew')" == "" ]; then
echo " Adding certbot to crontab for automatic Let's Encrypt renewal"
(crontab -l 2>/dev/null; echo "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'") | crontab -
fi
Habaynta dheeraadka ah ee goobtaada
Waxaan kor uga hadalnay sida qoraalkayagu u habeeyo NGINX iyo NGINX Unit si ay ugu adeegaan goob diyaarsan oo wax soo saar leh oo TLSSSL karti u leh. Waxaad sidoo kale, iyadoo ku xiran baahiyahaaga, ku dari kartaa mustaqbalka:
taageero Brotli, cadaadiska duulimaadka oo la hagaajiyay ee HTTPS
Postfix ama msmtp si WordPress u soo diri karto boostada
Hubinta goobtaada si aad u fahanto inta taraafikada ay xamili karto
Si loo helo waxqabadka goobta xitaa ka sii wanaagsan, waxaan kugula talineynaa in loo cusboonaysiiyo NGINX Plus, badeecadeena ganacsi, heer ganacsi oo ku salaysan il furan NGINX. Macaamiisheeda ayaa heli doona moduleka Brotli si firfircoon u raran, iyo sidoo kale (lacag dheeri ah) NGINX ModSecurity WAF. Waxaan sidoo kale bixinnaa Ilaalinta App-ka NGINX, module WAF ee NGINX Plus oo ku salaysan tignoolajiyada amniga hogaaminaya ee ka socda F5.
NB Taageerada goobta aadka loo raray, waxaad la xiriiri kartaa khabiirada Southbridge. Waxaan hubin doonnaa in si degdeg ah oo la isku halleyn karo u shaqeeyo degelkaaga ama adeeggaaga culeys kasta.