Otomatis pamasangan WordPress sareng Unit NGINX sareng Ubuntu
Aya seueur bahan pikeun masang WordPress, milarian Google pikeun "Pasang WordPress" bakal muncul sakitar satengah juta hasil. Nanging, kanyataanna, aya sakedik pituduh anu saé di antarana, numutkeun anjeun tiasa masang sareng ngonpigurasikeun WordPress sareng sistem operasi anu aya dina dasarna supados aranjeunna tiasa ngadukung pikeun waktos anu lami. Panginten pangaturan anu leres gumantung pisan kana kabutuhan khusus, atanapi ieu kusabab kanyataan yén katerangan anu lengkep ngajantenkeun tulisan éta hésé dibaca.
Dina tulisan ieu, urang bakal nyobian ngagabungkeun anu pangsaéna tina dua dunya ku cara nyayogikeun skrip bash pikeun masang WordPress sacara otomatis dina Ubuntu, ogé ngalangkunganana, ngajelaskeun naon anu dilakukeun ku unggal sapotong, ogé kompromi anu urang lakukeun dina ngamekarkeunana. . Mun anjeun hiji pamaké ngalaman, anjeun tiasa skip téks artikel na ngan nyandak naskah pikeun modifikasi sareng dianggo dina lingkungan anjeun. Kaluaran naskah mangrupikeun pamasangan WordPress khusus kalayan dukungan Lets Encrypt, dijalankeun dina Unit NGINX sareng cocog pikeun panggunaan produksi.
Arsitéktur anu dikembangkeun pikeun nyebarkeun WordPress nganggo Unit NGINX dijelaskeun dina artikel heubeul, ayeuna urang ogé bakal langkung ngonpigurasikeun hal-hal anu henteu katutupan di dinya (sapertos dina seueur tutorial anu sanés):
WordPress CLI
Hayu urang Encrypt na TLSSSL Sertipikat
Pembaruan sertipikat otomatis
NGINX cache
Komprési NGINX
HTTPS jeung HTTP / 2 rojongan
Otomatisasi prosés
Tulisan bakal ngajelaskeun pamasangan dina hiji server, anu sakaligus bakal janten host pangladén pangolahan statik, pangladén pangolahan PHP, sareng pangkalan data. Pamasangan anu ngadukung sababaraha host sareng jasa virtual mangrupikeun topik poténsial pikeun masa depan. Upami anjeun hoyong urang nyerat perkawis anu henteu aya dina tulisan ieu, tulis dina koméntar.
sarat
Server wadahna (LXC atawa LXD), mesin virtual, atanapi server beusi biasa sareng sahenteuna 512MB RAM sareng Ubuntu 18.04 atanapi langkung énggal dipasang.
Port diaksés Internét 80 sareng 443
Ngaran domain pakait sareng alamat IP umum tina server ieu
Aksés akar (sudo).
Tinjauan Arsitéktur
Arsitékturna sami sareng anu dijelaskeun tadi, aplikasi wéb tilu tingkat. Éta diwangun ku skrip PHP anu dieksekusi dina mesin PHP sareng file statik anu diolah ku pangladén wéb.
prinsip umum
Seueur paréntah konfigurasi dina naskah dibungkus upami kaayaan pikeun idempotensi: naskah tiasa dijalankeun sababaraha kali tanpa résiko ngarobih setélan anu parantos aya.
Skrip nyobian masang parangkat lunak tina repositori, ku kituna anjeun tiasa nerapkeun apdet sistem dina hiji paréntah (apt upgrade pikeun Ubuntu).
Paréntah nyobian ngadeteksi yén aranjeunna ngajalankeun dina wadah supados tiasa ngarobih setélanna sasuai.
Dina raraga nyetel jumlah prosés thread dimimitian dina setélan, naskah nyoba nebak setelan otomatis pikeun digawé di peti, mesin virtual, sarta server hardware.
Nalika ngajéntrékeun setélan, urang salawasna mikir heula ngeunaan automation, nu, urang miharep, bakal jadi dadasar pikeun nyieun infrastruktur sorangan salaku kode.
Sadaya paréntah dijalankeun salaku pangguna akar, sabab ngarobah setelan sistem dasar, tapi langsung WordPress ngajalankeun salaku pamaké biasa.
Netepkeun variabel lingkungan
Setel variabel lingkungan di handap ieu sateuacan ngajalankeun skrip:
WORDPRESS_DB_PASSWORD - sandi database WordPress
WORDPRESS_ADMIN_USER - ngaran pamaké admin WordPress
WORDPRESS_ADMIN_PASSWORD - Sandi admin WordPress
WORDPRESS_ADMIN_EMAIL - Email admin WordPress
WORDPRESS_URL nyaéta URL lengkep situs WordPress, dimimitian dina https://.
LETS_ENCRYPT_STAGING - kosong sacara standar, tapi ku netepkeun nilai ka 1, anjeun bakal nganggo server pementasan Hayu Encrypt, anu dipikabutuh pikeun sering nyuhunkeun sertipikat nalika nguji setélan anjeun, upami henteu, Let's Encrypt tiasa samentawis meungpeuk alamat ip anjeun kusabab sajumlah ageung pamundut. .
Skrip mariksa yén variabel anu aya hubunganana sareng WordPress ieu diatur sareng kaluar upami henteu.
garis Aksara 572-576 pariksa nilai LETS_ENCRYPT_STAGING.
Netepkeun variabel lingkungan turunan
Skrip dina garis 55-61 netepkeun variabel lingkungan di handap ieu, boh kana sababaraha nilai hard-coded atanapi nganggo nilai anu dicandak tina variabel anu diatur dina bagian sateuacana:
DEBIAN_FRONTEND="noninteractive" - Ngabejaan aplikasi anu aranjeunna ngajalankeun dina naskah sarta yén euweuh kamungkinan interaksi pamaké.
WORDPRESS_CLI_VERSION="2.4.0" nyaeta versi aplikasi WordPress CLI.
WORDPRESS_CLI_MD5= "dedd5a662b80cda66e9e25d44c23b25c" — checksum tina file eksekusi WordPress CLI 2.4.0 (vérsina ditangtukeun dina variabel WORDPRESS_CLI_VERSION). Skrip dina garis 162 nganggo nilai ieu pikeun mariksa yén file CLI WordPress anu leres parantos diunduh.
UPLOAD_MAX_FILESIZE="16M" - ukuran file maksimal anu tiasa diunggah dina WordPress. Setelan ieu dipake di sababaraha tempat, jadi leuwih gampang pikeun nyetel eta dina hiji tempat.
TLS_HOSTNAME= "$(echo ${WORDPRESS_URL} | cut -d'/' -f3)" - hostname sistem, dicandak tina variabel WORDPRESS_URL. Dipaké pikeun meunangkeun sertipikat TLS/SSL anu luyu ti Let's Encrypt ogé verifikasi WordPress internal.
NGINX_CONF_DIR="/etc/nginx" - jalur ka diréktori sareng setélan NGINX, kalebet file utama nginx.conf.
CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}" — jalur ka sertipikat Hayu Encrypt pikeun situs WordPress, dicandak tina variabel TLS_HOSTNAME.
Netepkeun hostname ka server WordPress
Skrip netepkeun hostname pangladén pikeun cocog sareng nami domain situs. Ieu teu diperlukeun, tapi leuwih merenah pikeun ngirim surat kaluar via SMTP lamun nyetel hiji server tunggal, sakumaha ngonpigurasi ku naskah.
kode naskah
# Change the hostname to be the same as the WordPress hostname
if [ ! "$(hostname)" == "${TLS_HOSTNAME}" ]; then
echo " Changing hostname to ${TLS_HOSTNAME}"
hostnamectl set-hostname "${TLS_HOSTNAME}"
fi
Nambahkeun ngaran host kana /etc/hosts
Tambihan WP-Cron dipaké pikeun ngajalankeun tugas periodik, merlukeun WordPress pikeun bisa ngakses sorangan ngaliwatan HTTP. Pikeun mastikeun yén WP-Cron tiasa dianggo leres dina sadaya lingkungan, naskah nambihan garis kana file / Jsb / sarwaku kituna WordPress tiasa ngaksés nyalira ngalangkungan antarmuka loopback:
kode naskah
# Add the hostname to /etc/hosts
if [ "$(grep -m1 "${TLS_HOSTNAME}" /etc/hosts)" = "" ]; then
echo " Adding hostname ${TLS_HOSTNAME} to /etc/hosts so that WordPress can ping itself"
printf "::1 %sn127.0.0.1 %sn" "${TLS_HOSTNAME}" "${TLS_HOSTNAME}" >> /etc/hosts
fi
Masang alat anu diperyogikeun pikeun léngkah-léngkah salajengna
Sésana naskah peryogi sababaraha program sareng nganggap yén repositori parantos diropéa. Urang ngamutahirkeun daptar repositories, lajeng install parabot diperlukeun:
kode naskah
# Make sure tools needed for install are present
echo " Installing prerequisite tools"
apt-get -qq update
apt-get -qq install -y
bc
ca-certificates
coreutils
curl
gnupg2
lsb-release
Nambahkeun Unit NGINX sareng Repositori NGINX
Skrip masang Unit NGINX sareng NGINX open source ti repositori NGINX resmi pikeun mastikeun versi sareng patch kaamanan panganyarna sareng perbaikan bug dianggo.
Skrip nambihan gudang NGINX Unit teras gudang NGINX, nambihan konci repositori sareng file konfigurasi apt, nangtukeun aksés ka repositories via Internét.
Pamasangan sabenerna Unit NGINX sareng NGINX lumangsung dina bagian salajengna. Kami tos nambihan repositori supados urang henteu kedah ngapdet metadata sababaraha kali, anu ngajantenkeun pamasangan langkung gancang.
kode naskah
# Install the NGINX Unit repository
if [ ! -f /etc/apt/sources.list.d/unit.list ]; then
echo " Installing NGINX Unit repository"
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb https://packages.nginx.org/unit/ubuntu/ $(lsb_release -cs) unit" > /etc/apt/sources.list.d/unit.list
fi
# Install the NGINX repository
if [ ! -f /etc/apt/sources.list.d/nginx.list ]; then
echo " Installing NGINX repository"
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb https://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
fi
Masang NGINX, Unit NGINX, PHP MariaDB, Certbot (Hayu Encrypt) sareng kagumantunganana
Sakali sadaya repositories ditambahkeun, update metadata tur masang aplikasi. Bungkusan anu dipasang ku naskah ogé kalebet ekstensi PHP anu disarankeun nalika ngajalankeun WordPress.org
kode naskah
echo " Updating repository metadata"
apt-get -qq update
# Install PHP with dependencies and NGINX Unit
echo " Installing PHP, NGINX Unit, NGINX, Certbot, and MariaDB"
apt-get -qq install -y --no-install-recommends
certbot
python3-certbot-nginx
php-cli
php-common
php-bcmath
php-curl
php-gd
php-imagick
php-mbstring
php-mysql
php-opcache
php-xml
php-zip
ghostscript
nginx
unit
unit-php
mariadb-server
Nyetél PHP kanggo dianggo sareng Unit NGINX sareng WordPress
Skrip nyiptakeun file setélan dina diréktori conf.d. Ieu netepkeun ukuran file maksimum pikeun unggah PHP, hurungkeun kaluaran kasalahan PHP ka STDERR supados bakal diserat kana log Unit NGINX, sareng ngamimitian deui Unit NGINX.
kode naskah
# Find the major and minor PHP version so that we can write to its conf.d directory
PHP_MAJOR_MINOR_VERSION="$(php -v | head -n1 | cut -d' ' -f2 | cut -d'.' -f1,2)"
if [ ! -f "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" ]; then
echo " Configuring PHP for use with NGINX Unit and WordPress"
# Add PHP configuration overrides
cat > "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" << EOM
; Set a larger maximum upload size so that WordPress can handle
; bigger media files.
upload_max_filesize=${UPLOAD_MAX_FILESIZE}
post_max_size=${UPLOAD_MAX_FILESIZE}
; Write error log to STDERR so that error messages show up in the NGINX Unit log
error_log=/dev/stderr
EOM
fi
# Restart NGINX Unit because we have reconfigured PHP
echo " Restarting NGINX Unit"
service unit restart
Nangtukeun Setélan Database MariaDB pikeun WordPress
Kami parantos milih MariaDB langkung ti MySQL sabab gaduh langkung seueur kagiatan komunitas sareng kamungkinan ogé nyadiakeun kinerja hadé sacara standar (meureun, sagalana geus basajan dieu: install MySQL, anjeun kudu nambahan Repository sejen, kira-kira. penerjemah).
Skrip nyiptakeun pangkalan data anyar sareng nyiptakeun kredensial pikeun ngaksés WordPress ngalangkungan antarmuka loopback:
kode naskah
# Set up the WordPress database
echo " Configuring MariaDB for WordPress"
mysqladmin create wordpress || echo "Ignoring above error because database may already exist"
mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO "wordpress"@"localhost" IDENTIFIED BY "$WORDPRESS_DB_PASSWORD"; FLUSH PRIVILEGES;"
Masang Program CLI WordPress
Dina léngkah ieu, skrip masang program WP-CLI. Kalayan éta, anjeun tiasa masang sareng ngatur setélan WordPress tanpa kedah ngédit file sacara manual, ngapdet pangkalan data, atanapi ngalebetkeun panel kontrol. Éta ogé tiasa dianggo pikeun masang téma sareng tambihan sareng ngapdet WordPress.
kode naskah
if [ ! -f /usr/local/bin/wp ]; then
# Install the WordPress CLI
echo " Installing the WordPress CLI tool"
curl --retry 6 -Ls "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" > /usr/local/bin/wp
echo "$WORDPRESS_CLI_MD5 /usr/local/bin/wp" | md5sum -c -
chmod +x /usr/local/bin/wp
fi
Masang sareng Konpigurasikeun WordPress
Skrip masang versi panganyarna tina WordPress kana diréktori /var/www/wordpresssareng ogé ngarobih setélan:
Koneksi database jalan ngaliwatan stop kontak domain unix tinimbang TCP on loopback pikeun ngurangan lalulintas TCP.
WordPress nambihan awalan https:// ka URL lamun klien nyambung ka NGINX ngaliwatan HTTPS, sarta ogé ngirimkeun hostname jauh (sakumaha disadiakeun ku NGINX) kana PHP. Kami nganggo sapotong kode pikeun nyetél ieu.
WordPress peryogi HTTPS pikeun login
Struktur URL standar dumasar kana sumberdaya
Nyetél idin anu leres dina sistem file pikeun diréktori WordPress.
kode naskah
if [ ! -d /var/www/wordpress ]; then
# Create WordPress directories
mkdir -p /var/www/wordpress
chown -R www-data:www-data /var/www
# Download WordPress using the WordPress CLI
echo " Installing WordPress"
su -s /bin/sh -c 'wp --path=/var/www/wordpress core download' www-data
WP_CONFIG_CREATE_CMD="wp --path=/var/www/wordpress config create --extra-php --dbname=wordpress --dbuser=wordpress --dbhost="localhost:/var/run/mysqld/mysqld.sock" --dbpass="${WORDPRESS_DB_PASSWORD}""
# This snippet is injected into the wp-config.php file when it is created;
# it informs WordPress that we are behind a reverse proxy and as such
# allows it to generate links using HTTPS
cat > /tmp/wp_forwarded_for.php << 'EOM'
/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
$_SERVER['HTTPS'] = 'on';
}
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
EOM
# Create WordPress configuration
su -s /bin/sh -p -c "cat /tmp/wp_forwarded_for.php | ${WP_CONFIG_CREATE_CMD}" www-data
rm /tmp/wp_forwarded_for.php
su -s /bin/sh -p -c "wp --path=/var/www/wordpress config set 'FORCE_SSL_ADMIN' 'true'" www-data
# Install WordPress
WP_SITE_INSTALL_CMD="wp --path=/var/www/wordpress core install --url="${WORDPRESS_URL}" --title="${WORDPRESS_SITE_TITLE}" --admin_user="${WORDPRESS_ADMIN_USER}" --admin_password="${WORDPRESS_ADMIN_PASSWORD}" --admin_email="${WORDPRESS_ADMIN_EMAIL}" --skip-email"
su -s /bin/sh -p -c "${WP_SITE_INSTALL_CMD}" www-data
# Set permalink structure to a sensible default that isn't in the UI
su -s /bin/sh -p -c "wp --path=/var/www/wordpress option update permalink_structure '/%year%/%monthnum%/%postname%/'" www-data
# Remove sample file because it is cruft and could be a security problem
rm /var/www/wordpress/wp-config-sample.php
# Ensure that WordPress permissions are correct
find /var/www/wordpress -type d -exec chmod g+s {} ;
chmod g+w /var/www/wordpress/wp-content
chmod -R g+w /var/www/wordpress/wp-content/themes
chmod -R g+w /var/www/wordpress/wp-content/plugins
fi
Nyetél Unit NGINX
Skrip ngonpigurasikeun Unit NGINX pikeun ngajalankeun PHP sareng ngolah jalur WordPress, ngasingkeun rohangan ngaran prosés PHP sareng ngaoptimalkeun setélan kinerja. Aya tilu fitur anu kedah ditingali di dieu:
Rojongan pikeun namespaces ditangtukeun ku kaayaan, dumasar kana mariksa yen naskah jalan dina wadah. Ieu diperlukeun sabab lolobana setups wadahna teu ngarojong nested peluncuran wadahna.
Upami aya dukungan pikeun namespaces, nonaktipkeun namespace jaringan. Ieu pikeun ngamungkinkeun WordPress nyambung ka dua titik tungtung sareng sayogi dina wéb dina waktos anu sami.
Jumlah maksimum prosés didefinisikeun kieu: (Memori anu sayogi pikeun ngajalankeun MariaDB sareng NGINX Uniy)/(wates RAM dina PHP + 5)
Nilai ieu disetel dina setélan Unit NGINX.
Nilai ieu ogé nunjukkeun yén salawasna aya sahenteuna dua prosés PHP anu dijalankeun, anu penting sabab WordPress ngadamel seueur pamundut anu teu sinkron ka dirina, sareng tanpa prosés tambahan, jalan sapertos WP-Cron bakal rusak. Anjeun panginten hoyong ningkatkeun atanapi ngirangan wates ieu dumasar kana setélan lokal anjeun, sabab setélan anu didamel di dieu konservatif. Dina kalolobaan sistem produksi, setélanna antara 10 sareng 100.
kode naskah
if [ "${container:-unknown}" != "lxc" ] && [ "$(grep -m1 -a container=lxc /proc/1/environ | tr -d '')" == "" ]; then
NAMESPACES='"namespaces": {
"cgroup": true,
"credential": true,
"mount": true,
"network": false,
"pid": true,
"uname": true
}'
else
NAMESPACES='"namespaces": {}'
fi
PHP_MEM_LIMIT="$(grep 'memory_limit' /etc/php/7.4/embed/php.ini | tr -d ' ' | cut -f2 -d= | numfmt --from=iec)"
AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
MAX_PHP_PROCESSES="$(echo "${AVAIL_MEM}/${PHP_MEM_LIMIT}+5" | bc)"
echo " Calculated the maximum number of PHP processes as ${MAX_PHP_PROCESSES}. You may want to tune this value due to variations in your configuration. It is not unusual to see values between 10-100 in production configurations."
echo " Configuring NGINX Unit to use PHP and WordPress"
cat > /tmp/wordpress.json << EOM
{
"settings": {
"http": {
"header_read_timeout": 30,
"body_read_timeout": 30,
"send_timeout": 30,
"idle_timeout": 180,
"max_body_size": $(numfmt --from=iec ${UPLOAD_MAX_FILESIZE})
}
},
"listeners": {
"127.0.0.1:8080": {
"pass": "routes/wordpress"
}
},
"routes": {
"wordpress": [
{
"match": {
"uri": [
"*.php",
"*.php/*",
"/wp-admin/"
]
},
"action": {
"pass": "applications/wordpress/direct"
}
},
{
"action": {
"share": "/var/www/wordpress",
"fallback": {
"pass": "applications/wordpress/index"
}
}
}
]
},
"applications": {
"wordpress": {
"type": "php",
"user": "www-data",
"group": "www-data",
"processes": {
"max": ${MAX_PHP_PROCESSES},
"spare": 1
},
"isolation": {
${NAMESPACES}
},
"targets": {
"direct": {
"root": "/var/www/wordpress/"
},
"index": {
"root": "/var/www/wordpress/",
"script": "index.php"
}
}
}
}
}
EOM
curl -X PUT --data-binary @/tmp/wordpress.json --unix-socket /run/control.unit.sock http://localhost/config
Nyetél NGINX
Ngonpigurasikeun Setélan Dasar NGINX
Skrip nyiptakeun diréktori pikeun cache NGINX teras nyiptakeun file konfigurasi utama nginx.conf. Nengetan jumlah prosés panangan sareng setelan ukuran file maksimal pikeun unggah. Aya ogé garis anu kalebet file setélan komprési anu ditetepkeun dina bagian salajengna, dituturkeun ku setélan cache.
Compressing eusi dina laleur saméméh ngirim ka klien mangrupakeun cara hébat pikeun ngaronjatkeun kinerja situs, tapi ngan lamun komprési ieu ngonpigurasi leres. Bagian ieu naskah dumasar kana setélan di dieu.
kode naskah
cat > ${NGINX_CONF_DIR}/gzip_compression.conf << 'EOM'
# Credit: https://github.com/h5bp/server-configs-nginx/
# ----------------------------------------------------------------------
# | Compression |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 6;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.ms-fontobject
application/wasm
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/bmp
image/svg+xml
text/cache-manifest
text/calendar
text/css
text/javascript
text/markdown
text/plain
text/xml
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
EOM
Nyetél NGINX pikeun WordPress
Salajengna, skrip nyiptakeun file konfigurasi pikeun WordPress default.conf dina katalog conf.d. Éta dikonpigurasi di dieu:
Aktipkeun sertipikat TLS anu ditampi ti Let's Encrypt via Certbot (nyetélna bakal aya dina bagian salajengna)
Ngonpigurasikeun setelan kaamanan TLS dumasar kana saran ti Hayu urang Encrypt
Aktipkeun pamenta skip cache salami 1 jam sacara standar
Pareuman aksés logging, kitu ogé kasalahan logging lamun file teu kapanggih, pikeun dua file umum dipénta: favicon.ico jeung robots.txt
Nyegah aksés kana file disumputkeun sareng sababaraha file .phppikeun nyegah aksés ilegal atawa mimiti teu dihaja
Nambahkeun routing pikeun index.php na statics séjén.
kode naskah
cat > ${NGINX_CONF_DIR}/conf.d/default.conf << EOM
upstream unit_php_upstream {
server 127.0.0.1:8080;
keepalive 32;
}
server {
listen 80;
listen [::]:80;
# ACME-challenge used by Certbot for Let's Encrypt
location ^~ /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://${TLS_HOSTNAME}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${TLS_HOSTNAME};
root /var/www/wordpress/;
# Let's Encrypt configuration
ssl_certificate ${CERT_DIR}/fullchain.pem;
ssl_certificate_key ${CERT_DIR}/privkey.pem;
ssl_trusted_certificate ${CERT_DIR}/chain.pem;
include ${NGINX_CONF_DIR}/options-ssl-nginx.conf;
ssl_dhparam ${NGINX_CONF_DIR}/ssl-dhparams.pem;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# Proxy caching
proxy_cache wp_cache;
proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1m;
proxy_cache_revalidate on;
proxy_cache_background_update on;
proxy_cache_lock on;
proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd,
# .DS_Store (Mac)
# Keep logging the requests to parse later (or to pass to firewall utilities
# such as fail2ban)
location ~ /. {
deny all;
}
# Deny access to any files with a .php extension in the uploads directory;
# works in subdirectory installs and also in multi-site network.
# Keep logging the requests to parse later (or to pass to firewall utilities
# such as fail2ban).
location ~* /(?:uploads|files)/.*.php$ {
deny all;
}
# WordPress: deny access to wp-content, wp-includes PHP files
location ~* ^/(?:wp-content|wp-includes)/.*.php$ {
deny all;
}
# Deny public access to wp-config.php
location ~* wp-config.php {
deny all;
}
# Do not log access for static assets, media
location ~* .(?:css(.map)?|js(.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
access_log off;
}
location ~* .(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
add_header Access-Control-Allow-Origin "*";
access_log off;
}
location / {
try_files $uri @index_php;
}
location @index_php {
proxy_socket_keepalive on;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://unit_php_upstream;
}
location ~* .php$ {
proxy_socket_keepalive on;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
try_files $uri =404;
proxy_pass http://unit_php_upstream;
}
}
EOM
Nyetél Certbot pikeun sertipikat ti Let's Encrypt sareng otomatis-renewing aranjeunna
Sébot mangrupikeun alat gratis ti Electronic Frontier Foundation (EFF) anu ngamungkinkeun anjeun kéngingkeun sareng otomatis nga-renew sertipikat TLS ti Let's Encrypt. Skrip ngalakukeun ieu pikeun ngonpigurasikeun Certbot pikeun ngolah sertipikat ti Let's Encrypt di NGINX:
Ngeureunkeun NGINX
Unduh setélan TLS anu disarankeun
Jalankeun Certbot pikeun kéngingkeun sertipikat pikeun situs éta
Balikan deui NGINX pikeun nganggo sertipikat
Ngonpigurasikeun Certbot pikeun ngajalankeun poean jam 3:24 AM pikeun mariksa naha sertipikat kedah di-renew, sareng upami perlu, unduh sertipikat énggal sareng balikan deui NGINX.
kode naskah
echo " Stopping NGINX in order to set up Let's Encrypt"
service nginx stop
mkdir -p /var/www/certbot
chown www-data:www-data /var/www/certbot
chmod g+s /var/www/certbot
if [ ! -f ${NGINX_CONF_DIR}/options-ssl-nginx.conf ]; then
echo " Downloading recommended TLS parameters"
curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:36:07 GMT"
-o "${NGINX_CONF_DIR}/options-ssl-nginx.conf"
"https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf"
|| echo "Couldn't download latest options-ssl-nginx.conf"
fi
if [ ! -f ${NGINX_CONF_DIR}/ssl-dhparams.pem ]; then
echo " Downloading recommended TLS DH parameters"
curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:49:18 GMT"
-o "${NGINX_CONF_DIR}/ssl-dhparams.pem"
"https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem"
|| echo "Couldn't download latest ssl-dhparams.pem"
fi
# If tls_certs_init.sh hasn't been run before, remove the self-signed certs
if [ ! -d "/etc/letsencrypt/accounts" ]; then
echo " Removing self-signed certificates"
rm -rf "${CERT_DIR}"
fi
if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
CERTBOT_STAGING_FLAG=""
else
CERTBOT_STAGING_FLAG="--staging"
fi
if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
echo " Generating certificates with Let's Encrypt"
certbot certonly --standalone
-m "${WORDPRESS_ADMIN_EMAIL}"
${CERTBOT_STAGING_FLAG}
--agree-tos --force-renewal --non-interactive
-d "${TLS_HOSTNAME}"
fi
echo " Starting NGINX in order to use new configuration"
service nginx start
# Write crontab for periodic Let's Encrypt cert renewal
if [ "$(crontab -l | grep -m1 'certbot renew')" == "" ]; then
echo " Adding certbot to crontab for automatic Let's Encrypt renewal"
(crontab -l 2>/dev/null; echo "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'") | crontab -
fi
kustomisasi tambahan tina situs anjeun
Urang ngobrol di luhur ngeunaan kumaha naskah urang ngonpigurasikeun NGINX sareng Unit NGINX pikeun ngalayanan situs anu siap produksi sareng TLSSSL diaktipkeun. Anjeun ogé tiasa, gumantung kana kabutuhan anjeun, nambihan ka hareup:
rojongan Brotli, ningkat komprési on-the-fly leuwih HTTPS
Postfix atanapi msmtp supados WordPress tiasa ngirim surat
Mariksa situs anjeun sangkan anjeun ngartos sabaraha lalulintas eta tiasa ngadamel
Pikeun kinerja situs malah hadé, kami nyarankeun ningkatkeun ka NGINX Plus, produk komersil kami, kelas perusahaan dumasar kana open source NGINX. Palangganna bakal nampi modul Brotli anu dimuat sacara dinamis, ogé (pikeun biaya tambahan) NGINX ModSecurity WAF. Urang nawiskeun ogé NGINX App Protect, modul WAF pikeun NGINX Plus dumasar kana téhnologi kaamanan industri-ngarah ti F5.
NB Pikeun ngadukung halaman wéb beban tinggi, anjeun tiasa ngahubungi spesialis Southbridge. Kami bakal mastikeun operasi gancang sareng dipercaya tina situs wéb atanapi jasa anjeun dina beban naon waé.