Automating WordPress installation with NGINX Unit and Ubuntu
There are many tutorials on how to install WordPress; a Google search for "WordPress install" returns roughly half a million results. Very few of them, however, are guides you can follow to install and configure WordPress together with the underlying operating system so that the result can be maintained for a long time. Perhaps the right settings depend too much on specific needs, or perhaps a detailed explanation makes an article hard to read.
In this article we try to combine the best of both worlds by providing a bash script that installs WordPress on Ubuntu automatically, and by walking through it, explaining what each piece does and the trade-offs we made while developing it. If you are an advanced user, you can skip the article text and just take the script to adapt and use in your own environment. The result of the script is a custom WordPress installation with Let's Encrypt support, running on NGINX Unit and suitable for production use.
The architecture developed for deploying WordPress with NGINX Unit is described in an earlier article; here we additionally configure things that were not covered there (or in most other tutorials):
WordPress CLI
Let's Encrypt and TLS/SSL certificates
Automatic certificate renewal
NGINX caching
NGINX compression
HTTPS and HTTP/2 support
Process automation
The article describes an installation on a single server that hosts the static-content server, the PHP processing server and the database. An installation that supports multiple virtual hosts and services is a possible topic for the future. If you want us to write about something that is not in these articles, tell us in the comments.
Requirements
A container server (LXC or LXD), a virtual machine, or a regular bare-metal server with at least 512MB of RAM and Ubuntu 18.04 or newer installed.
Ports 80 and 443 reachable from the Internet
A domain name associated with the public IP address of this server
Root access (sudo).
Architecture overview
The architecture is the same as described earlier: a three-tier web application. It consists of PHP scripts running on the PHP engine and static files served by the web server.
General principles
Most configuration commands in the script are wrapped in idempotency conditions: the script can be run many times without the risk of changing settings that are already in place.
The script tries to install software from repositories, so you can apply system updates with a single command (apt upgrade on Ubuntu).
The commands try to detect that they are running in a container so that they can adjust their settings accordingly.
To set the number of worker processes to start, the script tries to guess automatic settings that work in containers, virtual machines and hardware servers.
When describing the settings we think first of all about automation, which we hope will become the basis for building your own infrastructure as code.
All commands run as the root user, because they change core system settings, but WordPress itself runs as a regular user.
Setting environment variables
Set the following environment variables before running the script:
WORDPRESS_DB_PASSWORD - the WordPress database password
WORDPRESS_ADMIN_USER - the WordPress administrator's username
WORDPRESS_ADMIN_PASSWORD - the WordPress administrator's password
WORDPRESS_ADMIN_EMAIL - the WordPress administrator's email address
WORDPRESS_URL - the full URL of the WordPress site, starting with https://.
LETS_ENCRYPT_STAGING - empty by default, but by setting the value to 1 you will use the Let's Encrypt staging servers, which is useful when requesting certificates repeatedly while testing your setup; otherwise Let's Encrypt may temporarily block your IP address because of the large number of requests.
The script checks that these WordPress-related variables are set and exits if they are not.
Lines 572-576 of the script check the value of LETS_ENCRYPT_STAGING.
Setting derived environment variables
The script on lines 55-61 sets the following environment variables, either to a hard-coded value or to a value derived from the variables set in the previous section:
DEBIAN_FRONTEND="noninteractive" - tells programs that they are running in a script and that no user interaction is possible.
WORDPRESS_CLI_VERSION="2.4.0" - the version of the WordPress CLI program.
WORDPRESS_CLI_MD5="dedd5a662b80cda66e9e25d44c23b25c" - the checksum of the WordPress CLI 2.4.0 executable (the version is given in the WORDPRESS_CLI_VERSION variable). The script on line 162 uses this value to check that the correct WordPress CLI file has been downloaded.
UPLOAD_MAX_FILESIZE="16M" - the maximum size of a file that can be uploaded to WordPress. This setting is used in several places, so it is convenient to set it once.
TLS_HOSTNAME="$(echo ${WORDPRESS_URL} | cut -d'/' -f3)" - the system hostname, extracted from the WORDPRESS_URL variable. Used to obtain the appropriate TLS/SSL certificates from Let's Encrypt and also for WordPress's internal verification.
NGINX_CONF_DIR="/etc/nginx" - the path to the directory with the NGINX settings, including the main nginx.conf file.
CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}" - the path to the Let's Encrypt certificates for the WordPress site, derived from the TLS_HOSTNAME variable.
Assigning the hostname to the WordPress server
The script sets the server's hostname to match the site's domain name. This is not required, but it is more convenient for sending outgoing mail via SMTP when setting up a single server, as the script configures it.
Script code:
# Change the hostname to be the same as the WordPress hostname
if [ ! "$(hostname)" == "${TLS_HOSTNAME}" ]; then
echo " Changing hostname to ${TLS_HOSTNAME}"
hostnamectl set-hostname "${TLS_HOSTNAME}"
fi
Adding the hostname to /etc/hosts
The WP-Cron add-on, used to run periodic tasks, needs WordPress to be able to reach itself over HTTP. To make sure WP-Cron works correctly in all environments, the script adds a line to the /etc/hosts file so that WordPress can reach itself through the loopback interface:
Script code:
# Add the hostname to /etc/hosts
if [ "$(grep -m1 "${TLS_HOSTNAME}" /etc/hosts)" = "" ]; then
    echo " Adding hostname ${TLS_HOSTNAME} to /etc/hosts so that WordPress can ping itself"
    printf "::1 %s\n127.0.0.1 %s\n" "${TLS_HOSTNAME}" "${TLS_HOSTNAME}" >> /etc/hosts
fi
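The two steps above, deriving TLS_HOSTNAME from WORDPRESS_URL and adding it to the hosts file, as an added example that is not part of the original script. It rejects a URL that is not https:// or that carries a port (Let's Encrypt needs a bare name), and it matches whole names in the hosts file, so an existing entry such as myexample.com does not suppress the addition of example.com the way the script's substring grep would. The hosts file path is a hypothetical parameter so the function can be exercised on a temporary file instead of /etc/hosts:

```shell
#!/bin/sh
# Added example, not from the original script. Function names are hypothetical.

# Print the hostname part of an https:// URL, the same cut -d'/' -f3 derivation
# the script uses, but failing on a wrong scheme or an explicit port.
derive_tls_hostname() {
    url="$1"
    case "$url" in
        https://*) ;;
        *) echo "WORDPRESS_URL must start with https://" >&2; return 1 ;;
    esac
    host="$(printf '%s\n' "$url" | cut -d'/' -f3)"
    case "$host" in
        ""|*:*) echo "WORDPRESS_URL has no usable hostname: $url" >&2; return 1 ;;
    esac
    printf '%s\n' "$host"
}

# Append loopback entries for $2 to hosts file $1 unless a non-comment line
# already lists exactly that name. Returns 0 if the file was changed, 1 if not.
add_loopback_host() {
    hosts_file="$1"
    name="$2"
    # awk compares whole fields, so "example.com" does not match "myexample.com"
    if awk -v n="$name" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                         END { if (found) exit 0; exit 1 }' "$hosts_file"; then
        return 1
    fi
    printf '::1 %s\n127.0.0.1 %s\n' "$name" "$name" >> "$hosts_file"
    return 0
}
```

Run it against a copy of /etc/hosts first; on the real file, the second call for the same name is a no-op, which is the idempotency property the article's principles section asks for.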
Installing the tools needed for the next steps
The rest of the script needs several programs and assumes the repositories are up to date. We update the repository list and then install the required tools:
Script code:
# Make sure tools needed for install are present
echo " Installing prerequisite tools"
apt-get -qq update
apt-get -qq install -y \
    bc \
    ca-certificates \
    coreutils \
    curl \
    gnupg2 \
    lsb-release
Adding the NGINX Unit and NGINX repositories
The script installs NGINX Unit and open source NGINX from the official NGINX repositories to make sure the versions with the latest security patches and bug fixes are used.
The script adds the NGINX Unit repository and then the NGINX repository, adding the repository key and the apt configuration files that define access to the repositories over the network.
The actual installation of NGINX Unit and NGINX happens in the next section. We add the repositories in advance so that we do not have to refresh the metadata several times, which makes the installation faster.
Script code:
# Install the NGINX Unit repository
if [ ! -f /etc/apt/sources.list.d/unit.list ]; then
echo " Installing NGINX Unit repository"
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb https://packages.nginx.org/unit/ubuntu/ $(lsb_release -cs) unit" > /etc/apt/sources.list.d/unit.list
fi
# Install the NGINX repository
if [ ! -f /etc/apt/sources.list.d/nginx.list ]; then
echo " Installing NGINX repository"
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb https://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
fi
Installing NGINX, NGINX Unit, PHP, MariaDB, Certbot (Let's Encrypt) and their dependencies
Once all the repositories have been added, update the metadata and install the software. The packages installed by the script also include the PHP extensions recommended by WordPress.org.
Script code:
echo " Updating repository metadata"
apt-get -qq update
# Install PHP with dependencies and NGINX Unit
echo " Installing PHP, NGINX Unit, NGINX, Certbot, and MariaDB"
apt-get -qq install -y --no-install-recommends \
    certbot \
    python3-certbot-nginx \
    php-cli \
    php-common \
    php-bcmath \
    php-curl \
    php-gd \
    php-imagick \
    php-mbstring \
    php-mysql \
    php-opcache \
    php-xml \
    php-zip \
    ghostscript \
    nginx \
    unit \
    unit-php \
    mariadb-server
Configuring PHP for use with NGINX Unit and WordPress
The script creates a settings file in the conf.d directory. It sets the maximum file size for PHP uploads, directs PHP error output to STDERR so that it is written to the NGINX Unit log, and restarts NGINX Unit.
Script code:
# Find the major and minor PHP version so that we can write to its conf.d directory
PHP_MAJOR_MINOR_VERSION="$(php -v | head -n1 | cut -d' ' -f2 | cut -d'.' -f1,2)"
if [ ! -f "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" ]; then
echo " Configuring PHP for use with NGINX Unit and WordPress"
# Add PHP configuration overrides
cat > "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" << EOM
; Set a larger maximum upload size so that WordPress can handle
; bigger media files.
upload_max_filesize=${UPLOAD_MAX_FILESIZE}
post_max_size=${UPLOAD_MAX_FILESIZE}
; Write error log to STDERR so that error messages show up in the NGINX Unit log
error_log=/dev/stderr
EOM
fi
# Restart NGINX Unit because we have reconfigured PHP
echo " Restarting NGINX Unit"
service unit restart
Defining the MariaDB database settings for WordPress
We chose MariaDB over MySQL because it has more community activity and is also likely to give better performance by default (probably everything is simpler here: to install MySQL you need to add another repository - translator's note).
The script creates a new database and creates credentials for WordPress to access it over the loopback interface:
Script code:
# Set up the WordPress database
echo " Configuring MariaDB for WordPress"
mysqladmin create wordpress || echo "Ignoring above error because database may already exist"
mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO \"wordpress\"@\"localhost\" IDENTIFIED BY \"$WORDPRESS_DB_PASSWORD\"; FLUSH PRIVILEGES;"
Installing the WordPress CLI program
At this step the script installs the WP-CLI program. With it you can install and manage WordPress settings without having to edit files by hand, update the database, or log in to the control panel. It can also be used to install themes and plugins and to update WordPress.
Script code:
if [ ! -f /usr/local/bin/wp ]; then
# Install the WordPress CLI
echo " Installing the WordPress CLI tool"
curl --retry 6 -Ls "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" > /usr/local/bin/wp
echo "$WORDPRESS_CLI_MD5 /usr/local/bin/wp" | md5sum -c -
chmod +x /usr/local/bin/wp
fi
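The checksum step above only works as a safeguard if a mismatch actually stops the installation: `md5sum -c -` prints a warning and returns a non-zero status, but unless the script runs under `set -e` the following `chmod +x` still makes the unverified download executable. The helper below, an added example that is not part of the original script, verifies a downloaded file and refuses to put it in place (deleting the download) when the digest does not match; it accepts the MD5 the script uses as well as SHA-256. Function names and the destination path are hypothetical, and the sample file in the self-check is constructed:

```shell
#!/bin/sh
# Added example, not from the original script. Function names are hypothetical.

# verify_checksum FILE EXPECTED [ALGO]
# ALGO is "md5" (what the original script uses) or "sha256".
# Returns 0 only when the computed digest equals EXPECTED.
verify_checksum() {
    file="$1"
    expected="$2"
    algo="${3:-md5}"
    case "$algo" in
        md5)    actual="$(md5sum "$file" | cut -d' ' -f1)" ;;
        sha256) actual="$(sha256sum "$file" | cut -d' ' -f1)" ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# install_verified SRC DEST EXPECTED [ALGO]
# Moves SRC into place as an executable only after the checksum matches;
# on mismatch SRC is deleted so a corrupted download cannot be run later.
install_verified() {
    src="$1"
    dest="$2"
    expected="$3"
    algo="${4:-md5}"
    if ! verify_checksum "$src" "$expected" "$algo"; then
        rm -f "$src"
        return 1
    fi
    mv "$src" "$dest"
    chmod 755 "$dest"
}
```

In the script this would replace the `curl ... > /usr/local/bin/wp`, `md5sum -c -` and `chmod +x` lines with a download to a temporary path followed by `install_verified "$tmpfile" /usr/local/bin/wp "$WORDPRESS_CLI_MD5" || exit 1`.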
Installing and configuring WordPress
The script installs the latest version of WordPress into the /var/www/wordpress directory and also changes the settings:
The database connection uses a Unix domain socket instead of TCP on loopback, to reduce TCP traffic.
WordPress adds the https:// prefix to the URL if clients connect to NGINX over HTTPS, and the remote hostname (as provided by NGINX) is passed through to PHP. We use a code snippet to set this up.
WordPress requires HTTPS to log in.
The default URL (permalink) structure is based on the post.
The correct file-system permissions are set on the WordPress directory.
Script code:
if [ ! -d /var/www/wordpress ]; then
# Create WordPress directories
mkdir -p /var/www/wordpress
chown -R www-data:www-data /var/www
# Download WordPress using the WordPress CLI
echo " Installing WordPress"
su -s /bin/sh -c 'wp --path=/var/www/wordpress core download' www-data
WP_CONFIG_CREATE_CMD="wp --path=/var/www/wordpress config create --extra-php --dbname=wordpress --dbuser=wordpress --dbhost=\"localhost:/var/run/mysqld/mysqld.sock\" --dbpass=\"${WORDPRESS_DB_PASSWORD}\""
# This snippet is injected into the wp-config.php file when it is created;
# it informs WordPress that we are behind a reverse proxy and as such
# allows it to generate links using HTTPS
cat > /tmp/wp_forwarded_for.php << 'EOM'
/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
$_SERVER['HTTPS'] = 'on';
}
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
EOM
# Create WordPress configuration
su -s /bin/sh -p -c "cat /tmp/wp_forwarded_for.php | ${WP_CONFIG_CREATE_CMD}" www-data
rm /tmp/wp_forwarded_for.php
su -s /bin/sh -p -c "wp --path=/var/www/wordpress config set 'FORCE_SSL_ADMIN' 'true'" www-data
# Install WordPress
WP_SITE_INSTALL_CMD="wp --path=/var/www/wordpress core install --url=\"${WORDPRESS_URL}\" --title=\"${WORDPRESS_SITE_TITLE}\" --admin_user=\"${WORDPRESS_ADMIN_USER}\" --admin_password=\"${WORDPRESS_ADMIN_PASSWORD}\" --admin_email=\"${WORDPRESS_ADMIN_EMAIL}\" --skip-email"
su -s /bin/sh -p -c "${WP_SITE_INSTALL_CMD}" www-data
# Set permalink structure to a sensible default that isn't in the UI
su -s /bin/sh -p -c "wp --path=/var/www/wordpress option update permalink_structure '/%year%/%monthnum%/%postname%/'" www-data
# Remove sample file because it is cruft and could be a security problem
rm /var/www/wordpress/wp-config-sample.php
# Ensure that WordPress permissions are correct
find /var/www/wordpress -type d -exec chmod g+s {} \;
chmod g+w /var/www/wordpress/wp-content
chmod -R g+w /var/www/wordpress/wp-content/themes
chmod -R g+w /var/www/wordpress/wp-content/plugins
fi
Configuring NGINX Unit
The script configures NGINX Unit to run PHP and process WordPress paths, isolating the PHP process namespace and tuning performance settings. There are three things to note here:
Namespace support is decided conditionally, based on a check of whether the script is running in a container. This matters because most container setups do not support launching nested containers.
If there is namespace support, the network namespace is disabled. This allows WordPress both to connect to itself and to be reachable on the web at the same time.
The maximum number of processes is defined as follows: (memory available for running MariaDB and NGINX Unit)/(RAM limit in PHP + 5)
This value is set in the NGINX Unit settings.
This value also means that there are always at least two PHP processes running, which is important because WordPress makes many asynchronous requests to itself, and without extra processes things such as WP-Cron will break. You may want to raise or lower these limits according to your local settings, because the settings created here are conservative. On most production systems the setting is between 10 and 100.
Script code:
if [ "${container:-unknown}" != "lxc" ] && [ "$(grep -m1 -a container=lxc /proc/1/environ | tr -d '\0')" == "" ]; then
NAMESPACES='"namespaces": {
"cgroup": true,
"credential": true,
"mount": true,
"network": false,
"pid": true,
"uname": true
}'
else
NAMESPACES='"namespaces": {}'
fi
# Use the PHP version detected earlier (PHP_MAJOR_MINOR_VERSION) instead of a hard-coded 7.4 path
PHP_MEM_LIMIT="$(grep 'memory_limit' "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/php.ini" | tr -d ' ' | cut -f2 -d= | numfmt --from=iec)"
AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
MAX_PHP_PROCESSES="$(echo "${AVAIL_MEM}/${PHP_MEM_LIMIT}+5" | bc)"
echo " Calculated the maximum number of PHP processes as ${MAX_PHP_PROCESSES}. You may want to tune this value due to variations in your configuration. It is not unusual to see values between 10-100 in production configurations."
echo " Configuring NGINX Unit to use PHP and WordPress"
cat > /tmp/wordpress.json << EOM
{
"settings": {
"http": {
"header_read_timeout": 30,
"body_read_timeout": 30,
"send_timeout": 30,
"idle_timeout": 180,
"max_body_size": $(numfmt --from=iec ${UPLOAD_MAX_FILESIZE})
}
},
"listeners": {
"127.0.0.1:8080": {
"pass": "routes/wordpress"
}
},
"routes": {
"wordpress": [
{
"match": {
"uri": [
"*.php",
"*.php/*",
"/wp-admin/"
]
},
"action": {
"pass": "applications/wordpress/direct"
}
},
{
"action": {
"share": "/var/www/wordpress",
"fallback": {
"pass": "applications/wordpress/index"
}
}
}
]
},
"applications": {
"wordpress": {
"type": "php",
"user": "www-data",
"group": "www-data",
"processes": {
"max": ${MAX_PHP_PROCESSES},
"spare": 1
},
"isolation": {
${NAMESPACES}
},
"targets": {
"direct": {
"root": "/var/www/wordpress/"
},
"index": {
"root": "/var/www/wordpress/",
"script": "index.php"
}
}
}
}
}
EOM
curl -X PUT --data-binary @/tmp/wordpress.json --unix-socket /run/control.unit.sock http://localhost/config
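The process-count calculation above depends on numfmt and bc and on the exact text of php.ini and /proc/meminfo, which makes it hard to sanity-check before letting it drive the Unit configuration. The following is an added example, not part of the original script, that implements the same computation (available memory divided by the PHP memory_limit, plus 5, with integer division as bc does) in plain shell arithmetic so it can be checked on constructed inputs; it also generalizes the size parsing to the K, M and G suffixes PHP accepts. Function names are hypothetical and the meminfo sample in the self-check is constructed:

```shell
#!/bin/sh
# Added example, not from the original script. Function names are hypothetical.

# Convert a php.ini-style size (e.g. 128M, 1G, 512K, 67108864) to bytes.
# PHP treats these suffixes as powers of 1024.
ini_size_to_bytes() {
    value="$1"
    num="${value%[KkMmGg]}"
    case "$value" in
        *[Kk]) echo $((num * 1024)) ;;
        *[Mm]) echo $((num * 1024 * 1024)) ;;
        *[Gg]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# Read MemAvailable (reported in kB) from a meminfo file and return bytes.
# The file path is a parameter so a constructed file can stand in for /proc/meminfo.
mem_available_bytes() {
    meminfo="${1:-/proc/meminfo}"
    kb="$(awk '/^MemAvailable:/ { print $2 }' "$meminfo")"
    echo $((kb * 1024))
}

# Apply the script's formula: avail / limit + 5 (integer division, like bc).
max_php_processes() {
    avail_bytes="$1"
    limit="$2"
    limit_bytes="$(ini_size_to_bytes "$limit")"
    echo $((avail_bytes / limit_bytes + 5))
}
```

With 1 GiB available and the usual 128M memory_limit this yields 13, which is in the conservative range the article describes; as the text notes, production systems commonly run between 10 and 100 and the value should be tuned for the host.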
Configuring NGINX
Configuring the basic NGINX settings
The script creates a directory for the NGINX cache and then creates the main configuration file, nginx.conf. Note the number of worker processes and the setting for the maximum size of an uploaded file. There is also a line that includes the compression settings file defined in the next section, followed by the caching settings.
Compressing content on the fly before sending it to clients is a good way to improve site performance, but only if compression is configured correctly. This part of the script is based on the following settings.
Script code:
cat > ${NGINX_CONF_DIR}/gzip_compression.conf << 'EOM'
# Credit: https://github.com/h5bp/server-configs-nginx/
# ----------------------------------------------------------------------
# | Compression |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 6;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.ms-fontobject
application/wasm
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/bmp
image/svg+xml
text/cache-manifest
text/calendar
text/css
text/javascript
text/markdown
text/plain
text/xml
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
EOM
Configuring NGINX for WordPress
Next, the script creates the configuration file for WordPress, default.conf, in the conf.d directory. It is configured here to:
Enable the TLS certificates obtained from Let's Encrypt via Certbot (their setup is in the next section)
Configure the TLS security settings based on the recommendations from Let's Encrypt
Enable caching of proxied requests for 1 hour by default
Disable access logging, as well as error logging when the file is not found, for two commonly requested files: favicon.ico and robots.txt
Deny access to hidden files and to certain .php files, to prevent unauthorized access or unexpected execution
Disable access logging for static files and fonts
Add routing to index.php and other static content.
Script code:
cat > ${NGINX_CONF_DIR}/conf.d/default.conf << EOM
upstream unit_php_upstream {
    server 127.0.0.1:8080;
    keepalive 32;
}
server {
    listen 80;
    listen [::]:80;
    # ACME-challenge used by Certbot for Let's Encrypt
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://${TLS_HOSTNAME}\$request_uri;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${TLS_HOSTNAME};
    root /var/www/wordpress/;
    # Let's Encrypt configuration
    ssl_certificate ${CERT_DIR}/fullchain.pem;
    ssl_certificate_key ${CERT_DIR}/privkey.pem;
    ssl_trusted_certificate ${CERT_DIR}/chain.pem;
    include ${NGINX_CONF_DIR}/options-ssl-nginx.conf;
    ssl_dhparam ${NGINX_CONF_DIR}/ssl-dhparams.pem;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # Proxy caching
    proxy_cache wp_cache;
    proxy_cache_valid 200 302 1h;
    proxy_cache_valid 404 1m;
    proxy_cache_revalidate on;
    proxy_cache_background_update on;
    proxy_cache_lock on;
    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # Deny all attempts to access hidden files such as .htaccess, .htpasswd,
    # .DS_Store (Mac)
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban)
    location ~ /\. {
        deny all;
    }
    # Deny access to any files with a .php extension in the uploads directory;
    # works in subdirectory installs and also in multi-site network.
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban).
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }
    # WordPress: deny access to wp-content, wp-includes PHP files
    location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
        deny all;
    }
    # Deny public access to wp-config.php
    location ~* wp-config\.php {
        deny all;
    }
    # Do not log access for static assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        access_log off;
    }
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        access_log off;
    }
    location / {
        try_files \$uri @index_php;
    }
    location @index_php {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$host;
        proxy_pass http://unit_php_upstream;
    }
    location ~* \.php$ {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$host;
        try_files \$uri =404;
        proxy_pass http://unit_php_upstream;
    }
}
EOM
Setting up Certbot for Let's Encrypt certificates and their automatic renewal
Certbot is a free tool from the Electronic Frontier Foundation (EFF) that lets you obtain and automatically renew TLS certificates from Let's Encrypt. The script does the following to set up Certbot to handle Let's Encrypt certificates in NGINX:
Stops NGINX
Downloads the recommended TLS settings
Runs Certbot to obtain certificates for the site
Restarts NGINX to use the certificates
Configures Certbot to run every day at 3:24 AM to check whether the certificates need renewing and, if so, download new certificates and reload NGINX.
Script code:
echo " Stopping NGINX in order to set up Let's Encrypt"
service nginx stop
mkdir -p /var/www/certbot
chown www-data:www-data /var/www/certbot
chmod g+s /var/www/certbot
if [ ! -f ${NGINX_CONF_DIR}/options-ssl-nginx.conf ]; then
    echo " Downloading recommended TLS parameters"
    curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:36:07 GMT" \
        -o "${NGINX_CONF_DIR}/options-ssl-nginx.conf" \
        "https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf" \
        || echo "Couldn't download latest options-ssl-nginx.conf"
fi
if [ ! -f ${NGINX_CONF_DIR}/ssl-dhparams.pem ]; then
    echo " Downloading recommended TLS DH parameters"
    curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:49:18 GMT" \
        -o "${NGINX_CONF_DIR}/ssl-dhparams.pem" \
        "https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem" \
        || echo "Couldn't download latest ssl-dhparams.pem"
fi
# If tls_certs_init.sh hasn't been run before, remove the self-signed certs
if [ ! -d "/etc/letsencrypt/accounts" ]; then
echo " Removing self-signed certificates"
rm -rf "${CERT_DIR}"
fi
if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
CERTBOT_STAGING_FLAG=""
else
CERTBOT_STAGING_FLAG="--staging"
fi
if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
    echo " Generating certificates with Let's Encrypt"
    certbot certonly --standalone \
        -m "${WORDPRESS_ADMIN_EMAIL}" \
        ${CERTBOT_STAGING_FLAG} \
        --agree-tos --force-renewal --non-interactive \
        -d "${TLS_HOSTNAME}"
fi
echo " Starting NGINX in order to use new configuration"
service nginx start
# Write crontab for periodic Let's Encrypt cert renewal
if [ "$(crontab -l | grep -m1 'certbot renew')" == "" ]; then
echo " Adding certbot to crontab for automatic Let's Encrypt renewal"
(crontab -l 2>/dev/null; echo "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'") | crontab -
fi
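Two small decisions in the Certbot section decide whether the site ends up with a browser-trusted certificate and whether re-running the installer schedules duplicate renewals: the mapping of LETS_ENCRYPT_STAGING to the --staging flag (staging certificates are issued by an untrusted CA and must only be used while testing), and the idempotent crontab update. Below is an added example, not part of the original script, that isolates both as functions: the crontab one reads the existing crontab from stdin and prints the updated one, so it can be verified without touching the real crontab. Function names are hypothetical:

```shell
#!/bin/sh
# Added example, not from the original script. Function names are hypothetical.

# Map LETS_ENCRYPT_STAGING to the certbot flag: "" or "0" means production,
# anything else selects the staging environment (untrusted test certificates).
certbot_staging_flag() {
    case "${1:-}" in
        ""|0) echo "" ;;
        *)    echo "--staging" ;;
    esac
}

# Given the existing crontab on stdin, print it with RENEW_LINE appended once.
# An entry containing 'certbot renew' counts as already present, the same test
# the script uses. Returns 0 if a line was added, 1 if it was already there.
add_renewal_cron() {
    renew_line="$1"
    existing="$(cat)"
    if printf '%s\n' "$existing" | grep -q 'certbot renew'; then
        printf '%s\n' "$existing"
        return 1
    fi
    if [ -n "$existing" ]; then
        printf '%s\n' "$existing"
    fi
    printf '%s\n' "$renew_line"
    return 0
}
```

On a live host the update would be `crontab -l 2>/dev/null | add_renewal_cron "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'" | crontab -`, which leaves an existing entry untouched on a second run.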
Further customization of your site
Above we discussed how our script configures NGINX and NGINX Unit to serve a production-ready site with TLS/SSL enabled. Depending on your needs, you can also add in the future:
Brotli support, improved on-the-fly compression over HTTPS
Monitoring of your site, to understand how much traffic it can handle
For the best site performance we recommend upgrading to NGINX Plus, our commercial, enterprise-grade product based on open source NGINX. Its customers receive a dynamically loaded Brotli module, and also (for an additional fee) the NGINX ModSecurity WAF. We also offer NGINX App Protect, a WAF module for NGINX Plus based on industry-leading security technology from F5.
NB: For help with a heavily loaded site, you can contact the Southbridge specialists. We will ensure fast and reliable operation of your site or service under any load.