Automating WordPress installation with NGINX Unit and Ubuntu
There are many guides on how to install WordPress; a Google search for "WordPress install" returns close to half a million results. Yet very few of them are guides you can actually follow to install and configure WordPress and the underlying operating system so that both can be maintained for a long time. Perhaps the right settings depend too much on specific needs, or perhaps a detailed explanation makes an article hard to read.
In this article we try to combine the best of both worlds: we provide a bash script that installs WordPress on Ubuntu automatically, and we explain what each part does and the trade-offs we made while writing it. If you are an advanced user, you can skip the text and simply take the script to adapt and use in your environment. The script's output is a custom WordPress installation running on NGINX Unit, with Let's Encrypt support, suitable for production.
The architecture we developed for deploying WordPress with NGINX Unit is described in an earlier article; here we additionally configure things that were not covered there (and that many other guides also leave out):
WordPress CLI
Let's Encrypt and TLS/SSL certificates
Automatic certificate renewal
NGINX caching
NGINX compression
HTTPS and HTTP/2 support
Process automation
The article describes a single-server installation where the static file server, the PHP application server and the database all run on one host. An installation supporting multiple virtual hosts and services is a potential topic for the future. If you would like us to write about something these articles do not cover, tell us in the comments.
Requirements
A container (LXC or LXD), a virtual machine, or a plain bare-metal server with at least 512 MB of RAM and Ubuntu 18.04 or newer.
Ports 80 and 443 reachable from the Internet
A domain name associated with this server's public IP address
Root access (sudo).
Architecture overview
The architecture is the same as described earlier: a three-tier web application. It consists of PHP scripts running on the PHP engine and static files served by the web server.
General principles
Many of the configuration commands in the script are wrapped in idempotency conditions: the script can be run several times without the risk of changing settings that already exist.
The script tries to install software from repositories, so that system updates can be applied with a single command (apt upgrade on Ubuntu).
The commands try to detect whether they are running in a container, so that they can adjust their settings accordingly.
To set the number of worker processes to start, the script tries to pick values automatically that work for containers, virtual machines and hardware servers.
When describing the settings we always think of automation first, hoping this will serve as a basis for building your own infrastructure as code.
All commands are run as the root user, since they change core system settings, but WordPress itself runs as a regular user.
Setting environment variables
Before running the script, set the following environment variables:
WORDPRESS_DB_PASSWORD - the WordPress database password
WORDPRESS_ADMIN_USER - the WordPress administrator name
WORDPRESS_ADMIN_EMAIL - the WordPress administrator e-mail
WORDPRESS_URL - the full URL of the WordPress site, starting with https://.
LETS_ENCRYPT_STAGING - empty by default, but by setting it to 1 you use the Let's Encrypt staging servers, which is needed when you test your settings and request certificates frequently; otherwise Let's Encrypt may temporarily block your IP address because of the large number of requests.
The script checks that these WordPress-related variables are set and exits if they are not.
Lines 572-576 of the script check the value of LETS_ENCRYPT_STAGING.
Setting derived environment variables
In lines 55-61 the script sets the following environment variables, either to a hard-coded value or to a value derived from the variables set in the previous section:
DEBIAN_FRONTEND="noninteractive" - tells applications that they are running in a script and that there is no way to interact with the user.
WORDPRESS_CLI_MD5="dedd5a662b80cda66e9e25d44c23b25c" - the checksum of the WordPress CLI 2.4.0 executable (the version is specified in the WORDPRESS_CLI_VERSION variable). Line 162 of the script uses this value to verify that the correct WordPress CLI file has been downloaded.
UPLOAD_MAX_FILESIZE="16M" - the maximum file size that can be uploaded to WordPress. This setting is used in several places, so it is easier to set it once.
TLS_HOSTNAME="$(echo ${WORDPRESS_URL} | cut -d'/' -f3)" - the system's hostname, derived from the WORDPRESS_URL variable. Used to obtain the corresponding TLS/SSL certificates from Let's Encrypt and for WordPress's internal check.
NGINX_CONF_DIR="/etc/nginx" - the path to the directory with the NGINX settings, including the main nginx.conf file.
CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}" - the path to the Let's Encrypt certificates for the WordPress site, derived from TLS_HOSTNAME.
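The variable checks above, as an added example that is not part of the original script: it validates the required variables, derives the TLS hostname from WORDPRESS_URL (also handling a port or path, which the script's cut does not) and maps LETS_ENCRYPT_STAGING to the certbot flag. The function names are assumptions.

```shell
#!/bin/sh
# Added example, not the script's own code.

# tls_hostname_from_url URL: print the host part of an https:// URL.
# Returns 1 for any other scheme, since the script requires https://.
tls_hostname_from_url() {
    url="$1"
    case "$url" in
        https://*) ;;
        *) return 1 ;;
    esac
    host="${url#https://}"   # drop the scheme
    host="${host%%/*}"       # drop any path
    host="${host%%:*}"       # drop any explicit port
    [ -n "$host" ] || return 1
    printf '%s\n' "$host"
}

# check_required_env: verify that every variable the script needs is set and
# non-empty. Lists the missing names on stderr and returns 1 if any are missing.
check_required_env() {
    missing=""
    for name in WORDPRESS_DB_PASSWORD WORDPRESS_ADMIN_USER \
                WORDPRESS_ADMIN_EMAIL WORDPRESS_URL; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "Missing required environment variables:$missing" >&2
        return 1
    fi
    return 0
}

# certbot_staging_flag: empty or "0" means production (no flag); anything
# else selects the Let's Encrypt staging environment.
certbot_staging_flag() {
    case "${LETS_ENCRYPT_STAGING:-}" in
        ""|0) printf '%s\n' "" ;;
        *)    printf '%s\n' "--staging" ;;
    esac
}
```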
Assigning the hostname to the WordPress server
The script sets the server's hostname to match the site's domain name. This is not required, but on a single-server installation as configured by the script it makes sending outgoing mail via SMTP more convenient.
Script code
# Change the hostname to be the same as the WordPress hostname
if [ ! "$(hostname)" == "${TLS_HOSTNAME}" ]; then
echo " Changing hostname to ${TLS_HOSTNAME}"
hostnamectl set-hostname "${TLS_HOSTNAME}"
fi
Adding the hostname to /etc/hosts
In addition, WP-Cron, which is used to run periodic tasks, requires WordPress to be able to reach itself over HTTP. To make sure WP-Cron works correctly in all environments, the script adds a line to /etc/hosts so that WordPress can reach itself through the loopback interface:
Script code
# Add the hostname to /etc/hosts
if [ "$(grep -m1 "${TLS_HOSTNAME}" /etc/hosts)" = "" ]; then
echo " Adding hostname ${TLS_HOSTNAME} to /etc/hosts so that WordPress can ping itself"
printf "::1 %s\n127.0.0.1 %s\n" "${TLS_HOSTNAME}" "${TLS_HOSTNAME}" >> /etc/hosts
fi
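The same /etc/hosts step as an added example (not the script's own code), with the presence check matching the hostname as a whole field rather than as a substring, so an existing entry for a longer name does not suppress the new one; the hosts file path is a parameter so the functions can be tried on a copy.

```shell
#!/bin/sh
# Added example, not the script's own code.

# hosts_entry_present FILE HOST: return 0 if FILE has a non-comment line
# whose hostname/alias field is exactly HOST, 1 otherwise.
hosts_entry_present() {
    hosts_file="$1"; host="$2"
    awk -v h="$host" '
        /^[ \t]*#/ { next }                           # skip comment lines
        { for (i = 2; i <= NF; i++) if ($i == h) { found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$hosts_file"
}

# ensure_hosts_entry FILE HOST: append IPv6 and IPv4 loopback entries for HOST
# unless an entry already exists. Safe to run repeatedly.
ensure_hosts_entry() {
    hosts_file="$1"; host="$2"
    if hosts_entry_present "$hosts_file" "$host"; then
        return 0
    fi
    printf '::1 %s\n127.0.0.1 %s\n' "$host" "$host" >> "$hosts_file"
}
```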
Installing the tools needed for the next steps
The rest of the script needs some programs and assumes that the repositories are up to date. We update the repository list and then install the required tools:
Script code
# Make sure tools needed for install are present
echo " Installing prerequisite tools"
apt-get -qq update
apt-get -qq install -y \
bc \
ca-certificates \
coreutils \
curl \
gnupg2 \
lsb-release
Adding the NGINX Unit and NGINX repositories
The script installs NGINX Unit and open-source NGINX from the official NGINX repositories, making sure that versions with the latest security patches and bug fixes are used.
The script adds the NGINX Unit repository and then the NGINX repository, installing the repository signing key and the apt configuration files that define how the repositories are reached over the Internet.
The actual installation of NGINX Unit and NGINX happens in the next section. We add the repositories in advance so that we do not have to update the metadata several times, which speeds up the installation.
Script code
# Install the NGINX Unit repository
if [ ! -f /etc/apt/sources.list.d/unit.list ]; then
echo " Installing NGINX Unit repository"
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb https://packages.nginx.org/unit/ubuntu/ $(lsb_release -cs) unit" > /etc/apt/sources.list.d/unit.list
fi
# Install the NGINX repository
if [ ! -f /etc/apt/sources.list.d/nginx.list ]; then
echo " Installing NGINX repository"
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb https://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
fi
Installing NGINX, NGINX Unit, PHP, MariaDB, Certbot (Let's Encrypt) and their dependencies
Once all repositories have been added, update the metadata and install the applications. The packages installed by the script also include the PHP extensions that WordPress.org recommends for running WordPress.
Script code
echo " Updating repository metadata"
apt-get -qq update
# Install PHP with dependencies and NGINX Unit
echo " Installing PHP, NGINX Unit, NGINX, Certbot, and MariaDB"
apt-get -qq install -y --no-install-recommends \
certbot \
python3-certbot-nginx \
php-cli \
php-common \
php-bcmath \
php-curl \
php-gd \
php-imagick \
php-mbstring \
php-mysql \
php-opcache \
php-xml \
php-zip \
ghostscript \
nginx \
unit \
unit-php \
mariadb-server
Configuring PHP for use with NGINX Unit and WordPress
The script creates a settings file in the conf.d directory. It sets the maximum file size for PHP uploads, enables PHP error output to STDERR so that errors end up in the NGINX Unit log, and restarts NGINX Unit.
Script code
# Find the major and minor PHP version so that we can write to its conf.d directory
PHP_MAJOR_MINOR_VERSION="$(php -v | head -n1 | cut -d' ' -f2 | cut -d'.' -f1,2)"
if [ ! -f "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" ]; then
echo " Configuring PHP for use with NGINX Unit and WordPress"
# Add PHP configuration overrides
cat > "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" << EOM
; Set a larger maximum upload size so that WordPress can handle
; bigger media files.
upload_max_filesize=${UPLOAD_MAX_FILESIZE}
post_max_size=${UPLOAD_MAX_FILESIZE}
; Write error log to STDERR so that error messages show up in the NGINX Unit log
error_log=/dev/stderr
EOM
fi
# Restart NGINX Unit because we have reconfigured PHP
echo " Restarting NGINX Unit"
service unit restart
Configuring the MariaDB database for WordPress
We chose MariaDB over MySQL because it has more community activity and probably delivers better performance out of the box (it may be simpler than that: to install MySQL you would have to add another repository; translator's note).
The script creates a new database and credentials for WordPress to access it over the loopback interface:
Script code
# Set up the WordPress database
echo " Configuring MariaDB for WordPress"
mysqladmin create wordpress || echo "Ignoring above error because database may already exist"
mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost' IDENTIFIED BY '${WORDPRESS_DB_PASSWORD}'; FLUSH PRIVILEGES;"
Installing the WordPress CLI
In this step the script installs WP-CLI. With it you can install and manage WordPress settings without manually editing files, updating the database or logging in to the administration panel. It can also be used to install themes and plugins and to update WordPress.
Script code
if [ ! -f /usr/local/bin/wp ]; then
# Install the WordPress CLI
echo " Installing the WordPress CLI tool"
curl --retry 6 -Ls "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" > /usr/local/bin/wp
echo "$WORDPRESS_CLI_MD5 /usr/local/bin/wp" | md5sum -c -
chmod +x /usr/local/bin/wp
fi
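A download-and-verify helper as an added example (not the script's own code): in the block above a checksum mismatch only prints a message, so the chmod +x still runs and the unverified file stays in place. Here the file is installed only after the digest matches; verify_digest and fetch_and_verify are hypothetical names, and the digest tool defaults to md5sum to match the script (sha256sum and friends work the same way).

```shell
#!/bin/sh
# Added example, not the script's own code.

# verify_digest FILE EXPECTED [TOOL]: compare FILE's digest with EXPECTED
# using TOOL (md5sum by default, as in the script). On mismatch the file is
# removed and 1 is returned, so a bad artifact never lingers on disk.
verify_digest() {
    file="$1"; expected="$2"; tool="${3:-md5sum}"
    actual="$("$tool" "$file" | cut -d' ' -f1)"
    if [ "$actual" != "$expected" ]; then
        echo "Digest mismatch for $file: got $actual, expected $expected" >&2
        rm -f "$file"
        return 1
    fi
    return 0
}

# fetch_and_verify URL EXPECTED DEST [TOOL]: download to a temporary file next
# to DEST, verify it, and only then make it executable and move it into place.
# Nothing is written to DEST unless the digest matched.
fetch_and_verify() {
    url="$1"; expected="$2"; dest="$3"; tool="${4:-md5sum}"
    tmp="$(mktemp "${dest}.XXXXXX")" || return 1
    if ! curl --retry 6 -fsSL -o "$tmp" "$url"; then
        echo "Download of $url failed" >&2
        rm -f "$tmp"
        return 1
    fi
    verify_digest "$tmp" "$expected" "$tool" || return 1
    chmod 0755 "$tmp" && mv "$tmp" "$dest"
}

# Usage in the script's terms (assumed variables from the page):
#   fetch_and_verify "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" \
#       "$WORDPRESS_CLI_MD5" /usr/local/bin/wp || exit 1
```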
Installing and configuring WordPress
The script installs the latest version of WordPress into the /var/www/wordpress directory and also changes the settings:
The database connection works over a Unix domain socket instead of TCP, to reduce TCP traffic.
WordPress prefixes URLs with https:// when clients connect to NGINX over HTTPS, and the remote hostname (as provided by NGINX) is passed on to PHP. We use a code snippet to set this up.
HTTPS is required for logging in to WordPress
The default URL structure is resource-based
Correct file system permissions are set on the WordPress directory.
Script code
if [ ! -d /var/www/wordpress ]; then
# Create WordPress directories
mkdir -p /var/www/wordpress
chown -R www-data:www-data /var/www
# Download WordPress using the WordPress CLI
echo " Installing WordPress"
su -s /bin/sh -c 'wp --path=/var/www/wordpress core download' www-data
WP_CONFIG_CREATE_CMD="wp --path=/var/www/wordpress config create --extra-php --dbname=wordpress --dbuser=wordpress --dbhost=\"localhost:/var/run/mysqld/mysqld.sock\" --dbpass=\"${WORDPRESS_DB_PASSWORD}\""
# This snippet is injected into the wp-config.php file when it is created;
# it informs WordPress that we are behind a reverse proxy and as such
# allows it to generate links using HTTPS
cat > /tmp/wp_forwarded_for.php << 'EOM'
/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
$_SERVER['HTTPS'] = 'on';
}
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
EOM
# Create WordPress configuration
su -s /bin/sh -p -c "cat /tmp/wp_forwarded_for.php | ${WP_CONFIG_CREATE_CMD}" www-data
rm /tmp/wp_forwarded_for.php
su -s /bin/sh -p -c "wp --path=/var/www/wordpress config set 'FORCE_SSL_ADMIN' 'true'" www-data
# Install WordPress
WP_SITE_INSTALL_CMD="wp --path=/var/www/wordpress core install --url=\"${WORDPRESS_URL}\" --title=\"${WORDPRESS_SITE_TITLE}\" --admin_user=\"${WORDPRESS_ADMIN_USER}\" --admin_password=\"${WORDPRESS_ADMIN_PASSWORD}\" --admin_email=\"${WORDPRESS_ADMIN_EMAIL}\" --skip-email"
su -s /bin/sh -p -c "${WP_SITE_INSTALL_CMD}" www-data
# Set permalink structure to a sensible default that isn't in the UI
su -s /bin/sh -p -c "wp --path=/var/www/wordpress option update permalink_structure '/%year%/%monthnum%/%postname%/'" www-data
# Remove sample file because it is cruft and could be a security problem
rm /var/www/wordpress/wp-config-sample.php
# Ensure that WordPress permissions are correct
find /var/www/wordpress -type d -exec chmod g+s {} \;
chmod g+w /var/www/wordpress/wp-content
chmod -R g+w /var/www/wordpress/wp-content/themes
chmod -R g+w /var/www/wordpress/wp-content/plugins
fi
Configuring NGINX Unit
The script configures NGINX Unit to run PHP and handle WordPress paths, isolates the PHP process namespaces and tunes the performance parameters. Three features deserve attention here:
Namespace support is enabled conditionally, based on a check of whether the script is running in a container. This is necessary because most container setups do not support nested containers.
If namespaces are supported, the network namespace is disabled. This lets WordPress connect to both endpoints and be reachable on the Internet at the same time.
The maximum number of processes is determined as: (memory available for running MariaDB and NGINX Unit) / (PHP memory limit) + 5
This value is set in the NGINX Unit settings.
This value also means that there are always at least two PHP processes running, which matters because WordPress makes many asynchronous requests to itself, and without extra processes WP-Cron, for example, would stop working. You may want to raise or lower these limits based on your local settings, since the settings generated here are conservative. On most production systems the value is between 10 and 100.
Script code
if [ "${container:-unknown}" != "lxc" ] && [ "$(grep -m1 -a container=lxc /proc/1/environ | tr -d '\0')" == "" ]; then
NAMESPACES='"namespaces": {
"cgroup": true,
"credential": true,
"mount": true,
"network": false,
"pid": true,
"uname": true
}'
else
NAMESPACES='"namespaces": {}'
fi
# Use the PHP version detected earlier rather than a hard-coded path
PHP_MEM_LIMIT="$(grep 'memory_limit' /etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/php.ini | tr -d ' ' | cut -f2 -d= | numfmt --from=iec)"
AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
MAX_PHP_PROCESSES="$(echo "${AVAIL_MEM}/${PHP_MEM_LIMIT}+5" | bc)"
echo " Calculated the maximum number of PHP processes as ${MAX_PHP_PROCESSES}. You may want to tune this value due to variations in your configuration. It is not unusual to see values between 10-100 in production configurations."
echo " Configuring NGINX Unit to use PHP and WordPress"
cat > /tmp/wordpress.json << EOM
{
"settings": {
"http": {
"header_read_timeout": 30,
"body_read_timeout": 30,
"send_timeout": 30,
"idle_timeout": 180,
"max_body_size": $(numfmt --from=iec ${UPLOAD_MAX_FILESIZE})
}
},
"listeners": {
"127.0.0.1:8080": {
"pass": "routes/wordpress"
}
},
"routes": {
"wordpress": [
{
"match": {
"uri": [
"*.php",
"*.php/*",
"/wp-admin/"
]
},
"action": {
"pass": "applications/wordpress/direct"
}
},
{
"action": {
"share": "/var/www/wordpress",
"fallback": {
"pass": "applications/wordpress/index"
}
}
}
]
},
"applications": {
"wordpress": {
"type": "php",
"user": "www-data",
"group": "www-data",
"processes": {
"max": ${MAX_PHP_PROCESSES},
"spare": 1
},
"isolation": {
${NAMESPACES}
},
"targets": {
"direct": {
"root": "/var/www/wordpress/"
},
"index": {
"root": "/var/www/wordpress/",
"script": "index.php"
}
}
}
}
}
EOM
curl -X PUT --data-binary @/tmp/wordpress.json --unix-socket /run/control.unit.sock http://localhost/config
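The process-count formula from this section as an added example (not the script's own code), written so the inputs are arguments and can be checked without /proc/meminfo; it goes beyond the script by handling a memory_limit of -1 (unlimited), which would otherwise break the division. parse_iec, max_php_processes and max_php_processes_from_system are hypothetical names; parse_iec stands in for numfmt --from=iec.

```shell
#!/bin/sh
# Added example, not the script's own code.

# parse_iec SIZE: convert php.ini-style sizes ("256M", "1G", "512K") or a
# plain byte count to bytes, using 1024-based units as PHP does.
parse_iec() {
    size="$1"
    num="${size%[KkMmGg]}"
    case "$size" in
        *[Kk]) echo $(( num * 1024 )) ;;
        *[Mm]) echo $(( num * 1024 * 1024 )) ;;
        *[Gg]) echo $(( num * 1024 * 1024 * 1024 )) ;;
        *)     echo $(( size )) ;;
    esac
}

# max_php_processes AVAIL_KB MEM_LIMIT: AVAIL_KB is MemAvailable from
# /proc/meminfo (in kB); MEM_LIMIT is the memory_limit string from php.ini.
# Implements (available memory) / (PHP memory limit) + 5 from the text.
max_php_processes() {
    avail_bytes=$(( $1 * 1024 ))
    limit="$2"
    if [ "$limit" = "-1" ]; then
        # Unlimited per-process memory: the division is meaningless, so fall
        # back to 5, the constant term of the formula.
        echo 5
        return 0
    fi
    limit_bytes=$(parse_iec "$limit")
    echo $(( avail_bytes / limit_bytes + 5 ))
}

# max_php_processes_from_system INI_PATH: read the live values the way the
# script does. Requires a Linux host with PHP installed; the php.ini path is a
# parameter so the PHP version is not hard-coded.
max_php_processes_from_system() {
    ini_path="$1"
    limit="$(grep -m1 '^memory_limit' "$ini_path" | tr -d ' ' | cut -d= -f2)"
    avail_kb="$(awk '/^MemAvailable:/ { print $2 }' /proc/meminfo)"
    max_php_processes "$avail_kb" "$limit"
}
```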
Configuring NGINX
Configuring the main NGINX settings
The script creates a directory for the NGINX cache and then creates the main configuration file nginx.conf. Note the number of worker processes and the maximum upload file size. There is also a line that includes the compression settings file defined in the next section, followed by the caching settings.
Compressing content on the fly before sending it to clients is an excellent way to improve site performance, but only if compression is configured correctly. This part of the script is based on these settings.
Script code
cat > ${NGINX_CONF_DIR}/gzip_compression.conf << 'EOM'
# Credit: https://github.com/h5bp/server-configs-nginx/
# ----------------------------------------------------------------------
# | Compression |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 6;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.ms-fontobject
application/wasm
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/bmp
image/svg+xml
text/cache-manifest
text/calendar
text/css
text/javascript
text/markdown
text/plain
text/xml
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
EOM
Configuring NGINX for WordPress
Next, the script creates the WordPress configuration file default.conf in the conf.d directory. It configures:
Enabling the TLS certificates obtained from Let's Encrypt via Certbot (configured in the next section)
TLS security settings based on Let's Encrypt recommendations
Caching of proxied requests for 1 hour by default
Disabling the access log, and the error log when the file is not found, for two commonly requested files: favicon.ico and robots.txt
Denying access to hidden files and to certain .php files, to prevent unauthorised access or unintended execution
Disabling the access log for static and font files
Adding routing for index.php and other static content.
Script code
cat > ${NGINX_CONF_DIR}/conf.d/default.conf << EOM
upstream unit_php_upstream {
server 127.0.0.1:8080;
keepalive 32;
}
server {
listen 80;
listen [::]:80;
# ACME-challenge used by Certbot for Let's Encrypt
location ^~ /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://${TLS_HOSTNAME}\$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${TLS_HOSTNAME};
root /var/www/wordpress/;
# Let's Encrypt configuration
ssl_certificate ${CERT_DIR}/fullchain.pem;
ssl_certificate_key ${CERT_DIR}/privkey.pem;
ssl_trusted_certificate ${CERT_DIR}/chain.pem;
include ${NGINX_CONF_DIR}/options-ssl-nginx.conf;
ssl_dhparam ${NGINX_CONF_DIR}/ssl-dhparams.pem;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# Proxy caching
proxy_cache wp_cache;
proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1m;
proxy_cache_revalidate on;
proxy_cache_background_update on;
proxy_cache_lock on;
proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd,
# .DS_Store (Mac)
# Keep logging the requests to parse later (or to pass to firewall utilities
# such as fail2ban)
location ~ /\. {
deny all;
}
# Deny access to any files with a .php extension in the uploads directory;
# works in subdirectory installs and also in multi-site network.
# Keep logging the requests to parse later (or to pass to firewall utilities
# such as fail2ban).
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# WordPress: deny access to wp-content, wp-includes PHP files
location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
deny all;
}
# Deny public access to wp-config.php
location ~* wp-config\.php {
deny all;
}
# Do not log access for static assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
access_log off;
}
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
add_header Access-Control-Allow-Origin "*";
access_log off;
}
location / {
try_files \$uri @index_php;
}
location @index_php {
proxy_socket_keepalive on;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_set_header Host \$host;
proxy_pass http://unit_php_upstream;
}
location ~* \.php$ {
proxy_socket_keepalive on;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_set_header Host \$host;
try_files \$uri =404;
proxy_pass http://unit_php_upstream;
}
}
EOM
Configuring Certbot for Let's Encrypt certificates and their automatic renewal
Certbot is a free tool from the Electronic Frontier Foundation (EFF) that lets you obtain TLS certificates from Let's Encrypt and renew them automatically. To configure Certbot to handle Let's Encrypt certificates for NGINX, the script does the following:
Stops NGINX
Downloads the recommended TLS settings
Runs Certbot to obtain certificates for the site
Restarts NGINX so that it uses the certificates
Configures Certbot to run daily at 3:24 to check whether the certificates need renewing and, if so, to obtain new certificates and reload NGINX.
Script code
echo " Stopping NGINX in order to set up Let's Encrypt"
service nginx stop
mkdir -p /var/www/certbot
chown www-data:www-data /var/www/certbot
chmod g+s /var/www/certbot
if [ ! -f ${NGINX_CONF_DIR}/options-ssl-nginx.conf ]; then
echo " Downloading recommended TLS parameters"
curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:36:07 GMT" \
-o "${NGINX_CONF_DIR}/options-ssl-nginx.conf" \
"https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf" \
|| echo "Couldn't download latest options-ssl-nginx.conf"
fi
if [ ! -f ${NGINX_CONF_DIR}/ssl-dhparams.pem ]; then
echo " Downloading recommended TLS DH parameters"
curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:49:18 GMT" \
-o "${NGINX_CONF_DIR}/ssl-dhparams.pem" \
"https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem" \
|| echo "Couldn't download latest ssl-dhparams.pem"
fi
# If tls_certs_init.sh hasn't been run before, remove the self-signed certs
if [ ! -d "/etc/letsencrypt/accounts" ]; then
echo " Removing self-signed certificates"
rm -rf "${CERT_DIR}"
fi
if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
CERTBOT_STAGING_FLAG=""
else
CERTBOT_STAGING_FLAG="--staging"
fi
if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
echo " Generating certificates with Let's Encrypt"
certbot certonly --standalone \
-m "${WORDPRESS_ADMIN_EMAIL}" \
${CERTBOT_STAGING_FLAG} \
--agree-tos --force-renewal --non-interactive \
-d "${TLS_HOSTNAME}"
fi
echo " Starting NGINX in order to use new configuration"
service nginx start
# Write crontab for periodic Let's Encrypt cert renewal
if [ "$(crontab -l | grep -m1 'certbot renew')" == "" ]; then
echo " Adding certbot to crontab for automatic Let's Encrypt renewal"
(crontab -l 2>/dev/null; echo "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'") | crontab -
fi
Further configuration of your site
Above we described how our script configures NGINX and NGINX Unit to serve a production-ready site with TLS/SSL enabled. Depending on your needs, you may also add the following in the future:
Brotli support, for better on-the-fly compression over HTTPS
Postfix or msmtp so that WordPress can send mail
Load-testing your site to understand how much traffic it can handle
For even better site performance we recommend upgrading to NGINX Plus, our commercial, enterprise-grade product based on open-source NGINX. Its subscribers get a dynamically loaded Brotli module, as well as (for an additional fee) the NGINX ModSecurity WAF. We also offer NGINX App Protect, a WAF module for NGINX Plus based on F5's industry-leading security technology.
NB: For support of a high-load site you can turn to the experts at Southbridge. We will make sure your website or service runs fast and reliably under any load.