Kukho izinto ezininzi ezilapha ekufakeni i-WordPress; Ukukhangela kukaGoogle "ukufakwa kwe-WordPress" kuya kubuya malunga nesiqingatha sesigidi seziphumo. Nangona kunjalo, zimbalwa kakhulu izikhokelo eziluncedo ngaphandle apho ezinokukunceda ukufaka kunye nokuqwalasela i-WordPress kunye nenkqubo yokusebenza ephantsi ukuze bakwazi ukuxhaswa ngexesha elide. Mhlawumbi useto oluchanekileyo luxhomekeke kakhulu kwiimfuno zakho ezithile, okanye kungenxa yokuba ingcaciso eneenkcukacha yenza ukuba inqaku libe nzima ukulifunda.
Kweli nqaku, siza kuzama ukuhlanganisa ezona zinto zibalaseleyo zehlabathi ngokubonelela ngeskripthi se-bash ukufaka ngokuzenzekelayo i-WordPress ku-Ubuntu, kwaye siya kuhamba ngayo, sichaza ukuba iqhekeza ngalinye lenzani kunye norhwebo-offs esilwenzileyo ukuyila. yona. Ukuba ungumsebenzisi onamava, ungatsiba umbhalo wenqaku kwaye nje ukuguqula kunye nokusetyenziswa kwindawo yakho. Ukukhutshwa kweskripthi kufakelo lwe-WordPress yesiko kunye ne-Lets Encrypt inkxaso, esebenza kwi-NGINX Unit kwaye ifanelekile ukusetyenziswa kwezoshishino.
Uyilo oluphuhlisiweyo lokusebenzisa i-WordPress usebenzisa i-NGINX Unit ichazwe kuyo , ngoku siza kuphinda siqwalasele izinto ebezingagqunywanga apho (njengakwezinye izifundo ezininzi):
- WordPress CLI
- Masi Fihla kunye nezatifikethi zeTLSSSL
- Uhlaziyo lwesatifikethi oluzenzekelayo
- I-NGINX Caching
- Uxinzelelo lwe-NGINX
- I-HTTPS kunye ne-HTTP/2 inkxaso
- Inkqubo ezenzekelayo
Inqaku liza kuchaza ukufakwa kwiseva enye, eya kubamba ngaxeshanye iseva ye-static processing, iseva ye-PHP, kunye ne-database. Ufakelo ngenkxaso yeenginginya ezininzi kunye neenkonzo sisihloko esinokubakho kwixesha elizayo. Ukuba ufuna ukuba sibhale ngento engekho kula manqaku, bhala kwizimvo.
iimfuno
- Isikhongozeli seseva ( okanye ), umatshini wenyani, okanye umncedisi we-hardware oqhelekileyo, ubuncinane kunye ne-512MB ye-RAM kunye ne-Ubuntu 18.04 okanye efakwe kutshanje.
- Izibuko ezifikelelekayo kwi-Intanethi 80 kunye ne-443
- Igama lommandla elinxulunyaniswa nedilesi kawonke-wonke ye-IP yalo mncedisi
- Ukufikelela ngamalungelo engcambu (sudo).
Isishwankathelo sezokwakha
I-architecture iyafana nechazwe , usetyenziso lwewebhu olunamanqanaba amathathu. Iqulethe izikripthi ze-PHP ezenziwe kwi-injini ye-PHP kunye neefayile ezimileyo eziqhutywe ngumncedisi wewebhu.
Imigaqo jikelele
- Imiyalelo emininzi yoqwalaselo kwiskripthi isongelwe ukuba iimeko zokungabi namandla: iskripthi sinokuqhutywa ngamaxesha amaninzi ngaphandle komngcipheko wokutshintsha izicwangciso esele zilungile.
- Iscript sizama ukufaka isoftware evela koovimba, ukuze ukwazi ukusebenzisa uhlaziyo lwesixokelelwano ngomyalelo omnye (
apt upgradekuBuntu). - Amaqela azama ukufumanisa ukuba aqhuba kwisikhongozeli ukuze akwazi ukutshintsha iisetingi zawo ngokufanelekileyo.
- Ukuseta inani leenkqubo zemisonto eziza kusungulwa kwizicwangciso, iscript sizama ukuqikelela izicwangciso ezizenzekelayo zokusebenza kwizikhongozeli, oomatshini benyani, kunye neeseva zehardware.
- Xa sichaza useto, sihlala sicinga kuqala malunga ne-automation, esithemba ukuba iya kuba sisiseko sokwenza isiseko sakho njengekhowudi.
- Yonke imiyalelo iqhutywa kumsebenzisi Ingcambu, kuba batshintsha izicwangciso zenkqubo esisiseko, kodwa i-WordPress ngokwayo isebenza njengomsebenzisi oqhelekileyo.
Ukuseta iinguqu zemo engqongileyo
Cwangcisa iimeko-bume eziguquguqukayo zilandelayo phambi kokuba usebenzise okushicilelweyo:
WORDPRESS_DB_PASSWORD-Igama lokugqitha le-WordPressWORDPRESS_ADMIN_USER-Igama lomsebenzisi lomlawuli weWordPressWORDPRESS_ADMIN_PASSWORD-Igama lokugqitha le-WordPress adminWORDPRESS_ADMIN_EMAIL-I-imeyile yolawulo lweWordPressWORDPRESS_URL-I-URL epheleleyo yesayithi ye-WordPress, ukuqalahttps://.LETS_ENCRYPT_STAGING- engenanto ngokungagqibekanga, kodwa ngokucwangcisa ixabiso kwi-1, uya kusebenzisa i-Let Encrypt's staging servers, eziyimfuneko ukuba rhoqo ucele izatifikethi xa uvavanya izicwangciso zakho, ngaphandle koko Masibhalele sinokuvala okwethutyana idilesi yakho ye-IP ngenxa yenani elikhulu lezicelo.
Iskripthi sijonga ukuba ezi ziguquguqukayo ezinxulumene ne-WordPress zisetiwe kwaye ziphuma ukuba azikho.
Script imigca 572-576 khangela ixabiso LETS_ENCRYPT_STAGING.
Ukuseta izinto eziguquguqukayo zokusingqongileyo
Isikripthi kwimigca 55-61 siseta oku kuguquguquka kwemeko-bume kulandelayo, nokuba kukwixabiso elithile elinekhowudi enzima okanye kusetyenziswa ixabiso eliphuma kwizinto eziguquguqukayo ezibekwe kwicandelo langaphambili:
DEBIAN_FRONTEND="noninteractive"β uxelela usetyenziso ukuba lusebenza kwiskripthi kwaye akukho nxibelelwano lunokwenzeka lomsebenzisi.WORDPRESS_CLI_VERSION="2.4.0"-Inguqulelo ye-WordPress CLI yesicelo.WORDPRESS_CLI_MD5= "dedd5a662b80cda66e9e25d44c23b25c"- i-checksum ye-WordPress CLI 2.4.0 ifayile ephunyeziweyo (uguqulelo luboniswe kuguqukoWORDPRESS_CLI_VERSION). Iskripthi kumgca we-162 sisebenzisa eli xabiso ukuqinisekisa ukuba ifayile ye-WordPress CLI echanekileyo ikhutshelwe.UPLOAD_MAX_FILESIZE="16M"- ubungakanani befayile enkulu enokuthi ifakwe kwi-WordPress. Olu seto lusetyenziswa kwiindawo ezininzi, ngoko ke kulula ukuseta kwindawo enye.TLS_HOSTNAME= "$(echo ${WORDPRESS_URL} | cut -d'/' -f3)"β igama lomamkeli wenkqubo, lithathwe kumohluko we-WORDPRESS_URL. Isetyenziselwa ukufumana izatifikethi ezifanelekileyo ze-TLS/SSL ukusuka kwi-Let Encrypt, kunye nokuqinisekiswa kwe-WordPress yangaphakathi.NGINX_CONF_DIR="/etc/nginx"β indlela eya kuluhlu olunezicwangciso ze-NGINX, kuquka nefayile engundoqonginx.conf.CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}"β indlela eya kuMasibethele izatifikethi zesiza seWordPress, ezifunyenwe kuguqukoTLS_HOSTNAME.
Ukwabela igama lomninimzi kwiseva yeWordPress
Ushicilelo lucwangcisa igama lenginginya yomncedisi ukuze ixabiso lihambelane negama lendawo yendawo. Oku akuyomfuneko, kodwa kulunge ngakumbi ukuthumela imeyile ephumayo nge SMTP xa ucwangcisa umncedisi omnye, njengoko kuqwalaselwe siscript.
ikhowudi yeskripthi
# Change the hostname to be the same as the WordPress hostname
if [ ! "$(hostname)" == "${TLS_HOSTNAME}" ]; then
echo " Changing hostname to ${TLS_HOSTNAME}"
hostnamectl set-hostname "${TLS_HOSTNAME}"
fiUkongeza igama lenginginya kwi/etc/hosts
Yongeza esetyenziselwa ukuqhuba imisebenzi yexesha, ifuna i-WordPress ukuba ikwazi ukufikelela ngokwayo nge-HTTP. Ukuqinisekisa ukuba iWP-Cron isebenza ngokuchanekileyo kuzo zonke iindawo, iskripthi songeza umgca kwifayile / njl / imikhosiukuze i-WordPress ikwazi ukufikelela ngokwayo nge-loopback interface:
ikhowudi yeskripthi
# Add the hostname to /etc/hosts
if [ "$(grep -m1 "${TLS_HOSTNAME}" /etc/hosts)" = "" ]; then
echo " Adding hostname ${TLS_HOSTNAME} to /etc/hosts so that WordPress can ping itself"
printf "::1 %sn127.0.0.1 %sn" "${TLS_HOSTNAME}" "${TLS_HOSTNAME}" >> /etc/hosts
fiUkufakela izixhobo ezifunekayo kumanyathelo alandelayo
Eminye iscript ifuna iinkqubo ezithile kwaye ithatha ukuba iindawo zokugcina zihlaziyiwe. Sihlaziya uluhlu lweendawo zokugcina, kwaye emva koko sifake izixhobo eziyimfuneko:
ikhowudi yeskripthi
# Make sure tools needed for install are present
echo " Installing prerequisite tools"
apt-get -qq update
apt-get -qq install -y
bc
ca-certificates
coreutils
curl
gnupg2
lsb-releaseUkongeza iYunithi ye-NGINX kunye ne-NGINX yokugcina
Iskripthi sifaka iNyunithi ye-NGINX kunye nomthombo ovulekileyo we-NGINX ukusuka kwiindawo zokugcina ze-NGINX ezisemthethweni ukuqinisekisa ukuba iinguqulelo ezinokuhlaziywa kokhuseleko lwamva nje kunye nokulungiswa kwe-bug zisetyenziswa.
Umbhalo wongeza i-NGINX yogcino lweYunithi kwaye emva koko indawo yokugcina ye-NGINX, yongeza isitshixo sogcino kunye neefayile zezicwangciso. apt, ichaza ukufikelela kwiindawo zokugcina nge-Intanethi.
Ukufakwa kwangempela kweYunithi ye-NGINX kunye ne-NGINX kwenzeka kwicandelo elilandelayo. Songeza kwangaphambili iindawo zokugcina ukunqanda ukuhlaziya imethadatha amaxesha amaninzi, ukwenza ukufakela ngokukhawuleza.
ikhowudi yeskripthi
# Install the NGINX Unit repository
if [ ! -f /etc/apt/sources.list.d/unit.list ]; then
echo " Installing NGINX Unit repository"
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb https://packages.nginx.org/unit/ubuntu/ $(lsb_release -cs) unit" > /etc/apt/sources.list.d/unit.list
fi
# Install the NGINX repository
if [ ! -f /etc/apt/sources.list.d/nginx.list ]; then
echo " Installing NGINX repository"
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb https://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
fiUkufakela i-NGINX, i-NGINX Unit, i-PHP MariaDB, i-Certbot (Masibethele) kunye nokuxhomekeka kwabo
Nje ukuba zonke iindawo zokugcina zongezwe, sihlaziya imetadata kwaye sifake izicelo. Iiphakheji ezifakwe sisikripthi zikwabandakanya izandiso ze-PHP ezicetyiswayo xa usebenzisa i-WordPress.org
ikhowudi yeskripthi
echo " Updating repository metadata"
apt-get -qq update
# Install PHP with dependencies and NGINX Unit
echo " Installing PHP, NGINX Unit, NGINX, Certbot, and MariaDB"
apt-get -qq install -y --no-install-recommends
certbot
python3-certbot-nginx
php-cli
php-common
php-bcmath
php-curl
php-gd
php-imagick
php-mbstring
php-mysql
php-opcache
php-xml
php-zip
ghostscript
nginx
unit
unit-php
mariadb-serverUkumisela i-PHP ukuze isetyenziswe kunye neYunithi ye-NGINX kunye ne-WordPress
Iscript yenza ifayile yemimiselo kulawulo conf.d. Oku kucwangcisa ubukhulu befayile yokulayisha ifayile ye-PHP, yenza ukuba iimpazamo ze-PHP zikhutshwe kwi-STDERR ngoko ziya kufakwa kwiYunithi ye-NGINX, kwaye iphinde iqalise iYunithi ye-NGINX.
ikhowudi yeskripthi
# Find the major and minor PHP version so that we can write to its conf.d directory
PHP_MAJOR_MINOR_VERSION="$(php -v | head -n1 | cut -d' ' -f2 | cut -d'.' -f1,2)"
if [ ! -f "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" ]; then
echo " Configuring PHP for use with NGINX Unit and WordPress"
# Add PHP configuration overrides
cat > "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" << EOM
; Set a larger maximum upload size so that WordPress can handle
; bigger media files.
upload_max_filesize=${UPLOAD_MAX_FILESIZE}
post_max_size=${UPLOAD_MAX_FILESIZE}
; Write error log to STDERR so that error messages show up in the NGINX Unit log
error_log=/dev/stderr
EOM
fi
# Restart NGINX Unit because we have reconfigured PHP
echo " Restarting NGINX Unit"
service unit restartUkuseta i-MariaDB Database Useto lwe-WordPress
Sikhethe uMariaDB ngaphezulu kweMySQL kuba inomsebenzi omninzi wabahlali kwaye inakho (Mhlawumbi, yonke into ilula apha: ukufaka i-MySQL, kufuneka ungeze enye indawo yokugcina, malunga. umguquleli).
Iskripthi senza isiseko sedatha entsha kwaye senza iziqinisekiso zokufikelela kwi-WordPress ngokusebenzisa i-loopback interface:
ikhowudi yeskripthi
# Set up the WordPress database
echo " Configuring MariaDB for WordPress"
mysqladmin create wordpress || echo "Ignoring above error because database may already exist"
mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO "wordpress"@"localhost" IDENTIFIED BY "$WORDPRESS_DB_PASSWORD"; FLUSH PRIVILEGES;"Ukufakela inkqubo ye-WordPress CLI
Kweli nyathelo iscript sihlohla inkqubo . Ngayo, ungafaka kwaye ulawule izicwangciso ze-WordPress ngaphandle kokuhlela iifayile ngesandla, ukuhlaziya i-database, okanye ungene kwiphaneli yokulawula. Ingasetyenziselwa ukufaka imixholo kunye nezongezo kunye nokuhlaziya i-WordPress.
ikhowudi yeskripthi
if [ ! -f /usr/local/bin/wp ]; then
# Install the WordPress CLI
echo " Installing the WordPress CLI tool"
curl --retry 6 -Ls "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" > /usr/local/bin/wp
echo "$WORDPRESS_CLI_MD5 /usr/local/bin/wp" | md5sum -c -
chmod +x /usr/local/bin/wp
fiUkufakela kunye nokuqwalasela i-WordPress
Iskripthi sifaka inguqulelo yamva nje ye-WordPress kuluhlu /var/www/wordpress, kwaye ikwatshintsha izicwangciso:
- Uqhagamshelwano lwesiseko sedatha lusebenza kwi-unix yesizinda socket endaweni ye-TCP kwi-loopback ukunciphisa i-TCP traffic.
- I-WordPress yongeza isimaphambili https:// kwi-URL ukuba abathengi baqhagamshela kwi-NGINX ngaphezulu kwe-HTTPS, kwaye ithumela kwakhona igama lenginginya elikude (njengoko kunikezelwe ngu NGINX) kwi-PHP. Sisebenzisa isiqwenga sekhowudi ukuseta oku.
- I-WordPress idinga i-HTTPS ukungena ngemvume
- Ulwakhiwo lwe-URL lusekwe kwisixhobo esithe cwaka
- Iimvume ezichanekileyo zesistim yefayile zimiselwe isilawuli seWordPress.
ikhowudi yeskripthi
if [ ! -d /var/www/wordpress ]; then
# Create WordPress directories
mkdir -p /var/www/wordpress
chown -R www-data:www-data /var/www
# Download WordPress using the WordPress CLI
echo " Installing WordPress"
su -s /bin/sh -c 'wp --path=/var/www/wordpress core download' www-data
WP_CONFIG_CREATE_CMD="wp --path=/var/www/wordpress config create --extra-php --dbname=wordpress --dbuser=wordpress --dbhost="localhost:/var/run/mysqld/mysqld.sock" --dbpass="${WORDPRESS_DB_PASSWORD}""
# This snippet is injected into the wp-config.php file when it is created;
# it informs WordPress that we are behind a reverse proxy and as such
# allows it to generate links using HTTPS
cat > /tmp/wp_forwarded_for.php << 'EOM'
/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
$_SERVER['HTTPS'] = 'on';
}
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
EOM
# Create WordPress configuration
su -s /bin/sh -p -c "cat /tmp/wp_forwarded_for.php | ${WP_CONFIG_CREATE_CMD}" www-data
rm /tmp/wp_forwarded_for.php
su -s /bin/sh -p -c "wp --path=/var/www/wordpress config set 'FORCE_SSL_ADMIN' 'true'" www-data
# Install WordPress
WP_SITE_INSTALL_CMD="wp --path=/var/www/wordpress core install --url="${WORDPRESS_URL}" --title="${WORDPRESS_SITE_TITLE}" --admin_user="${WORDPRESS_ADMIN_USER}" --admin_password="${WORDPRESS_ADMIN_PASSWORD}" --admin_email="${WORDPRESS_ADMIN_EMAIL}" --skip-email"
su -s /bin/sh -p -c "${WP_SITE_INSTALL_CMD}" www-data
# Set permalink structure to a sensible default that isn't in the UI
su -s /bin/sh -p -c "wp --path=/var/www/wordpress option update permalink_structure '/%year%/%monthnum%/%postname%/'" www-data
# Remove sample file because it is cruft and could be a security problem
rm /var/www/wordpress/wp-config-sample.php
# Ensure that WordPress permissions are correct
find /var/www/wordpress -type d -exec chmod g+s {} ;
chmod g+w /var/www/wordpress/wp-content
chmod -R g+w /var/www/wordpress/wp-content/themes
chmod -R g+w /var/www/wordpress/wp-content/plugins
fiUkumisela iYunithi ye-NGINX
Iskripthi siqulunqa iYunithi ye-NGINX ukuqhuba i-PHP kunye nokusingatha iindlela ze-WordPress, ukwahlula indawo yegama leenkqubo ze-PHP kunye nokuphucula izicwangciso zokusebenza. Kukho izinto ezintathu ezifanele ukuhoywa:
- Inkxaso yendawo yegama imiselwa yimeko, ngokusekelwe ekukhangeleni ukuba iscript siyasebenza kwisikhongozeli. Oku kuyimfuneko ngenxa yokuba uninzi lwezicwangciso zesikhongozeli azikuxhasi ukwenziwa kwendlwane yezikhongozeli.
- Ukuba kukho inkxaso yezithuba zamagama, isithuba segama sivaliwe womnatha. Oku kuyimfuneko ukuvumela i-WordPress ukuba idibanise ngexesha elifanayo kwii-endpoints kwaye ifikeleleke kwi-Intanethi.
- Elona nani liphezulu leenkqubo limiselwa ngolu hlobo lulandelayo: (Inkumbulo ekhoyo yokusebenzisa i-MariaDB kunye ne-NGINX Uniy)/ (umda we-RAM kwi-PHP + 5)
Eli xabiso limiselwe kwizicwangciso zeYunithi ye-NGINX.
Eli xabiso likwathetha ukuba kukho rhoqo ubuncinane iinkqubo ezimbini ze-PHP ezisebenzayo, ezibalulekileyo kuba i-WordPress yenza izicelo ezininzi ze-asynchronous ngokwayo, kwaye ngaphandle kweenkqubo ezongezelelweyo ezisebenzayo, umzekelo, iWP-Cron iya kuphuka. Ungafuna ukwandisa okanye ukunciphisa le mida ngokusekwe kwizicwangciso zakho zobulali, kuba iisetingi ezidalwe apha zinokugcinwa. Kwiinkqubo ezininzi zemveliso iisetingi ziphakathi kwe-10 kunye ne-100.
ikhowudi yeskripthi
if [ "${container:-unknown}" != "lxc" ] && [ "$(grep -m1 -a container=lxc /proc/1/environ | tr -d '')" == "" ]; then
NAMESPACES='"namespaces": {
"cgroup": true,
"credential": true,
"mount": true,
"network": false,
"pid": true,
"uname": true
}'
else
NAMESPACES='"namespaces": {}'
fi
PHP_MEM_LIMIT="$(grep 'memory_limit' /etc/php/7.4/embed/php.ini | tr -d ' ' | cut -f2 -d= | numfmt --from=iec)"
AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
MAX_PHP_PROCESSES="$(echo "${AVAIL_MEM}/${PHP_MEM_LIMIT}+5" | bc)"
echo " Calculated the maximum number of PHP processes as ${MAX_PHP_PROCESSES}. You may want to tune this value due to variations in your configuration. It is not unusual to see values between 10-100 in production configurations."
echo " Configuring NGINX Unit to use PHP and WordPress"
cat > /tmp/wordpress.json << EOM
{
"settings": {
"http": {
"header_read_timeout": 30,
"body_read_timeout": 30,
"send_timeout": 30,
"idle_timeout": 180,
"max_body_size": $(numfmt --from=iec ${UPLOAD_MAX_FILESIZE})
}
},
"listeners": {
"127.0.0.1:8080": {
"pass": "routes/wordpress"
}
},
"routes": {
"wordpress": [
{
"match": {
"uri": [
"*.php",
"*.php/*",
"/wp-admin/"
]
},
"action": {
"pass": "applications/wordpress/direct"
}
},
{
"action": {
"share": "/var/www/wordpress",
"fallback": {
"pass": "applications/wordpress/index"
}
}
}
]
},
"applications": {
"wordpress": {
"type": "php",
"user": "www-data",
"group": "www-data",
"processes": {
"max": ${MAX_PHP_PROCESSES},
"spare": 1
},
"isolation": {
${NAMESPACES}
},
"targets": {
"direct": {
"root": "/var/www/wordpress/"
},
"index": {
"root": "/var/www/wordpress/",
"script": "index.php"
}
}
}
}
}
EOM
curl -X PUT --data-binary @/tmp/wordpress.json --unix-socket /run/control.unit.sock http://localhost/configUkumisela i-NGINX
Ukuqwalasela imimiselo ye-NGINX esisiseko
Iscript yenza uvimba weefayili we-NGINX cache kwaye emva koko wenze ifayile yoqwalaselo engundoqo nginx.conf. Nika ingqalelo kwinani leenkqubo zomphathi kunye nowona mlinganiselo wesayizi wefayile uphezulu wokukhuphela. Kukho nomgca apho ifayile yokucwangcisa i-compress, echazwe kwicandelo elilandelayo, ixhunyiwe, ilandelwa yimimiselo ye-caching.
ikhowudi yeskripthi
# Make directory for NGINX cache
mkdir -p /var/cache/nginx/proxy
echo " Configuring NGINX"
cat > ${NGINX_CONF_DIR}/nginx.conf << EOM
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include ${NGINX_CONF_DIR}/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
client_max_body_size ${UPLOAD_MAX_FILESIZE};
keepalive_timeout 65;
# gzip settings
include ${NGINX_CONF_DIR}/gzip_compression.conf;
# Cache settings
proxy_cache_path /var/cache/nginx/proxy
levels=1:2
keys_zone=wp_cache:10m
max_size=10g
inactive=60m
use_temp_path=off;
include ${NGINX_CONF_DIR}/conf.d/*.conf;
}
EOMUkumisela i-NGINX yoxinzelelo
Ukucinezela umxholo kwi-fly ngaphambi kokuyithumela kubaxhasi yindlela efanelekileyo yokuphucula ukusebenza kwendawo, kodwa kuphela ukuba ukunyanzeliswa kuqwalaselwe ngokuchanekileyo. Eli candelo lescript lisekelwe kwizicwangciso .
ikhowudi yeskripthi
cat > ${NGINX_CONF_DIR}/gzip_compression.conf << 'EOM'
# Credit: https://github.com/h5bp/server-configs-nginx/
# ----------------------------------------------------------------------
# | Compression |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 6;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.ms-fontobject
application/wasm
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/bmp
image/svg+xml
text/cache-manifest
text/calendar
text/css
text/javascript
text/markdown
text/plain
text/xml
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
EOMUkumisela i-NGINX ye-WordPress
Emva koko, iskripthi senza ifayile yoqwalaselo yeWordPress okumiselweyo.conf kwikhathalogu conf.d. Nantsi iqwalaselwe:
- Yenza iziqinisekiso ze-TLS zisebenze ezifunyenwe kuMasithi Sifihlwe ngeCertbot (ukuyiqwalasela kuya kuba kwicandelo elilandelayo)
- Qwalasela useto lokhuseleko lwe-TLS olusekwe kwiingcebiso ezivela kwi-Let Encrypt
- Yenza ukuba isicelo sitsibe kwindawo yokugcina indawo yeyure enye ngokwendalo
- Khubaza ufikelelo lokungena, kunye nokuloga ngempazamo ukuba ifayile ayifunyenwanga, kwiifayile ezimbini eziceliweyo eziqhelekileyo: favicon.ico kunye robots.txt
- Yala ukufikelela kwiifayile ezifihliweyo kunye neefayile ezithile .phpukuthintela ukufikelela ngokungekho mthethweni okanye ukuphehlelelwa ngabom
- Khubaza ufikelelo lokungena kwiifayile ezimileyo kunye nefonti
- Ukumisela isihloko kwiifayile zefonti
- Ukongeza indlela ye-index.php kunye nezinye i-statics.
ikhowudi yeskripthi
cat > ${NGINX_CONF_DIR}/conf.d/default.conf << EOM
upstream unit_php_upstream {
server 127.0.0.1:8080;
keepalive 32;
}
server {
listen 80;
listen [::]:80;
# ACME-challenge used by Certbot for Let's Encrypt
location ^~ /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://${TLS_HOSTNAME}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${TLS_HOSTNAME};
root /var/www/wordpress/;
# Let's Encrypt configuration
ssl_certificate ${CERT_DIR}/fullchain.pem;
ssl_certificate_key ${CERT_DIR}/privkey.pem;
ssl_trusted_certificate ${CERT_DIR}/chain.pem;
include ${NGINX_CONF_DIR}/options-ssl-nginx.conf;
ssl_dhparam ${NGINX_CONF_DIR}/ssl-dhparams.pem;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# Proxy caching
proxy_cache wp_cache;
proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1m;
proxy_cache_revalidate on;
proxy_cache_background_update on;
proxy_cache_lock on;
proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd,
# .DS_Store (Mac)
# Keep logging the requests to parse later (or to pass to firewall utilities
# such as fail2ban)
location ~ /. {
deny all;
}
# Deny access to any files with a .php extension in the uploads directory;
# works in subdirectory installs and also in multi-site network.
# Keep logging the requests to parse later (or to pass to firewall utilities
# such as fail2ban).
location ~* /(?:uploads|files)/.*.php$ {
deny all;
}
# WordPress: deny access to wp-content, wp-includes PHP files
location ~* ^/(?:wp-content|wp-includes)/.*.php$ {
deny all;
}
# Deny public access to wp-config.php
location ~* wp-config.php {
deny all;
}
# Do not log access for static assets, media
location ~* .(?:css(.map)?|js(.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
access_log off;
}
location ~* .(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
add_header Access-Control-Allow-Origin "*";
access_log off;
}
location / {
try_files $uri @index_php;
}
location @index_php {
proxy_socket_keepalive on;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://unit_php_upstream;
}
location ~* .php$ {
proxy_socket_keepalive on;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
try_files $uri =404;
proxy_pass http://unit_php_upstream;
}
}
EOMUkuqwalasela i-Certbot ye-Let Encrypter isatifikethi kwaye sizihlaziye ngokuzenzekelayo
sisixhobo sasimahla esivela kwi-Electronic Frontier Foundation (EFF) ekuvumela ukuba ufumane kwaye uhlaziye ngokuzenzekelayo izatifikethi ze-TLS ezivela kwi-Let Encrypt. Iskripthi senza la manyathelo alandelayo ukuqwalasela i-Certbot ukuqhubekekisa izatifikethi ukusuka kwi-Let Encrypting kwi-NGINX:
- Ukumisa i-NGINX
- Ukukhuphela okucetyiswayo kwisethingi ye-TLS
- Iqhuba iCertbot ukufumana izatifikethi zesiza
- Iphinda iqalise i-NGINX ukusebenzisa izatifikethi
- Ilungiselela i-Certbot ukuba iqhube yonke imihla kwi-3: i-24 ekuseni ukujonga ukuhlaziywa kwesatifikethi kwaye, ukuba kuyimfuneko, khuphela izatifikethi ezitsha kwaye uqale kabusha i-NGINX.
ikhowudi yeskripthi
echo " Stopping NGINX in order to set up Let's Encrypt"
service nginx stop
mkdir -p /var/www/certbot
chown www-data:www-data /var/www/certbot
chmod g+s /var/www/certbot
if [ ! -f ${NGINX_CONF_DIR}/options-ssl-nginx.conf ]; then
echo " Downloading recommended TLS parameters"
curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:36:07 GMT"
-o "${NGINX_CONF_DIR}/options-ssl-nginx.conf"
"https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf"
|| echo "Couldn't download latest options-ssl-nginx.conf"
fi
if [ ! -f ${NGINX_CONF_DIR}/ssl-dhparams.pem ]; then
echo " Downloading recommended TLS DH parameters"
curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:49:18 GMT"
-o "${NGINX_CONF_DIR}/ssl-dhparams.pem"
"https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem"
|| echo "Couldn't download latest ssl-dhparams.pem"
fi
# If tls_certs_init.sh hasn't been run before, remove the self-signed certs
if [ ! -d "/etc/letsencrypt/accounts" ]; then
echo " Removing self-signed certificates"
rm -rf "${CERT_DIR}"
fi
if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
CERTBOT_STAGING_FLAG=""
else
CERTBOT_STAGING_FLAG="--staging"
fi
if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
echo " Generating certificates with Let's Encrypt"
certbot certonly --standalone
-m "${WORDPRESS_ADMIN_EMAIL}"
${CERTBOT_STAGING_FLAG}
--agree-tos --force-renewal --non-interactive
-d "${TLS_HOSTNAME}"
fi
echo " Starting NGINX in order to use new configuration"
service nginx start
# Write crontab for periodic Let's Encrypt cert renewal
if [ "$(crontab -l | grep -m1 'certbot renew')" == "" ]; then
echo " Adding certbot to crontab for automatic Let's Encrypt renewal"
(crontab -l 2>/dev/null; echo "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'") | crontab -
fiUkwenza ngokwezifiso okongeziweyo kwendawo yakho
Sathetha ngasentla malunga nendlela iskripthi sethu esiqulunqa ngayo i-NGINX kunye ne-NGINX Unit ukuze sikhonze iwebhusayithi elungele ukuveliswa kunye ne-TLSSSL enikwe amandla. Unako kwakhona, ngokuxhomekeke kwiimfuno zakho, ukongeza kwixesha elizayo:
- Inkxaso , uphuculo lokunyanzeliswa kwe-fly phezu kwe-HTTPS
- Ρ ukuthintela uhlaselo oluzenzekelayo kwindawo yakho
- yeWordPress, ilungele wena
- ngoncedo (ku Ubuntu)
- I-Postfix okanye i-msmtp ukuze i-WordPress ikwazi ukuthumela i-imeyile
- Ukujonga indawo yakho ukuze uqonde ukuba ingakanani itrafikhi enokusingatha
Kumsebenzi ongcono wesiza, sicebisa ukuba uphucule ukuya , imveliso yethu yorhwebo lweshishini esekelwe kumthombo ovulekileyo we-NGINX. Ababhalisi bayo baya kufumana imodyuli yeBrotli elayishwe ngamandla, kunye (ngomrhumo owongezelelweyo) . Sikwanikezela , imodyuli ye-WAF ye-NGINX Plus esekelwe kwi-teknoloji yokhuseleko ehamba phambili kwi-industry evela kwi-F5.
NB Ukufumana inkxaso yewebhusayithi yomthwalo ophezulu, ungaqhagamshelana neengcali . Siya kuqinisekisa ukusebenza ngokukhawuleza nokuthembekileyo kwewebhusayithi yakho okanye inkonzo phantsi kwawo nawuphi na umthwalo.
umthombo: www.habr.com