There is no shortage of material on installing WordPress; a Google search for "Install WordPress" returns about half a million results. Yet there are very few genuinely useful guides that help you install and configure both WordPress and the operating system underneath it so that the result can be maintained for a long time. Perhaps the right settings depend too much on individual needs, or perhaps the level of detail makes such articles hard to read.
In this article we try to combine the best of both worlds: we provide a bash script that installs WordPress on Ubuntu automatically, and we walk through it, explaining what each piece does and the trade-offs made in its design. If you are an experienced user, you can skip the text and simply take the script, adapt it and use it in your own environments. The result of the script is a production-ready WordPress installation with Let's Encrypt support, running on NGINX Unit and suitable for enterprise use.
The architecture used to deploy WordPress with NGINX Unit was described in an earlier article; here we additionally configure things that were not covered there (nor in most other tutorials):
WordPress CLI
Let's Encrypt and TLS/SSL certificates
Automatic certificate renewal
NGINX caching
NGINX compression
HTTPS and HTTP/2 support
Process automation
The article describes installation on a single server that hosts the static content server, the PHP processing server and the database at the same time. Installation with support for multiple virtual hosts and services is a possible topic for the future. If you would like us to write about something these articles do not cover, say so in the comments.
Requirements
A container server (LXC or LXD), a virtual machine or an ordinary hardware server, with at least 512MB of RAM and a freshly installed Ubuntu 18.04 or newer.
Ports 80 and 443 reachable from the Internet
A domain name that resolves to this server's public IP address
Access with root privileges (sudo).
Architecture Overview
The architecture is the same three-tier web application described earlier. It consists of PHP scripts executed by the PHP engine and static files served by the web server.
General Principles
Most configuration commands in the script are wrapped in conditions for idempotency: the script can be run many times without the risk of changing settings that are already in place.
The script tries to install software from repositories, so that system updates can be applied with a single command (apt upgrade on Ubuntu).
The commands try to detect that they are running inside a container so that they can adjust their settings accordingly.
To choose the number of worker processes to launch in the configuration, the script tries to guess suitable settings automatically for containers, virtual machines and hardware servers.
When describing the settings we always think about automation first, which we hope will become the basis for building your own infrastructure as code.
All commands are executed as the root user, because they change basic system settings, but WordPress itself runs as a regular user.
Setting environment variables
Set the following environment variables before running the script:
WORDPRESS_DB_PASSWORD - password for the WordPress database
WORDPRESS_URL - full URL of the WordPress site, starting with https://.
LETS_ENCRYPT_STAGING - empty by default; setting it to 1 makes the script use Let's Encrypt's staging servers, which is necessary when you request certificates repeatedly while testing your configuration, since otherwise Let's Encrypt may temporarily block your IP address because of the large number of requests.
The script checks that the WordPress-related variables are set and exits if they are not.
Script lines 572-576 check the value of LETS_ENCRYPT_STAGING.
Setting derived environment variables
On lines 55-61 the script sets the following environment variables, either to a hard-coded value or to a value derived from the variables set in the previous section:
DEBIAN_FRONTEND="noninteractive" - tells applications that they are running from a script and that no user interaction is possible.
WORDPRESS_CLI_VERSION="2.4.0" - version of the WordPress CLI application.
WORDPRESS_CLI_MD5="dedd5a662b80cda66e9e25d44c23b25c" - checksum of the WordPress CLI 2.4.0 executable (the version is given by WORDPRESS_CLI_VERSION). On line 162 the script uses this value to verify that the correct WordPress CLI file was downloaded.
UPLOAD_MAX_FILESIZE="16M" - maximum size of a file that can be uploaded to WordPress. This setting is used in several places, so it is convenient to define it once.
TLS_HOSTNAME="$(echo ${WORDPRESS_URL} | cut -d'/' -f3)" - system hostname, extracted from the WORDPRESS_URL variable. Used to obtain the matching TLS/SSL certificates from Let's Encrypt and for WordPress's internal checks.
NGINX_CONF_DIR="/etc/nginx" - path to the directory holding the NGINX configuration, including the main nginx.conf file.
CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}" - path to the Let's Encrypt certificates for the WordPress site, derived from TLS_HOSTNAME.
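As an added example (not part of the original script), here is a small pre-flight check that fails before any system change is made when a required variable is missing, WORDPRESS_URL is not an https:// URL, or LETS_ENCRYPT_STAGING has an unexpected value, and that derives TLS_HOSTNAME and CERT_DIR the same way the script does. It checks the variables the script code on this page actually uses; the function names are this example's own.

```shell
# Added example, not from the original script. Function names are this example's own.

# derive_hostname URL : the hostname part of a URL, as the script's
# cut -d'/' -f3 does (https://blog.example.com/path -> blog.example.com)
derive_hostname() {
    printf '%s\n' "$1" | cut -d'/' -f3
}

# derive_cert_dir URL : where Certbot will put the certificates for that host
derive_cert_dir() {
    echo "/etc/letsencrypt/live/$(derive_hostname "$1")"
}

# check_required_vars : return 0 if the environment is usable; otherwise
# report every problem on stderr and return 1 so the caller can abort
# before touching the system.
check_required_vars() {
    status=0
    for var in WORDPRESS_DB_PASSWORD WORDPRESS_URL WORDPRESS_SITE_TITLE \
               WORDPRESS_ADMIN_USER WORDPRESS_ADMIN_PASSWORD WORDPRESS_ADMIN_EMAIL; do
        eval "value=\${$var:-}"
        if [ -z "$value" ]; then
            echo "ERROR: $var must be set" >&2
            status=1
        fi
    done
    case "${WORDPRESS_URL:-}" in
        https://?*) ;;   # the script expects a full URL starting with https://
        *) echo "ERROR: WORDPRESS_URL must start with https://" >&2; status=1 ;;
    esac
    case "${LETS_ENCRYPT_STAGING:-}" in
        ""|0|1) ;;       # empty or 0 = production, 1 = Let's Encrypt staging
        *) echo "ERROR: LETS_ENCRYPT_STAGING must be empty, 0 or 1" >&2; status=1 ;;
    esac
    return "$status"
}
```

Call check_required_vars right after the derived variables are set and exit on failure; everything after that point changes the system.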
Setting the server hostname to the WordPress hostname
The script sets the server's hostname so that it matches the site's domain name. This is not strictly required, but it makes sending outgoing mail over SMTP easier on a single-server setup like the one the script configures.
Script code
# Change the hostname to be the same as the WordPress hostname
if [ "$(hostname)" != "${TLS_HOSTNAME}" ]; then
    echo " Changing hostname to ${TLS_HOSTNAME}"
    hostnamectl set-hostname "${TLS_HOSTNAME}"
fi
Adding the hostname to /etc/hosts
The WP-Cron component, which runs periodic tasks, requires WordPress to be able to reach itself over HTTP. To make sure WP-Cron works correctly in every environment, the script adds a line to /etc/hosts so that WordPress can reach itself over the loopback interface:
Script code
# Add the hostname to /etc/hosts
if [ "$(grep -m1 "${TLS_HOSTNAME}" /etc/hosts)" = "" ]; then
    echo " Adding hostname ${TLS_HOSTNAME} to /etc/hosts so that WordPress can ping itself"
    printf "::1 %s\n127.0.0.1 %s\n" "${TLS_HOSTNAME}" "${TLS_HOSTNAME}" >> /etc/hosts
fi
Installing the tools required for the next steps
The rest of the script needs a few programs and assumes the package lists are up to date. We update the package lists and then install the required tools:
Script code
# Make sure tools needed for install are present
echo " Installing prerequisite tools"
apt-get -qq update
apt-get -qq install -y \
    bc \
    ca-certificates \
    coreutils \
    curl \
    gnupg2 \
    lsb-release
Adding the NGINX Unit and NGINX repositories
The script installs NGINX Unit and open source NGINX from the official NGINX repositories, so that versions with the latest security updates and bug fixes are used.
The script adds the NGINX Unit repository and then the NGINX repository: it imports the repository signing key and writes the apt source files that define how the repositories are reached over the Internet.
The actual installation of NGINX Unit and NGINX happens in the next section. The repositories are added first so that the package metadata only has to be refreshed once, which makes the installation faster.
Script code
# Install the NGINX Unit repository
if [ ! -f /etc/apt/sources.list.d/unit.list ]; then
    echo " Installing NGINX Unit repository"
    curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
    echo "deb https://packages.nginx.org/unit/ubuntu/ $(lsb_release -cs) unit" > /etc/apt/sources.list.d/unit.list
fi
# Install the NGINX repository
if [ ! -f /etc/apt/sources.list.d/nginx.list ]; then
    echo " Installing NGINX repository"
    curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
    echo "deb https://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
fi
Installing NGINX, NGINX Unit, PHP, MariaDB, Certbot (Let's Encrypt) and their dependencies
Once all repositories have been added, we refresh the package metadata and install the applications. The packages installed by the script also include the PHP extensions that WordPress.org recommends for running WordPress.
Script code
echo " Updating repository metadata"
apt-get -qq update
# Install PHP with dependencies and NGINX Unit
echo " Installing PHP, NGINX Unit, NGINX, Certbot, and MariaDB"
apt-get -qq install -y --no-install-recommends \
    certbot \
    python3-certbot-nginx \
    php-cli \
    php-common \
    php-bcmath \
    php-curl \
    php-gd \
    php-imagick \
    php-mbstring \
    php-mysql \
    php-opcache \
    php-xml \
    php-zip \
    ghostscript \
    nginx \
    unit \
    unit-php \
    mariadb-server
Configuring PHP for use with NGINX Unit and WordPress
The script creates a configuration file in PHP's conf.d directory. It raises the maximum upload size for PHP, sends PHP errors to STDERR so that they end up in the NGINX Unit log, and then restarts NGINX Unit.
Script code
# Find the major and minor PHP version so that we can write to its conf.d directory
PHP_MAJOR_MINOR_VERSION="$(php -v | head -n1 | cut -d' ' -f2 | cut -d'.' -f1,2)"
if [ ! -f "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" ]; then
    echo " Configuring PHP for use with NGINX Unit and WordPress"
    # Add PHP configuration overrides
    cat > "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" << EOM
; Set a larger maximum upload size so that WordPress can handle
; bigger media files.
upload_max_filesize=${UPLOAD_MAX_FILESIZE}
post_max_size=${UPLOAD_MAX_FILESIZE}
; Write error log to STDERR so that error messages show up in the NGINX Unit log
error_log=/dev/stderr
EOM
fi
# Restart NGINX Unit because we have reconfigured PHP
echo " Restarting NGINX Unit"
service unit restart
Configuring the MariaDB database for WordPress
We chose MariaDB over MySQL because it has a more active community and may also offer better performance out of the box (perhaps the reason is simpler: installing MySQL requires adding yet another repository, translator's note).
The script creates a new database and the credentials that WordPress uses to reach it over the loopback interface:
Script code
# Set up the WordPress database
echo " Configuring MariaDB for WordPress"
mysqladmin create wordpress || echo "Ignoring above error because database may already exist"
mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost' IDENTIFIED BY '$WORDPRESS_DB_PASSWORD'; FLUSH PRIVILEGES;"
Installing the WordPress CLI
At this stage the script installs WP-CLI. With it you can install and manage WordPress settings without editing files by hand, running database updates or logging into the admin panel. It can also be used to install themes and plugins and to update WordPress.
Script code
if [ ! -f /usr/local/bin/wp ]; then
    # Install the WordPress CLI
    echo " Installing the WordPress CLI tool"
    curl --retry 6 -Ls "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" > /usr/local/bin/wp
    echo "$WORDPRESS_CLI_MD5 /usr/local/bin/wp" | md5sum -c -
    chmod +x /usr/local/bin/wp
fi
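As an added example (not the original script's code), the same download can be made safe to re-run: write to a temporary file, verify it there, and only move it into place when the checksum matches. In the script above the file is written straight to /usr/local/bin/wp before md5sum runs, so a failed check leaves the unverified file behind, and the `if [ ! -f /usr/local/bin/wp ]` guard then skips the download on the next run. Function names are this example's own, and the file contents and checksum in the test are constructed.

```shell
# Added example, not from the original script. Function names are this example's own.

# install_verified SRC EXPECTED_MD5 DEST
# Moves SRC to DEST (mode 0755) only if its MD5 digest equals EXPECTED_MD5;
# otherwise deletes SRC, reports the mismatch and returns 1, so nothing
# unverified ever lands at DEST.
install_verified() {
    src=$1; expected=$2; dest=$3
    actual=$(md5sum "$src" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "ERROR: checksum mismatch for $src (got $actual, want $expected)" >&2
        rm -f "$src"
        return 1
    fi
    chmod 0755 "$src"
    mv "$src" "$dest"
}

# fetch_wp_cli VERSION EXPECTED_MD5 DEST
# Downloads the wp-cli phar for VERSION to a temporary file and installs it
# through install_verified. -f makes curl fail on HTTP errors instead of
# saving an error page as the binary.
fetch_wp_cli() {
    version=$1; expected=$2; dest=$3
    tmp=$(mktemp)
    curl --retry 6 -fsSL \
        "https://github.com/wp-cli/wp-cli/releases/download/v${version}/wp-cli-${version}.phar" \
        -o "$tmp" || { rm -f "$tmp"; return 1; }
    install_verified "$tmp" "$expected" "$dest"
}
```

If a stronger digest is available for the release, swap md5sum for sha256sum or sha512sum; the flow is the same.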
Installing and Configuring WordPress
The script installs the latest version of WordPress into the /var/www/wordpress directory and also adjusts its settings:
The database connection uses a Unix domain socket instead of TCP over loopback, to reduce TCP traffic.
WordPress adds the https:// prefix to URLs when clients connect to NGINX over HTTPS, and the remote hostname (as passed on by NGINX) is handed to PHP. A small piece of code sets this up.
WordPress requires HTTPS for logging in.
The URL structure is resource-based.
Correct file system permissions are set on the WordPress directory tree.
Script code
if [ ! -d /var/www/wordpress ]; then
    # Create WordPress directories
    mkdir -p /var/www/wordpress
    chown -R www-data:www-data /var/www
    # Download WordPress using the WordPress CLI
    echo " Installing WordPress"
    su -s /bin/sh -c 'wp --path=/var/www/wordpress core download' www-data
    WP_CONFIG_CREATE_CMD="wp --path=/var/www/wordpress config create --extra-php --dbname=wordpress --dbuser=wordpress --dbhost=\"localhost:/var/run/mysqld/mysqld.sock\" --dbpass=\"${WORDPRESS_DB_PASSWORD}\""
    # This snippet is injected into the wp-config.php file when it is created;
    # it informs WordPress that we are behind a reverse proxy and as such
    # allows it to generate links using HTTPS
    cat > /tmp/wp_forwarded_for.php << 'EOM'
/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
EOM
    # Create WordPress configuration
    su -s /bin/sh -p -c "cat /tmp/wp_forwarded_for.php | ${WP_CONFIG_CREATE_CMD}" www-data
    rm /tmp/wp_forwarded_for.php
    su -s /bin/sh -p -c "wp --path=/var/www/wordpress config set 'FORCE_SSL_ADMIN' 'true'" www-data
    # Install WordPress
    WP_SITE_INSTALL_CMD="wp --path=/var/www/wordpress core install --url=\"${WORDPRESS_URL}\" --title=\"${WORDPRESS_SITE_TITLE}\" --admin_user=\"${WORDPRESS_ADMIN_USER}\" --admin_password=\"${WORDPRESS_ADMIN_PASSWORD}\" --admin_email=\"${WORDPRESS_ADMIN_EMAIL}\" --skip-email"
    su -s /bin/sh -p -c "${WP_SITE_INSTALL_CMD}" www-data
    # Set permalink structure to a sensible default that isn't in the UI
    su -s /bin/sh -p -c "wp --path=/var/www/wordpress option update permalink_structure '/%year%/%monthnum%/%postname%/'" www-data
    # Remove sample file because it is cruft and could be a security problem
    rm /var/www/wordpress/wp-config-sample.php
    # Ensure that WordPress permissions are correct
    find /var/www/wordpress -type d -exec chmod g+s {} \;
    chmod g+w /var/www/wordpress/wp-content
    chmod -R g+w /var/www/wordpress/wp-content/themes
    chmod -R g+w /var/www/wordpress/wp-content/plugins
fi
Configuring NGINX Unit
The script configures NGINX Unit to run PHP and handle WordPress paths, isolating the PHP process namespaces and tuning the performance settings. Three points deserve attention:
Namespace support is enabled conditionally, based on checking whether the script is running inside a container. This is necessary because most container setups do not support nested containers.
When namespaces are supported, the network namespace is disabled. This is necessary so that WordPress can connect both to its own endpoints and to the Internet.
The maximum number of processes is calculated as follows: (memory available after MariaDB and NGINX Unit are running)/(PHP memory limit + 5)
This value is written into the NGINX Unit configuration.
This calculation also means that at least two PHP processes are always running, which matters because WordPress makes many asynchronous requests to itself; without spare processes WP-Cron, for example, would break. You may want to raise or lower these limits depending on your environment, because the settings generated here are conservative. On most production systems the value lies between 10 and 100.
Script code
if [ "${container:-unknown}" != "lxc" ] && [ "$(grep -m1 -a container=lxc /proc/1/environ | tr -d '\0')" == "" ]; then
    NAMESPACES='"namespaces": {
        "cgroup": true,
        "credential": true,
        "mount": true,
        "network": false,
        "pid": true,
        "uname": true
    }'
else
    NAMESPACES='"namespaces": {}'
fi
PHP_MEM_LIMIT="$(grep 'memory_limit' "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/php.ini" | tr -d ' ' | cut -f2 -d= | numfmt --from=iec)"
AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
MAX_PHP_PROCESSES="$(echo "${AVAIL_MEM}/${PHP_MEM_LIMIT}+5" | bc)"
echo " Calculated the maximum number of PHP processes as ${MAX_PHP_PROCESSES}. You may want to tune this value due to variations in your configuration. It is not unusual to see values between 10-100 in production configurations."
echo " Configuring NGINX Unit to use PHP and WordPress"
cat > /tmp/wordpress.json << EOM
{
  "settings": {
    "http": {
      "header_read_timeout": 30,
      "body_read_timeout": 30,
      "send_timeout": 30,
      "idle_timeout": 180,
      "max_body_size": $(numfmt --from=iec ${UPLOAD_MAX_FILESIZE})
    }
  },
  "listeners": {
    "127.0.0.1:8080": {
      "pass": "routes/wordpress"
    }
  },
  "routes": {
    "wordpress": [
      {
        "match": {
          "uri": [
            "*.php",
            "*.php/*",
            "/wp-admin/"
          ]
        },
        "action": {
          "pass": "applications/wordpress/direct"
        }
      },
      {
        "action": {
          "share": "/var/www/wordpress",
          "fallback": {
            "pass": "applications/wordpress/index"
          }
        }
      }
    ]
  },
  "applications": {
    "wordpress": {
      "type": "php",
      "user": "www-data",
      "group": "www-data",
      "processes": {
        "max": ${MAX_PHP_PROCESSES},
        "spare": 1
      },
      "isolation": {
        ${NAMESPACES}
      },
      "targets": {
        "direct": {
          "root": "/var/www/wordpress/"
        },
        "index": {
          "root": "/var/www/wordpress/",
          "script": "index.php"
        }
      }
    }
  }
}
EOM
curl -X PUT --data-binary @/tmp/wordpress.json --unix-socket /run/control.unit.sock http://localhost/config
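The process count is worth checking on your own numbers. As an added example of the script's calculation (not the script's own code): bc evaluates `AVAIL_MEM/PHP_MEM_LIMIT+5` as (available memory / PHP memory_limit) + 5, so the +5 is a fixed headroom of processes on top of the ratio. This version parses the same two inputs from constructed php.ini and /proc/meminfo text without numfmt, and falls back to 128M when memory_limit is -1 (PHP's "unlimited"), which would otherwise make the division meaningless. Function names and sample values are this example's own.

```shell
# Added example, not from the original script. Function names are this example's own.

# php_ini_bytes VALUE : php.ini shorthand (128M, 2G, 65536, -1) to bytes.
# PHP treats the K/M/G suffixes as powers of 1024, case-insensitively.
php_ini_bytes() {
    v=$1
    case "$v" in
        -1)     printf '%s\n' -1 ;;
        *[Gg])  echo $(( ${v%[Gg]} * 1024 * 1024 * 1024 )) ;;
        *[Mm])  echo $(( ${v%[Mm]} * 1024 * 1024 )) ;;
        *[Kk])  echo $(( ${v%[Kk]} * 1024 )) ;;
        *)      echo $(( v )) ;;
    esac
}

# ini_memory_limit INI_TEXT : the memory_limit value from php.ini text,
# ignoring commented-out lines
ini_memory_limit() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*memory_limit[[:space:]]*=[[:space:]]*//p' | head -n1
}

# meminfo_avail_kb MEMINFO_TEXT : MemAvailable (kB) from /proc/meminfo text
meminfo_avail_kb() {
    printf '%s\n' "$1" | awk '/^MemAvailable:/ { print $2 }'
}

# max_php_processes AVAIL_KB MEM_LIMIT : the script's formula, avail/limit + 5,
# with -1 (unlimited) mapped to the 128M that php.ini-production ships with
max_php_processes() {
    limit=$(php_ini_bytes "$2")
    if [ "$limit" -le 0 ]; then
        limit=$(php_ini_bytes 128M)
    fi
    echo $(( $1 * 1024 / limit + 5 ))
}

# Constructed sample inputs standing in for the live files the script reads
SAMPLE_PHP_INI='; memory_limit = 2G
memory_limit = 256M'
SAMPLE_MEMINFO='MemTotal:        2097152 kB
MemFree:          131072 kB
MemAvailable:    1048576 kB'

# Put the pieces together the way the script does: 1 GiB / 256 MiB + 5 = 9
calc_from_samples() {
    max_php_processes "$(meminfo_avail_kb "$SAMPLE_MEMINFO")" "$(ini_memory_limit "$SAMPLE_PHP_INI")"
}
```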
Configuring NGINX
Configuring the basic NGINX settings
The script creates a directory for the NGINX cache and then writes the main configuration file, nginx.conf. Pay attention to the number of worker processes and to the maximum upload size setting. There is also a line that includes the compression settings file described in the next section, followed by the caching settings.
Compressing content on the fly before sending it to clients is a great way to improve site performance, but only if compression is configured correctly. This part of the script is based on the settings from here.
Script code
cat > ${NGINX_CONF_DIR}/gzip_compression.conf << 'EOM'
# Credit: https://github.com/h5bp/server-configs-nginx/
# ----------------------------------------------------------------------
# | Compression                                                        |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 6;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
    application/atom+xml
    application/geo+json
    application/javascript
    application/x-javascript
    application/json
    application/ld+json
    application/manifest+json
    application/rdf+xml
    application/rss+xml
    application/vnd.ms-fontobject
    application/wasm
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/eot
    font/otf
    font/ttf
    image/bmp
    image/svg+xml
    text/cache-manifest
    text/calendar
    text/css
    text/javascript
    text/markdown
    text/plain
    text/xml
    text/vcard
    text/vnd.rim.location.xloc
    text/vtt
    text/x-component
    text/x-cross-domain-policy;
EOM
Configuring NGINX for WordPress
Next, the script creates the WordPress configuration file, default.conf, in the conf.d directory. It configures:
Enabling the TLS certificates obtained from Let's Encrypt through Certbot (Certbot itself is set up in the next section)
TLS security settings based on Let's Encrypt's recommendations
Request caching, enabled for 1 hour by default
Disabled access logging, and disabled not-found error logging, for two commonly requested files: favicon.ico and robots.txt
Denied access to hidden files and to certain .php files, to prevent unauthorized access or accidental execution
Routing for index.php and other static files.
Script code
cat > ${NGINX_CONF_DIR}/conf.d/default.conf << EOM
upstream unit_php_upstream {
    server 127.0.0.1:8080;
    keepalive 32;
}
server {
    listen 80;
    listen [::]:80;
    # ACME-challenge used by Certbot for Let's Encrypt
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://${TLS_HOSTNAME}\$request_uri;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${TLS_HOSTNAME};
    root /var/www/wordpress/;
    # Let's Encrypt configuration
    ssl_certificate ${CERT_DIR}/fullchain.pem;
    ssl_certificate_key ${CERT_DIR}/privkey.pem;
    ssl_trusted_certificate ${CERT_DIR}/chain.pem;
    include ${NGINX_CONF_DIR}/options-ssl-nginx.conf;
    ssl_dhparam ${NGINX_CONF_DIR}/ssl-dhparams.pem;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # Proxy caching
    proxy_cache wp_cache;
    proxy_cache_valid 200 302 1h;
    proxy_cache_valid 404 1m;
    proxy_cache_revalidate on;
    proxy_cache_background_update on;
    proxy_cache_lock on;
    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # Deny all attempts to access hidden files such as .htaccess, .htpasswd,
    # .DS_Store (Mac)
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban)
    location ~ /\. {
        deny all;
    }
    # Deny access to any files with a .php extension in the uploads directory;
    # works in subdirectory installs and also in multi-site network.
    # Keep logging the requests to parse later (or to pass to firewall utilities
    # such as fail2ban).
    location ~* /(?:uploads|files)/.*\.php\$ {
        deny all;
    }
    # WordPress: deny access to wp-content, wp-includes PHP files
    location ~* ^/(?:wp-content|wp-includes)/.*\.php\$ {
        deny all;
    }
    # Deny public access to wp-config.php
    location ~* wp-config\.php {
        deny all;
    }
    # Do not log access for static assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)\$ {
        access_log off;
    }
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)\$ {
        add_header Access-Control-Allow-Origin "*";
        access_log off;
    }
    location / {
        try_files \$uri @index_php;
    }
    location @index_php {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$host;
        proxy_pass http://unit_php_upstream;
    }
    location ~* \.php\$ {
        proxy_socket_keepalive on;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$host;
        try_files \$uri =404;
        proxy_pass http://unit_php_upstream;
    }
}
EOM
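Because NGINX evaluates regex locations in file order and the first match wins, the deny rules above only work because they precede the `\.php$` proxy location. As an added example (not part of the original script), here is an offline check that the four deny patterns block what they are meant to block and leave normal WordPress paths alone. The patterns are re-expressed in grep -E syntax, since POSIX ERE has no (?:...) groups, so this mirrors the rules rather than running NGINX; feed it the decoded, normalized path, which is what NGINX matches against. The function name and sample paths are this example's own.

```shell
# Added example, not from the original script. Function name is this example's own.

# wp_request_denied URI_PATH : return 0 if one of default.conf's deny
# locations matches the path, 1 if the request would reach the site.
wp_request_denied() {
    p=$1
    # location ~ /\.  : a hidden file or directory anywhere in the path
    printf '%s\n' "$p" | grep -Eq '/\.' && return 0
    # location ~* /(?:uploads|files)/.*\.php$  : PHP under user-writable dirs
    printf '%s\n' "$p" | grep -Eiq '/(uploads|files)/.*\.php$' && return 0
    # location ~* ^/(?:wp-content|wp-includes)/.*\.php$
    printf '%s\n' "$p" | grep -Eiq '^/(wp-content|wp-includes)/.*\.php$' && return 0
    # location ~* wp-config\.php
    printf '%s\n' "$p" | grep -Eiq 'wp-config\.php' && return 0
    return 1
}
```

Run it after editing default.conf; if a path you expect to be blocked comes back allowed, the corresponding location has probably been moved below `location ~* \.php$`.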
Configuring Certbot for Let's Encrypt certificates and their automatic renewal
Certbot is a free tool from the Electronic Frontier Foundation (EFF) that lets you obtain and renew TLS certificates from Let's Encrypt automatically. The script performs the following steps to set Certbot up to handle Let's Encrypt certificates for NGINX:
Stops NGINX
Downloads the recommended TLS settings
Runs Certbot to obtain certificates for the site
Starts NGINX again to use the certificates
Configures Certbot to run daily at 3:24 a.m. to check whether the certificates need renewing and, if so, fetch new certificates and reload NGINX.
Script code
echo " Stopping NGINX in order to set up Let's Encrypt"
service nginx stop
mkdir -p /var/www/certbot
chown www-data:www-data /var/www/certbot
chmod g+s /var/www/certbot
if [ ! -f ${NGINX_CONF_DIR}/options-ssl-nginx.conf ]; then
    echo " Downloading recommended TLS parameters"
    curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:36:07 GMT" \
        -o "${NGINX_CONF_DIR}/options-ssl-nginx.conf" \
        "https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf" \
        || echo "Couldn't download latest options-ssl-nginx.conf"
fi
if [ ! -f ${NGINX_CONF_DIR}/ssl-dhparams.pem ]; then
    echo " Downloading recommended TLS DH parameters"
    curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:49:18 GMT" \
        -o "${NGINX_CONF_DIR}/ssl-dhparams.pem" \
        "https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem" \
        || echo "Couldn't download latest ssl-dhparams.pem"
fi
# If tls_certs_init.sh hasn't been run before, remove the self-signed certs
if [ ! -d "/etc/letsencrypt/accounts" ]; then
    echo " Removing self-signed certificates"
    rm -rf "${CERT_DIR}"
fi
if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
    CERTBOT_STAGING_FLAG=""
else
    CERTBOT_STAGING_FLAG="--staging"
fi
if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
    echo " Generating certificates with Let's Encrypt"
    certbot certonly --standalone \
        -m "${WORDPRESS_ADMIN_EMAIL}" \
        ${CERTBOT_STAGING_FLAG} \
        --agree-tos --force-renewal --non-interactive \
        -d "${TLS_HOSTNAME}"
fi
echo " Starting NGINX in order to use new configuration"
service nginx start
# Write crontab for periodic Let's Encrypt cert renewal
if [ "$(crontab -l 2>/dev/null | grep -m1 'certbot renew')" == "" ]; then
    echo " Adding certbot to crontab for automatic Let's Encrypt renewal"
    (crontab -l 2>/dev/null; echo "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'") | crontab -
fi
Further customization of your site
We have described above how our script configures NGINX and NGINX Unit to serve a production-ready site with TLS/SSL enabled. Depending on your needs, you may later want to add:
Brotli support, which improves on-the-fly compression over HTTPS
Postfix or msmtp so that WordPress can send mail
Load testing of your site, so that you know how much traffic it can handle
For even better site performance we recommend upgrading to NGINX Plus, our company's commercial product built on open source NGINX. Subscribers get a dynamically loadable Brotli module and, for an additional fee, the NGINX ModSecurity WAF. We also offer NGINX App Protect, a WAF module for NGINX Plus based on F5's industry-leading security technology.
NB For support of high-load websites you can contact the Southbridge specialists. We will ensure fast and reliable operation of your website or service under any load.