Kunezifundo eziningi zokuthi ungayifaka kanjani i-WordPress, usesho lwe-Google lwe-"WordPress install" luzoveza imiphumela engaba ingxenye yesigidi. Kodwa-ke, empeleni, kuneziqondiso ezimbalwa ezinhle kakhulu phakathi kwazo, ngokusho ongafaka futhi ulungiselele i-WordPress kanye nesistimu yokusebenza engaphansi ukuze bakwazi ukusekela isikhathi eside. Mhlawumbe izilungiselelo ezifanele zincike kakhulu ezidingweni ezithile, noma lokhu kungenxa yokuthi incazelo enemininingwane yenza i-athikili ifundeke kanzima.
Kulesi sihloko, sizozama ukuhlanganisa okuhle kakhulu kwemihlaba yomibili ngokunikeza iskripthi se-bash ukuze sifake i-WordPress ku-Ubuntu, futhi sihambe ngayo, sichaze ukuthi ucezu ngalunye lwenzani, kanye nokuyekethisa esikwenzile ekuyithuthukiseni. Uma ungumsebenzisi othuthukile, ungeqa umbhalo we-athikili futhi nje ukuze ulungiswe futhi usebenzise ezindaweni zakho. Ukukhishwa kweskripthi ukufakwa kwe-WordPress ngokwezifiso ngokusekelwa kwe-Lets Encrypt, esebenza ku-NGINX Unit futhi ifanele ukusetshenziswa kokukhiqiza.
Izakhiwo ezithuthukisiwe zokuthumela i-WordPress usebenzisa i-NGINX Unit ichazwe ku , manje sizophinde silungise izinto ebezingahlanganiswa lapho (njengakwezinye izifundo eziningi):
- I-WordPress CLI
- Masibhale Ngemfihlo kanye Nezitifiketi Ze-TLSSSL
- Ukuvuselela okuzenzakalelayo kwezitifiketi
- I-NGINX caching
- Ukucindezela kwe-NGINX
- Ukusekelwa kwe-HTTPS ne-HTTP/2
- Inqubo ye-Automation
I-athikili izochaza ukufakwa kuseva eyodwa, okuzobamba kanyekanye iseva yokucubungula emile, iseva yokucubungula ye-PHP, kanye nesizindalwazi. Ukufakwa okusekela abasingathi abaningi be-virtual namasevisi kuyisihloko esingaba khona sesikhathi esizayo. Uma ufuna ukuthi sibhale ngento engekho kulezi zihloko, bhala kumazwana.
izidingo
- Iseva yesitsha ( noma ), umshini obonakalayo, noma iseva yensimbi evamile okungenani eno-512MB we-RAM kanye ne-Ubuntu 18.04 noma entsha efakiwe.
- Izimbobo ezifinyeleleka ku-inthanethi 80 kanye ne-443
- Igama lesizinda elihlotshaniswa nekheli lasesizindeni se-inthanethi lomphakathi lale seva
- Ukufinyelela kwezimpande (sudo).
Uhlolojikelele lwezakhiwo
I-architecture iyafana njengoba kuchaziwe , uhlelo lokusebenza lwewebhu olunezigaba ezintathu. Iqukethe imibhalo ye-PHP esebenza enjinini ye-PHP namafayela amile acutshungulwa yiseva yewebhu.
Izimiso ezijwayelekile
- Imiyalo eminingi yokumisa embhalweni isongwe uma izimo zokungabi namandla: iskripthi singasebenza izikhathi eziningi ngaphandle kwengozi yokuguqula izilungiselelo esezivele zikhona.
- Umbhalo uzama ukufaka isoftware kumakhosombe, ukuze ukwazi ukusebenzisa izibuyekezo zesistimu ngomyalo owodwa (
apt upgradeUbuntu). - Imiyalo izama ukuthola ukuthi isebenza esitsheni ukuze ikwazi ukushintsha izilungiselelo zayo ngokufanele.
- Ukuze usethe inani lezinqubo zentambo ezizoqala kuzilungiselelo, iskripthi sizama ukuqagela izilungiselelo ezizenzakalelayo zokusebenza ezitsheni, imishini ebonakalayo, namaseva wehadiwe.
- Uma sichaza izilungiselelo, sihlala sicabanga kuqala ngokuzenzakalelayo, esithemba ukuthi kuzoba yisisekelo sokudala ingqalasizinda yakho njengekhodi.
- Yonke imiyalo isetshenziswa njengomsebenzisi izimpande, ngoba bashintsha izilungiselelo eziyisisekelo zesistimu, kodwa ngokuqondile i-WordPress isebenza njengomsebenzisi ojwayelekile.
Ukusetha okuguquguqukayo kwendawo
Setha okuguquguqukayo kwemvelo okulandelayo ngaphambi kokusebenzisa iskripthi:
WORDPRESS_DB_PASSWORD- Iphasiwedi ye-WordPress databaseWORDPRESS_ADMIN_USER- Igama lomqondisi we-WordPressWORDPRESS_ADMIN_PASSWORD- Iphasiwedi ye-WordPress adminWORDPRESS_ADMIN_EMAIL- I-imeyili yomqondisi we-WordPressWORDPRESS_URLiyi-URL egcwele yesayithi le-WordPress, eqala ngohttps://.LETS_ENCRYPT_STAGING- ayinalutho ngokuzenzakalelayo, kodwa ngokubeka inani ku-1, uzosebenzisa amaseva wesiteji esithi Masibethele, adingekayo ukuze uvame ukucela izitifiketi lapho uhlola izilungiselelo zakho, ngaphandle kwalokho, Masibhale Ngemfihlo singavimba okwesikhashana ikheli lakho le-ip ngenxa yenani elikhulu lezicelo.
Umbhalo uhlola ukuthi lezi ziguquguqukayo ezihlobene ne-WordPress zisethiwe futhi ziyaphuma uma kungenjalo.
Imigqa yesikripthi 572-576 hlola inani LETS_ENCRYPT_STAGING.
Ukusetha okuguquguqukayo kwemvelo okutholiwe
Iskripthi emigqeni 55-61 sisetha okuguquguqukayo kwemvelo okulandelayo, kungaba inani elinekhodi eliqinile noma kusetshenziswa inani elitholwe kokuguquguqukayo okusethwe esigabeni sangaphambilini:
DEBIAN_FRONTEND="noninteractive"- Itshela izinhlelo zokusebenza ukuthi zisebenza kuskripthi futhi akukho okungenzeka kokusebenzelana komsebenzisi.WORDPRESS_CLI_VERSION="2.4.0"inguqulo yohlelo lokusebenza lwe-WordPress CLI.WORDPRESS_CLI_MD5= "dedd5a662b80cda66e9e25d44c23b25c"- isheke lefayela le-WordPress CLI 2.4.0 elisebenzisekayo (inguqulo icaciswe kokuguquguqukayoWORDPRESS_CLI_VERSION). Iskripthi esikulayini 162 sisebenzisa leli nani ukuhlola ukuthi ifayela elilungile le-WordPress CLI lilandiwe.UPLOAD_MAX_FILESIZE="16M"- usayizi wefayela omkhulu ongalayishwa ku-WordPress. Lesi silungiselelo sisetshenziswa ezindaweni ezimbalwa, ngakho-ke kulula ukusethwa endaweni eyodwa.TLS_HOSTNAME= "$(echo ${WORDPRESS_URL} | cut -d'/' -f3)"- Igama lomethuleli wesistimu, libuyisiwe kokuhluka kwe-WORDPRESS_URL. Isetshenziselwa ukuthola izitifiketi ezifanele ze-TLS/SSL kokuthi Masibethele kanye nokuqinisekiswa kwe-WordPress kwangaphakathi.NGINX_CONF_DIR="/etc/nginx"- indlela eya kumkhombandlela enezilungiselelo ze-NGINX, kufaka phakathi ifayela eliyinhlokonginx.conf.CERT_DIR="/etc/letsencrypt/live/${TLS_HOSTNAME}"β indlela eya ezitifiketini Zokuthi Masibethele zesayithi le-WordPress, etholwe kokuguquguqukayoTLS_HOSTNAME.
Ukunikeza igama lomethuleli kuseva ye-WordPress
Umbhalo usetha igama lomethuleli weseva ukuthi lifane negama lesizinda sesayithi. Lokhu akudingekile, kodwa kulula kakhulu ukuthumela imeyili ephumayo nge-SMTP lapho usetha iseva eyodwa, njengoba kumiswe umbhalo.
ikhodi yombhalo
# Change the hostname to be the same as the WordPress hostname
if [ ! "$(hostname)" == "${TLS_HOSTNAME}" ]; then
echo " Changing hostname to ${TLS_HOSTNAME}"
hostnamectl set-hostname "${TLS_HOSTNAME}"
fiYengeza igama lomethuleli ku-/etc/hosts
Ukwengeza esetshenziswa ukwenza imisebenzi yezikhathi ezithile, idinga i-WordPress ukuthi ikwazi ukuzifinyelela yona nge-HTTP. Ukuqinisekisa ukuthi i-WP-Cron isebenza kahle kuzo zonke izindawo, umbhalo wengeza umugqa efayeleni / njll / amabambaukuze i-WordPress izifinyelele ngokwayo nge-loopback interface:
ikhodi yombhalo
# Add the hostname to /etc/hosts
if [ "$(grep -m1 "${TLS_HOSTNAME}" /etc/hosts)" = "" ]; then
echo " Adding hostname ${TLS_HOSTNAME} to /etc/hosts so that WordPress can ping itself"
printf "::1 %sn127.0.0.1 %sn" "${TLS_HOSTNAME}" "${TLS_HOSTNAME}" >> /etc/hosts
fiUkufaka amathuluzi adingekayo ezinyathelweni ezilandelayo
Esinye isikripthi sidinga ezinye izinhlelo futhi sicabanga ukuthi amakhosombe asesikhathini samanje. Sibuyekeza uhlu lwamakhosombe, emva kwalokho sifaka amathuluzi adingekayo:
ikhodi yombhalo
# Make sure tools needed for install are present
echo " Installing prerequisite tools"
apt-get -qq update
apt-get -qq install -y
bc
ca-certificates
coreutils
curl
gnupg2
lsb-releaseUkwengeza Iyunithi ye-NGINX kanye namakhosombe we-NGINX
Umbhalo ufaka Iyunithi ye-NGINX kanye nomthombo ovulekile we-NGINX osuka kumakhosombe asemthethweni e-NGINX ukuze uqiniseke ukuthi izinguqulo ezinamapeshi akamuva okuvikela nokulungiswa kweziphazamisi ziyasetshenziswa.
Umbhalo wengeza inqolobane ye-NGINX Unit bese kuba indawo yokugcina ye-NGINX, wengeza ukhiye wamakhosombe kanye namafayela okumisa. apt, echaza ukufinyelela kumakhosombe nge-inthanethi.
Ukufakwa kwangempela kwe-NGINX Unit kanye ne-NGINX kwenzeka esigabeni esilandelayo. Sengeza kuqala amakhosombe ukuze kungadingeki sibuyekeze imethadatha izikhathi eziningi, okwenza ukufakwa kusheshe.
ikhodi yombhalo
# Install the NGINX Unit repository
if [ ! -f /etc/apt/sources.list.d/unit.list ]; then
echo " Installing NGINX Unit repository"
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb https://packages.nginx.org/unit/ubuntu/ $(lsb_release -cs) unit" > /etc/apt/sources.list.d/unit.list
fi
# Install the NGINX repository
if [ ! -f /etc/apt/sources.list.d/nginx.list ]; then
echo " Installing NGINX repository"
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -
echo "deb https://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
fiUkufaka i-NGINX, i-NGINX Unit, i-PHP MariaDB, i-Certbot (Asibethele) kanye nokuncika kwayo
Uma wonke amakhosombe esengeziwe, buyekeza imethadatha futhi ufake izinhlelo zokusebenza. Amaphakheji afakwe yiskripthi ahlanganisa nezandiso ze-PHP ezinconyiwe uma usebenzisa i-WordPress.org
ikhodi yombhalo
echo " Updating repository metadata"
apt-get -qq update
# Install PHP with dependencies and NGINX Unit
echo " Installing PHP, NGINX Unit, NGINX, Certbot, and MariaDB"
apt-get -qq install -y --no-install-recommends
certbot
python3-certbot-nginx
php-cli
php-common
php-bcmath
php-curl
php-gd
php-imagick
php-mbstring
php-mysql
php-opcache
php-xml
php-zip
ghostscript
nginx
unit
unit-php
mariadb-serverUkusetha i-PHP ukuze isetshenziswe nge-NGINX Unit kanye ne-WordPress
Umbhalo udala ifayela lezilungiselelo ohlwini lwemibhalo conf.d. Lokhu kusetha usayizi omkhulu wokulayishwa kwe-PHP, kuvula okukhiphayo kwephutha le-PHP ku-STDERR ngakho azobhalwa kulogi yeyunithi ye-NGINX, futhi iqale kabusha Iyunithi ye-NGINX.
ikhodi yombhalo
# Find the major and minor PHP version so that we can write to its conf.d directory
PHP_MAJOR_MINOR_VERSION="$(php -v | head -n1 | cut -d' ' -f2 | cut -d'.' -f1,2)"
if [ ! -f "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" ]; then
echo " Configuring PHP for use with NGINX Unit and WordPress"
# Add PHP configuration overrides
cat > "/etc/php/${PHP_MAJOR_MINOR_VERSION}/embed/conf.d/30-wordpress-overrides.ini" << EOM
; Set a larger maximum upload size so that WordPress can handle
; bigger media files.
upload_max_filesize=${UPLOAD_MAX_FILESIZE}
post_max_size=${UPLOAD_MAX_FILESIZE}
; Write error log to STDERR so that error messages show up in the NGINX Unit log
error_log=/dev/stderr
EOM
fi
# Restart NGINX Unit because we have reconfigured PHP
echo " Restarting NGINX Unit"
service unit restartIcacisa Izilungiselelo Zedathabhe ye-MariaDB ye-WordPress
Sikhethe i-MariaDB kune-MySQL njengoba inomsebenzi omningi womphakathi futhi kungenzeka futhi (mhlawumbe, yonke into ilula lapha: ukufaka i-MySQL, udinga ukwengeza enye inqolobane, cishe. umhumushi).
Umbhalo udala isizindalwazi esisha futhi udale imininingwane yokufinyelela i-WordPress nge-loopback interface:
ikhodi yombhalo
# Set up the WordPress database
echo " Configuring MariaDB for WordPress"
mysqladmin create wordpress || echo "Ignoring above error because database may already exist"
mysql -e "GRANT ALL PRIVILEGES ON wordpress.* TO "wordpress"@"localhost" IDENTIFIED BY "$WORDPRESS_DB_PASSWORD"; FLUSH PRIVILEGES;"Ukufaka Uhlelo lwe-WordPress CLI
Kulesi sinyathelo, umbhalo ufaka uhlelo . Ngayo, ungakwazi ukufaka nokuphatha izilungiselelo ze-WordPress ngaphandle kokuthi uhlele amafayela ngesandla, ubuyekeze isizindalwazi, noma ufake iphaneli yokulawula. Ingase futhi isetshenziselwe ukufaka izingqikithi nezengezo kanye nokuvuselela i-WordPress.
ikhodi yombhalo
if [ ! -f /usr/local/bin/wp ]; then
# Install the WordPress CLI
echo " Installing the WordPress CLI tool"
curl --retry 6 -Ls "https://github.com/wp-cli/wp-cli/releases/download/v${WORDPRESS_CLI_VERSION}/wp-cli-${WORDPRESS_CLI_VERSION}.phar" > /usr/local/bin/wp
echo "$WORDPRESS_CLI_MD5 /usr/local/bin/wp" | md5sum -c -
chmod +x /usr/local/bin/wp
fiUkufaka nokumisa i-WordPress
Umbhalo ufaka inguqulo yakamuva ye-WordPress kumkhombandlela /var/www/wordpressfuthi ishintsha izilungiselelo:
- Uxhumano lwesizindalwazi lusebenza phezu kwesokhethi yesizinda se-unix esikhundleni se-TCP ku-loopback ukuze kwehliswe ithrafikhi ye-TCP.
- I-WordPress ingeza isiqalo https:// ku-URL uma amakhasimende exhumeka ku-NGINX nge-HTTPS, aphinde athumele igama lomethuleli wesilawuli kude (njengoba kuhlinzekwe i-NGINX) ku-PHP. Sisebenzisa ucezu lwekhodi ukuze simise lokhu.
- I-WordPress idinga i-HTTPS ukuze ungene ngemvume
- Isakhiwo se-URL esimisiwe sisekelwe kuzinsiza
- Isetha izimvume ezifanele ohlelweni lwefayela lwenkomba ye-WordPress.
ikhodi yombhalo
if [ ! -d /var/www/wordpress ]; then
# Create WordPress directories
mkdir -p /var/www/wordpress
chown -R www-data:www-data /var/www
# Download WordPress using the WordPress CLI
echo " Installing WordPress"
su -s /bin/sh -c 'wp --path=/var/www/wordpress core download' www-data
WP_CONFIG_CREATE_CMD="wp --path=/var/www/wordpress config create --extra-php --dbname=wordpress --dbuser=wordpress --dbhost="localhost:/var/run/mysqld/mysqld.sock" --dbpass="${WORDPRESS_DB_PASSWORD}""
# This snippet is injected into the wp-config.php file when it is created;
# it informs WordPress that we are behind a reverse proxy and as such
# allows it to generate links using HTTPS
cat > /tmp/wp_forwarded_for.php << 'EOM'
/* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
$_SERVER['HTTPS'] = 'on';
}
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
EOM
# Create WordPress configuration
su -s /bin/sh -p -c "cat /tmp/wp_forwarded_for.php | ${WP_CONFIG_CREATE_CMD}" www-data
rm /tmp/wp_forwarded_for.php
su -s /bin/sh -p -c "wp --path=/var/www/wordpress config set 'FORCE_SSL_ADMIN' 'true'" www-data
# Install WordPress
WP_SITE_INSTALL_CMD="wp --path=/var/www/wordpress core install --url="${WORDPRESS_URL}" --title="${WORDPRESS_SITE_TITLE}" --admin_user="${WORDPRESS_ADMIN_USER}" --admin_password="${WORDPRESS_ADMIN_PASSWORD}" --admin_email="${WORDPRESS_ADMIN_EMAIL}" --skip-email"
su -s /bin/sh -p -c "${WP_SITE_INSTALL_CMD}" www-data
# Set permalink structure to a sensible default that isn't in the UI
su -s /bin/sh -p -c "wp --path=/var/www/wordpress option update permalink_structure '/%year%/%monthnum%/%postname%/'" www-data
# Remove sample file because it is cruft and could be a security problem
rm /var/www/wordpress/wp-config-sample.php
# Ensure that WordPress permissions are correct
find /var/www/wordpress -type d -exec chmod g+s {} ;
chmod g+w /var/www/wordpress/wp-content
chmod -R g+w /var/www/wordpress/wp-content/themes
chmod -R g+w /var/www/wordpress/wp-content/plugins
fiIsetha Iyunithi ye-NGINX
Umbhalo ulungiselela Iyunithi ye-NGINX ukuze iqhube i-PHP futhi icubungule izindlela ze-WordPress, ihlukanise indawo yegama lenqubo ye-PHP futhi ithuthukise izilungiselelo zokusebenza. Kunezici ezintathu okufanele uzibheke lapha:
- Ukusekelwa kwezikhala zamagama kunqunywa yisimo, ngokusekelwe ekuhloleni ukuthi umbhalo uyasebenza esitsheni. Lokhu kuyadingeka ngoba ukusetha okuningi kweziqukathi akusekeli ukwethulwa kwesidleke kweziqukathi.
- Uma kunosekelo lwezikhala zamagama, khubaza indawo yamagama Inethiwekhi. Lokhu ukuvumela i-WordPress ukuthi ixhume kuzo zombili iziphetho futhi itholakale kuwebhu ngesikhathi esisodwa.
- Inombolo enkulu yezinqubo ichazwa kanje: (Inkumbulo etholakalayo yokusebenzisa i-MariaDB ne-NGINX Uniy)/(umkhawulo we-RAM ku-PHP + 5)
Leli nani lisethwe kuzilungiselelo zeyunithi ye-NGINX.
Leli nani liphinde lisho ukuthi kukhona okungenani izinqubo ezimbili ze-PHP ezisebenzayo, okubalulekile ngoba i-WordPress yenza izicelo eziningi ezivumelanayo kuyona ngokwayo, futhi ngaphandle kwezinqubo ezengeziwe, egijima isb. WP-Cron izophuka. Ungase ufune ukwandisa noma ukunciphisa le mikhawulo ngokusekelwe kuzilungiselelo zakho zasendaweni, ngenxa yokuthi izilungiselelo ezidalwe lapha ziyalondoloza. Ezinhlelweni eziningi zokukhiqiza, izilungiselelo ziphakathi kuka-10 no-100.
ikhodi yombhalo
if [ "${container:-unknown}" != "lxc" ] && [ "$(grep -m1 -a container=lxc /proc/1/environ | tr -d '')" == "" ]; then
NAMESPACES='"namespaces": {
"cgroup": true,
"credential": true,
"mount": true,
"network": false,
"pid": true,
"uname": true
}'
else
NAMESPACES='"namespaces": {}'
fi
PHP_MEM_LIMIT="$(grep 'memory_limit' /etc/php/7.4/embed/php.ini | tr -d ' ' | cut -f2 -d= | numfmt --from=iec)"
AVAIL_MEM="$(grep MemAvailable /proc/meminfo | tr -d ' kB' | cut -f2 -d: | numfmt --from-unit=K)"
MAX_PHP_PROCESSES="$(echo "${AVAIL_MEM}/${PHP_MEM_LIMIT}+5" | bc)"
echo " Calculated the maximum number of PHP processes as ${MAX_PHP_PROCESSES}. You may want to tune this value due to variations in your configuration. It is not unusual to see values between 10-100 in production configurations."
echo " Configuring NGINX Unit to use PHP and WordPress"
cat > /tmp/wordpress.json << EOM
{
"settings": {
"http": {
"header_read_timeout": 30,
"body_read_timeout": 30,
"send_timeout": 30,
"idle_timeout": 180,
"max_body_size": $(numfmt --from=iec ${UPLOAD_MAX_FILESIZE})
}
},
"listeners": {
"127.0.0.1:8080": {
"pass": "routes/wordpress"
}
},
"routes": {
"wordpress": [
{
"match": {
"uri": [
"*.php",
"*.php/*",
"/wp-admin/"
]
},
"action": {
"pass": "applications/wordpress/direct"
}
},
{
"action": {
"share": "/var/www/wordpress",
"fallback": {
"pass": "applications/wordpress/index"
}
}
}
]
},
"applications": {
"wordpress": {
"type": "php",
"user": "www-data",
"group": "www-data",
"processes": {
"max": ${MAX_PHP_PROCESSES},
"spare": 1
},
"isolation": {
${NAMESPACES}
},
"targets": {
"direct": {
"root": "/var/www/wordpress/"
},
"index": {
"root": "/var/www/wordpress/",
"script": "index.php"
}
}
}
}
}
EOM
curl -X PUT --data-binary @/tmp/wordpress.json --unix-socket /run/control.unit.sock http://localhost/configIsetha i-NGINX
Ilungiselela Izilungiselelo Eziyisisekelo ze-NGINX
Iskripthi sidala uhla lwemibhalo lwenqolobane ye-NGINX bese sidala ifayela eliyinhloko lokucushwa nginx.conf. Naka inani lezinqubo zesibambi kanye nokulungiselelwa kobukhulu besayizi lefayela ukuze lilayishwe. Kukhona futhi umugqa ohlanganisa ifayela lezilungiselelo zokucindezelwa elichazwe esigabeni esilandelayo, elilandelwa izilungiselelo zesikhashana.
ikhodi yombhalo
# Make directory for NGINX cache
mkdir -p /var/cache/nginx/proxy
echo " Configuring NGINX"
cat > ${NGINX_CONF_DIR}/nginx.conf << EOM
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include ${NGINX_CONF_DIR}/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
client_max_body_size ${UPLOAD_MAX_FILESIZE};
keepalive_timeout 65;
# gzip settings
include ${NGINX_CONF_DIR}/gzip_compression.conf;
# Cache settings
proxy_cache_path /var/cache/nginx/proxy
levels=1:2
keys_zone=wp_cache:10m
max_size=10g
inactive=60m
use_temp_path=off;
include ${NGINX_CONF_DIR}/conf.d/*.conf;
}
EOMIsetha ukucindezelwa kwe-NGINX
Ukucindezela okuqukethwe endizeni ngaphambi kokukuthumela kumakhasimende kuyindlela enhle yokuthuthukisa ukusebenza kwesayithi, kodwa kuphela uma ukucindezela kulungiselelwe ngendlela efanele. Lesi sigaba sombhalo sisekelwe kuzilungiselelo .
ikhodi yombhalo
cat > ${NGINX_CONF_DIR}/gzip_compression.conf << 'EOM'
# Credit: https://github.com/h5bp/server-configs-nginx/
# ----------------------------------------------------------------------
# | Compression |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 6;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.ms-fontobject
application/wasm
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/bmp
image/svg+xml
text/cache-manifest
text/calendar
text/css
text/javascript
text/markdown
text/plain
text/xml
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
EOMUkusetha i-NGINX ye-WordPress
Okulandelayo, iskripthi sidala ifayela lokucushwa le-WordPress okuzenzakalelayo.conf kukhathalogi conf.d. Ilungiselelwe lapha:
- Ukwenza kusebenze izitifiketi ze-TLS ezitholwe kokuthi Masibethele nge-Certbot (ukuyimisa kuzoba esigabeni esilandelayo)
- Ilungiselela izilungiselelo zokuphepha ze-TLS ngokusekelwe ezincomweni ezivela ku-Let's Encrypt
- Nika amandla izicelo zokweqa kunqolobane ihora elingu-1 ngokuzenzakalelayo
- Khubaza ukungena ngemvume, kanye nokungena ngephutha uma ifayela lingatholakali, kumafayela amabili ajwayelekile aceliwe: favicon.ico kanye ne-robots.txt
- Vimbela ukufinyelela kumafayela afihliwe namanye amafayela .phpukuvimbela ukufinyelela okungekho emthethweni noma ukuqala okungahlosiwe
- Khubaza ukungena ngemvume kumafayela amile kanye nefonti
- Ukulungiselelwa kweheda kumafayela efonti
- Ingeza umzila we-index.php namanye ama-statics.
ikhodi yombhalo
cat > ${NGINX_CONF_DIR}/conf.d/default.conf << EOM
upstream unit_php_upstream {
server 127.0.0.1:8080;
keepalive 32;
}
server {
listen 80;
listen [::]:80;
# ACME-challenge used by Certbot for Let's Encrypt
location ^~ /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://${TLS_HOSTNAME}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${TLS_HOSTNAME};
root /var/www/wordpress/;
# Let's Encrypt configuration
ssl_certificate ${CERT_DIR}/fullchain.pem;
ssl_certificate_key ${CERT_DIR}/privkey.pem;
ssl_trusted_certificate ${CERT_DIR}/chain.pem;
include ${NGINX_CONF_DIR}/options-ssl-nginx.conf;
ssl_dhparam ${NGINX_CONF_DIR}/ssl-dhparams.pem;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# Proxy caching
proxy_cache wp_cache;
proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1m;
proxy_cache_revalidate on;
proxy_cache_background_update on;
proxy_cache_lock on;
proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd,
# .DS_Store (Mac)
# Keep logging the requests to parse later (or to pass to firewall utilities
# such as fail2ban)
location ~ /. {
deny all;
}
# Deny access to any files with a .php extension in the uploads directory;
# works in subdirectory installs and also in multi-site network.
# Keep logging the requests to parse later (or to pass to firewall utilities
# such as fail2ban).
location ~* /(?:uploads|files)/.*.php$ {
deny all;
}
# WordPress: deny access to wp-content, wp-includes PHP files
location ~* ^/(?:wp-content|wp-includes)/.*.php$ {
deny all;
}
# Deny public access to wp-config.php
location ~* wp-config.php {
deny all;
}
# Do not log access for static assets, media
location ~* .(?:css(.map)?|js(.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
access_log off;
}
location ~* .(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
add_header Access-Control-Allow-Origin "*";
access_log off;
}
location / {
try_files $uri @index_php;
}
location @index_php {
proxy_socket_keepalive on;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass http://unit_php_upstream;
}
location ~* .php$ {
proxy_socket_keepalive on;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
try_files $uri =404;
proxy_pass http://unit_php_upstream;
}
}
EOMIsetha i-Certbot yezitifiketi ezivela ku-Asibethele futhi sizivuselele ngokuzenzakalela
iyithuluzi lamahhala le-Electronic Frontier Foundation (EFF) elikuvumela ukuthi uthole futhi uvuselele ngokuzenzakalelayo izitifiketi ze-TLS ku-Let's Encrypt. Umbhalo wenza lokhu okulandelayo ukuze ulungiselele i-Certbot ukucubungula izitifiketi kusuka ku-Asibethele ku-NGINX:
- Imisa i-NGINX
- Ukulanda okunconyiwe kwezilungiselelo ze-TLS
- Isebenzisa i-Certbot ukuthola izitifiketi zesayithi
- Iqala kabusha i-NGINX ukuze isebenzise izitifiketi
- Ilungiselela i-Certbot ukuthi isebenze nsuku zonke ngo-3:24 AM ukuze ihlole ukuthi izitifiketi zidinga ukuvuselelwa, futhi uma kudingeka, landa izitifiketi ezintsha bese uqala kabusha i-NGINX.
ikhodi yombhalo
echo " Stopping NGINX in order to set up Let's Encrypt"
service nginx stop
mkdir -p /var/www/certbot
chown www-data:www-data /var/www/certbot
chmod g+s /var/www/certbot
if [ ! -f ${NGINX_CONF_DIR}/options-ssl-nginx.conf ]; then
echo " Downloading recommended TLS parameters"
curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:36:07 GMT"
-o "${NGINX_CONF_DIR}/options-ssl-nginx.conf"
"https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf"
|| echo "Couldn't download latest options-ssl-nginx.conf"
fi
if [ ! -f ${NGINX_CONF_DIR}/ssl-dhparams.pem ]; then
echo " Downloading recommended TLS DH parameters"
curl --retry 6 -Ls -z "Tue, 14 Apr 2020 16:49:18 GMT"
-o "${NGINX_CONF_DIR}/ssl-dhparams.pem"
"https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem"
|| echo "Couldn't download latest ssl-dhparams.pem"
fi
# If tls_certs_init.sh hasn't been run before, remove the self-signed certs
if [ ! -d "/etc/letsencrypt/accounts" ]; then
echo " Removing self-signed certificates"
rm -rf "${CERT_DIR}"
fi
if [ "" = "${LETS_ENCRYPT_STAGING:-}" ] || [ "0" = "${LETS_ENCRYPT_STAGING}" ]; then
CERTBOT_STAGING_FLAG=""
else
CERTBOT_STAGING_FLAG="--staging"
fi
if [ ! -f "${CERT_DIR}/fullchain.pem" ]; then
echo " Generating certificates with Let's Encrypt"
certbot certonly --standalone
-m "${WORDPRESS_ADMIN_EMAIL}"
${CERTBOT_STAGING_FLAG}
--agree-tos --force-renewal --non-interactive
-d "${TLS_HOSTNAME}"
fi
echo " Starting NGINX in order to use new configuration"
service nginx start
# Write crontab for periodic Let's Encrypt cert renewal
if [ "$(crontab -l | grep -m1 'certbot renew')" == "" ]; then
echo " Adding certbot to crontab for automatic Let's Encrypt renewal"
(crontab -l 2>/dev/null; echo "24 3 * * * certbot renew --nginx --post-hook 'service nginx reload'") | crontab -
fiUkwenza ngokwezifiso okwengeziwe kwesayithi lakho
Sikhulume ngenhla ngokuthi iskripthi sethu siyimisa kanjani i-NGINX kanye ne-NGINX Unit ukuze isebenze isayithi elilungele ukukhiqiza eline-TLSSSL enikwe amandla. Ungakwazi futhi, kuye ngezidingo zakho, ukwengeza esikhathini esizayo:
- ukusekela , ukucindezelwa okuthuthukisiwe lapho undiza phezu kwe-HTTPS
- Ρ ukuvimbela ukuhlasela okuzenzakalelayo kusayithi lakho
- ye-WordPress evumelana nawe
- ngosizo lwe (Ubuntu)
- I-Postfix noma i-msmtp ukuze i-WordPress ikwazi ukuthumela imeyili
- Ukuhlola isayithi lakho ukuze uqonde ukuthi ingakanani ithrafikhi engakwazi ukuyiphatha
Ukuze uthole ukusebenza okungcono kakhulu kwesayithi, sincoma ukuthi uthuthukele ku , umkhiqizo wethu wezohwebo, wezinga lebhizinisi ngokusekelwe kumthombo ovulekile we-NGINX. Ababhalisile bayo bazothola imojuli ye-Brotli elayishwe ngamandla, kanye (ngemali eyengeziwe) . Siphinde sinikele , imojula ye-WAF ye-NGINX Plus esekelwe kubuchwepheshe bokuphepha obuhamba phambili embonini kusuka ku-F5.
NB Ukuze uthole ukusekelwa kwesayithi elayishwe kakhulu, ungaxhumana nochwepheshe . Sizoqinisekisa ukusebenza okusheshayo nokuthembekile kwewebhusayithi yakho noma isevisi ngaphansi kwanoma yimuphi umthwalo.
Source: www.habr.com