
Installing WordPress 5 on CentOS 8

  • CentOS 8.2.2004 (Core)
  • Nginx
  • MariaDB 10
  • PHP 8

Install Nginx / MariaDB 10 / PHP 7.4

  • EPEL
    dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
  • REMI: enable PHP 7.4
    dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
    dnf module list php
    dnf module enable php:remi-7.4
  • Nginx
    vi /etc/yum.repos.d/nginx.repo
    [nginx]
    name=nginx repo
    baseurl=http://nginx.org/packages/centos/8/$basearch/
    gpgcheck=0
    enabled=1
    dnf install nginx
  • php-fpm
    dnf install php php-fpm
  • mariadb-server
    dnf install mariadb-server
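
The nginx repository stanza above sets gpgcheck=0 and an http:// baseurl, so dnf does not verify what it installs from that repo. The following check is an added example, not part of the original page: it reads a .repo file on stdin and reports those settings. The function names are this example's own, both sample stanzas are constructed, and the hardened one assumes the nginx.org signing key URL.

```shell
#!/bin/sh
# Added example, not from the original page: audit a dnf/yum .repo file read
# from stdin. Prints one finding per line; no output means nothing was flagged.
audit_repo() {
    awk '
        # Print the findings for the stanza that just ended.
        function report() {
            if (section == "") return
            if (v["gpgcheck"] == "0")
                print section ": gpgcheck=0, package signatures are not verified"
            if (v["baseurl"] ~ /^http:/)
                print section ": baseurl is plain http, repo data is fetched unauthenticated"
            if (v["gpgkey"] ~ /^http:/)
                print section ": gpgkey is fetched over plain http"
        }
        /^[ \t]*\[/ {                  # [section] header starts a new stanza
            report()
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            split("", v)               # forget the previous stanza settings
            next
        }
        /^[ \t]*[#;]/ { next }         # comment line
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            v[key] = val
        }
        END { report() }
    '
}

# Constructed sample: the stanza as this page writes it.
weak_repo() {
    printf '%s\n' '[nginx]' 'name=nginx repo' \
        'baseurl=http://nginx.org/packages/centos/8/$basearch/' \
        'gpgcheck=0' 'enabled=1'
}
# Constructed sample: same repo over https with signature checking on.
# ASSUMPTION: nginx.org signing key URL, not given on the page.
hardened_repo() {
    printf '%s\n' '[nginx]' 'name=nginx repo' \
        'baseurl=https://nginx.org/packages/centos/8/$basearch/' \
        'gpgcheck=1' 'gpgkey=https://nginx.org/keys/nginx_signing.key' 'enabled=1'
}

weak_repo | audit_repo
hardened_repo | audit_repo
```

Run it against the installed file with `audit_repo < /etc/yum.repos.d/nginx.repo`.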

Configure and verify nginx + php-fpm / mariadb

  • Firewall: open http / https
    firewall-cmd --permanent --zone=public --add-service=http
    firewall-cmd --permanent --zone=public --add-service=https
    firewall-cmd --reload
  • Enable nginx at boot
    systemctl restart nginx
    systemctl enable nginx 
  • Generate a self-signed SSL test certificate
    mkdir -p /etc/nginx/ssl
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
  • Configure the main site directory
    • /etc/nginx/conf.d/default.conf
      vi /etc/nginx/conf.d/default.conf
      server {
          listen       80;
          server_name  localhost;
      
          # Permanently redirect HTTP requests to HTTPS
          return 301 https://$server_name$request_uri;
      }
      
      server {
          # Use HTTPS and the HTTP/2 protocol
          listen 443 ssl http2;
          # Same as above, for IPv6
          listen [::]:443 ssl http2;
      
          gzip on;
          gzip_comp_level    5;
          gzip_min_length    256;
          gzip_proxied       any;
          gzip_vary          on;
      
          gzip_types
          application/atom+xml
          application/javascript
          application/json
          application/ld+json
          application/manifest+json
          application/rss+xml
          application/vnd.geo+json
          application/vnd.ms-fontobject
          application/x-font-ttf
          application/x-web-app-manifest+json
          application/xhtml+xml
          application/xml
          font/opentype
          image/bmp
          image/svg+xml
          image/x-icon
          text/cache-manifest
          text/css
          text/plain
          text/vcard
          text/vnd.rim.location.xloc
          text/vtt
          text/x-component
          text/x-cross-domain-policy;
          # text/html is always compressed by gzip module
      
          location ~*  \.(jpg|jpeg|png|gif|ico|css|js|pdf)$ {
              expires 7d;
          }
      
      
          charset utf-8;
          access_log  /var/log/nginx/access.log  main;
      
          index  index.php; 
      
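          # Shared settings file: restricted files. Included before php.conf because
          # regex locations are tested in order of appearance and the first match wins,
          # so the deny rules must come ahead of the PHP handler
          include             /etc/nginx/global/restrictions.conf;
          # PHP FastCGI settings file (provided by default with NGINX)
          include             /etc/nginx/default.d/php.conf;
          # Shared settings file: no-cache conditions
          include             /etc/nginx/global/no-cache.conf;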
      
          #
          # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
          #
      
          # Path to the SSL certificate
          ssl_certificate     /etc/nginx/ssl/nginx.crt;
          # Path to the private key
          ssl_certificate_key /etc/nginx/ssl/nginx.key;
      
          # Shared settings file: TLS/SSL certificate settings
          include             /etc/nginx/global/ssl.conf;
      
      }
    • /etc/nginx/global/restrictions.conf
      mkdir /etc/nginx/global
      vi /etc/nginx/global/restrictions.conf
      # Global restrictions configuration file.
      # Designed to be included in any server {} block.
      location = /favicon.ico {
          log_not_found off;
          access_log off;
      }
       
      location = /robots.txt {
          allow all;
          log_not_found off;
          access_log off;
      }
       
      # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
      # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
      location ~ /\. {
          deny all;
      }
       
      # Deny access to any files with a .php extension in the uploads directory
      # Works in sub-directory installs and also in multisite network
      # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
      location ~* /(?:uploads|files)/.*\.php$ {
          deny all;
      }
      
      location / {
          # This is cool because no php is touched for static content.
          # include the "?$args" part so non-default permalinks doesn't break when using query string
          try_files $uri $uri/ /index.php?$args;
      }
      
      location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
              expires max;
              log_not_found off;
      }
    • /etc/nginx/global/ssl.conf
      vi /etc/nginx/global/ssl.conf
      # Session cache lifetime
      ssl_session_timeout 1d;
      # Session cache type and size
      ssl_session_cache shared:SSL:50m;
      
      
      #
      # intermediate configuration. tweak to your needs.
      #
      
      # Protocols enabled; TLSv1 and TLSv1.1 are deprecated (RFC 8996), keep them only if legacy clients need them
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      # Cipher suites; earlier entries have higher priority
      ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
      # Use the server's cipher preference order during the handshake (on = server order, off = client order)
      ssl_prefer_server_ciphers on;
      
      
      #
      # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
      #
      
      # Add the HTTP response header
      add_header Strict-Transport-Security max-age=15768000;
    • /etc/nginx/global/no-cache.conf
      vi /etc/nginx/global/no-cache.conf
      # FastCGI cache is enabled by default ($no_cache = 0)
      set $no_cache 0;
       
      # Do not cache POST requests or URLs that carry a query string
      if ($request_method = POST) {
          set $no_cache 1;
      }
      if ($query_string != "") {
          set $no_cache 1;
      }   
       
      # Do not cache the following URIs
      if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
          set $no_cache 1;
      }   
       
      # Do not cache for logged-in users or recent commenters
      if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
          set $no_cache 1;
      }
      
      # Add a cache-status header (for debugging)
      add_header X-Cache $upstream_cache_status;
  • Edit the PHP configuration
    vi /etc/php.ini
    :
    ;cgi.fix_pathinfo=1
    cgi.fix_pathinfo=0
    :
    [Date]
    :
    date.timezone = Asia/Taipei
    :
  • Edit the php-fpm configuration
    vi /etc/php-fpm.d/www.conf
    :
    ; Default Values: user and group are set as the running user
    ;                 mode is set to 0660
    listen.owner = nobody
    listen.group = nobody
    ;listen.mode = 0660
    :
    systemctl restart php-fpm
    systemctl enable php-fpm 
  • Start MariaDB and verify the new password
    systemctl restart mariadb
    systemctl enable mariadb 
    mysql_secure_installation

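    Set the root password and remove the default users and databases. Once that is done, you can use

    mysql -u root -p

    to verify that you can log in with the new password.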

  • Install the other PHP packages
    dnf install php-mysqlnd php-mbstring php-xmlrpc php-soap php-gd php-xml php-intl php-zip php-curl php-cli
    systemctl restart php-fpm
    systemctl restart nginx
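
nginx tests regex locations in the order they appear once the include lines are expanded, and the first match wins, so whether restrictions.conf or php.conf comes first decides if the uploads deny rule is ever reached. The following model of that rule is an added example, not part of the original page; the php.conf location pattern is an assumption, the request paths are constructed, and exact and prefix locations are not modeled.

```shell
#!/bin/sh
# Added example, not from the original page. Models nginx regex locations
# only: they are tested in order of appearance and the first match wins.
# Patterns are POSIX ERE, so (?:uploads|files) is written (uploads|files).
# Each rule line is: modifier regex label.

# Regex location in default.conf, ahead of both include lines.
DEFAULT_CONF='~* \.(jpg|jpeg|png|gif|ico|css|js|pdf)$ expires_7d'
# ASSUMPTION: the PHP handler location that php.conf defines.
PHP_CONF='~ \.(php|phar)(/.*)?$ fastcgi_pass'
# Regex locations of restrictions.conf, in file order.
RESTRICTIONS_CONF='~ /\. deny
~* /(uploads|files)/.*\.php$ deny
~* \.(js|css|png|jpg|jpeg|gif|ico)$ expires_max'

NL='
'
PHP_FIRST=$DEFAULT_CONF$NL$PHP_CONF$NL$RESTRICTIONS_CONF
RESTRICTIONS_FIRST=$DEFAULT_CONF$NL$RESTRICTIONS_CONF$NL$PHP_CONF

# first_regex_location URI RULES: print the label of the first matching rule,
# or "prefix" when none matches (nginx then falls back to "location /").
first_regex_location() {
    uri=$1
    while read -r mod re label; do
        case $mod in
            '~*') flag=-i ;;   # case-insensitive regex location
            *)    flag= ;;
        esac
        if printf '%s\n' "$uri" | grep -Eq $flag -e "$re"; then
            echo "$label"
            return 0
        fi
    done <<EOF
$2
EOF
    echo prefix
}

# Constructed request paths.
for u in /wordpress/wp-content/uploads/2020/11/x.php /wordpress/wp-includes/js/a.js; do
    echo "$u"
    echo "  php.conf included first:          $(first_regex_location "$u" "$PHP_FIRST")"
    echo "  restrictions.conf included first: $(first_regex_location "$u" "$RESTRICTIONS_FIRST")"
done
```

The second path shows a side effect that holds in either order: the static-file location in default.conf matches first, so the `expires max` rule in restrictions.conf is never used for those extensions.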

Download the latest WordPress

  • Download URL: http://wordpress.org/download/
    dnf install wget unzip
    cd /usr/share/nginx/html
    wget http://wordpress.org/latest.zip
    unzip latest.zip
    chown -R apache:apache wordpress

Basic setup

  • Create the wordpress database
    mysql -u root -p
    CREATE DATABASE `wordpress`;
    CREATE USER 'wpadmin'@'localhost' IDENTIFIED BY '**Password**';
    GRANT ALL ON wordpress.* TO 'wpadmin'@'localhost';
    FLUSH privileges;
    quit
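  • Install and configure WordPress through the web page: http://xxx.xxx.xxx/wordpress (the installation finishes after just three steps in sequence)
  • Log in as admin with the default password (a password like 0adf3e), and first change the default password to one of your own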

tech/centos8_wordpress.txt · Last modified: 2020/11/19 15:39 by jonathan_tsai