0x01 Precondition
#There is a domain name, my own domain name is nomansky.xyz
一Taiwan vps or cloud host, if it is a domestic IP, it needs to be registered
User with sudo permissions or root permissions, here I create a new wordpress user to run the program, and use the following command to set it as nologin
- ##Use sudo yum install -y epel- release installed the epel source
- Close firewalld, I prefer to use iptables for security reinforcement
##a. sudo systemctl stop firewalld
##0x02 Install nginx
Execute sudo yum install nginx to install nginx
-
Start the nginx daemon and set it to start automatically at boot
-
b. sudo systemctl enable nginx
-
At this time, visit http://nomansky.xyz and you will see the following page, which means nginx is installed Successfully
0x03 Install mariadb
mariadb as an open source branch of mysql, It has become the default database used by centos to replace mysql, so I also use mariadb as the database here.
Execute sudo yum install mariadb-server -y to install mariadb
-
Start mariadb and set it to start automatically at boot
-
a. sudo systemctl start mariadb
-
b. sudo systemctl enable mariadb
In addition, change the address monitored by mariadb to 
127.0.0.1:3306
vim /etc/my.cnf.d/server.cnf
Open the mariadb configuration file
[mysqld]
Add
bind=127.0.0.1 below, as shown in the figure below
##c. Execute
systemctl restart mariadb
Restart the database
d. Execute netstat -lntp
You can see that it is listening to the local loopback address
0x04 Create database
After installing the mariadb database and strengthening it, we naturally need to create a new database to store data. Here, first we use the root account password set previously to log in to the databasemysql -uroot -p, and execute the following statements
create database wordpress character set utf8mb4 collate utf8mb4_general_ci; # 创建数据库
grant all on wordpress.* to 'wordpress'@'localhost' identified by '你的密码'; # 创建用户
flush privileges; # 刷新数据库权限
exit;
Copy after login
0x05 Install php
The default version of php for centos is 5.4, but the one recommended by wordpress The version is 7.2, so we are installing the version of php7.2 hereExecute the following command to install php and all required php extensions
sudo yum install yum-utils
sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
sudo yum-config-manager --enable remi-php72
sudo yum install php-cli php-fpm php-mysql php-json php-opcache php-mbstring php-xml php-gd php-curl
Copy after login
We installed php fpm because we are using nginx as the web server, and nginx This component does not come with it. In addition, php fpm runs on port 9000 as the apache user by default. We changed this user to wordpress and changed it from tcp socket to unix socket. For details on how to modify it, see the following steps
Open
/ etc/php-fpm.d/www.conf
, and modify the following places
...
user = wordpress
...
group = wordpress
...
listen = /run/php-fpm/www.sock
...
listen.owner = wordpress
listen.group = wordpress
Copy after login
Use the command sudo chown -r root:wordpress /var/lib/phpEnsure that the directory is All group permissions are wordpress
Restart and start php fpm
a.
sudo systemctl restart php-fpm
b.
sudo systemctl enable php-fpm
0x06 Apply for a free certificate
As a technical (qiong) technical (bi) geek, I will definitely use it if there is a free certificate. Free. Therefore, we can apply for a free let's encrypt certificate. This certificate is not only free, but also very simple to operate. Although it is only valid for 90 days at a time, the crontab can be configured to be updated regularly through a script.
a.
mkdir -p /etc/nginx/ssl
Directory to store certificates
b. openssl genrsa 4096 > account. key
Enter this directory and create an rsa private key for let's encrypt to identify your identity
c. openssl genrsa 4096 > domain.key
Create the domain name rsa private key key
d. openssl req -new -sha256 -key domain.key -out domain.csr有了私钥文件,就可以生成 csr 文件了。生成csr会要求填入一些东西信息,这里common name为你的域名
我们知道,ca 在签发 dv(domain validation)证书时,需要验证域名所有权。传统 ca 的验证方式一般是往 admin@yoursite.com 发验证邮件,而 let's encrypt 是在你的服务器上生成一个随机验证文件,再通过创建 csr 时指定的域名访问,如果可以访问则表明你对这个域名有控制权。所以首先创建用于存放验证文件的目录,例如:
mkdir /home/wordpress/challenges
然后配置一个http服务,以nginx为例:
server {
server_name www.nomansky.xyz nomansky.xyz;
location ^~ /.well-known/acme-challenge/ {
alias /home/wordpress/challenges/;
try_files $uri =404;
}
location / {
rewrite ^/(.*)$ https://nomansky.xyz/$1 permanent;
}
}Copy after login
以上配置表示查找 /home/wordpress/challenges/ 目录下的文件,如果找不到就重定向到 https 地址。这个验证服务以后更新证书还要用到,要一直保留。
接下来把acme-tiny保存到ssl目录wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
然后指定账户私钥、csr 以及验证目录,执行脚本python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/wordpress/challenges/ > ./signed.crt,看到如下图所示,则说明生成成功了
最后还要下载let's encrypt 的中间证书,配置https证书时既不要漏掉中间证书,也不要包含根证书。在 nginx 配置中,需要把中间证书和网站证书合在一起:
wget -o - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
Copy after login
为了后续能顺利启用ocsp stapling,我们再把根证书和中间证书合在一起(此步也可省略)
wget -o - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem
cat intermediate.pem root.pem > full_chained.pem
Copy after login
let's encrypt签发的证书只有90天有效期,推荐使用脚本定期更新。创建一个renew_cert.sh并通过chmod a+x renew_cert.sh赋予执行权限。文件内容如下:
#!/bin/bash
cd /etc/nginx/ssl/
python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /home/wordpress/challenges/ > signed.crt || exit
wget -o - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
systemctl restart nginx
Copy after login
在crontabl中配置定时任务0 0 1 * * /etc/nginx/ssl/renew_cert.sh >/dev/null 2>&1
0x07 下载wordpress并配置nginx
将wordpress下载到/home/wordpress/目录下wget https://wordpress.org/latest.tar.gz
tar zxvf latest.tar.gz解压wordpress文件
chown -r wordpress:wordpress wordpress将wordpress目录的所有者改为wordpress用户
接着,打开vim /etc/nginx/nginx.conf将nginx的运行角色改为wordpress
···
user wordpress;
worker_processes auto;
···
Copy after login
然后这里我把处于解耦合的目的,把主配置文件nginx.conf里的server配置块注释掉
新建sudo mkdir /etc/nginx/snippets目录并vim letsencrypt.conf来将以下配置粘贴到里面
location ^~ /.well-known/acme-challenge/ {
alias /home/wordpress/challenges/;
try_files $uri =404;
}Copy after login
接下来新建vim /etc/nginx/conf.d/wordpress.conf配置文件,修改成如下配置
# redirect http -> https
server {
listen 80;
server_name www.nomansky.xyz nomansky.xyz;
include snippets/letsencrypt.conf;
return 301 https://nomansky.xyz$request_uri;
}
# redirect www -> non www
server {
listen 443 ssl http2;
server_name www.nomansky.xyz;
ssl_certificate /etc/nginx/ssl/chained.pem;
ssl_certificate_key /etc/nginx/ssl/domain.key;
return 301 https://nomansky.com$request_uri;
}
server {
listen 443 ssl http2;
server_name nomansky.com;
root /home/wordpress/wordpress;
index index.php;
# ssl parameters
ssl_certificate /etc/nginx/ssl/chained.pem;
ssl_certificate_key /etc/nginx/ssl/domain.key;
# log files
access_log /home/wordpress/log/nomansky.xyz.access.log;
error_log /home/wordpress/log/nomansky.xyz.error.log;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/run/php-fpm/www.sock;
fastcgi_index index.php;
fastcgi_param script_filename $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires max;
log_not_found off;
}Copy after login
创建日志目录mkdir -p /home/wordpress/log,并设置权限chown -r wordpress:wordpress /home/wordpress/log
nginx -t查看是否是否语法检查正常,如正常则nginx -s reload重载nginx
接下来看到wordpress页面成功打开了,就此大功告成啦
The above is the detailed content of How to build a personal blog using nginx and WordPress. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
