Wordpress 架設流程-Debian
BUBU 因為要幫老婆大人工作室建立一個官方的網頁及購物中心,因此選擇最熱門 WordPree CRM 套件來設架
111.05.19 修改系統版本
運行環境
環境都是在 「Proxmox VE 」 虛擬系統上架設,都是以 「 LXC 」模式為主,除非有特殊狀況會告知使用 「 VM 」 模式
- 系統環境: Debian 11
- Web 服務: Nginx 1.21.7
- PHP 服務: PHP 8.0
- 資料庫服務: MariaDB 10.8
安裝或測試過程
Nginx 安裝及設定
請參考 BUBU 站內寫文章的設定 Nginx 模組擴充 - Debian \ Ubuntu 或者直接使用系統預設版本安裝版也可以
MariaDB 安裝及設定
- 安裝密鑰及來源庫 官方下載點
sudo apt-get install apt-transport-https curl
sudo curl -o /etc/apt/trusted.gpg.d/mariadb_release_signing_key.asc 'https://mariadb.org/mariadb_release_signing_key.asc'
sudo sh -c "echo 'deb https://ftp.ubuntu-tw.org/mirror/mariadb/repo/10.8/debian bullseye main' >>/etc/apt/sources.list"
- 安裝 Mariadb 服務
sudo apt-get update
sudo apt-get install mariadb-server
- 啟動資料庫
systemctl enable mariadb ; systemctl start mariadb
- 資料庫安裝及設定
# 資料庫初始化
mariadb-secure-installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.
You already have your root account protected, so you can safely answer 'n'.
Switch to unix_socket authentication [Y/n]
Enabled successfully!
Reloading privilege tables..
... Success!
You already have your root account protected, so you can safely answer 'n'.
Change the root password? [Y/n]
New password: << 填入 root 密碼
Re-enter new password: << 填入 root 密碼
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n]
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n]
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n]
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
- 設定 wordpress 資料庫
mariadb -u root -p # 登入資料庫裡設定資表及權限
CREATE DATABASE wordpressdb; #在資料庫裡新增wordpress表單
GRANT ALL PRIVILEGES ON wordpressdb.* TO 'wpuser'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION; #密碼請自己輸入好記錄的密碼
FLUSH PRIVILEGES;
exit
Mariadb 資料庫 root 預設是免密碼就可以登入,這個需手動自行修正此問題, BUBU 站本有記錄怎麼修正請參考此文章:MariaDB root 可空白登入
PHP安裝及設定
- 安裝必要套件
sudo apt update
sudo apt install -y lsb-release ca-certificates apt-transport-https software-properties-common
- 新增 GPG key
sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
- 新增 PHP 來源庫
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/sury-php.list
- 導入金鑰
wget -qO - https://packages.sury.org/php/apt.gpg | sudo apt-key add -
- PHP 套件安裝
apt update
apt install curl php php-pear php8.0 php8.0-{common,mbstring,fpm,mysql,gd,cli,opcache,curl,ldap,odbc,xmlrpc,soap,intl,zip,tidy,xml,mysqlnd,pdo,imagick,mcrypt,readline} -y
- 安裝好 PHP 要去修改 「
vim /etc/php/8.0/fpm/php.ini
」 設定檔
修改前
;cgi.fix_pathinfo=1
修改後
cgi.fix_pathinfo=0
修改時區
[Date]
修改前
;date.timezone =
修改後
date.timezone = Asia/Taipei
修改資料上傳限制
; 上傳檔案大小上限(單一檔案大小)
upload_max_filesize = 50M
; POST 大小上限(所有檔案大小加總)
post_max_size = 200M
; 記憶體用量上限
memory_limit = 512M
;Script執行時間上限(單位:秒)
max_execution_time = 600
; Script處理資料時間上限(單位:秒)
max_input_time = 600
; Socket無回應斷線時間(單位:秒)
default_socket_timeout = 600
; 調整 PHP 的 POST 數量限制
max_input_vars = 1500
存檔
:wq
- 設定「php-fpm」「
vim /etc/php/8.0/fpm/pool.d/www.conf
」
由誰使用此服務
; RPM: apache user chosen to provide access to the same directories as httpd
;user = apache
user = www-data
; RPM: Keep a group allowed to write in log dir.
;group = apache
group = www-data
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
修改好存檔
:wq
- 重啟及開機自動啟動 php-fpm 服務
systemctl start php8.0-fpm ; systemctl enable php8.0-fpm
設定 Nginx 服務設定檔
設定「vim /etc/nginx/nginx.conf
」
- 全域設定
user www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
#
events {
multi_accept on;
worker_connections 65535;
}
#
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#
access_log /var/log/nginx/access.log main;
#
#
client_body_timeout 120s;
#
server_tokens off;
#
# Default is 60, May need to be increased for very large uploads
#
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
#
include /etc/nginx/mime.types;
include /etc/nginx/conf.d/*.conf;
default_type application/octet-stream;
#
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
#
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# 以下是反代理取得真實 IP
# Restoring the original visitor IP for your web application
set_real_ip_from 內網 IP;
set_real_ip_from 公網 IP 指的是自己目前當下的 IP;
set_real_ip_from 127.0.0.1;
# use any of the following two
# real_ip_header CF-Connecting-IP;
real_ip_header X-Forwarded-For;
#
brotli on;
brotli_comp_level 6;
brotli_min_length 512;
brotli_types text/plain text/javascript text/css text/xml text/x-component application/javascript application/x-javascript application/xml application/json application/xhtml+xml application/rss+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;
brotli_static always;
}
- 設定「vim /etc/nginx/conf.d/XXX.conf」
server {
# 這個主機的 Port
listen 80;
# 這個主機的名稱
server_name 主機IP或網址;
rewrite ^(.*)$ https://${server_name}$1 permanent;
}
#
server {
# 使用 https 和 http/2 協定
listen 443 ssl http2;
# 上述的 IPv6 方式
listen [::]:443 ssl http2;
server_name 主機IP或網址;
root /var/www/html/wordpress;
#
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
#
# SSL 憑證證書路徑
ssl_certificate /etc/nginx/ssl/fullchain.pem;
# 私鑰路徑
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
# 緩存有效期
ssl_session_timeout 1d;
# 緩存憑證類型和大小
ssl_session_cache shared:SSL:50m;
#
# intermediate configuration. tweak to your needs.
#
# 使用的加密協定
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
# 加密演算法,越前面的優先級越高
ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';
# 交握過程使用 Server 的首選加演算法,這裡使用 Client 為首選
ssl_prefer_server_ciphers on;
#
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
#
# 增加 http header
add_header Strict-Transport-Security max-age=63072000;
#
access_log /var/log/nginx/wp_access.log;
error_log /var/log/nginx/wp_error.log;
#
client_max_body_size 1G;
fastcgi_buffers 64 4K;
#
# html 檔
location / {
# 使用「瀏覽器」瀏覽根目錄時,未指定檔名時預設使用的檔案
index index.php index.html index.htm;
autoindex on;
try_files $uri $uri/ /index.php?$args;
}
location = /50x.html {
root /usr/share/nginx/html;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
# php 檔
location ~ \.php$ {
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
fastcgi_index index.php;
try_files $uri =404;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
}
#
location ~* \.(?:ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
expires 30d;
log_not_found off;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~ /\.ht {
deny all;
}
# 發生 404 指定導向哪個網頁
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
# location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
}
- 重啟 nginx 服務
systemctl restart nginx
開始安裝 wordpree
-
到官方網站下載最新版本 官方 當時下載的版本為6.0,下載好之後將檔案放置到 web 服務下的目錄,並且重新設定該目錄的權限
-
進入要放置的目錄例如:
# 預設沒有此目錄需手動建立
mkdir -p /var/www/html
cd /var/www/html
- 下載官方目前提供新版本,BUBU 目前取得版本是 5.9 版
wget https://tw.wordpress.org/wordpress-5.9.3-zh_TW.tar.gz
- 解壓縮剛剛下載檔案
tar -zxvf wordpress-5.9.3-zh_TW.tar.gz
- 刪除剛剛下載的檔案
rm wordpress-5.9.3-zh_TW.tar.gz
- 修改目錄權限
chown -R www-data:www-data wordpress/
開啟瀏灠器輸入站台的網域設定站台基本資料就可以開始使用 wordpree 服務來經營個人、工作室或企業官方網站了
補充說明
如果想要指定 wordpress 特定的版本,安裝時又不想升級那就要安裝前先設定好不要讓系統自動更新就好了
- 在 wordparss 目錄下有一個
wp-config-sample.php
檔案
/* 關閉所有自動更新 */
define( 'AUTOMATIC_UPDATER_DISABLED', true );
/* 關閉 WordPress 核心更新 */
define( 'WP_AUTO_UPDATE_CORE', false );