
Installing and Configuring a WordPress Environment on Ubuntu Server 20.04

钱魏Way

This blog was hosted on Alibaba Cloud and that server was about to expire. Tencent Cloud happened to be running a Singles' Day (11 November) promotion, so I moved the server there. Along with the migration I decided to change operating systems, replacing the old CentOS 7.4 with Ubuntu 20.04 LTS.

The rest of the stack stays the same as before: Nginx + MariaDB + phpMyAdmin + Let's Encrypt. Because CentOS and Ubuntu use different package managers, there are some differences in the installation steps.

Pre-installation preparation

1. Check and confirm the system version

sudo lsb_release -a

2. Change the package sources

sudo cp /etc/apt/sources.list /etc/apt/sources.list.backup
sudo nano /etc/apt/sources.list

Tencent Cloud has already pointed the sources at its own mirror, so no change is needed here.

3. Update the system

sudo apt update
sudo apt upgrade

Install Nginx

sudo apt install nginx

# Check whether the service is running
systemctl status nginx
# Start Nginx automatically at boot
sudo systemctl enable nginx

sudo systemctl stop nginx
sudo systemctl start nginx
sudo systemctl restart nginx

Enable the firewall

# Allow the OpenSSH port (do this first, or enabling ufw can lock you out)
sudo ufw allow OpenSSH

# Allow the Nginx ports (the 'Nginx Full' profile covers 80 and 443)
sudo ufw allow 'Nginx Full'

# Enable the firewall
sudo ufw enable

# Check ufw status
sudo ufw status
ubuntu@VM-0-7-ubuntu:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
ubuntu@VM-0-7-ubuntu:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Nginx Full                 ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Nginx Full (v6)            ALLOW       Anywhere (v6)

Install PHP 7.4

Check which PHP version the package sources provide:

apt search --names-only ^php

The current version in the sources is PHP 7.4. On Ubuntu 18.04, installing the latest 7.4 requires adding an extra repository:

# Install PHP 7.4 on Ubuntu 18.04
sudo apt-get update
sudo apt -y install software-properties-common
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update

Install PHP and the commonly used modules/extensions

sudo apt install php7.4
ubuntu@VM-0-7-ubuntu:~$ sudo apt install php7.4
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  apache2 apache2-bin apache2-data apache2-utils libapache2-mod-php7.4 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libjansson4 liblua5.2-0 php-common php7.4-cli php7.4-common php7.4-json php7.4-opcache
  php7.4-readline ssl-cert
Suggested packages:
  apache2-doc apache2-suexec-pristine | apache2-suexec-custom www-browser php-pear openssl-blacklist
The following NEW packages will be installed:
  apache2 apache2-bin apache2-data apache2-utils libapache2-mod-php7.4 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libjansson4 liblua5.2-0 php-common php7.4 php7.4-cli php7.4-common php7.4-json php7.4-opcache
  php7.4-readline ssl-cert
0 upgraded, 19 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,881 kB of archives.
After this operation, 26.0 MB of additional disk space will be used.
Do you want to continue? [Y/n]

As the output shows, installing php7.4 pulls in a number of other packages, including Apache (via libapache2-mod-php7.4). Since this server uses Nginx, Apache is not needed and should not be left running alongside Nginx on port 80:

# Disable Apache and stop it immediately
sudo systemctl disable --now apache2

Install PHP components and modules

Components are installed with:

sudo apt install php7.4-extension_name

The commonly used components are collected here:

sudo apt install php7.4-fpm php7.4-cli php7.4-common php7.4-json php7.4-opcache php7.4-readline php7.4-dev php7.4-mysql php7.4-sqlite3 php7.4-xml php7.4-xmlrpc php7.4-curl php7.4-gd php7.4-imagick php7.4-imap php7.4-soap php7.4-mbstring php7.4-zip php7.4-ssh2 php7.4-intl

Edit the PHP configuration file

sudo nano /etc/php/7.4/fpm/php.ini

The aim is to reduce security risk and improve performance (cgi.fix_pathinfo=0 stops PHP from resolving a request for a non-existent script to a neighbouring file; the remaining values raise the limits for larger uploads and longer requests):

cgi.fix_pathinfo=0
upload_max_filesize = 32M 
post_max_size = 48M 
memory_limit = 256M 
max_execution_time = 600 
max_input_vars = 3000 
max_input_time = 1000

After editing, restart php-fpm so the configuration takes effect:

sudo systemctl restart php7.4-fpm

Edit the Nginx configuration and test that PHP works

sudo nano /etc/nginx/sites-available/default

Uncomment the following lines:

# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
        include snippets/fastcgi-php.conf;
#
#       # With php-fpm (or other unix sockets):
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#       # With php-cgi (or other tcp sockets):
#       fastcgi_pass 127.0.0.1:9000;
}

Reload the Nginx configuration so it takes effect:

sudo nginx -t
sudo systemctl reload nginx

Create a PHP file:

sudo nano /var/www/html/info.php

File contents:

<?php
phpinfo();

Save the file and open http://your_server_ip/info.php to check that the PHP info page loads.

Note: after checking, delete info.php; leaving it in place may pose a security risk, since it discloses the PHP build and configuration to anyone who requests it.

sudo rm /var/www/html/info.php

Install MariaDB

sudo apt install mariadb-server mariadb-client
sudo systemctl status mariadb
sudo systemctl stop mariadb
sudo systemctl start mariadb
sudo systemctl enable mariadb

# Initial secure setup (root password, remove anonymous users and the test database):
sudo mysql_secure_installation

Install phpMyAdmin

sudo apt install phpmyadmin

The installer asks you to choose the web server that should be configured automatically to run phpMyAdmin. Nginx is not among the options, so press ESC to skip this step.

Next, the installer asks whether to use the dbconfig-common tool to set up the database. Select Yes and press Enter.

Enter the password that phpMyAdmin will register with the database, select OK and press Enter.

Configure Nginx

Make the phpMyAdmin program files (/usr/share/phpmyadmin) reachable by Nginx:

sudo ln -s  /usr/share/phpmyadmin /var/www/html/phpmyadmin
sudo chmod 775 -R /usr/share/phpmyadmin/
sudo chown root:www-data -R /usr/share/phpmyadmin/

Edit the file /etc/nginx/sites-available/default.

sudo nano /etc/nginx/sites-available/default

Add index.php to the index directive in the default server block.

Then restart Nginx with sudo systemctl restart nginx. Afterwards phpMyAdmin can be reached at http://your_server_ip/phpmyadmin/.

Log in with the user phpmyadmin and the password you just set. Once logged in, you will notice the account lacks privileges such as creating tables.

Log out and try the root account instead: the login fails, because by default root authenticates through the auth_socket plugin rather than with a password.

sudo mysql -u root

Option 1: change the root account's authentication method

SELECT user,plugin,host FROM mysql.user WHERE user = 'root';
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '******';
FLUSH PRIVILEGES;
EXIT;

Option 2: add an administrator account:

GRANT ALL PRIVILEGES ON *.* TO 'dbadmin'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
EXIT;

Afterwards, log in to phpMyAdmin as root or as the new administrator account.

phpMyAdmin security settings

Installing phpMyAdmin directly on the server carries some security risk. The mitigation is to hide the directory.

cd /var/www/html/
sudo mv phpmyadmin nothingtosee

The directory name can be anything you like; the point is to stop others from guessing the phpMyAdmin path and attacking it.

Add Nginx authentication in front of the phpMyAdmin login page.

# Generate the encrypted (hashed) form of the password
openssl passwd nginx_password
# Output
tpr9W.ydSHL7M

# Create the password file
sudo nano /etc/nginx/pma_pass

# Contents of the password file:
sammy:tpr9W.ydSHL7M

The part before the colon is the username used to log in; the part after it is the encrypted password generated above. The 13-character output is a traditional DES crypt hash; Nginx also accepts the SHA-512 crypt form produced by openssl passwd -6, which is the stronger choice.

Edit the Nginx configuration file and add the following:

server {
    . . .

        location /nothingtosee {
                auth_basic "Admin Login";
                auth_basic_user_file /etc/nginx/pma_pass;
        }


    . . .
}

sudo nginx -t
sudo systemctl reload nginx

After this change the address is https://server_domain_or_IP/nothingtosee, and Nginx asks for these credentials before the phpMyAdmin login page is shown. One caveat: Nginx gives a regular-expression location such as location ~ \.php$ priority over a plain prefix location, so a direct request for /nothingtosee/index.php is handled by the PHP block and does not pass through this auth_basic; to cover every request under the path, declare it as location ^~ /nothingtosee and nest the PHP fastcgi handling inside that block.

Deploy WordPress

# Install the upload/download tool (lrzsz provides rz/sz)
sudo apt install lrzsz
# After uploading and unpacking the site files, fix the ownership and permissions

sudo chown -R www-data:www-data /srv/www/www.biaodianfu.com/
sudo chmod -R 755 /srv/www/www.biaodianfu.com/
sudo find /srv/www/www.biaodianfu.com/ -type d -exec chmod 755 {} \;

# Site configuration file
sudo nano /etc/nginx/sites-enabled/www.biaodianfu.com
server {
    listen 80;
    listen [::]:80;

    server_name  biaodianfu.com www.biaodianfu.com;
    root   /srv/www/www.biaodianfu.com/;
    index index.html index.htm index.php;
    charset utf-8;

    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    # include snippets/well-known;

    access_log /var/log/nginx/www.biaodianfu.com.access.log;
    error_log /var/log/nginx/www.biaodianfu.com.error.log;

    client_max_body_size 100M;

    autoindex off;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
         fastcgi_read_timeout 300s;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
}

Install Let's Encrypt (certbot)

sudo apt install certbot

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
sudo nano /etc/nginx/snippets/well-known
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}

Request the certificate

sudo certbot certonly --agree-tos --email username@email.com --webroot -w /var/lib/letsencrypt/ -d www.biaodianfu.com
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Adjust the Nginx configuration:

server {
    listen 80;
    listen [::]:80;

    server_name  biaodianfu.com www.biaodianfu.com;
    include snippets/well-known;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name  biaodianfu.com www.biaodianfu.com;
    root   /srv/www/www.biaodianfu.com/;
    index index.html index.htm index.php;
    charset utf-8;

    if ($host != "www.biaodianfu.com") {
        return 301 https://www.biaodianfu.com$request_uri;
    }

    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    include snippets/well-known;
    ssl_certificate /etc/letsencrypt/live/www.biaodianfu.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.biaodianfu.com/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ssl_trusted_certificate /etc/letsencrypt/live/www.biaodianfu.com/chain.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 223.5.5.5 223.6.6.6 valid=300s;
    resolver_timeout 30s;
    
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    access_log /var/log/nginx/www.biaodianfu.com.access.log;
    error_log /var/log/nginx/www.biaodianfu.com.error.log;


    client_max_body_size 100M;

    autoindex off;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
         fastcgi_read_timeout 300s;
    }


    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
}
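As a post-install check added here (not part of the original post), the script below re-verifies the settings this guide changes across several sections: cgi.fix_pathinfo=0 in php.ini, removal of the info.php test file, an escaped \.php$ in the PHP location, and an ssl_protocols line that no longer lists TLSv1/TLSv1.1 (the server block above still does, so the audit flags it). File paths are passed as arguments, so it can be pointed at copies of the real files.

```shell
#!/bin/sh
# Added example (not from the original post): audit the settings this guide
# edits, so the hardening steps can be re-checked after an upgrade or migration.
# Paths are arguments, so the checks also work on copies of the files.

# cgi.fix_pathinfo must be 0 so PHP-FPM does not "fix up" a request for a
# non-existent script into a neighbouring file.
check_fix_pathinfo() {
    grep -Eq '^[[:space:]]*cgi\.fix_pathinfo[[:space:]]*=[[:space:]]*0' "$1"
}

# Fail if ssl_protocols still lists TLSv1 or TLSv1.1 (deprecated, weak).
# "TLSv1" must be followed by whitespace or ';' so TLSv1.2/TLSv1.3 do not match.
check_tls_protocols() {
    ! grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]' "$1"
}

# Fail if a PHP location uses an unescaped dot: "location ~ .php$" also
# matches paths like "/upload/xphp"; it should read "location ~ \.php$".
check_php_location() {
    ! grep -Eq 'location[[:space:]]+~[[:space:]]*\.php' "$1"
}

# Fail if the phpinfo() test file from the guide is still in the web root.
check_no_phpinfo() {
    [ ! -e "$1/info.php" ]
}

# Run all checks; print one line per finding, return 0 only if all pass.
audit_site() {
    php_ini=$1; nginx_site=$2; webroot=$3; rc=0
    check_fix_pathinfo "$php_ini"     || { echo "FAIL cgi.fix_pathinfo is not 0 in $php_ini"; rc=1; }
    check_tls_protocols "$nginx_site" || { echo "FAIL $nginx_site enables TLSv1/TLSv1.1"; rc=1; }
    check_php_location "$nginx_site"  || { echo "FAIL $nginx_site has unescaped 'location ~ .php\$'"; rc=1; }
    check_no_phpinfo "$webroot"       || { echo "FAIL $webroot/info.php still exists"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK all checks passed"
    return "$rc"
}

# Usage on a live server (paths from this guide):
# audit_site /etc/php/7.4/fpm/php.ini /etc/nginx/sites-enabled/www.biaodianfu.com /srv/www/www.biaodianfu.com
```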

Automatic certificate renewal (certbot renew only renews certificates that are close to expiry, so running the job frequently is safe):

sudo crontab -e
30 2 * */2 * /usr/bin/certbot renew --quiet --renew-hook "nginx -s reload" >> /var/log/letsencrypt/renew.log
