
A detailed walkthrough of building a personal blog with nginx + WordPress

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/02

0x00 Preface

WordPress is the most popular CMS in the world. It is built on the PHP and MySQL technology stack, has a large number of plug-ins, and is highly extensible. I happen to have a free ECS instance at the moment, so let's build one for fun. This tutorial is based on the LEMP technology stack, with the following versions:

    L: CentOS 7.6
    E: nginx 1.12.2
    M: MariaDB (Distrib 5.5.60-MariaDB)
    P: PHP 7.2

In addition, HTTPS everywhere is the trend now, and naturally we can't lag behind, so we will also use Let's Encrypt to generate a free SSL certificate and configure it.

0x01 Preconditions

1. A domain name. My own domain name is nomansky.xyz.
2. A VPS or a cloud server (CVM). If it has a domestic IP, the domain needs to be filed for record.
3. A user with sudo permission, or root.

Here I create a new wordpress user to run the program, and use the following command to set its shell to nologin:

    sudo useradd -s /sbin/nologin wordpress

Install the EPEL repository:

    sudo yum install -y epel-release

Turn off firewalld (I prefer to use iptables for security hardening):

    a. sudo systemctl stop firewalld
    b. sudo systemctl disable firewalld

0x02 Install nginx

Install nginx:

    sudo yum install nginx

Start the nginx daemon and enable it at boot:

    a. sudo systemctl start nginx
    b. sudo systemctl enable nginx

Add the wordpress user to the nginx group and set the directory permissions:

    usermod -a -G nginx wordpress
    chmod 770 -R /var/lib/nginx/

If you visit http://nomansky.xyz at this point and see the nginx default page, nginx has been installed successfully.

0x03 Install MariaDB

MariaDB, an open source fork of MySQL, has become the default database that CentOS uses in place of MySQL, so I also use MariaDB as the database here.

Install MariaDB:

    sudo yum install mariadb-server -y

Start MariaDB and enable it at boot:

    a. sudo systemctl start mariadb
    b. sudo systemctl enable mariadb

Harden MariaDB:

    sudo mysql_secure_installation

You will be asked to set the database root password, remove anonymous users, restrict root logins to localhost, and remove the test database. It is recommended to answer Y (yes) to each. Note that the default database root password is empty.

In addition, you need to change the address MariaDB listens on to 127.0.0.1, port 3306.

a. Open the MariaDB configuration file: vim /etc/my.cnf.d/server.cnf

b. Add the following line under [mysqld]:

    bind-address=127.0.0.1

c. Restart the database: systemctl restart mariadb

d. Run netstat -lntp and confirm that MariaDB is now listening on the local loopback address.
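The check in step d can be scripted. The following is an added example, not part of the original article: it reads `netstat -lntp` output and reports any listener on the given ports that is not bound to loopback. The function names and the sample output (PIDs, program names) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listeners that are reachable from outside the host.

# exposed_listeners PORT... reads `netstat -lntp` output on stdin and prints
# "port address pid/program" for every listening TCP socket on one of the
# given ports whose local address is not 127.0.0.0/8 or ::1.
exposed_listeners() {
    awk -v ports=" $* " '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Local address is host:port; the port follows the last colon,
            # which also handles IPv6 forms such as :::3306 and ::1:3306.
            n = split($4, part, ":")
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (index(ports, " " port " ") && addr !~ /^127\./ && addr != "::1")
                print port, addr, $7
        }'
}

# Constructed sample: state of a host before bind-address is set.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:80      0.0.0.0:*        LISTEN  1042/nginx
tcp        0      0 0.0.0.0:3306    0.0.0.0:*        LISTEN  1201/mysqld
tcp        0      0 127.0.0.1:9000  0.0.0.0:*        LISTEN  1310/php-fpm
tcp6       0      0 :::22           :::*             LISTEN  980/sshd
EOF
}

# On a real host: netstat -lntp | exposed_listeners 3306 9000
sample_netstat | exposed_listeners 3306 9000
```

An empty result means none of the listed ports is exposed; any printed line names a service that still accepts connections on a non-loopback address.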

0x04 Create a database

After installing and hardening MariaDB, we need to create a new database to store the data. First log in to the database with the root password set earlier:

    mysql -uroot -p

Then execute the following statements:

    -- create the database
    CREATE DATABASE wordpress CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
    -- create the user and grant it access to that database only
    GRANT ALL ON wordpress.* TO 'wordpress'@'localhost' IDENTIFIED BY 'your password';
    -- refresh database permissions
    FLUSH PRIVILEGES;
    EXIT;

0x05 Install PHP

The default PHP version on CentOS is 5.4, but the version WordPress recommends is 7.2, so we install PHP 7.2 here.

Execute the following commands to install PHP and all required PHP extensions:

    sudo yum install yum-utils
    sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
    sudo yum-config-manager --enable remi-php72
    sudo yum install php-cli php-fpm php-mysql php-json php-opcache php-mbstring php-xml php-gd php-curl

We install PHP-FPM because we use Nginx as the web server, and Nginx does not come with this component. By default PHP-FPM runs on port 9000 as the apache user. We change this user to wordpress and switch from a TCP socket to a Unix socket, as follows.

Open /etc/php-fpm.d/www.conf and modify the following settings:

    ...
    user = wordpress
    ...
    group = wordpress
    ...
    listen = /run/php-fpm/www.sock
    ...
    listen.owner = wordpress
    listen.group = wordpress

Use the following command to make sure the group of the directory is wordpress:

    sudo chown -R root:wordpress /var/lib/php

Restart PHP-FPM and enable it at boot:

    a. sudo systemctl restart php-fpm
    b. sudo systemctl enable php-fpm

0x06 Apply for a free certificate

Being on a tight budget, if there is a free certificate I will naturally use the free one. So we apply for a free Let's Encrypt certificate, which is not only free but also very easy to operate. It is only valid for 90 days at a time, but it can be renewed regularly by a script run from crontab.

a. Create a directory to store the certificates: mkdir -p /etc/nginx/ssl

b. Enter this directory and create an RSA private key that Let's Encrypt uses to identify you: openssl genrsa 4096 > account.key

c. Create the RSA private key for the domain name: openssl genrsa 4096 > domain.key

d. With the private key file you can generate the CSR file: openssl req -new -sha256 -key domain.key -out domain.csr. Generating the CSR requires you to fill in some information. Here Common Name is your domain name.

A CA needs to verify domain name ownership when issuing DV (Domain Validation) certificates. The traditional method of CA verification is to send a verification email to admin@yoursite.com, while Let's Encrypt generates a random verification file on your server and then accesses it through the domain name specified when you created the CSR. If it can be accessed, you have control over the domain name. So first create a directory to store the validation files, for example:

    mkdir /home/wordpress/challenges

Then configure an HTTP service, taking Nginx as an example:

    server {
        server_name www.nomansky.xyz nomansky.xyz;

        # Serve ACME validation files from the challenges directory
        location ^~ /.well-known/acme-challenge/ {
            alias /home/wordpress/challenges/;
            try_files $uri =404;
        }

        # Everything else is redirected to HTTPS
        location / {
            rewrite ^/(.*)$ https://nomansky.xyz/$1 permanent;
        }
    }

The above configuration means looking for files in the /home/wordpress/challenges/ directory and redirecting to the HTTPS address if they are not found. This verification service will be used to renew the certificate in the future and should be kept in place permanently.

Next, save acme-tiny to the ssl directory:

    wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py

Then specify the account private key, the CSR and the verification directory, and execute the script:

    python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/wordpress/challenges/ > ./signed.crt

If you see the output shown in the figure, the certificate has been generated successfully.

Finally, download the intermediate certificate for Let's Encrypt. Do not omit the intermediate certificate and do not include the root certificate when configuring the HTTPS certificate. In the Nginx configuration, you need to combine the intermediate certificate and the website certificate:

    wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
    cat signed.crt intermediate.pem > chained.pem

In order to enable OCSP Stapling later, we also combine the root certificate and the intermediate certificate (this step can be omitted):

    wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem
    cat intermediate.pem root.pem > full_chained.pem

Certificates issued by Let's Encrypt are only valid for 90 days, so it is recommended to renew them regularly with a script. Create renew_cert.sh and grant it execute permission with chmod a+x renew_cert.sh. The contents of the file are as follows:

    #!/bin/bash
    cd /etc/nginx/ssl/
    # Request a new certificate; stop here if issuance fails
    python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /home/wordpress/challenges/ > signed.crt || exit
    # Rebuild the chain served by nginx and restart it
    wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
    cat signed.crt intermediate.pem > chained.pem
    systemctl restart nginx

Configure the scheduled task in crontab:

    0 0 1 * * /etc/nginx/ssl/renew_cert.sh >/dev/null 2>&1
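Because the renewal script redirects straight into signed.crt, a failed run leaves that file empty. The following is an added example, not part of the original article, of a failure-safe variant: each download is written to a temporary file and swapped in only if the command succeeded and produced a PEM certificate. The function names issue_safely and renew and the --renew argument are hypothetical; the paths and URL are the ones used above.

```shell
#!/bin/sh
# Added example: renewal that never overwrites a good file with a bad one.

# issue_safely OUT CMD [ARGS...] runs CMD with stdout captured in a temporary
# file next to OUT, and replaces OUT only if CMD exited 0 and printed a PEM
# certificate. On any failure OUT is left untouched.
issue_safely() {
    is_out=$1; shift
    is_tmp=$(mktemp "${is_out}.XXXXXX") || return 1
    if "$@" > "$is_tmp" && grep -q -- '-----BEGIN CERTIFICATE-----' "$is_tmp"; then
        chmod 644 "$is_tmp"
        mv -f "$is_tmp" "$is_out"   # rename is atomic within one filesystem
        return 0
    fi
    rm -f "$is_tmp"
    return 1
}

renew() {
    cd /etc/nginx/ssl/ || return 1
    issue_safely signed.crt python acme_tiny.py --account-key account.key \
        --csr domain.csr --acme-dir /home/wordpress/challenges/ || return 1
    issue_safely intermediate.pem wget -q -O - \
        https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem || return 1
    # Build the new chain beside the old one, then swap it in
    cat signed.crt intermediate.pem > chained.pem.new || return 1
    mv -f chained.pem.new chained.pem
    # Restart only if the resulting configuration is valid
    nginx -t && systemctl restart nginx
}

# Cron entry would call: /etc/nginx/ssl/renew_cert.sh --renew
if [ "${1:-}" = "--renew" ]; then
    renew
fi
```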

0x07 Download WordPress and configure Nginx

Download WordPress to the /home/wordpress/ directory:

    wget https://wordpress.org/latest.tar.gz

Decompress the WordPress archive:

    tar zxvf latest.tar.gz

Change the owner of the wordpress directory to the wordpress user:

    chown -R wordpress:wordpress wordpress

Next, open /etc/nginx/nginx.conf with vim and change the user nginx runs as to wordpress:

    user wordpress;
    worker_processes auto;

Then I comment out the server configuration block in the main configuration file nginx.conf, to keep the site configuration decoupled from it.

Create the directory with sudo mkdir /etc/nginx/snippets, then create letsencrypt.conf in it with vim and paste in the following configuration:

    location ^~ /.well-known/acme-challenge/ {
        alias /home/wordpress/challenges/;
        try_files $uri =404;
    }

Next, create a new configuration file with vim /etc/nginx/conf.d/wordpress.conf and give it the following contents:

    # Redirect HTTP -> HTTPS
    server {
        listen 80;
        server_name www.nomansky.xyz nomansky.xyz;

        include snippets/letsencrypt.conf;

        # The redirect sits in a location block: a server-level return
        # would run before the ACME challenge location is matched
        location / {
            return 301 https://nomansky.xyz$request_uri;
        }
    }

    # Redirect WWW -> NON WWW
    server {
        listen 443 ssl http2;
        server_name www.nomansky.xyz;

        ssl_certificate /etc/nginx/ssl/chained.pem;
        ssl_certificate_key /etc/nginx/ssl/domain.key;

        return 301 https://nomansky.xyz$request_uri;
    }

    server {
        listen 443 ssl http2;
        server_name nomansky.xyz;

        root /home/wordpress/wordpress;
        index index.php;

        # SSL parameters
        ssl_certificate /etc/nginx/ssl/chained.pem;
        ssl_certificate_key /etc/nginx/ssl/domain.key;

        # log files
        access_log /home/wordpress/log/nomansky.xyz.access.log;
        error_log /home/wordpress/log/nomansky.xyz.error.log;

        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        # Hand PHP requests to PHP-FPM over the Unix socket
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass unix:/run/php-fpm/www.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }

        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
            expires max;
            log_not_found off;
        }
    }

Create the log directory and set its ownership:

    mkdir -p /home/wordpress/log
    chown -R wordpress:wordpress /home/wordpress/log

Run nginx -t to check that the configuration syntax is valid. If it is, run nginx -s reload to reload nginx.

Next, we see that the WordPress page has been opened successfully, and it is done.

The above is the whole content of this article, I hope it will be helpful to your study, and I also hope that you will support it.
