
MIS 腳印

Recording the trail of IT learning

Configuring WordPress multi-site websites with NGINX and PHP-FPM on CentOS 8

On CentOS Linux 8, use the NGINX web server together with PHP-FPM to build several independent WordPress.ORG sites, and split the NGINX settings that share the same logic into reusable files so that each site's own NGINX configuration file can include them directly.

WordPress.ORG

WordPress

Download

Open WordPress.org Taiwan (Traditional Chinese) and click [Get WordPress].

Copy the link URL of [Download .tar.gz].

Paste the link URL to download the file:

wget https://wordpress.org/latest.tar.gz

Extract the archive (the file name must match the one downloaded above):

tar -zxv -f latest.tar.gz

Remove the archive:

rm latest.tar.gz

Move the extracted wordpress directory to the NGINX site root directory (root) under the name you want; the directory is usually named after the domain name or subdomain it serves:

mv wordpress/ /var/www/www.footmark.com.tw

Directory and file permission settings

Recursively change the permissions of every directory under the site directory (2775 also sets the setgid bit, so new files inherit the directory's group):

find /var/www/ -type d -exec chmod 2775 {} \;

Recursively change the permissions of every file under the site directory:

find /var/www/ -type f -exec chmod 664 {} \;

wp-config.php settings

For the WordPress wp-config.php settings, see Editing wp-config.php | WordPress.org.

NGINX settings

The directories and configuration files that NGINX provides by default on CentOS 8 are roughly as follows:

  • Main configuration file: /etc/nginx/nginx.conf
  • Included configuration files: /etc/nginx/conf.d/ (all site configuration files are created here)
    • PHP-FPM configuration file: php-fpm.conf
  • PHP configuration file: /etc/nginx/default.d/php.conf

Shared configuration files

Create a global directory under the nginx directory to hold the configuration files that share the same logic and can be reused:

mkdir /etc/nginx/global

Restrictions file

vim /etc/nginx/global/restrictions.conf
# Global restrictions configuration file.
# Designed to be included in any server {} block.
location = /favicon.ico {
    log_not_found off;
    access_log off;
}
 
location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}
 
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
    deny all;
}
 
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}

location / {
    # This is cool because no php is touched for static content.
    # Include the "?$args" part so non-default permalinks don't break when using a query string.
    try_files $uri $uri/ /index.php?$args;
}

location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    expires max;
    log_not_found off;
}

TLS/SSL certificates

vim /etc/nginx/global/ssl.conf
# Session cache validity period
ssl_session_timeout 1d;
# Session cache type (shared across worker processes) and size
ssl_session_cache shared:SSL:50m;

#
# intermediate configuration. tweak to your needs.
#

# Protocol versions allowed
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Cipher suites; entries listed earlier have higher priority
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# During the handshake, prefer the server's cipher order above rather than the client's
ssl_prefer_server_ciphers on;

#
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
#

# Add the HTTP response header
add_header Strict-Transport-Security max-age=15768000;

Per-site configuration files

To build sites for different domain names (Domain Name) or subdomains (Subdomain), simply create a corresponding configuration file as shown below, replacing the value www.footmark.com.tw in the following settings with the domain name or subdomain actually used:

  • server_name
  • root
  • ssl_certificate
  • ssl_certificate_key

vim /etc/nginx/conf.d/www.footmark.com.tw.conf
server {
    listen 80;
    listen [::]:80;
    server_name footmark.com.tw www.footmark.com.tw *.footmark.com.tw;
    # Permanently redirect HTTP requests to HTTPS. $server_name is the first name
    # listed above (footmark.com.tw), so every host name is redirected to that one.
    return 301 https://$server_name$request_uri;
}

server {
    # Use the HTTPS and HTTP/2 protocols
    listen 443 ssl http2;
    # The same for IPv6
    listen [::]:443 ssl http2;

    ## Your website name goes here.
    server_name footmark.com.tw www.footmark.com.tw *.footmark.com.tw;
    ## Your only path reference.
    root /var/www/www.footmark.com.tw;
    ## This should be in your http block and if it is, it's not needed here.
    index index.php;

    # Include the shared restrictions configuration file
    include             /etc/nginx/global/restrictions.conf;
    # Include the PHP configuration file that NGINX provides by default
    include             /etc/nginx/default.d/php.conf;

    # Certificates sent to the client in SERVER HELLO are concatenated in ssl_certificate

    # SSL certificate path
    ssl_certificate     /etc/nginx/ssl/www.footmark.com.tw/cert.pem;
    # Private key path
    ssl_certificate_key /etc/nginx/ssl/www.footmark.com.tw/key.pem;

    # Include the shared TLS/SSL configuration file
    include             /etc/nginx/global/ssl.conf;
}
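Automating the per-site step above for a new domain, as an added example that is not part of the original post: the script prints a site configuration built from the pattern just shown (assuming the /etc/nginx/global, /etc/nginx/ssl/<domain>/ and /var/www/<domain> paths used on this page, and a constructed example.test domain) and lists any deprecated protocol versions enabled by the shared ssl.conf, which with the ssl_protocols line above reports TLSv1 and TLSv1.1.

```shell
# Added example (not from the original post). Assumes the shared includes live in
# /etc/nginx/global, the cert and key in /etc/nginx/ssl/<domain>/, web root /var/www/<domain>.

# Print the server {} blocks for DOMAIN (e.g. www.example.test) to stdout.
# The apex name (DOMAIN without a leading "www.") and its wildcard are added to server_name.
render_site_conf() {
    domain="$1"
    apex="${domain#www.}"
    names="${apex} *.${apex}"
    if [ "$apex" != "$domain" ]; then names="${apex} ${domain} *.${apex}"; fi
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${names};
    return 301 https://\$server_name\$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${names};
    root /var/www/${domain};
    index index.php;
    include             /etc/nginx/global/restrictions.conf;
    include             /etc/nginx/default.d/php.conf;
    ssl_certificate     /etc/nginx/ssl/${domain}/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/${domain}/key.pem;
    include             /etc/nginx/global/ssl.conf;
}
EOF
}

# Print, one per line, the deprecated versions listed by the first ssl_protocols
# directive in FILE (SSLv2, SSLv3, TLSv1 and TLSv1.1); prints nothing if none are enabled.
deprecated_tls_protocols() {
    enabled=$(sed -nE 's/^[[:space:]]*ssl_protocols[[:space:]]+([^;]*);.*/\1/p' "$1" | head -n 1)
    for proto in $enabled; do
        case "$proto" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "$proto" ;;
        esac
    done
}

# Demo on a constructed copy of the ssl_protocols line from the shared ssl.conf above.
SAMPLE_SSL_CONF=$(mktemp)
printf 'ssl_session_timeout 1d;\nssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' > "$SAMPLE_SSL_CONF"
render_site_conf www.example.test
deprecated_tls_protocols "$SAMPLE_SSL_CONF"
```

In real use, redirect the output into /etc/nginx/conf.d/www.example.test.conf, then run nginx -t and reload NGINX only if the syntax check passes.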
