上一篇编译安装LAMP的补充,实现WordPress个人博客搭建的应用
附自动安装脚本:
http://scripts.dongfei.tech/lamp_make.sh
服务器端部署:
[root@lamp ~]# wget http://src.dongfei.tech/wordpress-4.9.4-zh_CN.zip
[root@lamp ~]# unzip wordpress-4.9.4-zh_CN.zip
[root@lamp ~]# mkdir /lamp/data/www/
[root@lamp ~]# mv wordpress /lamp/data/www/
[root@lamp ~]# setfacl -R -m u:apache:rwx /lamp/data/www/wordpress/
[root@lamp ~]# cd /lamp/application/httpd24/conf/
主配文件:
[root@lamp conf]# vim httpd.conf #保证以下参数与示例一致
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf
Include conf/extra/httpd-vhosts.conf
#AddType application/x-httpd-php .php
#AddType application/x-httpd-php-source .phps
#ProxyRequests Off
#ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/lamp/application/httpd24/htdocs/
#DocumentRoot "/lamp/application/httpd24/htdocs"
#<Directory "/lamp/application/httpd24/htdocs">
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
虚拟主机配置文件:
[root@lamp conf]# vim extra/httpd-vhosts.conf
DirectoryIndex index.php
<VirtualHost *:80>
DocumentRoot "/lamp/data/www/wordpress"
<Directory "/lamp/data/www/wordpress">
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>
ServerName blog.dongfei.com
ErrorLog "logs/blog.dongfei.com-error_log"
CustomLog "logs/blog.dongfei.com-access_log" common
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
ProxyRequests Off
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/lamp/data/www/wordpress/
Header always set Strict-Transport-Security "max-age=31536000"
RewriteEngine on
RewriteRule ^(/wp-admin.*)$ https://%{HTTP_HOST}$1 [redirect=302]
RewriteRule ^(/wp-login.*)$ https://%{HTTP_HOST}$1 [redirect=302]
</VirtualHost>
搭建CA:
[root@lamp CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:dongfei.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:ca.dongfei.com
[root@lamp CA]# touch index.txt
[root@lamp CA]# echo 01 > serial
[root@lamp CA]# cd /lamp/application/httpd24/conf/extra/
[root@lamp extra]# mkdir ssl
[root@lamp extra]# cd ssl
[root@lamp ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
[root@lamp ssl]# openssl req -new -key httpd.key -out httpd.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:dongfei.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:blog.dongfei.com
[root@lamp ssl]# cp httpd.csr /etc/pki/CA/
[root@lamp ssl]# cd /etc/pki/CA/
[root@lamp CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 350
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
[root@lamp CA]# cp certs/httpd.crt cacert.pem /lamp/application/httpd24/conf/extra/ssl/
[root@lamp ~]# scp /etc/pki/CA/cacert.pem 192.168.0.7:/root/cacert.crt #将根证书发给客户端一份
配置https:
[root@lamp CA]# cd /lamp/application/httpd24/conf
[root@lamp conf]# cp extra/httpd-ssl.conf{,.bak}
[root@lamp conf]# vim extra/httpd-ssl.conf
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/lamp/application/httpd24/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost _default_:443>
DocumentRoot "/lamp/data/www/wordpress/"
ServerName blog.dongfei.com:443
ServerAdmin admin@dongfei.com
ErrorLog "/lamp/application/httpd24/logs/error_log"
TransferLog "/lamp/application/httpd24/logs/access_log"
SSLEngine on
SSLCertificateFile "/lamp/application/httpd24/conf/extra/ssl/httpd.crt"
SSLCertificateKeyFile "/lamp/application/httpd24/conf/extra/ssl/httpd.key"
SSLCACertificateFile "/lamp/application/httpd24/conf/extra/ssl/cacert.pem"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/lamp/application/httpd24/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "/lamp/application/httpd24/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory "/lamp/data/www/wordpress">
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
ProxyRequests Off
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/lamp/data/www/wordpress/
</VirtualHost>
[root@lamp ~]# apachectl restart
创建数据库:
[root@lamp ~]# mysql
MariaDB [(none)]> CREATE DATABASE wpdb;
MariaDB [(none)]> GRANT ALL ON wpdb.* TO wpuser@'127.0.0.1' IDENTIFIED BY 'wppass';
在客户端配置WordPress:
[root@centos7 ~]# vim /etc/hosts
192.168.0.8 blog.dongfei.com
[root@centos7 ~]# firefox http://blog.dongfei.com
此时我们由于没有信任根证书,所以提示不安全
导入证书:Preferences - Advanced - Certificates - View Certificates - Import... - 选择/root/cacert.crt导入证书,刷新
接下来根据提示来填写信息
到此,实现了访问后台管理页面是基于https协议,访问博客基于http协议,主要是为了保护登录时是加密传输,防止密码泄露。在以上配置中使用的是私有证书,仅仅为自己使用,如果是开发注册站点建议申请ssl证书。
推荐几个实用的wordpress插件:
Autoptimize:缓存加速功能
Limit Login Attempts Reloaded:管理后台防暴力破解
WP Editor.md:markdown编辑器插件
WP 统计:站点统计插件
Crayon Syntax Highlighter:代码高亮插件