Detailed explanation of the whole process of building a personal blog with nginx+WordPress

0x00 Introduction

WordPress is the most popular CMS system in the world. It is based on the PHP and MySQL technology stack, and has many plug-ins, making it very extensible. I happened to have a spare ECS recently, so I built one for fun. This tutorial is built based on the LEMP technology stack. The versions are as follows:

1. The L version is CentOS7.6.
2. E version is nginx1.12.2
3. M version is Distrib 5.5.60-MariaDB
4. The P version is php7.2

In addition, full https is now a trend, and naturally we can't fall behind, so we will also use Let's Encrypt to generate free SSL certificates for configuration

0x01 Preconditions

• There is a domain name, my own domain name is nomansky.xyz
• A VPS or cloud server, if it is a domestic IP, needs to be registered
• A user with sudo or root privileges. Here I create a new wordpress user to run the program and set it to nologin using the following command
  • a. sudo useradd -s /sbin/nologin wordpress
• Installed the epel source using sudo yum install -y epel-release
• Turn off firewalld. I prefer to use iptables for security reinforcement.
  • a. sudo systemctl stop firewalld
  • b. sudo systemctl disable firewalld

0x02 Install nginx

• Run sudo yum install nginx to install nginx
• Start the nginx daemon and set it to start automatically at boot
  • a. sudo systemctl start nginx
  • b. sudo systemctl enable nginx
• Add the wordpress user to the nginx group usermod -a -G nginx wordpress, and set the directory permissions chmod 770 -R /var/lib/nginx/
• At this time, visit http://nomansky.xyz and you can see the following page, which means that nginx has been installed successfully.
  

0x03Install Mariadb

Mariadb, as an open source branch of MySQL, has become the default database used by CentOS to replace MySQL, so I also use Mariadb as the database here.

• Execute sudo yum install mariadb-server -y to install mariadb
• Start Mariadb and set it to start automatically at boot
  • a. sudo systemctl start mariadb
  • b. sudo systemctl enable mariadb
• Run sudo mysql_secure_installation to secure Mariadb. You will see requirements to set the database root password, remove anonymous users, restrict database root users to localhost, and remove the test database. It is recommended to select Y (YES) for all of them, as shown in the figure below. The default database root password is blank
  

In addition, the address that mariadb listens on must be changed 127.0.0.1:3306

a. vim /etc/my.cnf.d/server.cnf to open Mariadb configuration file

b. Add bind=127.0.0.1 under [mysqld] , as shown below

c. Execute systemctl restart mariadb to restart the database

d. Execute netstat -lntp and you can see that it is listening to the local loopback address.

0x04 Create a database

After installing the mariadb database and hardening it, we naturally need to create a new database to store data. Here we first use the root account password set previously to log in to the database mysql -uroot -p and execute the following statements

CREATE DATABASE wordpress CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci; # Create database GRANT ALL ON wordpress.* TO 'wordpress'@'localhost' IDENTIFIED BY 'your password'; # Create user FLUSH PRIVILEGES; # Refresh database permissions EXIT;

0x05 Install PHP

The default PHP version of CentOS is 5.4, but the recommended version of WordPress is 7.2, so we install the PHP 7.2 version here. Execute the following command to install PHP and all required PHP extensions

sudo yum install yum-utils
sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
sudo yum-config-manager --enable remi-php72
sudo yum install php-cli php-fpm php-mysql php-json php-opcache php-mbstring php-xml php-gd php-curl

We install PHP FPM because we use Nginx as our web server, and Nginx does not come with this component. In addition, PHP FPM runs as the apache user on port 9000 by default. We change this user to wordpress and change it from TCP Socket to Unix Socket. See the steps below for details on how to modify it.

Open /etc/php-fpm.d/www.conf and modify the following places

...
user = wordpress
...
group = wordpress
...
listen = /run/php-fpm/www.sock
...
listen.owner = wordpress
listen.group = wordpress

Use the command sudo chown -R root:wordpress /var/lib/php to ensure that all group permissions of the directory are wordpress

Restart and start PHP FPM automatically

a. sudo systemctl restart php-fpm
b. sudo systemctl enable php-fpm

0x06 Apply for a free certificate

As a tech geek, I would definitely use a free certificate if one is available. Therefore, we can apply for a free Let's Encrypt certificate, which is not only free but also very easy to use. Although it is only valid for 90 days each time, it can be updated regularly through the script configuration crontab.

a. mkdir -p /etc/nginx/ssl directory stores the certificate

b. openssl genrsa 4096 > account.key Enter this directory and create an RSA private key for Let's Encrypt to identify you

c. openssl genrsa 4096 > domain.key to create a domain name RSA private key

d. openssl req -new -sha256 -key domain.key -out domain.csr the private key file, you can generate the CSR file. When generating a CSR, you will be asked to fill in some information. Here, Common Name is your domain name.

We know that when CA issues a DV (Domain Validation) certificate, it needs to verify the domain name ownership. The traditional CA verification method is generally to send a verification email to [email protected], while Let's Encrypt generates a random verification file on your server and then accesses it through the domain name specified when creating the CSR. If it can be accessed, it means that you have control over the domain name. So first create a directory to store the verification files, for example:
mkdir /home/wordpress/challenges

Then configure an HTTP service, taking Nginx as an example:

server {
  server_name www.nomansky.xyz nomansky.xyz;

  location ^~ /.well-known/acme-challenge/ {
    alias /home/wordpress/challenges/;
    try_files $uri =404;
  }

  location / {
    rewrite ^/(.*)$ https://nomansky.xyz/$1 permanent;
  }
}

The above configuration means to search for files in the /home/wordpress/challenges/ directory, and redirect to the HTTPS address if it is not found. This verification service will be used again when updating the certificate in the future, so it must be retained at all times.

Next, save acme-tiny to the ssl directory wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py

Then specify the account private key, CSR and verification directory, execute the script python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/wordpress/challenges/ > ./signed.crt , and see the following figure, which means that the generation is successful

Finally, you need to download the intermediate certificate of Let's Encrypt. When configuring the HTTPS certificate, do not omit the intermediate certificate or include the root certificate. In the Nginx configuration, you need to combine the intermediate certificate and the website certificate:

wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem

In order to enable OCSP Stapling smoothly later, we will combine the root certificate and the intermediate certificate together (this step can also be omitted)

wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem
cat intermediate.pem root.pem > full_chained.pem

The certificate issued by Let's Encrypt is only valid for 90 days. It is recommended to use scripts to renew it regularly. Create a renew_cert.sh and give it execution permission via chmod a+x renew_cert.sh . The file contents are as follows:

#!/bin/bash

cd /etc/nginx/ssl/
python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /home/wordpress/challenges/ > signed.crt || exit
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
systemctl restart nginx

Configure the scheduled task in crontabl 0 0 1 * * /etc/nginx/ssl/renew_cert.sh >/dev/null 2>&1

0x07 Download WordPress and configure Nginx

Download WordPress to /home/wordpress/ directory wget https://wordpress.org/latest.tar.gz

tar zxvf latest.tar.gz to extract the WordPress files

chown -R wordpress:wordpress wordpress changes the owner of the wordpress directory to the wordpress user

Next, open vim /etc/nginx/nginx.conf and change the running role of nginx to wordpress

···
user wordpress;
worker_processes auto;
···

Then here I comment out the server configuration block in the main configuration file nginx.conf for the purpose of decoupling.

Create a new sudo mkdir /etc/nginx/snippets directory and vim letsencrypt.conf to paste the following configuration into it

location ^~ /.well-known/acme-challenge/ {
   alias /home/wordpress/challenges/;
   try_files $uri =404;
}

Next, create a new vim /etc/nginx/conf.d/wordpress.conf configuration file and modify it to the following configuration

 # Redirect HTTP -> HTTPS
  server {
    listen 80;
    server_name www.nomansky.xyz nomansky.xyz;

    include snippets/letsencrypt.conf;
    return 301 https://nomansky.xyz$request_uri;
  }

  # Redirect WWW -> NON WWW
  server {
    listen 443 ssl http2;
    server_name www.nomansky.xyz;

    ssl_certificate /etc/nginx/ssl/chained.pem;
    ssl_certificate_key /etc/nginx/ssl/domain.key;

    return 301 https://nomansky.com$request_uri;
  }

  server {
    listen 443 ssl http2;
    server_name nomansky.com;

    root /home/wordpress/wordpress;
    index index.php;

    # SSL parameters
    ssl_certificate /etc/nginx/ssl/chained.pem;
    ssl_certificate_key /etc/nginx/ssl/domain.key;

    # log files
    access_log /home/wordpress/log/nomansky.xyz.access.log;
    error_log /home/wordpress/log/nomansky.xyz.error.log;

    location = /favicon.ico {
      log_not_found off;
      access_log off;
    }
    
          location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
    }

    location / {
      try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
      try_files $uri =404;
      fastcgi_pass unix:/run/php-fpm/www.sock;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      include fastcgi_params;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
      expires max;
      log_not_found off;
    }

Create a log directory mkdir -p /home/wordpress/log and set permissions chown -R wordpress:wordpress /home/wordpress/log

nginx -t checks whether the syntax check is normal. If normal, reload nginx nginx -s reload

Next, you will see that the WordPress page is successfully opened, and you are done.

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.