Unlike the tutorial on the Alpine wiki, this article installs on an LNMP stack and also configures access over the proxy protocol.
Switch to a mirror in China.
sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
apk update
Install sshd (optional).
apk add openssh
service sshd start
rc-update add sshd
Install the LNMP Stack
Install Nginx, PHP and MariaDB.
apk add nginx mariadb mariadb-client php82-fpm php82-mysqlnd php82-mysqli nginx-mod-http-cache-purge
Install the PHP modules WordPress needs
apk add php82-bcmath php82-common php82-ctype php82-curl php82-dom php82-exif php82-fileinfo php82-gd php82-gmp php82-iconv php82-intl php82-mbstring php82-openssl php82-pecl-igbinary php82-pecl-imagick php82-session php82-shmop php82-simplexml php82-sodium php82-xml php82-xmlreader php82-zip openssl imagemagick icu-data-full
Configure PHP
Edit the php-fpm configuration file.
vi /etc/php82/php-fpm.d/www.conf
Set the process user and group and the permissions of the Unix socket.
user = nginx
group = nginx
listen = /run/php-fpm82/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
Configure the database
rc-service mariadb setup
rc-service mariadb start
mysql_secure_installation
Install WordPress
Download the latest WordPress and set the permissions.
wget https://wordpress.org/latest.tar.gz
tar -xzvf latest.tar.gz -C /srv
chown nginx:nginx -R /srv/wordpress
find /srv/wordpress -type d -exec chmod 755 {} \;
find /srv/wordpress -type f -exec chmod 644 {} \;
Create the WordPress database
mysql -u root -p
Create the wordpress database and the wordpress user. The wp user's password is assumed to be 'wordpress password'; the database name wordpress and the user name can both be customized.
CREATE DATABASE wordpress;
GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost' IDENTIFIED BY 'wordpress password';
FLUSH PRIVILEGES;
EXIT
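Configure the SSL certificate
To request a certificate through Cloudflare, see "Deploying Frp Intranet Penetration with Fedora + Alpine"; if only intranet access is needed, that article also covers requesting a private certificate.
Configure Nginx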
mkdir -p /etc/nginx/snippets/php/upstream
cat > /etc/nginx/snippets/php/upstream/fpm82.conf <<EOF
upstream php_fpm {
server unix:/run/php-fpm82/php-fpm.sock;
}
EOF
openssl dhparam -dsaparam -out /etc/ssl/private/dsa4096.pem 4096
mkdir -p /etc/nginx/snippets/ssl
cat > /etc/nginx/snippets/ssl/dhparam.conf <<EOF
# Path of the file with Diffie-Hellman parameters for EDH ciphers.
# TIP: Generate with: openssl dhparam -dsaparam -out /etc/ssl/private/dsa4096.pem 4096
ssl_dhparam /etc/ssl/private/dsa4096.pem;
ssl_ecdh_curve secp521r1:secp384r1;
EOF
cat > /etc/nginx/snippets/ssl/ocsp.conf <<EOF
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
EOF
cat > /etc/nginx/snippets/ssl/ssl.conf <<EOF
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384';
EOF
cat > /etc/nginx/snippets/ssl_params.conf <<EOF
include snippets/ssl/ssl.conf;
include snippets/ssl/dhparam.conf;
include snippets/ssl/ocsp.conf;
EOF
mkdir -p /etc/nginx/snippets/wordpress
cat > /etc/nginx/snippets/wordpress/restrictions.conf <<EOF
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ /\. {
deny all;
}
location ~* /(?:uploads|files)/.*\.php\$ {
deny all;
}
EOF
cat > /etc/nginx/snippets/client_params.conf <<EOF
client_max_body_size 512M;
client_body_timeout 300s;
client_body_buffer_size 512k;
EOF
cat > /etc/nginx/snippets/hsts.conf <<EOF
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
EOF
Have the SSL certificate ready; the certificate directory is assumed to be /etc/letsencrypt/live/example.com.
cat > /etc/nginx/snippets/example.com_cert.conf <<EOF
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
EOF
Create the Nginx configuration for WordPress.
cat > /etc/nginx/http.d/example.com.conf <<EOF
include snippets/php/upstream/*.conf;
server {
listen 80;
server_name example.com;
rewrite ^(.*)\$ https://\$host\$1 permanent;
}
server {
listen 443 ssl http2;
server_name example.com;
root /srv/wordpress;
index index.php;
include snippets/example.com_cert.conf;
include snippets/ssl_params.conf;
include snippets/hsts.conf;
include snippets/client_params.conf;
include snippets/wordpress/restrictions.conf;
location / {
try_files \$uri \$uri/ /index.php?\$args;
}
location ~ \.php\$ {
include fastcgi.conf;
fastcgi_pass php_fpm;
}
}
EOF
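The heredocs above are unquoted, so every nginx `$` is written `\$`; a `\$` copied into a hand-edited file makes `\.php\$` match a literal dollar sign (`.php` requests then bypass FastCGI and are served as plain files), and a forgotten backslash lets the shell expand `$uri` to nothing, both of which `nginx -t` accepts. This added example (not from the original article) lints generated files for the two cases. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Sample files are constructed.

# Print one finding per offending line; exit status 1 if anything was found.
lint_nginx_dollars() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        index($0, "\\$") {                       # backslash-dollar reached the file
            printf "%s:%d: escaped dollar in file: %s\n", FILENAME, FNR, $0; bad = 1
        }
        /(try_files|rewrite)[ \t]/ && !index($0, "$") {
            printf "%s:%d: variables expanded by the shell: %s\n", FILENAME, FNR, $0; bad = 1
        }
        END { exit bad + 0 }
    ' "$@"
}

# Write four constructed samples into directory $1.
write_samples() {
    # Correct: unquoted delimiter, every nginx dollar escaped for the shell.
    cat > "$1/escaped.conf" <<EOF
location / { try_files \$uri \$uri/ /index.php?\$args; }
location ~ \.php\$ { fastcgi_pass php_fpm; }
EOF
    # Correct: quoted delimiter, the shell expands nothing, no escapes needed.
    cat > "$1/quoted.conf" <<'EOF'
location / { try_files $uri $uri/ /index.php?$args; }
location ~ \.php$ { fastcgi_pass php_fpm; }
EOF
    # Wrong: heredoc body pasted into the file by hand, backslashes kept.
    cat > "$1/pasted.conf" <<'EOF'
location ~ \.php\$ { fastcgi_pass php_fpm; }
EOF
    # Wrong: unquoted delimiter without escapes; uri/args are empty in the shell
    # (set explicitly here so the result is the same everywhere).
    ( uri='' args=''
      cat > "$1/unescaped.conf" <<EOF
location / { try_files $uri $uri/ /index.php?$args; }
EOF
    )
}

tmp=$(mktemp -d) && write_samples "$tmp"
lint_nginx_dollars "$tmp"/*.conf || echo "fix the lines above before reloading nginx"
rm -rf "$tmp"
```

Run it as `lint_nginx_dollars /etc/nginx/http.d/*.conf /etc/nginx/snippets/wordpress/*.conf` after generating the files.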
Configure Frp intranet proxy access (optional)
If the site is accessed through frp with the proxy protocol, the following file is also needed.
cat > /etc/nginx/snippets/frp_proxy.conf <<EOF
# frp intranet IP
set_real_ip_from 10.0.10.100/32;
set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
EOF
Edit the original wordpress configuration file and add the following inside the server block.
server {
listen 8080 proxy_protocol;
include snippets/frp_proxy.conf;
location ~ \.php$ {
include fastcgi.conf;
fastcgi_pass php_fpm;
fastcgi_param HTTPS on;
}
}
Then configure frpc to connect to port 8080 on the host.
[[proxies]]
name = "example.com"
type = "http"
localIP = "10.0.10.101"
localPort = 8080
customDomains = ["example.com"]
transport.useCompression = true
transport.proxyProtocolVersion = "v2"
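How nginx resolves the client address with the frp_proxy.conf above (`real_ip_header X-Forwarded-For`, `real_ip_recursive on`), modelled as an added shell example that is not part of the original article: the header is honoured only when the connecting peer is listed in `set_real_ip_from`, and the rightmost entry that is not a trusted proxy wins. The sample addresses are constructed, and the second case assumes the proxy appends the address it saw to any X-Forwarded-For the client sent.

```shell
#!/bin/sh
# Added example, not from the original article: a model of how nginx picks the
# client address under frp_proxy.conf. Exact-match trust is enough here because
# the page's set_real_ip_from entries are a /32 and a single host.
TRUSTED="10.0.10.100 127.0.0.1"

is_trusted() {
    for t in $TRUSTED; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# real_ip PEER XFF  ->  prints the address that becomes $remote_addr
real_ip() (
    set -f                                  # never glob header content
    addr=$1
    # Peer not listed in set_real_ip_from: the header is ignored entirely.
    is_trusted "$addr" || { echo "$addr"; exit 0; }
    rev=""
    for a in $(printf '%s' "$2" | tr ',' ' '); do rev="$a $rev"; done
    # real_ip_recursive on: walk right to left, stop at the first untrusted hop.
    for a in $rev; do
        case $a in *[!0-9A-Fa-f.:]*) break ;; esac   # unparsable entry: stop
        addr=$a
        is_trusted "$a" || break
    done
    echo "$addr"
)

# Constructed cases (documentation-range addresses).
show() { printf '%-14s %-28s -> %s\n' "$1" "[$2]" "$(real_ip "$1" "$2")"; }
show 10.0.10.100  "203.0.113.7"              # normal request through frp
show 10.0.10.100  "192.0.2.66, 203.0.113.7"  # client-supplied entry is skipped
show 198.51.100.9 "127.0.0.1"                # direct connection: header ignored
show 10.0.10.100  "192.0.2.66, 127.0.0.1"    # trusted hop on the right: left entry is believed
```

The last case is why `set_real_ip_from` should list only hosts that really are proxies: every trusted address extends belief one entry further to the left.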
Start LNMP
Test the Nginx configuration.
nginx -t
Start the services and enable them at boot.
rc-service php-fpm82 start
rc-service nginx start
rc-update add nginx
rc-update add mariadb
rc-update add php-fpm82
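Finally, open the WordPress site in a browser and fill in the database and blog information.
Optimization
php-fpm settings
Edit php-fpm's www.conf configuration file.
Search for "PHP-FPM Process Calculator", enter the machine's current memory, and for Process size use the memory a php-fpm process currently occupies. The calculator then returns parameter values like the ones below; set them in www.conf.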
pm.max_children = 8
pm.start_servers = 2
pm.min_spare_servers = 2
pm.max_spare_servers = 6
Redis Cache
Use redis to cache pages, database queries, objects and so on.
Install redis.
apk add redis php82-redis
service php-fpm82 restart
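In WordPress, install a redis cache plugin such as Redis Object Cache or W3 Total Cache.
W3 Total Cache may generate server configuration that needs further handling: with Nginx it writes an nginx.conf into the WordPress root directory, which has to be included from the site configuration file.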