How to Install WordPress with Apache2 and Let’s Encrypt SSL/TLS Certificates on Ubuntu 16.04 | 18.04
Ubuntu 18.04, packages from the repositories
# apt update
# apt upgrade
# apt install mc
# adduser user
# usermod -aG sudo user
# su user
$ cd ~
$ mkdir ~/.ssh
$ cd ~/.ssh
$ ssh-keygen -t rsa
Download /home/user/.ssh/id_rsa and use it to log in
$ cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
$ rm ~/.ssh/id_rsa.pub
$ rm ~/.ssh/id_rsa
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
$ exit
# nano /etc/ssh/sshd_config
Check:
PasswordAuthentication no
.....
PubkeyAuthentication yes
ChallengeResponseAuthentication no
Save.
$ sudo systemctl reload sshd
After verifying login and sudo,
disable root login over SSH
$ sudo nano /etc/ssh/sshd_config
Change:
PermitRootLogin no
Save.
$ sudo systemctl reload sshd
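Added example (not part of the original guide): a check that the four sshd_config settings above are the ones sshd will actually use, since sshd keeps the first value it reads for each keyword. The function names effective_value, audit_sshd and sample_bad are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit sshd_config text for the four settings set above.
# sshd uses the FIRST value it reads for a keyword (keywords are
# case-insensitive), so an earlier "PasswordAuthentication yes" wins over a
# "no" appended further down the file.

# effective_value KEYWORD < config : print the first global value, lowercased
effective_value() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }        # comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }         # accept the "Keyword=value" form
        tolower($1) == "match" { exit }       # global section ends at first Match
        tolower($1) == want { print tolower($2); exit }
    '
}

# audit_sshd FILE : one line per setting; returns 0 only if all four match
audit_sshd() {
    rc=0
    for pair in passwordauthentication:no pubkeyauthentication:yes \
                challengeresponseauthentication:no permitrootlogin:no; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(effective_value "$key" < "$1")
        if [ "$got" = "$want" ]; then
            echo "OK    $key $got"
        else
            # unset is reported as a failure rather than assuming a default
            echo "FAIL  $key ${got:-unset} (want $want)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a stale "yes" sits above the line added later.
sample_bad() {
    printf '%s\n' '#PermitRootLogin prohibit-password' \
        'PasswordAuthentication yes' 'PubkeyAuthentication yes' \
        'ChallengeResponseAuthentication no' 'PermitRootLogin no' \
        'passwordauthentication no'
}

tmp=$(mktemp)
sample_bad > "$tmp"
audit_sshd "$tmp" || echo "sshd_config does not match the settings above"
rm -f "$tmp"
```

On the server, run it as audit_sshd /etc/ssh/sshd_config after editing; sudo sshd -t validates the file's syntax before the reload.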
# disable IPv6
$ sudo /bin/su -c "echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf"
$ sudo /bin/su -c "echo 'net.ipv6.conf.default.disable_ipv6 = 1' >> /etc/sysctl.conf"
$ sudo /bin/su -c "echo 'net.ipv6.conf.lo.disable_ipv6 = 1' >> /etc/sysctl.conf"
#sudo /bin/su -c "echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf"
$ sudo sysctl -p
$ sudo apt update
$ sudo apt install apache2
$ sudo apt-get install mariadb-server mariadb-client
$ sudo mysql_secure_installation
Enter current password for root (enter for none): Enter
Set root password? [Y/n] Y
New password: 12345
Re-enter new password: 12345
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y
$ sudo mysql -u root -p
$ sudo apt install php7.2 libapache2-mod-php7.2 php7.2-common php7.2-mysql php7.2-gmp php7.2-curl php7.2-intl php7.2-mbstring php7.2-xmlrpc php7.2-gd php7.2-xml php7.2-cli php7.2-zip
$ sudo nano /etc/php/7.2/apache2/php.ini
Change:
memory_limit = 256M
upload_max_filesize = 100M
max_execution_time = 360
#date.timezone
Save.
$ sudo systemctl restart apache2.service
$ sudo nano /var/www/html/phpinfo.php
<?php phpinfo( ); ?>
Save.
http://example.com/phpinfo.php
$ sudo mysql -u root -p
Enter password:
MariaDB [(none)]> CREATE DATABASE wpdatabase;
MariaDB [(none)]> CREATE USER 'wpuser'@'localhost' IDENTIFIED BY 'new_password_here';
MariaDB [(none)]> GRANT ALL ON wpdatabase.* TO 'wpuser'@'localhost' IDENTIFIED BY 'new_password_here' WITH GRANT OPTION;
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> EXIT;
$ cd /tmp
$ wget https://wordpress.org/latest.tar.gz
$ tar -xvzf latest.tar.gz
$ sudo mv wordpress /var/www/html/example.com
$ sudo chown -R www-data:www-data /var/www/html/example.com/
$ sudo chmod -R 755 /var/www/html/example.com/
$ sudo nano /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
ServerAdmin admin@example.com
DocumentRoot /var/www/html/example.com
<Directory /var/www/html/example.com/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/html/example.com/>
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*) index.php [PT,L]
</Directory>
</VirtualHost>
Save.
$ sudo a2ensite example.com.conf
$ sudo a2enmod rewrite
$ sudo systemctl reload apache2
$ sudo apt install certbot
$ sudo mkdir -p /var/lib/letsencrypt/.well-known
$ sudo chgrp www-data /var/lib/letsencrypt
$ sudo chmod g+s /var/lib/letsencrypt
$ sudo nano /etc/apache2/conf-available/well-known.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
AllowOverride None
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>
Save.
$ sudo a2enmod ssl
$ sudo a2enmod headers
$ sudo a2enmod http2
$ sudo a2enconf well-known
$ sudo systemctl restart apache2
$ sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-08-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
$ sudo nano /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/example.com
Protocols h2 http/1.1
<If "%{HTTP_HOST} == 'www.example.com'">
Redirect permanent / https://example.com/
</If>
ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
SSLUseStapling on
<Directory /var/www/html/example.com/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
<Directory /var/www/html/example.com/>
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*) index.php [PT,L]
</Directory>
</VirtualHost>
Save.
$ sudo nano /etc/apache2/mods-available/ssl.conf
Add after <IfModule mod_ssl.c>:
<IfModule mod_ssl.c>
# Set the location of the SSL OCSP Stapling Cache
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
Save.
$ sudo systemctl restart apache2
$ sudo crontab -e
Add:
0 1 * * * /usr/bin/certbot renew > /dev/null 2>&1
Save.
https://example.com/
Database name: wpdatabase
Username: wpuser
Password: new_password_here