2021: Deploying a LAMP stack on Ubuntu 20.04 and installing WordPress
Before we start you may ask why I use Apache instead of Nginx. Mainly because Apache lets you change a virtual host's configuration through .htaccess files, whereas Nginx requires editing the host configuration file. Besides, Apache's performance is not bad these days and is more than enough for a site like ours. Let's deploy the LAMP stack on the VPS and install WordPress.
1. Create a sudo user
Log in to the server as root:
ssh root@server_ip_address
Create a new user account:
adduser username
Add the new user to the sudo group:
usermod -aG sudo username
Log out of the root session:
exit
Log in to the server as the new user:
ssh username@server_ip_address
Update the system:
sudo apt update
sudo apt upgrade
exit
2. Set up SSH key login
Copy your public key to the server. On your local machine, run:
ssh-copy-id username@server_ip_address
If for some reason the ssh-copy-id utility is not available on your local machine, copy the public key with the following command:
cat ~/.ssh/id_rsa.pub | ssh remote_username@server_ip_address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Disable SSH password authentication and root SSH login
Before disabling SSH password authentication, make sure you can log in to the server without a password.
Log in to the remote server:
ssh username@server_ip_address
Open the SSH daemon configuration file in a text editor:
sudo vi /etc/ssh/sshd_config
Change the following options:
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
Restart the SSH service:
sudo systemctl restart ssh
Open port 22 and then enable the firewall (allow SSH first, or the next rule would lock you out):
sudo ufw allow ssh
sudo ufw enable
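Before closing your root session, it is worth confirming that the four sshd directives above are really in effect. sshd keeps the first value it sees for a keyword, and Ubuntu 20.04's sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, so an earlier drop-in file silently wins over an edit further down. This added example (not part of the original post) mimics that first-value-wins rule on a config file; the sample config and the helper names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check the sshd hardening directives.
# Assumes POSIX sh and awk; file paths and the sample config below are constructed.

# Print the effective value of one directive from an sshd_config-style file.
# sshd uses the FIRST value it sees for a keyword, so we stop at the first match
# outside a Match block (Match blocks only apply conditionally).
sshd_option() {
    file=$1; key=$2
    awk -v key="$key" '
        tolower($1) == "match" { in_match = 1 }
        in_match { next }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$file"
}

# Return 0 when every directive changed above has the expected value, 1 otherwise.
check_sshd_hardening() {
    file=$1; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no UsePAM=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_option "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: PasswordAuthentication appears twice; the first (winning)
# value still allows passwords, which is exactly what a stray drop-in file does.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample sshd_config
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
Match User backup
    PasswordAuthentication no
EOF
if check_sshd_hardening "$sample"; then echo "hardened"; else echo "NOT hardened"; fi
rm -f "$sample"
```

On the live server the authoritative check is the daemon's own view of its merged configuration: `sudo sshd -T | grep -iE '^(permitrootlogin|passwordauthentication|challengeresponseauthentication|usepam)'`.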
3. Install Apache
sudo apt install apache2
Open the HTTP and HTTPS ports:
sudo ufw allow 'Apache Full'
Set up virtual hosts
Apache enables one virtual host by default. Every domain that points at the server's IP address is matched by that default virtual host. If you host only one website, you can upload its content to /var/www/html and edit the virtual host configuration in /etc/apache2/sites-enabled/000-default.conf.
Create the directory structure
You can arrange the directory structure however you like; below is the structure I usually use:
/var/www/
├── example.com
│   └── public_html
├── example2.com
│   └── public_html
The document root of every site hosted on the server will be /var/www/domain/public_html.
First create the site's root directory (replace example.com with your own domain):
sudo mkdir -p /var/www/example.com/public_html
To test that the virtual host works, create an index.html file in the document root:
sudo vi /var/www/example.com/public_html/index.html
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8">
<title>Welcome to example.com</title>
</head>
<body>
<h1>Success! example.com home page!</h1>
</body>
</html>
Change the ownership of the site directory so that Apache can access it:
sudo chown -R www-data: /var/www/example.com
Create the virtual host
sudo vi /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
ServerAdmin [email protected]
DocumentRoot /var/www/example.com/public_html
<Directory /var/www/example.com/public_html>
Options -Indexes +FollowSymLinks
AllowOverride All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
</VirtualHost>
- ServerName: the domain name this virtual host serves.
- ServerAlias: other domains or subdomains of the virtual host, such as the www subdomain.
- DocumentRoot: the directory the site's files are served from.
- Options: this directive controls which server features are available in the given directory.
  -Indexes: prevents directory listings.
  FollowSymLinks: when enabled, Apache follows symbolic links.
- AllowOverride: specifies which directives declared in .htaccess files may override the configuration directives.
- ErrorLog, CustomLog: specify the location of the log files.
Enable the virtual host:
sudo a2ensite example.com
Another way to enable the virtual host:
sudo ln -s /etc/apache2/sites-available/example.com.conf /etc/apache2/sites-enabled/
Enable the URL rewrite module:
sudo a2enmod rewrite
Test the configuration for syntax errors:
sudo apachectl configtest
Restart the Apache service:
sudo systemctl restart apache2
4. Install Certbot
sudo apt install certbot
Generate a new set of 2048-bit DH parameters to strengthen security:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
To keep things simple, we map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt:
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
To avoid duplicated configuration and keep it easy to maintain, create the following two configuration snippets:
sudo vi /etc/apache2/conf-available/letsencrypt.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
AllowOverride None
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>
sudo vi /etc/apache2/conf-available/ssl-params.conf
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
Header always set Strict-Transport-Security "max-age=63072000"
Before enabling the configuration files, make sure mod_ssl and mod_headers are enabled:
sudo a2enmod ssl
sudo a2enmod headers
Next, enable the SSL configuration files by running:
sudo a2enconf letsencrypt
sudo a2enconf ssl-params
Enable the HTTP/2 module:
sudo a2enmod http2
Reload Apache:
sudo systemctl reload apache2
Run the Certbot tool and obtain the SSL certificate files:
sudo certbot certonly --agree-tos --email [email protected] --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
Edit the virtual host configuration to enable HTTPS:
sudo vi /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
Protocols h2 http/1.1
<If "%{HTTP_HOST} == 'www.example.com'">
Redirect permanent / https://example.com/
</If>
DocumentRoot /var/www/example.com/public_html
ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
<Directory /var/www/example.com/public_html/>
Options -Indexes +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
</IfModule>
</VirtualHost>
Reload Apache:
sudo systemctl reload apache2
Renew the SSL certificate automatically
sudo vi /etc/cron.d/certbot
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"
Note that the `test ... \! -d /run/systemd/system` guard makes this cron entry a no-op on a systemd system such as Ubuntu 20.04, where the certbot package's certbot.timer unit performs the renewal instead. Test the SSL certificate renewal:
sudo certbot renew --dry-run
5. Install MySQL
sudo apt install mysql-server
Set the database root password and harden the MySQL installation:
sudo mysql_secure_installation
Create the database and user
sudo mysql -u root -p
CREATE DATABASE wordpress_db;
CREATE USER wordpress_user@localhost IDENTIFIED BY 'strong-password';
GRANT ALL PRIVILEGES ON wordpress_db.* TO wordpress_user@localhost;
FLUSH PRIVILEGES;
EXIT;
6. Install PHP
Ubuntu 20.04 LTS installs PHP 7.4 by default:
sudo apt install php libapache2-mod-php php-opcache php-cli php-gd php-curl php-mysql php-mbstring php-xml php-xmlrpc php-soap php-intl php-zip
Restart the Apache service:
sudo systemctl restart apache2
7. Download and install WordPress
cd /tmp
wget https://wordpress.org/latest.tar.gz
tar -xzvf latest.tar.gz
sudo mv wordpress/* /var/www/example.com/public_html/
sudo chown -R www-data: /var/www/example.com
After that, open the domain in a browser and follow the installation wizard; I won't go through it here.
8. Other tools and configuration you may want
Install phpMyAdmin (optional)
sudo apt install phpmyadmin
If the installation fails partway through with a password-policy error, temporarily uninstall the MySQL validate_password component, reinstall phpMyAdmin, then install the component again:
mysql -u root -p
UNINSTALL COMPONENT "file://component_validate_password";
exit
sudo apt install phpmyadmin
mysql -u root -p
INSTALL COMPONENT "file://component_validate_password";
sudo ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-available/phpmyadmin.conf
sudo a2enconf phpmyadmin.conf
sudo systemctl reload apache2.service
Enable Gzip
sudo a2enmod deflate
Edit the .htaccess file in the virtual host's document root and add the following:
<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
# Remove browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
</IfModule>
Disable directory browsing
Edit the .htaccess file in the virtual host's document root and add the following:
Options -Indexes
Prevent PHP execution in the uploads directory
Create /wp-content/uploads/.htaccess with the following content:
<Files *.php>
deny from all
</Files>
Block the XML-RPC protocol
Edit the .htaccess file in the virtual host's document root and add the following:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
Block hotlinking
Edit the .htaccess file in the virtual host's document root and add the following:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
# Allow referers from the site itself over http or https, with or without the www prefix
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ - [F]
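Once the virtual host from section 4 and the .htaccess rules above are in place, the quickest way to prove they work is to look at what the server actually sends back. This added example (not part of the original post) audits `curl -sI` output for the HTTP-to-HTTPS redirect, the HSTS and X-Frame-Options headers, and the 403 that xmlrpc.php and uploads/*.php must now return; the sample responses are constructed and example.com is the page's placeholder domain.

```shell
#!/bin/sh
# Added example, not from the original post: audit response headers for the
# hardening configured above. Each audit_* function reads raw `curl -sI`
# output on stdin. CANON_HOST and the sample responses are constructed values.
CANON_HOST=${CANON_HOST:-example.com}

# Status code from the status line, e.g. "HTTP/2 403" or "HTTP/1.1 301 Moved Permanently".
http_status() { printf '%s\n' "$1" | head -n1 | tr -d '\r' | awk '{print $2}'; }

# Value of a header (name compared case-insensitively), CR stripped.
http_header() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v name="$2" -F': *' \
        'tolower($1) == tolower(name) { sub(/^[^:]*: */, ""); print; exit }'
}

# Plain HTTP must answer 301 with a Location on the canonical https host.
audit_http_redirect() {
    r=$(cat); loc=$(http_header "$r" Location)
    [ "$(http_status "$r")" = 301 ] && [ "${loc#https://$CANON_HOST/}" != "$loc" ]
}

# HTTPS pages must carry HSTS with a max-age and X-Frame-Options SAMEORIGIN.
audit_https_headers() {
    r=$(cat)
    case "$(http_header "$r" Strict-Transport-Security)" in *max-age=*) ;; *) return 1 ;; esac
    case "$(http_header "$r" X-Frame-Options)" in *SAMEORIGIN*) ;; *) return 1 ;; esac
    [ "$(http_status "$r")" = 200 ]
}

# Paths denied by the .htaccess rules (xmlrpc.php, uploads/*.php) must return 403.
audit_blocked() { r=$(cat); [ "$(http_status "$r")" = 403 ]; }

# Constructed sample responses, shaped like `curl -sI` output from the setup above.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://example.com/
Content-Type: text/html; charset=iso-8859-1'
SAMPLE_HTTPS='HTTP/2 200
strict-transport-security: max-age=63072000
x-frame-options: SAMEORIGIN
content-type: text/html; charset=UTF-8'
SAMPLE_FORBIDDEN='HTTP/2 403
content-type: text/html; charset=iso-8859-1'

printf '%s\n' "$SAMPLE_REDIRECT" | audit_http_redirect && echo "http redirect: ok"
printf '%s\n' "$SAMPLE_HTTPS" | audit_https_headers && echo "https headers: ok"
printf '%s\n' "$SAMPLE_FORBIDDEN" | audit_blocked && echo "blocked path: ok"
```

Against the live server, pipe real responses in: `curl -sI http://example.com/ | audit_http_redirect`, `curl -sI https://example.com/ | audit_https_headers`, and `curl -sI https://example.com/xmlrpc.php | audit_blocked` (repeat the last one for a .php path under wp-content/uploads).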