2021: Deploying a LAMP stack on Ubuntu 20.04 and installing WordPress

Before we start, you may ask why I use Apache rather than Nginx. Mainly because Apache lets you change a virtual host's configuration with .htaccess files, whereas Nginx requires editing the server configuration itself. Besides, Apache's performance is not bad these days, and it is more than enough for a site like ours. Below we deploy a LAMP stack on a VPS and install WordPress.

1. Create a sudo user

Log in to the server as root:

ssh root@server_ip_address

Create a new user account:

adduser username

Add the new user to the sudo group:

usermod -aG sudo username

Log out of the root session:

exit

Log in to the server as the new user:

ssh username@server_ip_address

Update the system:

sudo apt update
sudo apt upgrade
exit

2. Set up SSH key login

Copy your public key to the server. On your local machine, run:

ssh-copy-id username@server_ip_address

If for some reason the ssh-copy-id utility is not available on your local machine, copy the public key with the following command instead:

cat ~/.ssh/id_rsa.pub | ssh remote_username@server_ip_address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Disable SSH password authentication and root SSH login
Before disabling password authentication, make sure you can log in to the server without a password.

Log in to the remote server:

ssh username@server_ip_address

Open the SSH configuration file in a text editor:

sudo vi /etc/ssh/sshd_config
Change the following options:
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

Restart the SSH service:

sudo systemctl restart ssh

Allow port 22 and enable the firewall:

sudo ufw allow ssh
sudo ufw enable
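Before locking yourself out, it is worth verifying that sshd will really read the four values set above. The script below is an added example (not from the original post) that reports the effective global value of each directive the way sshd resolves it; the demo config it builds is constructed sample input, not a real server file.

```shell
# Added example (not from the original post): audit an sshd_config for the four
# directives changed in section 2. grep alone is unreliable: sshd uses the FIRST
# occurrence of a keyword, keywords are case-insensitive, and lines after a
# "Match" block apply only conditionally.
# Effective global value of directive $2 in file $1, or "unset" if absent.
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    {
      line = $0
      sub(/#.*/, "", line)            # strip comments
      sub(/^[ \t]+/, "", line)        # strip leading whitespace
      if (line == "") next
      split(line, f, /[ \t=]+/)       # "Key value" or "Key=value"
      k = tolower(f[1])
      if (k == "match") exit          # everything below is conditional
      if (k == key) { print f[2]; found = 1; exit }   # first occurrence wins
    }
    END { if (!found) print "unset" }
  ' "$1"
}

# Compare effective values with the settings from section 2; prints one line
# per directive and returns 0 only when every value matches.
check_sshd_hardening() {
  file="${1:-/etc/ssh/sshd_config}"; rc=0
  for pair in PermitRootLogin:no PasswordAuthentication:no \
              ChallengeResponseAuthentication:no UsePAM:no; do
    key="${pair%%:*}"; want="${pair##*:}"
    got="$(sshd_effective "$file" "$key" | tr 'A-Z' 'a-z')"
    if [ "$got" = "$want" ]; then
      printf 'ok    %-32s %s\n' "$key" "$got"
    else
      printf 'FAIL  %-32s %s (expected %s)\n' "$key" "$got" "$want"
      rc=1
    fi
  done
  return "$rc"
}

# "--demo" audits a constructed sample (a commented-out line, a duplicate
# keyword whose first value wins, a Match block) instead of the real file.
if [ "${1:-}" = "--demo" ]; then
  tmp="$(mktemp)"
  printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin prohibit-password' \
    'PermitRootLogin no' 'PasswordAuthentication no' 'UsePAM no' \
    'Match User deploy' '    PasswordAuthentication yes' > "$tmp"
  check_sshd_hardening "$tmp" || echo "audit failed: fix the FAIL lines above"
  rm -f "$tmp"
fi
```

Run it without arguments to audit /etc/ssh/sshd_config itself, or with --demo to see how a duplicated PermitRootLogin line is resolved; a non-zero exit status means at least one directive does not match.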

3. Install Apache

sudo apt install apache2

Open the HTTP and HTTPS ports:

sudo ufw allow 'Apache Full'

Set up virtual hosts
Apache enables one virtual host by default, and every domain pointed at the server's IP address matches it. If you host only one site, you can upload its content to /var/www/html and edit the default virtual host configuration in /etc/apache2/sites-enabled/000-default.conf.

Create the directory structure
You can arrange the directories however you like; the layout I usually use is:
/var/www/
├── example.com
│   └── public_html
├── example2.com
│   └── public_html

The document root of every site hosted on the server will be /var/www/domain/public_html.
First create the site's root directory (replace example.com with your own domain):

sudo mkdir -p /var/www/example.com/public_html

To test that the virtual host works, create an index.html file in the document root:

sudo vi /var/www/example.com/public_html/index.html
<!DOCTYPE html>
<html lang="en" dir="ltr">
  <head>
    <meta charset="utf-8">
    <title>Welcome to example.com</title>
  </head>
  <body>
    <h1>Success! example.com home page!</h1>
  </body>
</html>

Change the ownership of the site directory so that Apache can access it:

sudo chown -R www-data: /var/www/example.com

Create the virtual host

sudo vi /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/example.com/public_html

    <Directory /var/www/example.com/public_html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
</VirtualHost>
  • ServerName: the domain name this virtual host serves.
  • ServerAlias: other domains or subdomains of the virtual host, such as the www subdomain.
  • DocumentRoot: the directory the files are served from.
  • Options: this directive controls which server features are available in the given directory.
    -Indexes: prevents directory listings.
    FollowSymLinks: when enabled, Apache follows symbolic links.
  • AllowOverride: specifies which directives declared in .htaccess files may override the configuration directives.
  • ErrorLog, CustomLog: specify the locations of the log files.

Enable the virtual host:

sudo a2ensite example.com

An alternative way to enable the virtual host:

sudo ln -s /etc/apache2/sites-available/example.com.conf /etc/apache2/sites-enabled/

Enable the URL rewrite module:

sudo a2enmod rewrite

Test the configuration for syntax errors:

sudo apachectl configtest

Restart the Apache service:

sudo systemctl restart apache2

4. Install Certbot

sudo apt install certbot

Generate a new set of 2048-bit DH parameters to strengthen security:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

To keep things simple, we map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

To avoid duplicated configuration and keep it easier to maintain, create the following two configuration snippets:

sudo vi /etc/apache2/conf-available/letsencrypt.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
sudo vi /etc/apache2/conf-available/ssl-params.conf
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

Header always set Strict-Transport-Security "max-age=63072000"

Before enabling the configuration files, make sure mod_ssl and mod_headers are enabled:

sudo a2enmod ssl
sudo a2enmod headers

Next, enable the SSL configuration files by running:

sudo a2enconf letsencrypt
sudo a2enconf ssl-params

Enable the HTTP/2 module:

sudo a2enmod http2

Reload Apache:

sudo systemctl reload apache2

Run the Certbot tool to obtain the SSL certificate files:

sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

Edit the virtual host configuration to enable HTTPS:

sudo vi /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com

  Protocols h2 http/1.1

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  DocumentRoot /var/www/example.com/public_html
  ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
  CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

  <Directory /var/www/example.com/public_html/>
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>

  <IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
  </IfModule>
</VirtualHost>

Reload Apache:

sudo systemctl reload apache2

Automatically renew the SSL certificate

sudo vi /etc/cron.d/certbot
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"

Test the certificate renewal:

sudo certbot renew --dry-run

5. Install MySQL

sudo apt install mysql-server

Set the database root password and improve MySQL security:

sudo mysql_secure_installation

Create the database and user

sudo mysql -u root -p
CREATE DATABASE wordpress_db;
CREATE USER wordpress_user@localhost IDENTIFIED BY 'strong-password';
GRANT ALL PRIVILEGES ON wordpress_db.* TO wordpress_user@localhost;
FLUSH PRIVILEGES;
EXIT;

6. Install PHP

Ubuntu 20.04 LTS installs PHP 7.4 by default:

sudo apt install php libapache2-mod-php php-opcache php-cli php-gd php-curl php-mysql php-mbstring php-xml php-xmlrpc php-soap php-intl php-zip

Restart the Apache service:

sudo systemctl restart apache2

7. Download and install WordPress

cd /tmp
wget https://wordpress.org/latest.tar.gz
tar -xzvf latest.tar.gz
sudo mv wordpress/* /var/www/example.com/public_html/
sudo chown -R www-data: /var/www/example.com

Now visit your domain and follow the installer's prompts; I won't demonstrate that step further here.

8. Other tools and settings you may want

Install phpMyAdmin (optional; you can skip it)

sudo apt install phpmyadmin

If an error occurs during the installation, temporarily remove the password-validation component, install phpMyAdmin, then re-enable it:

mysql -u root -p
UNINSTALL COMPONENT "file://component_validate_password";
exit
sudo apt install phpmyadmin
mysql -u root -p
INSTALL COMPONENT "file://component_validate_password";

sudo ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-available/phpmyadmin.conf
sudo a2enconf phpmyadmin.conf
sudo systemctl reload apache2.service

Enable Gzip

sudo a2enmod deflate

Edit the .htaccess file in the virtual host's document root and add the following:

<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml

# Remove browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
</IfModule>

Disable directory browsing

Edit the .htaccess file in the virtual host's document root and add the following:

Options -Indexes

Disable PHP execution in the uploads directory

Create /wp-content/uploads/.htaccess with the following content:

# Apache 2.4 syntax: refuse to serve any .php file uploaded into this directory
<Files "*.php">
    Require all denied
</Files>

Disable the XML-RPC protocol

Edit the .htaccess file in the virtual host's document root and add the following:

# Block WordPress xmlrpc.php requests (Apache 2.4 syntax)
# 123.123.123.123 is a placeholder for an address that should still be allowed;
# every other client is denied
<Files xmlrpc.php>
    Require ip 123.123.123.123
</Files>

Disable hotlinking

Edit the .htaccess file in the virtual host's document root and add the following:

RewriteEngine on
# Allow requests with an empty Referer, and any Referer from this site over
# http or https, with or without the www prefix; everything else gets 403
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ - [F]
