Update OS and install repo
```bash
sudo su -
dnf update
dnf install epel-release
```
Nginx
Install Nginx
```bash
dnf module list nginx
dnf module enable nginx:mainline
dnf install nginx
```
Configure Nginx
Enable only TLS 1.2 and TLS 1.3, and restrict TLS 1.2 to strong, forward-secret cipher suites (ssl_ciphers governs TLS 1.2 and below; TLS 1.3 suites are not selected through this directive).
```bash
vi /etc/nginx/nginx.conf
```
```nginx
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";
}
```
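To confirm that a config actually enforces the policy above, here is an added shell check (example code, not from the original post and not part of Nginx): it reads an nginx config on stdin, flags any protocol older than TLS 1.2 in ssl_protocols, and flags every suite in ssl_ciphers that lacks ECDHE/DHE key exchange or uses a known-weak primitive. It assumes single-line directives and an explicit suite list as in the snippet above (not OpenSSL keywords such as HIGH or !aNULL); the two configs it runs against are constructed samples.

```bash
#!/bin/sh
# Added example, not from the original post. Audit the TLS directives of an
# nginx config (read from stdin): no protocol older than TLS 1.2, and only
# forward-secret (ECDHE/DHE) suites without known-weak primitives.
# Assumes single-line directives and an explicit suite list.
audit_nginx_tls() {
    conf=$(cat)
    findings=0

    # ssl_protocols: anything before TLS 1.2 is a finding.
    protocols=$(printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p')
    for p in $protocols; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "weak protocol enabled: $p"
                findings=$((findings + 1)) ;;
        esac
    done

    # ssl_ciphers: each suite must use ECDHE or DHE key exchange and
    # must not contain a weak primitive.
    ciphers=$(printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p')
    for c in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case "$c" in
            ECDHE-*|DHE-*) ;;
            *) echo "no forward secrecy: $c"; findings=$((findings + 1)) ;;
        esac
        case "$c" in
            *RC4*|*DES-CBC*|*MD5*|*NULL*|*EXPORT*|ADH-*|AECDH-*)
                echo "weak primitive: $c"; findings=$((findings + 1)) ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# Constructed sample following the policy of the snippet above.
TLS_GOOD='http {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384";
}'

# Constructed sample of a legacy config that should fail the audit.
TLS_BAD='http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-GCM-SHA256";
}'

# Live usage on the server: audit_nginx_tls < /etc/nginx/nginx.conf
for sample in "$TLS_GOOD" "$TLS_BAD"; do
    if printf '%s\n' "$sample" | audit_nginx_tls; then
        echo "ok: TLS policy enforced"
    else
        echo "FAIL: weak TLS settings found"
    fi
done
```

The check reports each finding on its own line and returns non-zero if anything was flagged, so it can run from a cron job or a deployment pipeline before `nginx -s reload`.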
Redirect HTTP to HTTPS, and the bare domain to www.
```bash
vi /etc/nginx/conf.d/default.conf
```
```nginx
# Redirect tale365.com to www.tale365.com
server {
    listen 80;
    listen 443 ssl;
    server_name tale365.com;
    ssl_certificate /etc/nginx/cert/www.tale365.com.pem;
    ssl_certificate_key /etc/nginx/cert/www.tale365.com.key;
    # Redirect HTTP to HTTPS
    return 301 https://www.tale365.com$request_uri;
}
# Redirect http to https
server {
    listen 80;
    server_name www.tale365.com;
    # Redirect HTTP to HTTPS
    return 301 https://www.tale365.com$request_uri;
}
server {
    listen 443 ssl;
    server_name www.tale365.com;
    root /usr/share/nginx/htdocs;
    index index.php;
    ssl_certificate /etc/nginx/cert/www.tale365.com.pem;
    ssl_certificate_key /etc/nginx/cert/www.tale365.com.key;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
```
```bash
vi /etc/nginx/default.d/tale365.com.conf
```
```nginx
client_max_body_size 20m;
client_body_buffer_size 128k;
# Resolve the permalink issue of WordPress
location / {
    try_files $uri $uri/ /index.php?$args;
}
# Protect the ini files (444 closes the connection without a response)
location ~ \.ini$ {
    return 444;
}
```
Enable Nginx service
```bash
systemctl start nginx
systemctl enable nginx
```
PHP
Install PHP
```bash
dnf module list php
dnf module enable php:7.4
dnf install php php-fpm php-mysqlnd php-json php-xml php-mbstring
```
Configure PHP
```bash
vi /etc/php-fpm.d/www.conf
```
```ini
user = nginx
group = nginx
php_admin_value[memory_limit] = 256M
php_value[session.save_path] = /tmp
```
```bash
vi /etc/php.ini
```
```ini
upload_max_filesize = 20M
post_max_size = 20M
```
Note: the settings in /etc/php-fpm.d/www.conf override those in /etc/php.ini. Follow the guide to optimize php-fpm.
The Nginx configuration files for PHP-FPM are at the paths below:
```text
/etc/nginx/conf.d/php-fpm.conf
/etc/nginx/default.d/php.conf
```
Change the permissions
```bash
chown -R nginx:nginx /var/lib/php
chmod -R 700 /var/lib/php
```
MySQL
```bash
dnf install mysql-server
systemctl start mysqld
systemctl enable mysqld
mysql_secure_installation
```
To optimize MySQL memory consumption, please refer to: How to reduce MySQL memory consumption
phpMyAdmin
Install phpMyAdmin
```bash
wget https://files.phpmyadmin.net/phpMyAdmin/5.2.1/phpMyAdmin-5.2.1-all-languages.tar.gz
tar -xvf phpMyAdmin-5.2.1-all-languages.tar.gz
mv phpMyAdmin-5.2.1-all-languages /usr/share/nginx/htdocs/phpmyadmin
cp /usr/share/nginx/htdocs/phpmyadmin/config.sample.inc.php /usr/share/nginx/htdocs/phpmyadmin/config.inc.php
```
Configure phpMyAdmin
```bash
vi /usr/share/nginx/htdocs/phpmyadmin/config.inc.php
```
```php
$cfg['blowfish_secret'] = 'generated_32char_hex';
$cfg['TempDir'] = '/tmp';
```
The 32-character hex string (phpMyAdmin requires blowfish_secret to be exactly 32 bytes long) can be generated on CentOS with the command below; 16 random bytes encode to 32 hex characters.
```bash
openssl rand -hex 16
```
WordPress
Copy WordPress to the server root configured in Nginx and set up the WordPress database. Then fix the ownership and permissions and restart Nginx.
```bash
chown -R nginx:nginx /usr/share/nginx
chmod -R 755 /usr/share/nginx
systemctl restart nginx
```
If NinjaFirewall is installed, change the path in .user.ini in the WordPress root:
```bash
vi .user.ini
```
```ini
auto_prepend_file = /usr/share/nginx/htdocs/wp-content/nfwlog/ninjafirewall.php
```
WAF
Install Docker
```bash
dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
dnf install -y docker-ce docker-ce-cli containerd.io
systemctl start docker
systemctl enable docker
```
To limit the Docker memory consumption, we can set default ulimits in the daemon config file; the snippet below caps the memlock limit (locked memory) for every container.
```bash
vi /etc/docker/daemon.json
```
```json
{
  "default-ulimits": {
    "memlock": {
      "Name": "memlock",
      "Hard": 512000,
      "Soft": 512000
    }
  }
}
```
Install SafeLine WAF
```bash
bash -c "$(curl -fsSLk https://waf-ce.chaitin.cn/release/latest/setup.sh)"
```
The -k flag makes curl skip TLS certificate verification for this download. After installation, open "https://server_ip:9443" to access the console.
Configure WAF
To put SafeLine in front of Nginx, we need to change Nginx to listen on 127.0.0.1 only, so that the origin is reachable solely through the WAF on the same host. Note that server_name does not restrict the bound interface; the address has to be part of the listen directive.
```bash
vi /etc/nginx/conf.d/default.conf
```
```nginx
server {
    listen 127.0.0.1:8443 ssl http2;
    server_name 127.0.0.1;
    root /usr/share/nginx/htdocs;
    index index.php;
    ssl_certificate /etc/nginx/cert/www.tale365.com.pem;
    ssl_certificate_key /etc/nginx/cert/www.tale365.com.key;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
```
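Once the WAF is in front, it is worth verifying on the host that port 8443 is bound to loopback and nowhere else, since an origin reachable from outside lets traffic skip the WAF. The following is an added shell check, not part of the original post or of SafeLine: it parses `ss -ltnH` output and reports any listener on the given port that is not bound to 127.0.0.1 or [::1]. The two inputs it runs against are constructed samples standing in for the before and after state of the listen directive.

```bash
#!/bin/sh
# Added example, not from the original post. Report listeners on a port that
# are not bound to loopback. Input: `ss -ltnH` output on stdin
# (columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
exposed_listeners() {
    port="$1"
    exposed=0
    while read -r state recvq sendq local peer rest; do
        [ "$state" = "LISTEN" ] || continue
        addr="${local%:*}"        # address part: 0.0.0.0, 127.0.0.1, [::], [::1], *
        lport="${local##*:}"      # port part
        [ "$lport" = "$port" ] || continue
        case "$addr" in
            127.*|'[::1]') ;;     # loopback: reachable only from this host (the WAF)
            *) echo "exposed: $local"; exposed=$((exposed + 1)) ;;
        esac
    done
    [ "$exposed" -eq 0 ]
}

# Constructed sample: what `listen 8443 ssl http2;` yields (every interface).
SS_ALL_INTERFACES='LISTEN 0 511 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 511 [::]:8443 [::]:*
LISTEN 0 4096 0.0.0.0:9443 0.0.0.0:*'

# Constructed sample: what `listen 127.0.0.1:8443 ssl http2;` yields.
SS_LOOPBACK_ONLY='LISTEN 0 511 127.0.0.1:8443 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9443 0.0.0.0:*'

# Live usage on the server: ss -ltnH | exposed_listeners 8443
for sample in "$SS_ALL_INTERFACES" "$SS_LOOPBACK_ONLY"; do
    if printf '%s\n' "$sample" | exposed_listeners 8443; then
        echo "ok: 8443 is loopback-only"
    else
        echo "FAIL: 8443 is reachable off-host, the WAF can be skipped"
    fi
done
```

The function exits non-zero when an exposed socket is found, so it can double as a post-deployment assertion. The SafeLine console port 9443 is left out of the check on purpose: it is meant to be reached by administrators, and should be restricted by the host firewall rather than by this binding.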
Upgrade WAF
```bash
bash -c "$(curl -fsSLk https://waf-ce.chaitin.cn/release/latest/upgrade.sh)"
docker rmi $(docker images | grep "safeline" | grep "none" | awk '{print $3}')
```
To check the resource consumption of this WAF:
```bash
docker stats --no-stream
```
To reduce the memory consumption, add mem_limit under each service in /data/safeline/compose.yaml:
```yaml
services:
  postgres:
    container_name: safeline-postgres
    restart: always
    image: postgres:15.2
    mem_limit: 96m
```
And then recreate the containers:
```bash
docker compose up -d --force-recreate
```
Troubleshoot
phpMyAdmin issue
```text
phpMyAdmin - Error Error during session start; please check your PHP and/or webserver log file and configure your PHP installation properly. Also ensure that cookies are enabled in your browser. session_start(): open(SESSION_FILE, O_RDWR) failed: Permission denied (13) session_start(): Failed to read session data: files (path: /var/lib/php/session)
```
Check the permission of PHP's session.save_path and make it writable by Nginx. Go back to the PHP configuration section.
Ninjafirewall issue
If we installed NinjaFirewall for WordPress, we may get the error below:
```text
You have a private IP : 127.0.0.1
If your site is behind a reverse proxy or a load balancer, ensure that you have setup your HTTP server or PHP to forward the correct visitor IP, otherwise use the NinjaFirewall .htninja configuration file.
```
We need to create the .htninja file above the root directory of the website with the contents below. The snippet takes X-Forwarded-For from whoever connects, so it is only safe while Nginx is reachable solely through the WAF (the 127.0.0.1 binding above); an origin that can be reached directly would let any client supply that header as its address.
```php
<?php
/*
+===========================================================================================+
| NinjaFirewall optional configuration file                                                 |
|                                                                                           |
| See: https://blog.nintechnet.com/ninjafirewall-wp-edition-the-htninja-configuration-file/ |
+===========================================================================================+
*/
// Reverse proxy:
if (! empty($_SERVER['HTTP_X_FORWARDED_FOR']) &&
    filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP) ) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
```
It is recommended not to include the PHP closing tag (?>).
We may encounter the error below:
```text
It seems that the user session set by NinjaFirewall was not found by the firewall script.
```
Check the permission of PHP's session.save_path and make it writable by Nginx. Go back to the PHP configuration section.
Reference
- WordPress tuning – 美丽传说365 (tale365.com)
- SafeLine WAF: SafeLine overview | Chaitin SafeLine WAF Community Edition (chaitin.cn)
- NinjaFirewall: NinjaFirewall (WP Edition): The .htninja configuration file – NinTechNet
- Raising the WordPress memory limit to improve site performance – Tencent Cloud Developer Community – Tencent Cloud (tencent.com)
- How To Fix High CPU Usage In WordPress [20 Steps] (onlinemediamasters.com)
- Security/Server Side TLS – MozillaWiki