How to migrate WordPress on CentOS 8

Update the OS and install the EPEL repo

sudo su -
dnf update
dnf install epel-release

Nginx

Install Nginx

dnf module list nginx
dnf module enable nginx:mainline
dnf install nginx

Configure Nginx

Only enable TLS 1.2 and TLS 1.3. Specify the strong ciphers in TLS 1.2.

vi /etc/nginx/nginx.conf
```nginx
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";
}
```

Redirect HTTP to HTTPS, and the bare domain tale365.com to www.tale365.com.

vi /etc/nginx/conf.d/default.conf
```nginx

# Redirect tale365.com to www.tale365.com
server {
    listen 80;
    listen 443 ssl;

    server_name tale365.com;

    ssl_certificate /etc/nginx/cert/www.tale365.com.pem;
    ssl_certificate_key /etc/nginx/cert/www.tale365.com.key;

    # Redirect HTTP to HTTPS
    return 301 https://www.tale365.com$request_uri;

}

# Redirect http to https
server {
    listen 80;

    server_name www.tale365.com;

    # Redirect HTTP to HTTPS
    return 301 https://www.tale365.com$request_uri;

}

server {

    listen 443 ssl;

    server_name www.tale365.com;

    root /usr/share/nginx/htdocs;
    index index.php;

    ssl_certificate /etc/nginx/cert/www.tale365.com.pem;
    ssl_certificate_key /etc/nginx/cert/www.tale365.com.key;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

```
vi /etc/nginx/default.d/tale365.com.conf
```nginx
client_max_body_size 20m;
client_body_buffer_size 128k;

# Resolve the permalink issue of wordpress
location / {
    try_files $uri $uri/ /index.php?$args;
}

# Protect the ini files
location ~ \.ini$ {
    return 444;
}
```

Enable the Nginx service

systemctl start nginx
systemctl enable nginx

PHP

Install PHP

dnf module list php
dnf module enable php:7.4
dnf install php php-fpm php-mysqlnd php-json php-xml php-mbstring

Configure PHP

vi /etc/php-fpm.d/www.conf
```ini
user = nginx
group = nginx
php_admin_value[memory_limit] = 256M
php_value[session.save_path] = /tmp
```

vi /etc/php.ini
```ini
upload_max_filesize = 20M
post_max_size = 20M
```

Note: the values set in /etc/php-fpm.d/www.conf override those in /etc/php.ini. Follow the guide to optimize php-fpm.

The Nginx configuration files for PHP-FPM are at the paths below.

/etc/nginx/conf.d/php-fpm.conf
/etc/nginx/default.d/php.conf

Change the ownership and permissions of the PHP session directory so that the nginx user can write to it

chown -R nginx:nginx /var/lib/php
chmod -R 700 /var/lib/php

MySQL

dnf install mysql-server
systemctl start mysqld
systemctl enable mysqld

mysql_secure_installation

To optimize MySQL memory consumption, please refer to: How to reduce MySQL memory consumption

phpMyAdmin

Install phpMyAdmin

wget https://files.phpmyadmin.net/phpMyAdmin/5.2.1/phpMyAdmin-5.2.1-all-languages.tar.gz
tar -xvf phpMyAdmin-5.2.1-all-languages.tar.gz
mv phpMyAdmin-5.2.1-all-languages /usr/share/nginx/htdocs/phpmyadmin
cp /usr/share/nginx/htdocs/phpmyadmin/config.sample.inc.php /usr/share/nginx/htdocs/phpmyadmin/config.inc.php

Configure phpMyAdmin

vi /usr/share/nginx/htdocs/phpmyadmin/config.inc.php

```php
$cfg['blowfish_secret'] = 'generated_32_char_hex';
$cfg['TempDir'] = '/tmp';
```

The placeholder generated_32_char_hex stands for a 32-character hex string (16 random bytes), which can be generated with the command below on CentOS:

openssl rand -hex 16

WordPress

Copy WordPress to the server root configured in Nginx and configure the WordPress database. Then change the ownership and permissions and restart Nginx.

chown -R nginx:nginx /usr/share/nginx
chmod -R 755 /usr/share/nginx
systemctl restart nginx

If NinjaFirewall is installed, we need to change the path in .user.ini in the WordPress root:

vi .user.ini
```ini
auto_prepend_file = /usr/share/nginx/htdocs/wp-content/nfwlog/ninjafirewall.php
```

WAF

Install Docker

dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
dnf install -y docker-ce docker-ce-cli containerd.io
systemctl start docker
systemctl enable docker

To limit Docker's memory consumption, we can create the daemon config file

vi /etc/docker/daemon.json
```json
{
  "default-ulimits": {
    "memlock": {
      "Name": "memlock",
      "Hard": 512000,
      "Soft": 512000
    }
  }
}
```

Install SafeLine WAF

bash -c "$(curl -fsSLk https://waf-ce.chaitin.cn/release/latest/setup.sh)"

After installation, use “https://server_ip:9443” to access it.

Configure WAF

To put SafeLine in front of Nginx, we need to change Nginx to listen on 127.0.0.1:

vi /etc/nginx/conf.d/default.conf
```nginx
server {

    listen 8443 ssl http2;

    server_name 127.0.0.1;

    root /usr/share/nginx/htdocs;
    index index.php;

    ssl_certificate /etc/nginx/cert/www.tale365.com.pem;
    ssl_certificate_key /etc/nginx/cert/www.tale365.com.key;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
```

Upgrade WAF

bash -c "$(curl -fsSLk https://waf-ce.chaitin.cn/release/latest/upgrade.sh)"
docker rmi $(docker images | grep "safeline" | grep "none" | awk '{print $3}')

To check the resource consumption of this WAF:

docker stats --no-stream

To reduce the memory consumption, add mem_limit under each service in /data/safeline/compose.yaml, for example:

```yaml
services:
  postgres:
    container_name: safeline-postgres
    restart: always
    image: postgres:15.2
    mem_limit: 96m
```

Then recreate the containers:

docker compose up -d --force-recreate

Troubleshoot

phpMyAdmin issue

phpMyAdmin - Error
Error during session start; please check your PHP and/or webserver log file and configure your PHP installation properly. Also ensure that cookies are enabled in your browser.
session_start(): open(SESSION_FILE, O_RDWR) failed: Permission denied (13)
session_start(): Failed to read session data: files (path: /var/lib/php/session)

Check the permissions of PHP's session.save_path and make it writable by Nginx; see the PHP configuration section above.

Ninjafirewall issue

If we installed NinjaFirewall for WordPress, we may get the error below:

You have a private IP : 127.0.0.1
If your site is behind a reverse proxy or a load balancer, ensure that you have setup your HTTP server or PHP to forward the correct visitor IP, otherwise use the NinjaFirewall .htninja configuration file.

We need to create the .htninja file one level above the website root directory with the contents below:

```php
<?php
/*
 +===========================================================================================+
 | NinjaFirewall optional configuration file                                                 |
 |                                                                                           |
 | See: https://blog.nintechnet.com/ninjafirewall-wp-edition-the-htninja-configuration-file/ |
 +===========================================================================================+
*/

// Reverse proxy: take the client address from X-Forwarded-For when it holds a valid IP
if (! empty($_SERVER['HTTP_X_FORWARDED_FOR']) &&
    filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP) ) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
```

It is recommended not to include the PHP closing tag (?>).
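As an added alternative for the SafeLine-fronted server block above and the .htninja snippet (example config, not from this page, SafeLine or NinjaFirewall): let Nginx's realip module rewrite the client address only on connections that arrive from the WAF on loopback, and bind the backend to loopback so it is reachable only through the WAF. It assumes SafeLine forwards to 127.0.0.1:8443 and appends the visitor address to X-Forwarded-For; with this in place PHP sees the real visitor in REMOTE_ADDR and .htninja needs no header handling.

```nginx
# Added example (not from the page). Assumes SafeLine proxies to
# 127.0.0.1:8443 and appends the client address to X-Forwarded-For.
server {
    # Bind to loopback only: a backend that listens on 0.0.0.0:8443 can be
    # reached directly, bypassing the WAF; binding to 127.0.0.1 prevents that.
    listen 127.0.0.1:8443 ssl http2;
    server_name www.tale365.com;

    root  /usr/share/nginx/htdocs;
    index index.php;

    ssl_certificate     /etc/nginx/cert/www.tale365.com.pem;
    ssl_certificate_key /etc/nginx/cert/www.tale365.com.key;

    # Honour X-Forwarded-For only when the connection comes from the WAF's
    # address. For any other peer $remote_addr is left untouched, so a
    # header supplied by an arbitrary client never changes what PHP gets in
    # REMOTE_ADDR (fastcgi_params passes $remote_addr as REMOTE_ADDR).
    set_real_ip_from 127.0.0.1;
    real_ip_header   X-Forwarded-For;
    # Walk the header right to left past trusted proxies, so the address
    # used is the one the WAF itself appended, not a value the client sent.
    real_ip_recursive on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
```

After reloading Nginx, a request routed through the WAF should log the visitor address in /var/log/nginx/access.log rather than 127.0.0.1.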

We may also encounter the error below:

It seems that the user session set by NinjaFirewall was not found by the firewall script.

Check the permissions of PHP's session.save_path and make it writable by Nginx; see the PHP configuration section above.
