@andrey-hohlov
Last active December 5, 2020 19:32
VPS setup for Wordpress

Настройка VPS под Wordpress

Ubuntu 16 + Nginx + PHP-FPM + MariaDB + Memcached

Базовые настройки

Обновить систему
sudo apt-get update
sudo apt-get upgrade
Настроить swap-файл
sudo swapon -s

https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04

Настроить доступы

Создать нового пользователя и добавить его в группу sudo:

adduser username
adduser username sudo

Сменить ssh-порт по умолчанию (в строке `Port` ниже вместо 22 указать новый порт) и запретить логин под root

sudo nano /etc/ssh/sshd_config
Port 22
PermitRootLogin no

Перезагрузить ssh

$ sudo service ssh restart

и залогиниться под новым пользователем.

TODO: авторизация по ssh-ключам

Настройки файрвола и fail2ban

sudo apt-get install ufw

https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server

Базовый набор правил

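# Set the default policies and open the SSH port first, and enable the firewall
# last: running `ufw enable` with "deny incoming" and no SSH rule cuts off the
# very session you are working from. `ufw allow` is idempotent, so repeating the
# SSH rule in the next step is harmless.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp   # use the port set in sshd_config if it was changed
sudo ufw enable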

Доступ по SSH (указать правильный порт)

sudo ufw allow ssh

или

sudo ufw allow 22/tcp

Веб-сервер и ftp

sudo ufw allow www
или
sudo ufw allow 80/tcp
sudo ufw allow ftp
или
sudo ufw allow 21/tcp

Fail2ban
sudo apt-get install fail2ban

TODO: настроить https://www.digitalocean.com/community/tutorials/how-to-protect-wordpress-with-fail2ban-on-ubuntu-14-04

Настройки логов

Настройка временной зоны

sudo dpkg-reconfigure tzdata

TODO: logrotate и logwatch

Дополнительные настройки безопасности

sudo nano /etc/sysctl.conf
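# Ignore broadcast pings (smurf amplification) and malformed ICMP error replies
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# SYN cookies keep the accept queue usable under a SYN flood
net.ipv4.tcp_syncookies = 1
# Drop source-routed packets and enable reverse-path filtering (anti-spoofing)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# This host is not a router: no forwarding, no ICMP redirects
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# kernel.exec-shield is a legacy Red Hat-only patch; the Ubuntu kernel has no such
# key and `sysctl -p` reports it as unknown, so it is left commented out here.
# kernel.exec-shield = 1
# Full ASLR (stack, mmap and heap/brk). The previous value 1 left the heap
# unrandomized and is weaker than Ubuntu's default of 2.
kernel.randomize_va_space = 2
# Network tuning (throughput, not security)
net.ipv4.ip_local_port_range = 2000 65000
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
# Prefer keeping pages in RAM; swap only under real pressure
vm.swappiness=10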

Веб-сервер

Установка Nginx
sudo apt-get install nginx
Установка PHP-FPM
sudo apt-get install php-fpm php-mysql php-curl php-gd php-mbstring php-mcrypt php-xml php-xmlrpc

Устранение уязвимости php

sudo nano /etc/php/7.0/fpm/php.ini
cgi.fix_pathinfo=0
sudo service php7.0-fpm restart
Установка Memcached
sudo apt-get install memcached php-memcache
Установка MariaDB
sudo apt-get install mariadb-server mariadb-client
FTP доступ
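# FTP carries credentials and file contents in cleartext. The server already runs
# SSH, so SFTP (same daemon, same port, same key/password auth) needs no extra
# service and no extra firewall rule; use vsftpd only if plain FTP is required.
sudo apt-get install -y vsftpd
sudo nano /etc/vsftpd.conf
# in /etc/vsftpd.conf: allow uploads
write_enable=YES
# restart needs root, like the other service restarts in this guide
sudo service vsftpd restart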

Настройка Nginx

Конфигурация
sudo nano /etc/nginx/nginx.conf
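worker_processes 1;  # one per CPU core (or `auto` to let nginx detect the count)
pid /var/run/nginx.pid;

timer_resolution 100ms;
worker_rlimit_nofile 8192;
worker_priority -5;

events {
  worker_connections 1024;
  use epoll;
}

http {
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;

  # Do not advertise the nginx version in the Server header and error pages
  server_tokens off;

  types_hash_max_size 2048;

  keepalive_timeout 30;
  keepalive_requests 100;

  # Short timeouts and small buffers bound what a slow or oversized client can tie up
  reset_timedout_connection on;
  send_timeout 10;
  client_header_timeout 10;
  client_body_timeout 10;
  client_body_buffer_size 1K;
  client_header_buffer_size 1k;
  # Caps request bodies at 1 MB: larger WordPress media uploads get HTTP 413.
  # Raise this (together with PHP's upload_max_filesize / post_max_size) if needed.
  client_max_body_size 1m;
  large_client_header_buffers 4 8k;
  # NOTE(review): max=200000 cached descriptors vs worker_rlimit_nofile 8192 above — confirm intended
  open_file_cache max=200000 inactive=20s;
  open_file_cache_valid 30s;
  open_file_cache_min_uses 2;
  open_file_cache_errors on;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  # Global access log is off; each site config declares its own access_log
  access_log off;
  error_log /var/log/nginx/error.log crit;

  gzip on;
  gzip_disable "msie6";
  gzip_min_length 1100;
  gzip_buffers 64 8k;
  gzip_comp_level 3;
  gzip_http_version 1.1;
  gzip_proxied any;
  gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

  include /etc/nginx/conf.d/*.conf;
  # Site configs are enabled by symlinking them into sites-enabled; without this
  # include they are never loaded and nginx keeps serving only the default site.
  include /etc/nginx/sites-enabled/*;
}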
sudo systemctl restart nginx

Права на директории

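# Put the login user in the PHP-FPM group (www-data); the new membership only
# takes effect after that user logs in again.
sudo usermod -aG www-data username
sudo chown -R www-data:www-data /home/username/example.com/public_html
# Directories 755, files 644 — set directly; a preceding recursive 0775 would be
# overwritten by these two commands anyway. "-exec ... +" batches the chmod calls.
# NOTE(review): with 755/644 only the owner (www-data) can write, so the group
# membership above gives "username" no write access; use 775/664 if the user is
# meant to edit files through the group.
sudo find /home/username/example.com/public_html -type d -exec chmod 755 {} +
sudo find /home/username/example.com/public_html -type f -exec chmod 644 {} +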

Настройка Nginx для Wordpress

Конфиг сайта
mkdir /home/username/example.com/logs/
touch /home/username/example.com/logs/error.log
touch /home/username/example.com/logs/access.log
sudo nano /etc/nginx/sites-available/example.com
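server {
  listen 80;
  server_name www.example.com;
  # Canonical host is the bare domain: permanent (301) redirect keeping path and query
  rewrite ^ http://example.com$request_uri? permanent;
}

server {
  listen 80;
  server_name example.com;

  root /home/username/example.com/public_html;
  index index.php index.html;

  error_log /home/username/example.com/logs/error.log;
  access_log /home/username/example.com/logs/access.log;

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  # Hide dotfiles (.htaccess, .git, ...). This regex also matches /.well-known/,
  # which matters if ACME HTTP validation is added later.
  location ~ /\. {
    deny all;
    return 404;
  }

  # Never expose the config file, even if PHP handling breaks and it would be served as text
  location ~ /wp-config\.php {
    deny all;
    return 404;
  }

  # No PHP execution from the user-writable upload directories
  location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
    return 404;
  }

  location / {
    try_files $uri $uri/ /index.php?q=$uri&$args;
  }

  # Static assets: no access log, 30-day client cache. The dot is escaped so the
  # extension has to follow a literal "." rather than any character.
  location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|bmp|swf|js|mov|avi|mp4|mpeg4)$ {
    access_log off;
    expires 30d;
  }

  location ~ \.php$ {
    # Only hand existing files to PHP-FPM (defence in depth next to cgi.fix_pathinfo=0)
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # The guide installs php7.0-fpm, whose Ubuntu 16.04 socket is below;
    # /var/run/php5-fpm.sock does not exist here and every PHP request would 502.
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }
}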
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/example.com