====== CentOS8 安裝 WordPress 5 程序 ======
  * centOS 8.2.2004 (Core)
  * Nginx 
  * MariaDB 10
  * PHP 8

===== 安裝 Nginx / MariaDB 10 / PHP 7.4 =====
  * EPEL <code sh>
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
</code>
  * REMI 啟用 PHP 7.4 <code sh>
dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
dnf module list php
dnf module enable php:remi-7.4
</code>
  * Nginx <code sh>
vi /etc/yum.repos.d/nginx.repo
</code><file>
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/8/$basearch/
gpgcheck=0
enabled=1
</file><code sh>
dnf install nginx
</code>
  * php-fpm <code sh>
dnf install php php-fpm
</code>
  * mariadb-server <code sh>
dnf install mariadb-server
</code>

===== 設定與驗證 nginx+php-fpm / mariadb =====
  * Firewall 開啟 http / https <code sh>
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
</code>
  * 設定 nginx 開機啟動 <code sh>
systemctl restart nginx
systemctl enable nginx 
</code>
  * 產生自簽 SSL 測試憑證<code sh>
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
</code>
  * 設定主網站頁目錄 
    * /etc/nginx/conf.d/default.conf<code sh>
vi /etc/nginx/conf.d/default.conf
</code><file>
server {
    listen       80;
    server_name  localhost;

    # 將 HTTP 資源永久導向至 HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    # 使用 https 和 http/2 協定
    listen 443 ssl http2;
    # 上述的 IPv6 方式
    listen [::]:443 ssl http2;

    gzip on;
    gzip_comp_level    5;
    gzip_min_length    256;
    gzip_proxied       any;
    gzip_vary          on;

    gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/ld+json
    application/manifest+json
    application/rss+xml
    application/vnd.geo+json
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/bmp
    image/svg+xml
    image/x-icon
    text/cache-manifest
    text/css
    text/plain
    text/vcard
    text/vnd.rim.location.xloc
    text/vtt
    text/x-component
    text/x-cross-domain-policy;
    # text/html is always compressed by gzip module

    location ~*  \.(jpg|jpeg|png|gif|ico|css|js|pdf)$ {
        expires 7d;
    }


    charset utf-8;
    access_log  /var/log/nginx/access.log  main;

    index  index.php; 

    # 調用 PHP FastCGI 設定檔 (NGINX 預設提供)
    include             /etc/nginx/default.d/php.conf;
    # 調用共用設定檔 - 限制檔案
    include             /etc/nginx/global/restrictions.conf;
    # 調用共用設定檔 - 不快取條件
    include             /etc/nginx/global/no-cache.conf;

    #
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    #

    # SSL 憑證證書路徑
    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    # 私鑰路徑
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    # 調用共用設定檔 - TLS/SSL 憑證
    include             /etc/nginx/global/ssl.conf;

}
</file>
    * /etc/nginx/global/restrictions.conf<code sh>
mkdir /etc/nginx/global
vi /etc/nginx/global/restrictions.conf
</code><file>
# Global restrictions configuration file.
# Designed to be included in any server {} block.
location = /favicon.ico {
    log_not_found off;
    access_log off;
}
 
location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}
 
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
    deny all;
}
 
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}

location / {
    # This is cool because no php is touched for static content.
    # include the "?$args" part so non-default permalinks doesn't break when using query string
    try_files $uri $uri/ /index.php?$args;
}

location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
}
</file>
    * /etc/nginx/global/ssl.conf <code sh>
vi /etc/nginx/global/ssl.conf
</code><file>
# 快取有效期
ssl_session_timeout 1d;
# 快取憑證類型和大小
ssl_session_cache shared:SSL:50m;


#
# intermediate configuration. tweak to your needs.
#

# 使用的加密協定
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# 加密演算法，越前面的優先級越高
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# 交握過程使用 Server 的首選加演算法，這裡使用 Client 為首選
ssl_prefer_server_ciphers on;


#
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
#

# 增加 http header
add_header Strict-Transport-Security max-age=15768000;
</file>
    * /etc/nginx/global/no-cache.conf <code sh>
vi /etc/nginx/global/no-cache.conf</code><file>
# 啟用 FastCGI Cache 快取
set $no_cache 0;
 
# POST 請求和帶有查詢字串的網址不快取
if ($request_method = POST) {
    set $no_cache 1;
}
if ($query_string != "") {
    set $no_cache 1;
}   
 
# 以下 URI 不快取
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
    set $no_cache 1;
}   
 
# 登入用戶或最近留言者不快取
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
    set $no_cache 1;
}

# 加入快取資訊表頭 (除錯用)
add_header X-Cache $upstream_cache_status;
</file>
  * 修改 php 設定 <code sh>
vi /etc/php.ini
</code><file>
:
;cgi.fix_pathinfo=1
cgi.fix_pathinfo=0
:
[Date]
:
date.timezone = Asia/Taipei
:
</file>
  * 修改 php-fpm 設定 <code sh>
vi /etc/php-fpm.d/www.conf
</code><file>
:
; Default Values: user and group are set as the running user
;                 mode is set to 0660
listen.owner = nobody
listen.group = nobody
;listen.mode = 0660
:
</file><code sh>
systemctl restart php-fpm
systemctl enable php-fpm 
</code>
  * 啟動 MariaDB 與驗證新密碼 <code sh>
systemctl restart mariadb
systemctl enable mariadb 
mysql_secure_installation
</code>設定 root 密碼, 與移除預設的用戶與資料庫..完成後可以使用 <code sh>
mysql -u root -p
</code> 來進行驗證使用新密碼登入
  * 安裝其他 php 套件 <code sh>
dnf install php-mysqlnd php-mbstring php-xmlrpc php-soap php-gd php-xml php-intl php-zip php-curl php-cli
systemctl restart php-fpm
systemctl restart nginx
</code>

===== 下載最新版 Wordpress ======
  * 下載網址 : http://wordpress.org/download/ <code sh>
dnf install wget unzip
cd /usr/share/nginx/html
wget http://wordpress.org/latest.zip
unzip latest.zip
chown -R apache:apache wordpress
</code>

===== 開始基本設定 =====
  * 建立 wordpress db <code sh>
mysql -u root -p
</code><code sql>
create database `wordpress`;
create user 'wpadmin'@'localhost' identified by '**Password**';
grant all on wordpress.* to 'wpadmin'@'localhost';
flush privileges;
quit
</code>
  * 透過網頁安裝設定 wordpress : http://xxx.xxx.xxx/wordpress ←- 依據只是經過三個步驟就可以安裝完成
  * 使用 admin 與預設密碼(0adf3e 這樣的密碼) 登入, 先將預設密碼改成你要的密碼

====== 參考網址 =====
  * https://www.tecmint.com/install-php-on-centos-8/
  * https://blog.gtwang.org/linux/nginx-create-and-install-ssl-certificate-on-ubuntu-linux/
  * https://www.footmark.info/web-design/wordpress/nginx-php-fpm-wordpress-centos8/

{{tag>centos8 wordpress}}