使用 Docker 部署 wordpress

2020-09-09 735点热度 0人点赞 0条评论

博客停了几个月没有管理,最近将其恢复,同时也直接使用了Docker Compose来进行部署。

如果你还未安装过Docker,那么可以参考我以前写的部署步骤 Install docker in CentOS

编写 Docker Compose

version: '3.8'
services:

  db:
    image: mariadb
    volumes:
      - /data/mysql:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: mysql_root_pass
      MYSQL_DATABASE: db_name
      MYSQL_USER: user_name
      MYSQL_PASSWORD: user_pass
    restart: always

  wordpress:
    image: wordpress:5.6.0-php7.4-fpm-alpine
    restart: always
    container_name: wordpress
    depends_on:
      - db
    links:
      - db
    environment:
      - TZ=Asia/Shanghai
      - WORDPRESS_DB_HOST=mysql-master
      - WORDPRESS_DB_USER=dbuser
      - WORDPRESS_DB_PASSWORD=password
      - WORDPRESS_DB_NAME=dbname
    volumes:
      - ./data/html:/var/www/html:rw
      - ./conf.d/uploads.ini:/usr/local/etc/php/conf.d/uploads.ini
    networks:
      - web_network

  nginx:
    image: nginx:stable-alpine-perl
    container_name: web
    restart: always
    environment:
      - TZ=Asia/Shanghai
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./conf.d/nginx.conf:/etc/nginx/nginx.conf
      - ./conf.d/php_fastcgi.conf:/etc/nginx/php_fastcgi.conf
      - ./conf.d/vhost:/etc/nginx/conf.d
      - ./conf.d/ssl:/etc/nginx/ssl
      - ./data/logs:/var/log/nginx
      - ./data/html:/var/www/html:rw
    links:
      - wordpress
    networks:
      - web_network

networks:
  web_network:
    external:
      name: application

设置wordpress文件目录

在wordpress容器中,目录/var/www/html由用户www-data拥有。该用户在容器的uid是82。在主机中,它是不同的。使用以下命令删除用户名为www-data的任何现有用户,并使用uid 82创建一个新的用户。

userdel www-data
useradd -u 82 www-data

创建一个用于存放wordpress容器的目录

mkdir -p /data/html
chown -R www-data:www-data /data/html

附件上传限制

file_uploads = On
memory_limit = 500M
upload_max_filesize = 30M
post_max_size = 30M
max_execution_time = 600

nginx配置

user root;
worker_processes auto;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
worker_rlimit_nofile 51200;

events {
    use epoll;
    worker_connections 51200;
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 1024m;
    client_body_buffer_size 10m;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 120;

    # Limits
    limit_req_log_level  warn;
    limit_req_zone       $binary_remote_addr zone=login:10m rate=10r/m;

    # SSL
    ssl_session_timeout  1d;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_tickets  off;

    # Mozilla Modern configuration
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_ciphers          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;


    # OCSP Stapling
    ssl_stapling         on;
    ssl_stapling_verify  on;
    resolver             8.8.8.8 8.8.4.4 valid=60s;
    resolver_timeout     2s;

    #Gzip Compression
    gzip on;
    gzip_buffers 16 8k;
    gzip_comp_level 6;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
        text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
        text/javascript application/javascript application/x-javascript
        text/x-json application/json application/x-web-app-manifest+json
        text/css text/plain text/x-component
        font/opentype application/x-font-ttf application/vnd.ms-fontobject
        image/x-icon;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    #If you have a lot of static files to serve through Nginx then caching of the files' metadata (not the actual files' contents) can save some latency.
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    include /etc/nginx/conf.d/*.conf;

}

为了让nginx可以包含多个server,这里采用了include方式来包含server,所以还需要创建对应的wordpress配置。

server {
    listen      80;
    listen      [::]:80;
    server_name *.bcsytv.com;
    return      301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name jalena.bcsytv.com;
    root /var/www/html; 
    index index.php;

    access_log /var/log/nginx/jalena.bcsytv.com.access.log;
    error_log /var/log/nginx/jalena.bcsytv.com.error.log;

    # SSL
    ssl_certificate                      /etc/nginx/ssl/4467178_jalena.bcsytv.com.pem;
    ssl_certificate_key                  /etc/nginx/ssl/4467178_jalena.bcsytv.com.key;

    # security headers
    add_header X-Frame-Options           "SAMEORIGIN" always;
    add_header X-XSS-Protection          "1; mode=block" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header Referrer-Policy           "no-referrer" always;
    #add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # . files
    location ~ /\.(?!well-known) {
        deny all;
    }

    # index.php fallback
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # favicon.ico
    location = /favicon.ico {
        log_not_found off;
        access_log    off;
    }

    # robots.txt
    location = /robots.txt {
        log_not_found off;
        access_log    off;
    }

    # assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        expires    7d;
        access_log off;
    }

    # svg, fonts
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        expires    7d;
        access_log off;
    }

    # gzip
    gzip              on;
    gzip_vary         on;
    gzip_proxied      any;
    gzip_comp_level   6;
    gzip_types        text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

    # WordPress: allow TinyMCE
    location = /wp-includes/js/tinymce/wp-tinymce.php {
        include php_fastcgi.conf;
    }

    # WordPress: deny wp-content, wp-includes php files
    location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
        deny all;
    }

    # WordPress: deny wp-content/uploads nasty stuff
    location ~* ^/uploads/.*\.(?:s?html?|php|js|swf)$ {
        deny all;
    }

    # WordPress: deny wp-content/plugins (except earlier rules)
    location ~ ^/wp-content/plugins {
        deny all;
    }

    # WordPress: deny scripts and styles concat
#   location ~* \/wp-admin\/load-(?:scripts|styles)\.php {
#       deny all;
#   }

    # WordPress: deny general stuff
    location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
        deny all;
    }

    # WordPress: throttle wp-login.php
    location = /wp-login.php {
        limit_req zone=login burst=2 nodelay;
        include   php_fastcgi.conf;
    }

    # pass the PHP scripts to FastCGI server listening on wordpress:9000
    location ~ \.php$ {
            include php_fastcgi.conf;
    }
}

因wordpress是以fpm方式运行,这里还需要创建一个fastcgi的对应配置。

注:wordpress运行在9000端口

# 404
try_files                     $fastcgi_script_name =404;

# default fastcgi_params
include                       fastcgi_params;

# fastcgi settings
fastcgi_pass                  wordpress:9000;
fastcgi_index                 index.php;
fastcgi_buffers               8 16k;
fastcgi_buffer_size           32k;

# fastcgi params
fastcgi_param DOCUMENT_ROOT   $realpath_root;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
#fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/html:/usr/lib/php/:/tmp/";

到此配置就基本完成了,最终的目录结构如下:

[root@server web]# tree -L 3 --dirsfirst -A
 .
 ├── conf.d
 │   ├── ssl
 │   │   ├── 4467178_jalena.bcsytv.com.key
 │   │   └── 4467178_jalena.bcsytv.com.pem
 │   ├── vhost
 │   │   ├── app.conf
 │   │   └── blog.conf
 │   ├── nginx.conf
 │   ├── php_fastcgi.conf
 │   └── uploads.ini
 ├── data
 │   ├── html
 │   │   ├── uploads
 │   └── logs
 └── docker-compose.yml

如何升级

docker-compose down --rmi all
docker-compose up -d

备份数据及恢复

# 备份
docker exec db sh -c 'exec mysqldump --databases blog -uuser -p"password"' > blog-new.sql

# 恢复
docker cp backup.sql db:bck.sql
docker exec -it db base
mysql -uroot -p
source /bck.sql

Jalena

原创内容,转载请注明出处! 部分内容来自网络,请遵守法律适用!

文章评论