使用 Docker 部署 wordpress

博客停了几个月没有管理，最近将其恢复，同时也直接使用了Docker Compose来进行部署。

如果你还未安装过Docker，那么可以参考我以前写的部署步骤 Install docker in CentOS

编写 Docker Compose

为了更好的管理，这里使用dockers-compose进行管理，同时使用环境变量来配置所有的参数项

配置环境变量

创建.env配置项

# default environment arguments for docker-compose.yml
# set master data dir
MYSQL_DATA=./data/mysql/data
MYSQL_FILES_DATA=./data/mysql/files
MYSQL_CUSTOM_CONFIG=./conf.d/mysql

# set mysql password
MYSQL_ROOT_PASSWORD=1234567890
MYSQL_USER=wordpress
MYSQL_PASSWORD=1234567890

WORDPRESS_DATA_DIR=./data/html
WORDPRESS_PHP_CONFIG=./conf.d/nginx/uploads.ini
WORDPRESS_UPLOADS=./data/wordpress/uploads
WORDPRESS_THEMES=./data/wordpress/themes
NGINX_DATA_DIR=./data/html
NGINX_LOG_DIR=./data/logs
NGINX_CONF=./conf.d/nginx/nginx.conf
NGINX_PHP_FASTCGI=./conf.d/nginx/php_fastcgi.conf
NGINX_VHOST=./conf.d/nginx/vhost
NGINX_SSL=./conf.d/nginx/ssl

创建docker-compose.yml配置文件

version: '3.9'
services:

  mysql:
    image: mysql:8.0.31
    restart: always
    container_name: mysql
    env_file:
      - env/mysql-common.env
    volumes:
      - ${MYSQL_DATA}:/var/lib/mysql
      - ${MYSQL_FILES_DATA}:/var/lib/mysql-files
      - ${MYSQL_CUSTOM_CONFIG}:/etc/mysql/conf.d
    networks:
      - backend

  wordpress:
    image: wordpress:6.1.0-php8.1-fpm-alpine
    restart: always
    container_name: wordpress
    depends_on:
      - mysql
    env_file:
      - env/wordpress.env
    volumes:
      - ${WORDPRESS_DATA_DIR}:/var/www/html
      - ${WORDPRESS_UPLOADS}:/var/www/html/uploads
      - ${WORDPRESS_THEMES}:/var/www/html/wp-content/themes
      - ${WORDPRESS_PHP_CONFIG}:/usr/local/etc/php/conf.d/uploads.ini
    networks:
      - backend

  nginx:
    image: nginx:stable-alpine-perl
    container_name: web
    restart: always
    environment:
      - TZ=Asia/Shanghai
    ports:
      - 80:80
      - 443:443
    volumes:
      - ${NGINX_CONF}:/etc/nginx/nginx.conf
      - ${NGINX_PHP_FASTCGI}:/etc/nginx/php_fastcgi.conf
      - ${NGINX_VHOST}:/etc/nginx/conf.d
      - ${NGINX_SSL}:/etc/nginx/ssl
      - ${NGINX_LOG_DIR}:/var/log/nginx
      - ${NGINX_DATA_DIR}:/var/www/html:rw
      - ${WORDPRESS_UPLOADS}:/var/www/html/uploads
      - ${WORDPRESS_THEMES}:/var/www/html/wp-content/themes
    depends_on:
      - wordpress
    networks:
      - backend

networks:
  backend:
    name: backend
    driver: bridge
    ipam:
      config:
        - subnet: 172.16.16.0/24
          gateway: 172.16.16.1

设置wordpress文件目录

在wordpress容器中，目录/var/www/html由用户www-data拥有。该用户在容器的uid是82。在主机中，它是不同的。使用以下命令删除用户名为www-data的任何现有用户，并使用uid 82创建一个新的用户。

userdel www-data
useradd -u 82 www-data

创建一个用于存放wordpress容器的目录

mkdir -p /data/html
chown -R www-data:www-data /data/html

附件上传限制

由于wordpress容器本身也是一个php容器，所以需要自行编写一个配置去覆盖部分配置项。

创建uploads.ini配置，并在docker-compose.yml的wordpress节点中挂载volumes项，详见上面的docker-compose.yml配置。

file_uploads = On
memory_limit = 500M
upload_max_filesize = 30M
post_max_size = 30M
max_execution_time = 600

nginx配置

nginx主配置文件

user root;
worker_processes auto;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
worker_rlimit_nofile 51200;

events {
    use epoll;
    worker_connections 51200;
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 1024m;
    client_body_buffer_size 10m;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 120;

    # Limits
    limit_req_log_level  warn;
    limit_req_zone       $binary_remote_addr zone=login:10m rate=10r/m;

    # SSL
    ssl_session_timeout  1d;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_tickets  off;

    # Mozilla Modern configuration
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_ciphers          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;


    # OCSP Stapling
    ssl_stapling         on;
    ssl_stapling_verify  on;
    resolver             8.8.8.8 8.8.4.4 valid=60s;
    resolver_timeout     2s;

    #Gzip Compression
    gzip on;
    gzip_buffers 16 8k;
    gzip_comp_level 6;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
        text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
        text/javascript application/javascript application/x-javascript
        text/x-json application/json application/x-web-app-manifest+json
        text/css text/plain text/x-component
        font/opentype application/x-font-ttf application/vnd.ms-fontobject
        image/x-icon;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    #If you have a lot of static files to serve through Nginx then caching of the files' metadata (not the actual files' contents) can save some latency.
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    include /etc/nginx/conf.d/*.conf;

}

为了让nginx可以包含多个server，这里采用了include方式来包含server，所以还需要创建对应的wordpress配置。

server {
    listen      80;
    listen      [::]:80;
    server_name *.bcsytv.com;
    return      301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name jalena.bcsytv.com;
    root /var/www/html; 
    index index.php;

    access_log /var/log/nginx/jalena.bcsytv.com.access.log;
    error_log /var/log/nginx/jalena.bcsytv.com.error.log;

    # SSL
    ssl_certificate                      /etc/nginx/ssl/4467178_jalena.bcsytv.com.pem;
    ssl_certificate_key                  /etc/nginx/ssl/4467178_jalena.bcsytv.com.key;

    # security headers
    add_header X-Frame-Options           "SAMEORIGIN" always;
    add_header X-XSS-Protection          "1; mode=block" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header Referrer-Policy           "no-referrer" always;
    #add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # . files
    location ~ /\.(?!well-known) {
        deny all;
    }

    # index.php fallback
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # favicon.ico
    location = /favicon.ico {
        log_not_found off;
        access_log    off;
    }

    # robots.txt
    location = /robots.txt {
        log_not_found off;
        access_log    off;
    }

    # assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        expires    7d;
        access_log off;
    }

    # svg, fonts
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        expires    7d;
        access_log off;
    }

    # gzip
    gzip              on;
    gzip_vary         on;
    gzip_proxied      any;
    gzip_comp_level   6;
    gzip_types        text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

    # WordPress: allow TinyMCE
    location = /wp-includes/js/tinymce/wp-tinymce.php {
        include php_fastcgi.conf;
    }

    # WordPress: deny wp-content, wp-includes php files
    location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
        deny all;
    }

    # WordPress: deny wp-content/uploads nasty stuff
    location ~* ^/uploads/.*\.(?:s?html?|php|js|swf)$ {
        deny all;
    }

    # WordPress: deny wp-content/plugins (except earlier rules)
    location ~ ^/wp-content/plugins {
        deny all;
    }

    # WordPress: deny scripts and styles concat
#   location ~* \/wp-admin\/load-(?:scripts|styles)\.php {
#       deny all;
#   }

    # WordPress: deny general stuff
    location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
        deny all;
    }

    # WordPress: throttle wp-login.php
    location = /wp-login.php {
        limit_req zone=login burst=2 nodelay;
        include   php_fastcgi.conf;
    }

    # pass the PHP scripts to FastCGI server listening on wordpress:9000
    location ~ \.php$ {
            include php_fastcgi.conf;
    }
}

因wordpress是以fpm方式运行，这里还需要创建一个fastcgi的对应配置。

注：wordpress运行在9000端口

# 404
try_files                     $fastcgi_script_name =404;

# default fastcgi_params
include                       fastcgi_params;

# fastcgi settings
fastcgi_pass                  wordpress:9000;
fastcgi_index                 index.php;
fastcgi_buffers               8 16k;
fastcgi_buffer_size           32k;

# fastcgi params
fastcgi_param DOCUMENT_ROOT   $realpath_root;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
#fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/html:/usr/lib/php/:/tmp/";

到此配置就基本完成了，最终的目录结构如下：

[root@server web]# tree -L 3 --dirsfirst -A
 .
 ├── conf.d
 │   ├── ssl
 │   │   ├── 4467178_jalena.bcsytv.com.key
 │   │   └── 4467178_jalena.bcsytv.com.pem
 │   ├── vhost
 │   │   ├── app.conf
 │   │   └── blog.conf
 │   ├── nginx.conf
 │   ├── php_fastcgi.conf
 │   └── uploads.ini
 ├── data
 │   ├── html
 │   │   ├── uploads
 │   └── logs
 └── docker-compose.yml

如何升级

docker-compose down --rmi all
docker-compose up -d

备份数据及恢复

# 备份
docker exec db sh -c 'exec mysqldump --master-data=2 --single-transaction --set-gtid-purged=OFF --databases blog -uuser -p"password"' > blog-new.sql

# 恢复
docker cp backup.sql db:bck.sql
docker exec -it db base
mysql -uroot -p
source /bck.sql