reg88.com

fine...I'll blog too

How to Configure and Install WordPress on Nginx + PHP-FPM

I had been using Blogger (Blogspot) for several years, but even with the latest improvements Blogger just doesn’t cut it. I have finally given up and moving on to WordPress. At this point why not host my own install. I decided to get an install going with Nginx, PHP-FPM and WordPress. Here’s a how-to on getting you own up and running as well.

Package Installation and Initial Prep
For the most part, we’re going to compile our own packages, but lets get some of the requirements out of the with via Ubuntu’s repository. The following installs packages required to build and install from source. Also, Nginx is installed to take care of some of the prerequisites and configuration files.

1
2
apt-get update
apt-get install build-essential supervisor nginx libxml2-dev libpcre3 libpcre3-dev libbz2-dev libssl-dev zlib1g-dev libmcrypt-dev libmhash-dev libmhash2 libcurl4-openssl-dev libpq-dev libpq5 unzip bison flex autoconf subversion rcconf mysql-server ntp

We’re going to compile Nginx in a later step so lets remove it for now. Remove and purge Nginx installation. NOTE: Configuration and startup files are left behind. And this is exactly what we want.

1
apt-get remove nginx && apt-get purge nginx && apt-get autoremove

Create a download and builds directory

1
mkdir /root/installs

PHP Installation
Download, Configure and Install PHP + PHP-FPM

1
2
3
4
5
6
7
8
9
10
cd /root/installs
wget http://us2.php.net/get/php-5.3.9.tar.gz/from/us.php.net/mirror (http://us.php.net/distributions/php-5.3.9.tar.gz)  
tar zxvf php-5.3.9.tar.gz
cd php-5.3.9

./configure –enable-fpm –with-mcrypt –with-zlib –enable-mbstring –disable-pdo –with-pgsql –with-curl –disable-debug –disable-rpath –enable-inline-optimization –with-bz2 –with-zlib –enable-sockets –enable-sysvsem –enable-sysvshm –enable-pcntl –enable-mbregex –with-mhash –enable-zip –with-pcre-regex –with-mysql=mysqlnd

make
make test
make install

PHP and PHP-FPM Configuration
At this point we need to create some links to make sure php is working properly with out setup

1
2
3
4
5
cp /root/installs/php-5.3.9/php.ini-production /usr/local/lib/php/php.ini
mkdir /etc/php/
ln -s /usr/local/lib/php/php.ini /etc/php/php.ini
ln -s /usr/local/etc/php-fpm.conf.default /etc/php/php-fpm.conf
ln -s /usr/local/lib/php/php.ini /usr/local/lib/php.ini

Modify the php-fpm.conf file with the following changes

1
2
3
4
5
6
7
8
9
10
11
12
vi /etc/php/php-fpm.conf
listen.owner = www-data
listen.group = www-data
listen.mode = 0666
user = www-data
group = www-data

#listen = 127.0.0.1:9000  
listen = /var/run/php-fpm.sock
pid = /var/run/php-fpm.pid

error_log = /var/log/php-fpm.log

Create and modify the startup script

1
2
3
4
5
6
7
8
9
10
11
12
13
cp /root/installs/php-5.3.9/sapi/fpm/init.d.php-fpm.in /etc/init.d/php-fpm
chmod 755 /etc/init.d/php-fpm
update-rc.d -f php-fpm defaults

vi /etc/init.d/php-fpm
prefix=
exec_prefix=

php\_fpm\_BIN=/usr/local/sbin/php-fpm
php\_fpm\_CONF=/etc/php/php-fpm.conf
php\_fpm\_PID=/var/run/php-fpm.pid

service php-fpm start

Nginx Installation
Download, Configure and Install Nginx

1
2
3
cd /root/installs
wget http://nginx.org/download/nginx-1.0.10.tar.gz  
tar zxvf nginx-1.0.10.tar.gz

Some preperations to before building Nginx

1
2
3
mkdir /var/log/nginx
touch /var/log/nginx/error.log
touch /var/log/nginx/access.log

Build and Install Nginx

1
2
3
4
5
6
7
8
cd nginx-1.0.10
./configure –conf-path=/etc/nginx/nginx.conf \
–sbin-path=/usr/sbin \
–with-http\_ssl\_module \
–error-log-path=/var/log/nginx/error.log

make
make install

Test Nginx and PHP Installation

1
2
3
4
mkdir -p /var/www/wordpress
echo &#8220;<?php echo phpinfo(); ?>&#8221; > /var/www/wordpress/phpinfo.php


Use your browser to access http://localhost/phpinfo.php

Configure Nginx to start your Site

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
cd /etc/nginx
cp nginx.conf nginx.conf.orig
vi nginx.conf
\# include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*.conf;

#For additional security add the following at the bottom of your nginx.conf. Make sure you close the brackets properly. 

cd /etc/nginx
cp nginx.conf nginx.conf.lessSecure
vi nginx.conf
\# NOTE: Nginx default keepalive_timeout might currently be set. Comment out the default and use the below setting.

########################################################  
\# Security Directives #
########################################################  
#Start: Size Limits & Buffer Overflows  
client\_body\_buffer_size 1K;
client\_header\_buffer_size 1k;
client\_max\_body_size 1k;
large\_client\_header_buffers 2 1k;

#Start: Timeouts  
client\_body\_timeout 10;
client\_header\_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;

#Store session states in zone slimits &#8211; 32,000 sessions with 32 bytes/session/1m  
limit\_zone slimits $binary\_remote_addr 5m;

\# Restricts connections from a single ip address
limit_conn slimits 4;
}

Configure FastCGI Paramaters

1
2
3
4
5
6
7
8
9
10
vi /etc/nginx/fastcgi_params
\# Added by Mike: avoid random 503 errors from nginx
fastcgi\_connect\_timeout 60;
fastcgi\_send\_timeout 180;
fastcgi\_read\_timeout 180;
fastcgi\_buffer\_size 128k;
fastcgi_buffers 4 256k;
fastcgi\_busy\_buffers_size 256k;
fastcgi\_temp\_file\_write\_size 256k;
fastcgi\_intercept\_errors on;

Create some configuration directories. This is where you drop Site files
# Make sure the following directories exist. If not, create them

1
2
mkdir sites-available
mkdir sites-enabled

Remove the default Site if you like.

1
rm sites-enabled/default

Create your Site (VirtualHost)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
vi sites-available/wordpress.conf
\# Upstream to abstract backend connection(s) for php
upstream php {
server unix:/var/run/php-fpm.sock;
#server 127.0.0.1:9000;  
}

server {
\## Your website name goes here.
server_name example.com;
\## Your only path reference.
root /var/www/wordpress;
\## This should be in your http block and if it is, it&#8217;s not needed here.
index index.php;

access_log /var/log/nginx/example.access.log;
error_log /var/log/nginx/example.error.log;

fastcgi\_intercept\_errors off;

location = /favicon.ico {
log\_not\_found off;
access_log off;
}

location = /robots.txt {
#allow all;  
log\_not\_found off;
access_log off;
}

location / {
\# This is cool because no php is touched for static content
try_files $uri $uri/ /index.php;
}

location ~ \.php$ {
#NOTE: You should have &#8220;cgi.fix_pathinfo = 0;&#8221; in php.ini  
include fastcgi.conf;
fastcgi\_intercept\_errors on;
fastcgi_pass php;
}

\# Caching: the following files can be cached by the browser
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log\_not\_found off;
}

location ~ /\. { access\_log off; log\_not_found off; deny all; }
location ~ ~$ { access\_log off; log\_not_found off; deny all; }
}

#For additional security add the following the end of your site configuration file. This should be added above the &#8220;Location&#8221; Directive. Make sure you close the brackets properly.  
########################################################  
\# Security Directives #
########################################################  
\# Only requests to m.example.com are allowed #
if ($host !~ ^(example.com|m.example.com)$ )
{
return 444;
}

#Only allow these request methods  
if ($request_method !~ ^(GET|HEAD|POST)$ )
{
return 444;
}

#Block download agents  
if ($http\_user\_agent ~* LWP::Simple|BBBike|wget|Baiduspider|Jullo)
{
return 403;
}

#Block some robots  
if ($http\_user\_agent ~* msnbot|scrapbot)
{
return 403;
}

#Deny certain Referers  
if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) )
{
return 403;
}

Enable your new site

1
2
cd sites-enabled
ln -s ../sites-available/wordpress.conf .

Modify Nginx init with the new installation PATH

1
2
3
vi /etc/init.d/nginx
\# Add the following to PATH
:/usr/local/nginx

Update Site permissions

1
chown -R www-data:www-data /var/www/wordpress

Start/restart your Nginx Service

1
service nginx restart

WordPress Installation

1
2
3
4
5
6
7
cd /root/installs
wget http://wordpress.org/latest.tar.gz  
tar zxvf latest.tar.gz

rm -rf /var/www/wordpress
mv wordpress /var/www/
chown -R www-data:www-data /var/www/wordpress

Create a WordPress database and user

1
2
3
4
5
6
mysql -u root -p
CREATE DATABASE wordpress;

GRANT ALL PRIVILEGES ON wordpress.* TO &#8220;wordpressadmin&#8221;@&#8221;localhost&#8221; IDENTIFIED BY &#8220;welcome&#8221;;
FLUSH PRIVILEGES;
exit

Configuring WordPress and Initial Setup

1
2
3
4
5
6
cd /var/www/wordpress
cp wp-config-sample.php wp-config.php
vi wp-config.php
define(&#8216;DB_NAME&#8217;, &#8216;wordpress&#8217;);
define(&#8216;DB_USER&#8217;, &#8216;wordpressadmin&#8217;);
define(&#8216;DB_PASSWORD&#8217;, &#8216;welcome&#8217;);

To complete WordPress setup visit:

http://127.0.0.1

Note: If you have any database connection issues, you may have to use “127.0.0.1″ for Database Host. You can either do this within the wp-config.php or once you visit the localhost URL. Example:

1
define(&#8216;DB_HOST&#8217;, &#8217;127.0.0.1&#8242;);

Secure your Server
Secure MySQL

1
mysql\_secure\_installation

Enable Firewall

1
2
3
4
ufw allow ssh
ufw allow http
ufw allow https
ufw allow 9222/tcp

Create a regular user with sudo access

1
2
3
4
useradd -m -s /bin/bash mike
vi /etc/group
sudo:x:27:mike
ssh:x:107:mike

Disable ROOT Login

1
2
cp /etc/securetty /etc/securetty.orig
echo > /etc/securetty

Secure SSH and Limit access

1
2
3
4
5
6
7
8
9
10
11
12
13
vi /etc/ssh/sshd_config
Port 9222
PermitRootLogin no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no
X11Forwarding no
UsePAM no
UseDNS no
AllowGroups ssh

/etc/init.d/ssh restart

Disable control-alt-delete

1
2
vi /etc/init/control-alt-delete.conf
#exec shutdown -r now &#8220;Control-Alt-Delete pressed&#8221;  

Modify and secure kernel

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
vi /etc/sysctl.conf
#####################################  
\# Kernel Modifications #
#####################################

\# Controls the use of TCP syncookies
net.ipv4.tcp\_synack\_retries = 2

\# Don&#8217;t Pass Traffic Between Networks
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

\# Don&#8217;t Accept Redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

\# Log spoofed, Source Routed, and Redirect Packets
net.ipv4.conf.all.log_martians = 1

\# Enable Source Route Filtering
net.ipv4.conf.all.rp_filter = 1

# The above will take effect on the next reboot

Configure NTP

1
2
vi /etc/ntp.conf
server pool.ntp.org