・旧
WordPress(PHP7+nginx) for Amazon Linux AMI 2016.09
EC2
$ sudo su -l
$ passwd ec2-user
#ローカルタイム変更
$ cp -rp /etc/localtime /etc/localtime.org
$ cp -rp /usr/share/zoneinfo/Japan /etc/localtime
/etc/sysconfig/clock
#yum updateなどでUTCにもどるのを防ぐ
-ZONE="UTC"
-UTC=true
+ZONE="Asia/Tokyo"
+UTC=false
/etc/sysconfig/i18n
-LANG=en_US.UTF-8
+LANG=ja_JP.UTF-8
PHP7.3
$ yum install -y php73 php73-fpm php73-gd php73-mbstring php73-mcrypt php73-mysqlnd php73-zip php73-opcache php73-devel
#yum list available | grep php73
#yum list installed | grep php
Imagick
$ yum install gcc
$ yum install -y ImageMagick*
$ yum install php7-pear
$ pecl7 channel-update pecl.php.net
$ pecl7 install imagick
/etc/php-fpm-7.3.d/www.conf
-user = apache
+user = nginx
-group = apache
+group = nginx
/etc/php.ini
+date.timezone = "Asia/Tokyo"
-memory_limit = 128M
+memory_limit = 256M
#X-Powered-Byヘッダを送らない
-expose_php = On
+expose_php = Off
post_max_size = 8M
upload_max_filesize = 4M
#memory_limit > post_max_size > upload_max_filesize
#3 days
session.gc_maxlifetime = 259200
[imagick]
extension=imagick.so
GitHub
$ yum install -y git
$ git config --global user.email "[GitHubメールアドレス]"
$ git config --global user.name "[GitHubユーザー名]"
# GitHub クローン
$ cd /var/www/
$ mv /var/www/html /var/www/_html
$ git clone https://github.com/[path_to_git].git html
# 以降はpullで
$ cd /var/www/html
$ git pull origin master
$ chown -R nginx:nginx /var/www/html
phpMyAdmin
$ cd /var/www/
$ wget https://files.phpmyadmin.net/phpMyAdmin/4.9.6/phpMyAdmin-4.9.6-all-languages.tar.gz
$ tar zxvf phpMyAdmin-4.9.6-all-languages.tar.gz
$ rm phpMyAdmin-4.9.6-all-languages.tar.gz
$ mv phpMyAdmin-4.9.6-all-languages phpmyadmin
$ cd /var/www/phpmyadmin/
$ cp config.sample.inc.php config.inc.php
/var/www/phpmyadmin/config.inc.php
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'http';//BASIC認証
/* Server parameters */
$cfg['Servers'][$i]['host'] = 'localhost';
nginx
$ yum install -y nginx
$ nginx -v
# nginx version: nginx/1.16.1
$ cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.org
# Perfect Forward Security
$ cd /etc/nginx/ssl
$ openssl dhparam -out dhparam.pem 2048
/etc/nginx/nginx.conf
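# Excerpt of /etc/nginx/nginx.conf: only the directives this setup adds or
# changes are listed; everything not shown stays as shipped by the package.
worker_rlimit_nofile 40000; # TODO: confirm this value (original note: 要確認); see the file-max note below

events {
    worker_connections 2048; # TODO: confirm this value (original note: 要確認)
}

http {
    index index.php index.html index.htm;
    charset UTF-8;
    server_tokens off; # no nginx version in Server header / error pages

    # FastCGI cache zone; the key is built per request further down
    fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=FCKZ:32m inactive=3d max_size=128m;
    fastcgi_cache_use_stale error timeout invalid_header http_500;

    # Plain HTTP only redirects to HTTPS
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name localhost;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name _;
        root /var/www/html;
        client_max_body_size 4m; # keep equal to upload_max_filesize in php.ini

        ssl_certificate "/etc/nginx/ssl/[証明書]";
        ssl_certificate_key "/etc/nginx/ssl/[秘密鍵]";
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:60m;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from the
        # original list; add TLSv1.3 once the OpenSSL build behind this nginx
        # supports it.
        ssl_protocols TLSv1.2;
        # NOTE(review): HIGH:SEED still admits CBC suites; revisit against
        # current cipher guidance when updating the TLS settings.
        ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
        ssl_prefer_server_ciphers on;
        #include /etc/nginx/default.d/*.conf;

        # FastCGI cache bypass: anything that is not a GET, admin / feed /
        # sitemap / PHP-entry URIs, and requests carrying WordPress session
        # or comment cookies are never served from or written to the cache.
        set $do_not_cache 0;
        if ($request_method !~ ^(GET)$) {
            set $do_not_cache 1;
        }
        # dots are escaped: an unescaped "." matched any character
        if ($request_uri ~* "/wp-admin/|/xmlrpc\.php|wp-.*\.php|/feed/|index\.php|sitemap(_index)?\.xml") {
            set $do_not_cache 1;
        }
        if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
            set $do_not_cache 1;
        }

        # Separate cache entries for mobile user agents
        set $mobilef '';
        if ($http_user_agent ~* '(Mobile|Android|Silk|Kindle|BlackBerry|Opera Mini|Opera Mobi)') {
            set $mobilef 'mobile.';
        }
        fastcgi_cache_key "$mobilef$scheme://$host$request_uri";

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
            try_files $uri =404; # no PHP execution for paths that do not exist on disk
            # "php-fpm" upstream is not defined in this excerpt; presumably it
            # comes from the packaged /etc/nginx/conf.d/php-fpm.conf — confirm.
            fastcgi_pass php-fpm;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            include fastcgi_params;
            fastcgi_cache_bypass $do_not_cache;
            fastcgi_no_cache $do_not_cache;
            fastcgi_cache FCKZ;
            fastcgi_cache_valid 200 5m;
            fastcgi_cache_valid any 10m;
            fastcgi_pass_header X-Accel-Expires;
            fastcgi_ignore_headers Cache-Control Expires;
            add_header x-cache $upstream_cache_status;
        }

        # phpMyAdmin is closed by default; open it only for the admin source
        # address by uncommenting and filling in the allow line (IP制限).
        location ^~ /phpmyadmin {
            #allow 0.0.0.0; # placeholder: replace with the admin source address
            deny all;
            alias /var/www/phpmyadmin;
            index index.php;
            location ~ \.php$ {
                #fastcgi_pass 127.0.0.1:9000;
                fastcgi_pass php-fpm;
                fastcgi_index index.php;
                fastcgi_split_path_info ^/phpmyadmin(.+\.php)(.*)$;
                fastcgi_param SCRIPT_FILENAME /var/www/phpmyadmin$fastcgi_script_name;
                include /etc/nginx/fastcgi_params;
            }
        }

        # Static assets: no access log, long client cache
        # (dot before the extension group escaped; it used to match any character)
        location ~* ^.+\.(jp?g|gif|png|css|js|flv|swf|ico|xml|txt|eot|svg|ttf|woff|woff2)$ {
            access_log off;
            log_not_found off;
            expires 30d;
        }

        # Never serve dotfiles of web servers or VCS checkouts (the document
        # root is a git clone, so .git lives under it)
        location ~ /(\.ht|\.user\.ini|\.git|\.hg|\.bzr|\.svn) {
            deny all;
        }
    }
}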
#####client_max_body_size
php.ini の upload_max_filesize と同じ値にしておくと平和（nginx と PHP のどちらか一方だけでアップロードが弾かれることがない）。
#####worker_rlimit_nofile
$ cat /proc/sys/fs/file-max
379002
↑プロセス数にもよるが、この値の10%前後にすることにした。
#####worker_connections
worker_rlimit_nofile / 4 なら大丈夫らしい。
まあ 2048 or 4096 で問題ないやろ。
FastCGIcache
WordpressでNginx(FastCGIcache)の設定
Let’s Encrypt
Let’s Encrypt for Amazon Linux + Nginx
SSL確認
$ openssl s_client -connect [ドメイン]:443 -showcerts
起動
$ chown -R nginx:nginx /var/lib/php/7.3/session
$ chown -R nginx:nginx /var/www/html
$ service nginx start
$ service php-fpm-7.3 start
$ chkconfig nginx on
$ chkconfig php-fpm-7.3 on
ブラウザで確認（確認が済んだら phpinfo.php は削除しておく）
/var/www/html/phpinfo.php
<?php echo phpinfo();?>
セキュリティ評価
BASIC認証
$ yum install -y httpd-tools
$ cd /etc/nginx
$ htpasswd -c .htpasswd [ユーザー名]
/etc/nginx/nginx.conf
# Excerpt for /etc/nginx/nginx.conf: puts the whole site (location /) behind
# HTTP Basic authentication using the .htpasswd created with htpasswd above.
server {
location / {
# realm string shown in the browser's login prompt
auth_basic "Restricted";
# file created by: htpasswd -c .htpasswd [ユーザー名]
auth_basic_user_file /etc/nginx/.htpasswd;
}
}