一、更新系统

和更新源同步

1	sudo apt update

显示出哪些软件可以更新

1	sudo apt list --upgradable

进行更新

1	sudo apt upgrade -y

也可以直接用复合命令更新

1	sudo apt update && sudo apt upgrade -y

二、安装 `nginx`

2.1、安装 `nginx`

安装必备组件

1	sudo apt install curl gnupg2 ca-certificates lsb-release debian-archive-keyring

导入官方 nginx 签名密钥，以便 apt 可以验证软件包真实性。

获取密钥

1 2	curl https://nginx.org/keys/nginx_signing.key \| gpg --dearmor \ \| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

验证下载的文件是否包含正确的密钥

1	gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg

输出应包含完整指纹，如下所示：573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62

1
2
3

pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
      573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid                      nginx signing key <signing-key@nginx.com>

如果指纹不同，请删除该文件。

将 nginx 的稳定源加入系统

1
2
3

echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/debian `lsb_release -cs` nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list

设置 nginx 官方源的优先级高于 Debian 系统的官方仓库

1 2	echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \ \| sudo tee /etc/apt/preferences.d/99nginx

更新源，并安装 nginx

1	sudo apt update

1	sudo apt install nginx

查看状态，启动 nginx

安装好的 nginx 默认是 dead 状态，需要启动，并设置开机启动。

查看nginx服务的状态

1	systemctl status nginx

启动nginx服务

1	sudo systemctl start nginx

设置nginx开机启动

1	sudo systemctl enable nginx

确认nginx服务的启动状态

1	systemctl status nginx

相关命令

sudo nginx -V                       <-- 查看nginx的编译参数
cat /etc/nginx/nginx.conf           <-- 查看nginx的配置文件
cat /etc/nginx/conf.d/default.conf  <-- 还是nginx的配置文件
systemctl status nginx              <-- 查看nginx服务的状态
sudo systemctl start nginx          <-- 启动nginx服务
sudo systemctl enable nginx         <-- 设置nginx开机启动
systemctl status nginx              <-- 确认nginx服务的启动状态
ip a                                <-- 查看本机IP地址

2.2、新建证书文件夹 `cert`

1	cd /etc/nginx

1	mkdir cert

cd

将证书上传到 cert 文件夹

使用 Xftp 将下载好的证书上传到证书文件夹。

2.3、默认 `nginx` 配置文件

位于 /etc/nginx/conf.d/default.conf 的配置可以修改如下，开启 gzip，也可以按需开启缓存。

server {
    listen       80;
    server_name  localhost;

    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
    
    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}

    # 开启gzip
    gzip on;

    # 启用gzip压缩的最小文件，小于设置值的文件将不会压缩
    gzip_min_length 1k; # 开始压缩的最小长度(再小就不要压缩了,意义不在)

    # gzip 压缩级别，1-9，数字越大压缩的越好，也越占用CPU时间，后面会有详细说明
    gzip_comp_level 1;

    # 进行压缩的文件类型。javascript有多种形式。其中的值可以在 mime.types 文件中找到。
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png application/vnd.ms-fontobject font/ttf font/opentype font/x-woff image/svg+xml;

    # 是否在http header中添加Vary: Accept-Encoding，建议开启
    gzip_vary on;

    # 禁用IE 6 gzip
    gzip_disable "MSIE [1-6]\.";  #正则匹配UA，配置禁用gzip条件。此处表示ie6及以下不启用gzip（因为ie低版本不支持）

    # 设置压缩所需要的缓冲区大小     
    gzip_buffers 32 4k; # 缓冲(压缩在内存中缓冲几块? 每块多大?)

    # 设置gzip压缩针对的HTTP协议版本，没做负载的可以不用
    # gzip_http_version 1.0;
    # gzip_http_version 1.1; # 开始压缩的http协议版本(可以不设置,目前几乎全是1.1协议)

    # 开启缓存
    # 缓存图片
    # location ~* ^.+\.(ico|gif|jpg|jpeg|png)$ { 
    #     access_log   off; 
    #     expires      2d;
    # }

    #缓存js、css、视频文件
    # location ~* ^.+\.(css|js|txt|xml|swf|wav)$ {
    #     access_log   off;
    #     expires      24h;
    # }

    # 缓存html类型文件
    # location ~* ^.+\.(html|htm)$ {
    #     expires      1h;
    # }

    # 缓存字体文件，配合gzip更好
    # location ~* ^.+\.(eot|ttf|otf|woff|svg)$ {
    #     access_log   off;
    #     expires 2d;
    # }

    # 格式
    # expires 30s;
    # expires 30m;
    # expires 2h;
    # expires 30d;
    # expires max;

}

验证并重载 nginx 配置

nginx -t

1	nginx -s reload

三、安装 MariaDB

3.1、查看版本

MySQL 在默认的 Debian 存储库中不可用。 MariaDB 是 Debian 11 中的默认数据库。

MariaDB 是 MySQL 的直接替代品，完全兼容 MySQL，支持所有标准的 MySQL 功能，包括 API 和命令行等。

通过以下命令，我们可以检查 Debian 11 官方源提供的 mariadb-server 是哪个版本的。

1	apt-cache search mariadb-server

1	apt-cache show mariadb-server

3.2、安装 `MariaDB`

更新源

1	sudo apt update

安装 mariadb-server

1	sudo apt install mariadb-server

确认 mariadb 已启动

1	systemctl status mariadb

执行数据库自带的安全脚本，按提示进行配置

1	sudo mysql_secure_installation

输出内容如下：

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n] n
 ... skipping.
 
//Unix socket 认证是另一种保护 MariaDB 数据库的方法。Unix socket 认证允许您在不输入密码的情况下连接到 MariaDB。相反，您使用位于服务器上的特殊套接字文件连接到 MariaDB。

//Unix socket 认证比使用密码更安全，因为它不需要您将密码传输到网络上。但是，重要的是要注意，unix socket 认证仅适用于您从同一台机器连接到 MariaDB 服务器的情况。

//如果您不确定使用哪种方法，一般建议设置 root 用户密码并使用 mysql 客户端连接到 MariaDB。这将为您提供安全性和便利性的良好平衡。

You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n] y     //修改 root 用户密码，输入 y 并回车或直接回车
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y     //是否删除匿名用户，建议删除
 ... Success!
//匿名用户是不需要密码即可登录 MariaDB 的用户。删除匿名用户可以帮助您防止未经授权的访问。

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y     //是否禁止 root 远程登录，建议禁止
 ... Success!
//默认情况下，root 用户可以从任何主机远程登录 MariaDB。禁止 root 用户远程登录可以帮助您防止未经授权的访问。

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y     //是否删除test数据库，y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!
 //测试数据库包含一些示例数据，用于测试 MariaDB 功能。删除测试数据库和对它的访问权限可以帮助您防止数据被损坏。

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y     //是否重新加载权限表，y
 ... Success!
//重新加载权限表将使 MariaDB 应用程序使用新的权限设置。

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

设置开机启动

1	sudo systemctl enable mariadb

3.3、新建数据库和用户，并进行授权

连接数据库，连接成功后，在 MariaDB [(none)]> 后输入操作命令

1	mysql -uroot -p

输出如下

root@iZj6cbu3y55faj33gzi8ybZ:~# mysql -uroot -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 38
Server version: 10.5.19-MariaDB-0+deb11u2 Debian 11

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

修改 root 用户权限设置

1	GRANT ALL PRIVILEGES ON . TO 'root'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;

1	flush privileges;

exit

1	mysql -uroot -p

新建数据库

1	show databases;

1	create database wordpressdb;

添加新用户

1	create user 'wordpress'@'localhost' identified by '123456';

授权新用户拥有指定数据库的权限

1	grant all privileges on wordpressdb.* to 'wordpress'@'localhost' with grant option;

刷新使之立刻生效

1	flush privileges;

exit

测试新用户连接数据库，输入上面设定好的密码

1	mysql -uwordpress -p

1	show databases;

exit

四、安装 `PHP`

官方手册

4.1、查看版本

1	apt-cache search php-fpm

1	apt-cache show php-fpm

通过以上指令，我们可以确认官方源自带 php-fpm 的版本就是7.4，所以我们直接安装系统自带的版本（7.4版本）就好。

4.2、安装依赖

1	sudo apt install openssl libssl-dev libpcre3 libpcre3-dev libsodium23 libsodium-dev zlib1g zlib1g-dev libmcrypt4 libmcrypt-dev imagemagick ghostscript

4.3、安装核心模块及其他模块

可以只安装核心模块，但很可能还需要更多模块，例如 MySQL，cURL，GD 等。这些模块也可以通过 apt 命令安装。

1	sudo apt install php7.4-fpm php7.4-{json,mysql,curl,common,imagick,mbstring,xml,zip,bcmath,gd,intl,ssh2}

显示 php 信息

php -i

查看 php7.4-fpm 服务状态，上面也会显示 php-fpm 所采用的配置文件为 /etc/php/7.4/fpm/php-fpm.conf

1	systemctl status php7.4-fpm

php-fpm 配置文件，实际加载了 /etc/php/7.4/fpm/pool.d/ 目录下的所有 .conf 配置文件

1	cat /etc/php/7.4/fpm/php-fpm.conf

php-fpm 的实际配置文件

1	cat /etc/php/7.4/fpm/pool.d/www.conf

php 配置文件

1	cat /etc/php/7.4/fpm/php.ini

4.4、配置 `PHP-FPM`

确认 nginx 启动的用户，为 nginx

1	cat /etc/nginx/nginx.conf

id nginx

编辑 user、group、listen.owner 和 listen.group 属性，改为与 nginx 启动相同的用户——即 nginx

1	sudo vi /etc/php/7.4/fpm/pool.d/www.conf

1	sudo sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/7.4/fpm/php.ini

重启 php7.4-fpm 服务

1	sudo systemctl restart php7.4-fpm

确认 socket 用户已变更

1	ls -al /run/php/php7.4-fpm.sock

设置 php-fpm 服务开机启动

1	sudo systemctl enable php7.4-fpm

配置完成，应如下所示

root@iZj6cbu3y55faj33gzi8ybZ:~# grep '^user' /etc/nginx/nginx.conf
user  nginx;
root@iZj6cbu3y55faj33gzi8ybZ:~# cat /etc/php/7.4/fpm/pool.d/www.conf | grep '^[^;]' | grep 'user\|group\|owner'
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
root@iZj6cbu3y55faj33gzi8ybZ:~# grep 'cgi.fix_pathinfo=' /etc/php/7.4/fpm/php.ini
cgi.fix_pathinfo=0
root@iZj6cbu3y55faj33gzi8ybZ:~# ls -alF /run/php/php7.4-fpm.sock
srw-rw---- 1 nginx nginx 0 Sep 21 01:09 /run/php/php7.4-fpm.sock=

4.5、配置 `nginx` 支持 `php` 网页

备份nginx当前的站点配置

1	sudo cp /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.20230920.bak

1	sudo mkdir -p /usr/share/nginx/www

变更站点目录的所有者为 nginx 用户

1	sudo chown -R nginx:nginx /usr/share/nginx/www/

1	ls -al /usr/share/nginx/www/

编辑 nginx 的站点配置，示例配置，可直接配置网站的配置文件

1	vim /etc/nginx/conf.d/default.conf

# /etc/nginx/conf.d/default.conf

# WordPress single site rules.
# Designed to be included in any server {} block.
# Upstream to abstract backend connection(s) for php
upstream php {
        server unix:/run/php/php7.4-fpm.sock;
}

server {
    listen       80;
    server_name  localhost;

    #access_log  /var/log/nginx/host.access.log  main;

    root   /usr/share/nginx/html/test-www;
    index  index.php index.html index.htm;

    location / {
        # This is cool because no php is touched for static content.
        # include the "?$args" part so non-default permalinks doesn't break when using query string
        try_files $uri $uri/ /index.php?$args;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_pass php;
        #The following parameter can be also included in fastcgi_params file
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # WordPress global restrictions file

    # Global restrictions configuration file.
    # Designed to be included in any server {} block.
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    location ~ /\. {
        deny all;
    }

    # Deny access to any files with a .php extension in the uploads directory
    # Works in sub-directory installs and also in multisite network
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    # General WordPress rules

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }
}

验证并重载 nginx 配置

1	sudo nginx -t

1	sudo nginx -s reload

五、部署 `WordPress`

5.1、部署

下载最新版的WordPress

1	wget https://wordpress.org/latest.tar.gz

解压文件

1	tar xzvf latest.tar.gz

1	sudo mv ./wordpress/* /usr/share/nginx/www/

1	rm -rf ./wordpress/

1	sudo chown -R nginx:nginx /usr/share/nginx/www/

5.2、`nginx` 配置

将准备好的域名解析到服务器的 IP
将证书上传到 cert 文件夹
使用 Xftp 将下载好的证书上传到证书文件夹。
将 nginx 配置上传到 /etc/nginx/conf.d 文件夹

upstream php {
        server unix:/run/php/php7.4-fpm.sock;
}

server {

    listen 80;
    listen [::]:80;

    server_name test.ysbzcn.com;

    return 301 https://$host$request_uri;

}

server {

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name test.ysbzcn.com; #你的域名，已经解析到服务器ip

  #HTTP 重定向到 HTTPS
    # if ($ssl_protocol = "") { return 301 https://$host$request_uri; }

  #判断 $host 如果不是设置好的域名，就返回403页面，可以禁止 IP 访问 Web。
    if ($host !~ (test.ysbzcn.com)$){
      return 403;
   }

  # IP 访问跳转至域名，将域名替换成自己的。就是判断 $host 如果不是域名结尾的，就重定向至该域名。
  #   if ($host !~ (test.ysbzcn.com)$){
  #     rewrite ^ https://ad.ysbzcn.com$request_uri?;
  #  }

  # IP 访问跳转至域名，将 IP 和域名替换成自己的。判断是 IP 的，就重定向。
  #   if ($host ~ 192.168.1.1){
  #   rewrite ^ https://www.yourdomain.com$request_uri?;
  #  }


  #证书位置
    ssl_certificate      /etc/nginx/cert/test.ysbzcn.com.pem; 
    ssl_certificate_key  /etc/nginx/cert/test.ysbzcn.com.key;

  #证书配置
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;  #安全链接可选的加密协议
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;  #加密算法
    ssl_prefer_server_ciphers on;  #表示优先使用服务端加密套件。默认开启
    ssl_session_timeout 10m;  #缓存有效期

    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_buffer_size 1400;
    add_header Strict-Transport-Security max-age=15768000;
    ssl_stapling on;
    ssl_stapling_verify on;
    client_max_body_size 1024m;

  #Nginx 默认的 client_max_body_size 配置大小为 1m，可能会导致你在 Halo 后台上传文件被 Nginx 限制，
  #所以此示例配置文件加上了 client_max_body_size 1024m; 这行配置。当然，1024m 可根据你的需要自行修改

  #日志
    access_log   /var/log/nginx/nginx.test.access.log;
    error_log    /var/log/nginx/nginx.test.error.log;

    root   /usr/share/nginx/www;
    index  index.php index.html index.htm;
    
    error_page  404 /404.html;
    location = /404.html {
        root   /usr/share/nginx/www;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location / {
        # This is cool because no php is touched for static content.
        # include the "?$args" part so non-default permalinks doesn't break when using query string
        try_files $uri $uri/ /index.php?$args;
    }

    #pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    
    location ~ \.php$ {
        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_pass php;
        #The following parameter can be also included in fastcgi_params file
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    location ~ /\. {
        deny all;
    }

    # Deny access to any files with a .php extension in the uploads directory
    # Works in sub-directory installs and also in multisite network
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    # General WordPress rules

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }

  #禁止访问的文件或目录
    location ~ /(\.user\.ini|\.ht|\.git|\.svn|\.project|LICENSE|README\.md) {
      deny all;
    }
  #禁止访问的文件或目录
  
}