写给自己看的备份文档
使用Docker的好处很多,关键点在于方便迁移,不影响主机等等。本blog就使用Docker安装,现将过程记录如下。
首先,你需要有一台主机,这是废话。
安装docker-ce与docker-compose,推荐按照官网的官方步骤安装,在这里不多说。
域名与DNS解析,这个应该也不需要我来提。
第一、你需要建立目录来放置nginx配置文件
mkdir wordpress && cd wordpress mkdir nginx-conf vim nginx-conf/nginx.conf
server {
listen 80;
listen [::]:80;
server_name 346pro.club www.346pro.club;
index index.php index.html index.htm;
root /var/www/html;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/html;
}
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location ~ /\.ht {
deny all;
}
location = /favicon.ico {
log_not_found off; access_log off;
}
location = /robots.txt {
log_not_found off; access_log off; allow all;
}
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
}
请将server_name的域名更换为自己的域名
我暂时不对配置文件做详细的分析,如有兴趣可以自己看nginx文档
二、建立环境,设置sql密码
在之前的目录中,创立.env环境文件vim .env
MYSQL_ROOT_PASSWORD=your_root_password MYSQL_USER=your_wordpress_database_user MYSQL_PASSWORD=your_wordpress_database_password
设置你自己想设置的数据库密码
再建立docker忽略目录,这样保证密码文件不会出现在docker里面
三、创建docker-compose.yml文件
docker-compose.yml文件包含了使用docker的镜像、版本以及运行方式,其作为本次搭建的最主要部分,创建docker-compose.yml文件vim docker-compose.yml我使用了如下配置
version: '3.3'
services:
db:
image: mysql:8
container_name: db
restart: unless-stopped
env_file: .env
environment:
- MYSQL_DATABASE=wordpress
volumes:
- dbdata:/var/lib/mysql
command: '--default-authentication-plugin=mysql_native_password'
networks:
- app-network
wordpress:
depends_on:
- db
image: wordpress:fpm-alpine
container_name: wordpress
restart: unless-stopped
env_file: .env
environment:
- WORDPRESS_DB_HOST=db:3306
- WORDPRESS_DB_USER=$MYSQL_USER
- WORDPRESS_DB_PASSWORD=$MYSQL_PASSWORD
- WORDPRESS_DB_NAME=wordpress
volumes:
- wordpress:/var/www/html
networks:
- app-network
webserver:
depends_on:
- wordpress
image: nginx:alpine
container_name: webserver
restart: unless-stopped
ports:
- "80:80"
volumes:
- wordpress:/var/www/html
- ./nginx-conf:/etc/nginx/conf.d
- certbot-etc:/etc/letsencrypt
networks:
- app-network
certbot:
depends_on:
- webserver
image: certbot/certbot
container_name: certbot
volumes:
- certbot-etc:/etc/letsencrypt
- wordpress:/var/www/html
command: certonly --webroot --webroot-path=/var/www/html --email [email protected] --agree-tos --no-eff-email --force-renewal -d 346pro.club -d www.346pro.club
volumes:
certbot-etc:
wordpress:
dbdata:
networks:
app-network:
driver: bridge
在这一部分中,我们规定了docker镜像所拉取的版本以及端口号的映射方式,其结构包括以下几个部分:
db:mysql数据库镜像
wordpress:wordpress版本镜像
web-server:网站服务器nginx镜像
certbot:自动证书镜像
使用桥接网络,镜像共享数据
配置完成以后,我们就可以运行镜像了
四、运行docker-compose
我们使用docker-compose up -d来运行docker-compose,在启用后,我们可以看到镜像的拉取过程与运行结果,之后,我们使用docker-compose ps来查看运行的结果,若结果不为
Name Command State Ports
-------------------------------------------------------------------------
certbot certbot certonly --webroot ... Exit 0
db docker-entrypoint.sh --def ... Up 3306/tcp, 33060/tcp
webserver nginx -g daemon off; Up 0.0.0.0:80->80/tcp
wordpress docker-entrypoint.sh php-fpm Up 9000/tcp 则需要使用docker-compose logs service_name命令来查看出问题的服务,并使用docker-compose up -d --force-recreate --no-deps service_name重启服务
五、配置证书服务
如果上述服务启动完成,我们则需要修改nginx配置文件使其可以访问443端口服务,将文件内容替换为
server {
listen 80;
listen [::]:80;
server_name 346pro.club www.346pro.club;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/html;
}
location / {
rewrite ^ https://$host$request_uri? permanent;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name 346pro.club www.346pro.club;
index index.php index.html index.htm;
root /var/www/html;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/346pro.club/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/346pro.club/privkey.pem;
include /etc/nginx/conf.d/options-ssl-nginx.conf;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# enable strict transport security only if you understand the implications
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location ~ /\.ht {
deny all;
}
location = /favicon.ico {
log_not_found off; access_log off;
}
location = /robots.txt {
log_not_found off; access_log off; allow all;
}
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
}
并在docker-compose.yml文件中加入443端口
webserver:
depends_on:
- wordpress
image: nginx:alpine
container_name: webserver
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- wordpress:/var/www/html
- ./nginx-conf:/etc/nginx/conf.d
- certbot-etc:/etc/letsencrypt
networks:
- app-network
之后重启webserver服务docker-compose up -d --force-recreate --no-deps webserver。之后可以用docker-compose ps来查看运行的结果,应该是
Name Command State Ports
----------------------------------------------------------------------------------------------
certbot certbot certonly --webroot ... Exit 0
db docker-entrypoint.sh --def ... Up 3306/tcp, 33060/tcp
webserver nginx -g daemon off; Up 0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
wordpress docker-entrypoint.sh php-fpm Up 9000/tcp 六、配置计划任务,自动重签证书
创建文件ssl_renew.sh
#!/bin/bash COMPOSE="/usr/local/bin/docker-compose --no-ansi" DOCKER="/usr/bin/docker" cd /home/sammy/wordpress/ $COMPOSE run certbot renew --dry-run && $COMPOSE kill -s SIGHUP webserver $DOCKER system prune -af
给予其执行权限chmod +x ssl_renew.sh并使用sudo crontab -e 将其加入到计划任务中,这样就可以自动执行证书重签的工作了。
PS.
我在使用cf的cdn服务时,曾经遇到了ssh证书重定向过多的问题,这种情况下,只需要将cf的证书加密选项,由灵活改为full就可以解决这个问题了,这在cf的文档中也有记载。
别整docker部署了,阿里云函数太香辣