WordPress + Reverse Proxy (Nginx) + SSL

This tutorial was tested on Ubuntu 20.04. 18.04 or earlier versions may not be compatible, and you may need to adjust some of the commands yourself.

When WordPress runs behind a reverse proxy with SSL, some special settings are required for it to work normally. Many tutorials on the Internet are either out of date or wrong. This tutorial does not cover WordPress installation or the details of each tool; for those, refer to other bloggers' articles.

The service structure is as follows:

[Nginx: Reverse Proxy: https port 443] — [Nginx: Web Service: http port 8050] — [WordPress]

Key points:

  • The http port can be changed, but the https port cannot.
  • WordPress itself is not friendly to SSL behind a reverse proxy and requires a code modification and a plug-in.
  • While setting up and debugging, remember to clear the browser's cache and turn off the browser's automatic http-to-https redirection.

SSL

If you choose to use the free Let's Encrypt, pay attention to python version compatibility issues.

sudo apt-get install letsencrypt
sudo apt-get install python3-certbot-nginx

List every domain/subdomain that you want to encrypt, each with its own -d.

sudo certbot --nginx -d domain.com -d www.domain.com

Automatic renewal.

sudo crontab -e

Add settings:

30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log 2>&1
35 2 * * 1 sudo systemctl reload nginx

Key points:

  • Certbot will ask a few questions in English, including whether to redirect http to https automatically. You can choose yes to let it generate the configuration, and then manage it manually.

Add WordPress SSL Plugin

Install and enable the "Really Simple SSL" plug-in for WordPress, and use the free version first.

Nginx Reverse Proxy

Configure the front-end reverse proxy that handles SSL encryption; remember to change the domain/subdomain.

server {
    server_name www.domain.com;

    location / {
        client_max_body_size 128m;
        try_files $uri @app;
    }

    location @app {
        # This block is the key point. Many strange problems appear if it is set incorrectly. Many tutorials are either incomplete or wrong.
        proxy_pass http://10.0.0.1:8050; # Replace with the IP and port of your backend Nginx Web Service.

        add_header X-Frame-Options SAMEORIGIN;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen [::]:443 ssl http2; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot

    # The following lines are added automatically by Certbot and can be managed manually. Remember to replace the certificate paths with your own.

    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    # Automatically redirect all domain.com requests to www.domain.com.
    server_name domain.com;

    return 301 $scheme://www.domain.com$request_uri;

    listen [::]:443 ssl http2; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot

    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
# Automatically transfer http to https.
    if ($host = domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = www.domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name domain.com www.domain.com;

    listen 80 default_server;
    listen [::]:80 default_server;

    return 404; # managed by Certbot
}

Restart Nginx.

sudo systemctl reload nginx

Nginx Web Service

Remember to set the port that is exposed to the Nginx Reverse Proxy configured above. This tutorial uses 8050.

server {
    listen 8050;
    listen [::]:8050;
    root /var/www/wpweb;

    index index.php index.html index.htm;

    # The following server_name line is the key point; many tutorials get it wrong.
    server_name _;

    location / {
        try_files $uri $uri/ /index.php?$args;
        client_max_body_size 256m;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }
}

Restart Nginx.

sudo systemctl reload nginx

Modify wp-config.php

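Open wp-config.php. In this tutorial it is under /var/www/wpweb; the location depends on where WordPress is installed. Add the following code.

At the top, right after <?php:

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    // The reverse proxy terminated SSL, so tell WordPress the request is HTTPS.
    $_SERVER['HTTPS'] = 'on';
    $_SERVER['SERVER_PORT'] = 443;
}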

At the bottom:

define('WP_HOME','https://www.domain.com');
define('WP_SITEURL','https://www.domain.com');

This modification is in the PHP layer, so there is no need to restart Nginx.
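The wp-config.php block above trusts X-Forwarded-Proto from whoever connects to port 8050, so the backend should accept connections only from the reverse proxy. The following is an added example, not part of the original tutorial, of the Nginx Web Service block restricted that way. It assumes 10.0.0.1 is the backend address used in proxy_pass above and uses 10.0.0.2 as a placeholder for the proxy's private address.

```nginx
# Added example: backend WordPress vhost reachable only by the reverse proxy.
# 10.0.0.1 = backend address from proxy_pass above.
# 10.0.0.2 = ASSUMED placeholder for the reverse proxy's private address.
server {
    # Weak form in the tutorial: "listen 8050; listen [::]:8050;" binds every
    # interface, so any host that can reach the port can talk to WordPress
    # directly and supply its own X-Forwarded-* headers.
    # Corrected form: bind only the private address the proxy connects to.
    listen 10.0.0.1:8050;

    root /var/www/wpweb;
    index index.php index.html index.htm;

    server_name _;

    # Second layer: answer only the proxy, return 403 to everything else.
    # Do not combine this with real_ip_header in the same server block:
    # allow/deny would then be evaluated against the visitor's address.
    allow 10.0.0.2;
    deny all;

    location / {
        try_files $uri $uri/ /index.php?$args;
        client_max_body_size 256m;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }
}
```

After reloading Nginx, a request to port 8050 from any host other than the proxy should be refused or answered with 403, while the site still loads through https://www.domain.com.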

After Finishing

After all is done, you should be able to enter www.domain.com or domain.com to access WordPress under SSL, and you're done.

In this state, you may find that WordPress cannot be accessed by its public or private IP address. This is normal. The two cases are different: for the private IP you need to modify wp-config.php further, while the public IP involves SSL. This article will not discuss either. If you need this, looking up multiple domain name settings will be enlightening.
