@metastable
Last active March 5, 2020 21:04
wordpress setup
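#!/usr/bin/env bash
# wordpress Amazon Linux2
#
# Site / host parameters for the rest of this script. Everything below is
# exported because later steps read the values inside sudo'd heredocs.
#
# Secrets: ADMIN_PASSWORD and WORDPRESS_DB_PASSWORD are taken from the
# environment when set, otherwise a 32-character alphanumeric value is drawn
# from /dev/urandom. The original hard-coded 'secret_password' for both, which
# ends up in the WordPress admin account and the DB grant of every host built
# from this gist. Generated values are echoed once to stderr so the operator can
# record them; if this runs under cloud-init (whose output is logged), pass the
# passwords in via the environment instead.
export OS_USER='ec2-user'
#export OS_PASSWORD=''
export TITLE='xxxxxxxx'
export URL='https://xxxxxxxx.staging.kiwamu.work'
export CN='*.xxxxxxxx.staging.kiwamu.work'
export ADMIN_USER='wpmaster'
if [ -z "${ADMIN_PASSWORD:-}" ]; then
    ADMIN_PASSWORD="$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)"
    printf 'ADMIN_PASSWORD was generated: %s\n' "${ADMIN_PASSWORD}" >&2
fi
export ADMIN_PASSWORD
export ADMIN_EMAIL='root@localhost.localdomain'
export WORDPRESS_DB_USER='wordpress'
if [ -z "${WORDPRESS_DB_PASSWORD:-}" ]; then
    WORDPRESS_DB_PASSWORD="$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)"
    printf 'WORDPRESS_DB_PASSWORD was generated: %s\n' "${WORDPRESS_DB_PASSWORD}" >&2
fi
export WORDPRESS_DB_PASSWORD
export WORDPRESS_DB_NAME='wordpress'
# Connect over the local UNIX socket; nothing is bound on TCP for the DB.
export WORDPRESS_DB_HOST='localhost:/var/lib/mysql/mysql.sock'
export WORDPRESS_DB_PREFIX='wp_'
export WP_HOME_PATH='/var/www/wordpress'
export WP_NAME='xxxxxxxx'
export HOST_NAME=xxxxxxxx.staging.kiwamu.work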
# Host identity: persist the hostname, then set locale and timezone via systemd.
printf '%s\n' "${HOST_NAME}" | sudo tee /etc/hostname > /dev/null
sudo localectl set-locale LANG=en_US.UTF-8
sudo timedatectl set-timezone Asia/Tokyo
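echo "4. ネットワークチューニング(IPv6無効)"
# Disable IPv6 at three layers: the legacy sysconfig flag, the module option,
# and sysctl (persisted under /etc/sysctl.d and also applied live).
echo "NETWORKING_IPV6=no" | sudo tee -a /etc/sysconfig/network > /dev/null
echo "options ipv6 disable=1" | sudo tee /etc/modprobe.d/disable-ipv6.conf > /dev/null
sudo tee /etc/sysctl.d/99-disable-ipv6.conf > /dev/null <<-'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
EOF
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
# BBR congestion control (kernel 4.9+). Load it now and register it with
# systemd-modules-load for boot. The original wrote the file with
# `sudo echo 'tcp_bbr' >> ...`: the redirect is opened by the unprivileged
# shell before sudo runs, so it failed with EACCES and BBR was never loaded at
# boot. `tee -a` under sudo performs the append with root privileges.
if sudo modprobe tcp_bbr; then
    echo 'tcp_bbr' | sudo tee -a /etc/modules-load.d/99-bbr.conf > /dev/null
fi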
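# Kernel tuning drop-in. Kept close to Michiel Klaver's published file, with
# three corrections for this host (Amazon Linux 2, kernel 4.14):
#  - kernel.maps_protect / kernel.exec-shield / net.ipv4.tcp_tw_recycle no
#    longer exist and only produced "No such file or directory" noise;
#  - vm.mmap_min_addr was 4096, i.e. *below* the x86_64 default of 65536, which
#    weakened the NULL-pointer-dereference mitigation instead of hardening it.
sudo tee /etc/sysctl.d/99-performance.conf > /dev/null <<-'EOF'
# Kernel sysctl configuration file for Linux
#
# Version 1.14 - 2019-04-05
# Michiel Klaver - IT Professional
# http://klaver.it/linux/ for the latest version - http://klaver.it/bsd/ for a BSD variant
#
# This file should be saved as /etc/sysctl.conf and can be activated using the command:
# sysctl -e -p /etc/sysctl.conf
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details.
#
# Tested with: Ubuntu 14.04 LTS kernel version 3.13
# Debian 7 kernel version 3.2
# CentOS 7 kernel version 3.10
#
# Intended use for dedicated server systems at high-speed networks with loads of RAM and bandwidth available
# Optimised and tuned for high-performance web/ftp/mail/dns servers with high connection-rates
# DO NOT USE at busy networks or xDSL/Cable connections where packetloss can be expected
# ----------
# Credits:
# http://www.enigma.id.au/linux_tuning.txt
# http://www.securityfocus.com/infocus/1729
# http://fasterdata.es.net/TCP-tuning/linux.html
# http://fedorahosted.org/ktune/browser/sysctl.ktune
# http://www.cymru.com/Documents/ip-stack-tuning.html
# http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
# http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
# http://knol.google.com/k/linux-performance-tuning-and-measurement
# http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
# http://www.redbooks.ibm.com/abstracts/REDP4285.html
# http://www.speedguide.net/read_articles.php?id=121
# http://lartc.org/howto/lartc.kernel.obscure.html
# http://en.wikipedia.org/wiki/Sysctl
# https://blog.cloudflare.com/http-2-prioritization-with-nginx/
###
### GENERAL SYSTEM SECURITY OPTIONS ###
###
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
#Allow for more PIDs
kernel.pid_max = 65535
# kernel.maps_protect (dropped in 2.6.27; the ptrace gate on /proc/<pid>/maps is
# always on since then) and kernel.exec-shield (RHEL 5 only) are not present on
# this kernel and were removed from this file. ASLR below is what applies here.
kernel.randomize_va_space = 2
# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65535
# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65535
# Restrict core dumps
fs.suid_dumpable = 0
# Hide exposed kernel pointers
kernel.kptr_restrict = 1
###
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
###
# Increase size of file handles and inode cache
fs.file-max = 209708
# Do less swapping
vm.swappiness = 30
vm.dirty_ratio = 30
vm.dirty_background_ratio = 5
# specifies the minimum virtual address that a process is allowed to mmap.
# Keep the x86_64 default: lowering it (the source file used 4096) lets a
# process map the low pages that NULL-pointer dereference exploits rely on.
vm.mmap_min_addr = 65536
# 50% overcommitment of available memory
vm.overcommit_ratio = 50
vm.overcommit_memory = 0
# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456
kernel.shmall = 268435456
# Keep at least 64MB of free RAM space available
vm.min_free_kbytes = 65535
###
### GENERAL NETWORK SECURITY OPTIONS ###
###
#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096
# Disables packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
# Disables IP source routing
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 7
# Decrease the time default value for connections to keep alive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
# Don't relay bootp
net.ipv4.conf.all.bootp_relay = 0
# Don't proxy arp for anyone
net.ipv4.conf.all.proxy_arp = 0
# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
net.ipv4.tcp_timestamps = 1
# Don't ignore directed pings
net.ipv4.icmp_echo_ignore_all = 0
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65535
# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
net.ipv4.tcp_rfc1337 = 1
# Do not auto-configure IPv6
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.accept_ra=0
# The two lines below assume the NIC is named eth0; on a host where it is not,
# they are reported as unknown keys and skipped (the all/default entries above
# still apply).
net.ipv6.conf.eth0.autoconf=0
net.ipv6.conf.eth0.accept_ra=0
###
### TUNING NETWORK PERFORMANCE ###
###
# Use BBR TCP congestion control and set tcp_notsent_lowat to 16384 to ensure HTTP/2 prioritization works optimally
# Do a 'modprobe tcp_bbr' first (kernel > 4.9)
# Fall-back to htcp if bbr is unavailable (older kernels): keys are applied in
# order, so if the bbr line is rejected the htcp value set just before it stands.
net.ipv4.tcp_congestion_control = htcp
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_notsent_lowat = 16384
# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
net.core.default_qdisc = fq
# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1
# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 8388608
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 262144
net.core.rmem_max = 8388608
# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 8388608
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 262144
net.core.wmem_max = 8388608
# Increase number of incoming connections
net.core.somaxconn = 32768
# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 16384
net.core.dev_weight = 64
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 65535
# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000
# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT).
# net.ipv4.tcp_tw_recycle was removed in Linux 4.12 and is rejected by this kernel,
# so only tw_reuse is set here.
net.ipv4.tcp_tw_reuse = 1
# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0
# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
net.ipv4.ipfrag_low_thresh = 196608
net.ipv6.ip6frag_low_thresh = 196608
net.ipv4.ipfrag_high_thresh = 262144
net.ipv6.ip6frag_high_thresh = 262144
# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
# Increase size of RPC datagram queue length
net.unix.max_dgram_qlen = 50
# Don't allow the arp table to become bigger than this
net.ipv4.neigh.default.gc_thresh3 = 2048
# Tell the gc when to become aggressive with arp table cleaning.
# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
net.ipv4.neigh.default.gc_thresh2 = 1024
# Adjust where the gc will leave arp table alone - set to 32.
net.ipv4.neigh.default.gc_thresh1 = 32
# Adjust to arp table gc to clean-up more often
net.ipv4.neigh.default.gc_interval = 30
# Increase TCP queue length
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_reordering = 3
# How many times to retry killing an alive TCP connection
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3
# Avoid falling back to slow start after a connection goes idle
# keeps our cwnd large with the keep alive connections (kernel > 3.6)
net.ipv4.tcp_slow_start_after_idle = 0
# Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
net.ipv4.tcp_fastopen = 3
# This will enusre that immediatly subsequent connections use the new values
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1
EOF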
# Path-MTU probing, as the original comment recommends for jumbo-frame hosts.
printf '%s\n' \
    '# recommended for hosts with jumbo frames enabled' \
    'net.ipv4.tcp_mtu_probing = 1' \
    | sudo tee /etc/sysctl.d/99-jumbo.conf > /dev/null
# Load /etc/sysctl.conf, then every drop-in (sysctl.d directories) written above.
sudo sysctl -p
sudo sysctl --system
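# Locale: restrict yum to en_US language files, set system and per-user locale.
echo "override_install_langs=en_US" | sudo tee -a /etc/yum.conf > /dev/null
sudo tee -a /etc/sysconfig/i18n > /dev/null <<-'EOF'
LANG="en_US.UTF-8"
LANGUAGE="en_US.UTF-8"
LC_CTYPE="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
EOF
sudo tee /etc/locale.conf > /dev/null <<-'EOF'
LANG="en_US.UTF-8"
EOF
# Per-user locale for the login shell. Use OS_USER (set at the top) instead of
# the hard-coded /home/ec2-user the original had here, so this step follows the
# same variable as the wp-completion step later on.
sudo tee -a "/home/${OS_USER}/.bash_profile" > /dev/null <<-'EOF'
LANG="en_US.UTF-8"
LANGUAGE="en_US.UTF-8"
LC_CTYPE="en_US.UTF-8"
export LANG
export LANGUAGE
export LC_CTYPE
EOF
# shellcheck disable=SC1090
source "/home/${OS_USER}/.bash_profile"
sudo yum -y install deltarpm
sudo yum -y update
sudo yum -y reinstall glibc-common
sudo localedef -v -c -i en_US -f UTF-8 en_US.UTF-8
# Reinstall every package so files filtered by override_install_langs are laid
# down again under the new setting. This is slow (minutes) and downloads every
# installed RPM; drop it if the locale files are not actually needed.
sudo yum -y reinstall \*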
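# Third-party repositories. Both are fetched over HTTPS; the Lynis repo is
# pinned to CISOfy's signing key with gpgcheck=1. yarn.repo is taken as
# published — warn if it does not turn on GPG verification itself.
sudo wget https://dl.yarnpkg.com/rpm/yarn.repo -O /etc/yum.repos.d/yarn.repo
if ! grep -qs '^gpgcheck=1' /etc/yum.repos.d/yarn.repo; then
    echo 'warning: yarn.repo does not set gpgcheck=1; packages from it are unverified' >&2
fi
# Plain `tee` (not -a): this is a new file, and appending would duplicate the
# section on a re-run.
sudo tee /etc/yum.repos.d/cisofy-lynis.repo <<-'EOF'
[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
EOF
sudo yum-config-manager --enable amzn2-core
sudo yum-config-manager --enable yarn
# Nothing in this script adds the NodeSource repo, and yum-config-manager
# errors on an unknown repo id, so only touch it when a repo file defines it.
# Without it, nodejs/npm come from the Amazon Linux repos.
if grep -qs '^\[nodesource\]' /etc/yum.repos.d/*.repo; then
    sudo yum-config-manager --enable nodesource
    sudo yum-config-manager --disable nodesource-source
fi
sudo amazon-linux-extras install epel nginx1.12 php7.3 memcached1.5 redis4.0 -y
sudo yum -y makecache fast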
# Base stack: web (nginx, php-fpm + extensions), DB (mariadb), caches (redis,
# memcached), mail (postfix), TLS (certbot), FTP (vsftpd) and the node/yarn
# toolchain. The list is kept exactly as the original (php-mbstring appears
# twice; yum ignores the duplicate).
packages=(
    git postfix nginx certbot python2-certbot-nginx yarn nodejs npm
    php-fpm php-cli php-devel php-pear php-intl php-mbstring php-gd php-xml php-process
    php-mbstring php-dom php-pecl-memcached php-pecl-redis php-pecl-apcu php-opcache php-mysqlnd
    php-zip php-ldap mariadb-server mariadb-libs mariadb redis memcached vsftpd
)
sudo yum -y install "${packages[@]}"
# Point pecl at the system php.ini, then build the ssh2 extension from PECL
# (build deps from EPEL). The empty here-string answers the installer's prompt.
sudo pecl channel-update pecl.php.net
sudo pecl config-set php_ini /etc/php.ini
sudo yum -y install gcc binutils libssh2 libssh2-devel --enablerepo=epel
sudo pecl install -f ssh2-1.2 <<<''
sudo chmod 755 /usr/lib64/php/modules/ssh2.so
printf '%s\n' 'extension=ssh2.so' | sudo tee /etc/php.d/60-ssh2.ini > /dev/null
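# Xdebug — debugging aid for this staging host; do not carry this block to
# production (it slows every request and opens an outbound debugger channel).
# Pin the 2.x series: an unpinned `pecl install xdebug` now resolves to Xdebug 3,
# which renamed every setting used below (remote_enable -> mode,
# remote_host/remote_port -> client_host/client_port, autostart ->
# start_with_request), so the ini would be silently ignored. 2.9.8 is the last
# 2.x release and supports PHP 7.3.
sudo pecl install -f xdebug-2.9.8
sudo chmod 755 /usr/lib64/php/modules/xdebug.so
sudo tee /etc/php.d/15-debug.ini > /dev/null <<- 'EOF'
; Enable xdebug extension module
zend_extension = /usr/lib64/php/modules/xdebug.so
xdebug.default_enable = 1
; autostart = 1: every request attempts a DBGp connection to remote_host, so
; requests pay a connect/timeout cost whenever the IDE is not listening.
xdebug.autostart = 1
xdebug.remote_enable = 1
; Keep connect_back OFF. With it on, Xdebug dials whatever address the client
; supplies (X-Forwarded-For / REMOTE_ADDR), letting any visitor steer the
; debugger session to a host of their choosing. Only the fixed remote_host
; (the developer's IP at the time of writing) is ever contacted.
xdebug.remote_connect_back = 0
xdebug.remote_host = "121.101.92.213"
xdebug.remote_port = 9000
; see http://xdebug.org/docs/all_settings
EOF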
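# composer
# Verify the installer against the SHA-384 Composer publishes before executing
# it as root; the original piped curl straight into `sudo php` with no check.
composer_setup="$(mktemp)"
composer_expected="$(curl -sS https://composer.github.io/installer.sig)"
curl -sS https://getcomposer.org/installer -o "${composer_setup}"
composer_actual="$(php -r "echo hash_file('sha384', '${composer_setup}');")"
if [ -z "${composer_expected}" ] || [ "${composer_expected}" != "${composer_actual}" ]; then
    echo 'composer installer checksum mismatch; aborting' >&2
    rm -f -- "${composer_setup}"
    exit 1
fi
sudo php "${composer_setup}" --install-dir=/usr/local/bin
rm -f -- "${composer_setup}"
sudo ln -sf /usr/local/bin/composer.phar /usr/local/bin/composer
# wp-cli
# The builds repo publishes wp-cli.phar.sha512 next to the phar; check it.
# install(1) copies the file root-owned with mode 0755. The original `sudo mv`
# kept the phar owned by the invoking user, leaving /usr/local/bin/wp — which
# this script runs as root a few lines down — writable by ec2-user.
wp_builds='https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar'
curl -sSLO "${wp_builds}/wp-cli.phar"
curl -sSLO "${wp_builds}/wp-cli.phar.sha512"
if ! printf '%s  wp-cli.phar\n' "$(cut -d' ' -f1 wp-cli.phar.sha512)" | sha512sum -c - > /dev/null; then
    echo 'wp-cli.phar checksum mismatch; aborting' >&2
    rm -f -- wp-cli.phar wp-cli.phar.sha512
    exit 1
fi
sudo install -o root -g root -m 0755 wp-cli.phar /usr/local/bin/wp
rm -f -- wp-cli.phar wp-cli.phar.sha512
# Completion script is pulled from the master branch (unpinned, HTTPS only);
# it is only sourced into the user's interactive shell.
curl -sSLO https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
sudo mkdir -p /usr/local/share/wp
sudo install -o root -g root -m 0644 wp-completion.bash /usr/local/share/wp/wp-completion.bash
rm -f -- wp-completion.bash
sudo tee -a "/home/${OS_USER}/.bash_profile" > /dev/null <<-'EOF'
source /usr/local/share/wp/wp-completion.bash
EOF
# HTTPS clone URL: root (via sudo) has no GitHub SSH key, so the
# git@github.com: form the original used fails at the key/host-key step.
# (search-replace is also bundled with the wp-cli phar itself, so this step
# may be redundant — verify with `wp help search-replace`.)
sudo /usr/local/bin/wp --allow-root package install https://github.com/wp-cli/search-replace-command.git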
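##
# Add WP coding standards with php codesniffer
##
# dev-master is an unpinned branch: what gets installed depends on the day the
# script runs. Pin a release tag when the build must be reproducible.
sudo COMPOSER_ALLOW_SUPERUSER=1 /usr/local/bin/composer create-project wp-coding-standards/wpcs:dev-master --no-interaction --no-dev /var/lib/wpcs
# php unit
# Fetched over HTTPS only; phpunit also publishes a detached .asc signature if a
# stronger check is wanted. install(1) writes the file root-owned, 0755 — the
# original `sudo mv` left /usr/bin/phpunit owned by the invoking user.
curl -sSL https://phar.phpunit.de/phpunit-8.phar -o phpunit.phar
sudo install -o root -g root -m 0755 phpunit.phar /usr/bin/phpunit
rm -f -- phpunit.phar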
# postfix: enable at boot, then start it now.
for action in enable start; do
    sudo systemctl "${action}" postfix
done
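# vsftpd
sudo yum -y install vsftpd lftp
sudo mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.default
# Both writes go through `sudo tee`. The original used `sudo echo ... >>` and
# `sudo cat > ... <<EOF`: in each case the shell opens the target file *before*
# sudo runs, so both failed with EACCES, the chroot list was never written and
# vsftpd started with its config file already moved away.
printf '%s\n' "${OS_USER}" | sudo tee -a /etc/vsftpd/chroot_list > /dev/null
sudo tee /etc/vsftpd/vsftpd.conf > /dev/null <<-'EOF'
# Plain FTP (no TLS). listen_address below binds 127.0.0.1 only, so the
# service is reachable just from the box itself (e.g. through an SSH tunnel).
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=NO
ascii_upload_enable=YES
ascii_download_enable=YES
ftpd_banner=
# chroot_local_user=YES + chroot_list_enable=YES means the users named in
# chroot_list_file are the ones NOT chrooted; this script puts OS_USER there.
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
ls_recurse_enable=YES
listen_address=127.0.0.1
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
use_localtime=YES
EOF
sudo systemctl enable vsftpd
sudo systemctl start vsftpd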
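echo "9. memcachedの設定"
# Socket directory: owned by memcached, group 'web' (the group nginx, php-fpm
# and OS_USER are put in during the PHP step; created here if it does not exist
# yet), mode 0750. The socket is created -a 0666 so group members can connect,
# but the 0750 directory keeps every other local account away from it — the
# original's -a 0777 let any local user read and write the cache.
getent group web > /dev/null || sudo groupadd web
sudo mkdir -p /var/run/memcached
sudo chown memcached:web /var/run/memcached
sudo chmod 0750 /var/run/memcached
# /var/run is tmpfs: without this, the directory is gone after a reboot and
# memcached fails to create its socket.
sudo tee /etc/tmpfiles.d/memcached.conf > /dev/null <<-'EOF'
d /run/memcached 0750 memcached web -
EOF
# OPTIONS is expanded by systemd, not by a shell, so the `>> file 2>&1` the
# original carried here was passed to memcached as arguments rather than being
# a redirection. Verbose output goes to the journal (journalctl -u memcached).
# PORT is kept defined because the stock unit passes -p ${PORT}; with -s the
# TCP listener is disabled, so the port is never actually bound.
sudo tee /etc/sysconfig/memcached <<-'EOF'
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="1024"
OPTIONS="-s /var/run/memcached/memcached.sock -a 0666 -vv"
EOF
# Log directory and rotation are only used if the unit is later overridden to
# write to /var/log/memcached; they are harmless otherwise (missingok).
sudo mkdir -p /var/log/memcached
sudo touch /var/log/memcached/memcached.log
sudo chown -R memcached:memcached /var/log/memcached
sudo tee /etc/logrotate.d/memcached <<-'EOF'
/var/log/memcached/*.log {
notifempty
daily
rotate 10
missingok
dateext
dateformat -%Y%m%d
copytruncate
sharedscripts
}
EOF
sudo systemctl enable memcached.service
sudo systemctl start memcached.service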
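echo "10. redisの設定"
# Redis needs overcommit for background saves; set it live and persist it.
# (/etc/sysctl.conf is loaded after /etc/sysctl.d, so this wins over the
# vm.overcommit_memory = 0 in 99-performance.conf.)
sudo sysctl vm.overcommit_memory=1
sudo tee -a /etc/sysctl.conf <<-'EOF'
# for redis
vm.overcommit_memory = 1
EOF
# php-fpm runs as user nginx and connect(2) on a UNIX socket needs write
# permission on it. The original's unixsocketperm 775 gives write only to
# owner and group (redis), so nginx could not connect at all. Put the web
# accounts in the redis group (the group the redis package creates) and use
# 770 rather than opening the socket to every local user.
for redis_client in nginx "${OS_USER}"; do
    sudo usermod -a -G redis "${redis_client}"
done
# Appended to the stock redis.conf (which keeps bind 127.0.0.1); later keys win.
sudo tee -a /etc/redis.conf <<-'EOF'
#
# https://guides.wp-bullet.com/how-to-configure-redis-to-use-unix-socket-speed-boost/
#
# create a unix domain socket to listen on
unixsocket /var/run/redis/redis.sock
# set permissions for the socket (owner + group redis; nginx is in that group)
unixsocketperm 770
#
# https://www.linode.com/docs/databases/redis/install-and-configure-redis-on-centos-7/
#
appendonly yes
appendfsync everysec
#
# https://www.digitalocean.com/community/tutorials/how-to-install-secure-redis-centos-7
#
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
#
#rename-command CONFIG ""
#rename-command SHUTDOWN SHUTDOWN_MENOT
#rename-command CONFIG ASC12_CONFIG
EOF
sudo systemctl enable redis.service
sudo systemctl start redis.service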
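echo "11. PHPの設定"
# Shared 'web' group for files the web server and the deploy user both touch.
# (The original had `sudo sudo groupadd web` — the doubled sudo was harmless.)
sudo groupadd web
sudo usermod -a -G web nginx
sudo usermod -a -G web ${OS_USER}
# Replace the stock pools with a single [www] pool.
sudo mkdir /etc/php-fpm.d/attic
sudo mv /etc/php-fpm.d/*.conf /etc/php-fpm.d/attic/
sudo tee /etc/php-fpm.d/www.conf <<-'EOF'
[www]
user = nginx
group = web
listen = /var/run/php-fpm/php-fpm.sock
; Only nginx connects to this socket, so owner/group nginx with 0660 is
; sufficient; the original 0666 let any local account submit FastCGI requests
; (i.e. run PHP as the web user).
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
pm = dynamic
; /status and /ping are served by FPM only if nginx routes those URIs here; the
; vhost includes in this script pass only *.php/*.phar, so they are not exposed
; unless a vhost adds a location for them.
pm.status_path = /status
pm.max_children = 10
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 5
pm.process_idle_timeout = 10s
pm.max_requests = 500
; FPM refuses anything but .php — nginx's \.(php|phar) rule therefore gets
; "Access denied." for .phar URIs, which is the safe outcome.
security.limit_extensions = .php
ping.path = /ping
ping.response = pong
slowlog = /var/log/php-fpm/www-slow.log
catch_workers_output = yes
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_admin_value[memory_limit] = 256M
php_admin_value[upload_max_filesize] = 32M
php_admin_value[post_max_size] = 32M
php_admin_value[output_buffering] = 0
php_admin_value[max_input_nesting_level] = 256
php_admin_value[max_input_vars] = 10000
; Never let PHP guess the script from PATH_INFO (classic nginx+php RCE vector).
php_admin_value[cgi.fix_pathinfo] = 0
php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache
;php_value[session.save_handler] = memcached
;php_value[session.save_path] = "tcp://localhost:11211"
;php_value[session.save_path] = "/var/run/memcached/memcached.sock"
php_value[session.save_handler] = redis
;php_value[session.save_path] = "tcp://localhost:6379"
php_value[session.save_path] = "/var/run/redis/redis.sock"
;php_value[soap.wsdl_cache_dir] = "/var/lib/php/wsdlcache"
;php_admin_value[sendmail_path] = "/usr/bin/env catchmail -f root@localhost.localdomain"
EOF
sudo systemctl enable php-fpm.service
sudo systemctl start php-fpm.service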
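echo "14. mariadbの設定"
sudo systemctl enable mariadb.service
sudo systemctl start mariadb.service
# First start initialises the data directory; give it a moment before stopping
# to drop in the configuration.
sleep 15
sudo systemctl stop mariadb.service
sudo mv /etc/my.cnf.d/server.cnf /etc/my.cnf.d/server.cnf.default
sudo tee /etc/my.cnf.d/server.cnf <<-'EOF'
[server]
socket=/var/lib/mysql/mysql.sock
character-set-server=utf8mb4
skip-character-set-client-handshake
collation-server=utf8mb4_general_ci
[mysqld]
[galera]
[embedded]
[mariadb]
EOF
sudo mv /etc/my.cnf.d/client.cnf /etc/my.cnf.d/client.cnf.default
sudo tee /etc/my.cnf.d/client.cnf <<-'EOF'
[client]
default-character-set=utf8mb4
[client-mariadb]
EOF
# Client defaults only. The original also put `user=mysql` /
# `password=secret_password` under [mysqldump] in this file, which tee creates
# world-readable (0644): a plaintext DB credential for every local account.
sudo tee /etc/my.cnf.d/mysql-clients.cnf > /dev/null <<-'EOF'
[mysql]
default-character-set=utf8mb4
[mysqldump]
force
default-character-set=utf8mb4
EOF
# Credentials for unattended dumps live in root's own option file, mode 0600,
# using the DB account this script defines. That account still has to be
# created and granted on ${WORDPRESS_DB_NAME} — not done in this section.
# TODO(review): the MariaDB root account and the anonymous users / test DB are
# left at package defaults here; run the mysql_secure_installation steps once
# the DB user has been created.
sudo install -o root -g root -m 0600 /dev/null /root/.my.cnf
sudo tee /root/.my.cnf > /dev/null <<-EOF
[mysqldump]
user=${WORDPRESS_DB_USER}
password=${WORDPRESS_DB_PASSWORD}
EOF
sudo systemctl enable mariadb.service
sudo systemctl start mariadb.service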
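echo "10. nginxの設定"
# Start once so the package creates its runtime dirs, then stop to reconfigure.
sudo systemctl start nginx
sleep 5
sudo systemctl stop nginx
# Park the stock config under .attic directories; everything is rewritten below.
sudo mkdir -p /etc/nginx/common/
sudo mkdir -p /etc/nginx/.attic
sudo mv /etc/nginx/*.conf /etc/nginx/.attic/
sudo mv /etc/nginx/koi-* /etc/nginx/.attic/
sudo mv /etc/nginx/win-* /etc/nginx/.attic/
sudo mv /etc/nginx/*_params /etc/nginx/.attic/
sudo mv /etc/nginx/mime.types /etc/nginx/.attic/
sudo mkdir -p /etc/nginx/conf.d/.attic
sudo mv /etc/nginx/conf.d/*.conf /etc/nginx/conf.d/.attic/
sudo mkdir -p /etc/nginx/default.d/.attic
sudo mv /etc/nginx/default.d/*.conf /etc/nginx/default.d/.attic/
# Raise the fd/process limits of the nginx unit (nginx.conf below sets
# worker_rlimit_nofile 100000). The drop-in belongs under nginx.service.d —
# the original created that directory but then wrote the file to
# httpd.service.d, which does not exist (httpd is not installed by this
# script), so tee failed and the limit never applied. daemon-reload so systemd
# picks up the drop-in before nginx is started.
sudo mkdir -p /etc/systemd/system/nginx.service.d
sudo tee /etc/systemd/system/nginx.service.d/ulimit.conf > /dev/null <<-'EOF'
[Service]
LimitNOFILE=100000
LimitNPROC=100000
EOF
sudo systemctl daemon-reload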
# MIME map used by nginx (included from nginx.conf). Note that .pem/.crt/.der
# are mapped below, so certificate files left under a docroot would be served
# as application/x-x509-ca-cert; keep key material out of web roots regardless.
sudo tee /etc/nginx/mime.types <<-'EOF'
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
# certificate formats — see the note above the heredoc
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
EOF
# FastCGI parameter set. SCRIPT_FILENAME and PATH_INFO are deliberately NOT set
# here: each PHP location in /etc/nginx/common/*.conf sets them itself after
# fastcgi_split_path_info. HTTPS is only sent when TLS is on (if_not_empty).
sudo tee /etc/nginx/fastcgi_params <<-'EOF'
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
EOF
# SCGI and uWSGI parameter sets: nginx defaults, written back because the stock
# *_params files were moved to .attic above. Nothing in this script uses them.
sudo tee /etc/nginx/scgi_params <<-'EOF'
scgi_param REQUEST_METHOD $request_method;
scgi_param REQUEST_URI $request_uri;
scgi_param QUERY_STRING $query_string;
scgi_param CONTENT_TYPE $content_type;
scgi_param DOCUMENT_URI $document_uri;
scgi_param DOCUMENT_ROOT $document_root;
scgi_param SCGI 1;
scgi_param SERVER_PROTOCOL $server_protocol;
scgi_param REQUEST_SCHEME $scheme;
scgi_param HTTPS $https if_not_empty;
scgi_param REMOTE_ADDR $remote_addr;
scgi_param REMOTE_PORT $remote_port;
scgi_param SERVER_PORT $server_port;
scgi_param SERVER_NAME $server_name;
EOF
sudo tee /etc/nginx/uwsgi_params <<-'EOF'
uwsgi_param QUERY_STRING $query_string;
uwsgi_param REQUEST_METHOD $request_method;
uwsgi_param CONTENT_TYPE $content_type;
uwsgi_param CONTENT_LENGTH $content_length;
uwsgi_param REQUEST_URI $request_uri;
uwsgi_param PATH_INFO $document_uri;
uwsgi_param DOCUMENT_ROOT $document_root;
uwsgi_param SERVER_PROTOCOL $server_protocol;
uwsgi_param REQUEST_SCHEME $scheme;
uwsgi_param HTTPS $https if_not_empty;
uwsgi_param REMOTE_ADDR $remote_addr;
uwsgi_param REMOTE_PORT $remote_port;
uwsgi_param SERVER_PORT $server_port;
uwsgi_param SERVER_NAME $server_name;
EOF
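# Main nginx config. Three changes from the original gist-derived file, each
# explained inline: error_log level, access_log, and where the rate limits live.
sudo tee /etc/nginx/nginx.conf <<-'EOF'
# https://gist.github.com/denji/8359866
user nginx;
pid /var/run/nginx.pid;
# you must set worker processes based on your CPU cores, nginx does not benefit from setting more than that
worker_processes auto; #some last versions calculate it automatically
worker_cpu_affinity auto;
# number of file descriptors used for nginx
# the limit for the maximum FDs on the server is usually set by the OS.
# if you don't set FD's then OS settings will be used which is by default 2000
worker_rlimit_nofile 100000;
# Log at 'error', not 'crit': "access forbidden by rule" from the deny rules in
# common/wordpress_restrictions.conf and limit_req rejections are emitted at
# error level, and those are exactly the lines fail2ban-style tooling reads.
# The original 'crit' dropped all of them.
error_log /var/log/nginx/error.log error;
events {
# determines how much clients will be served per worker
# max clients = worker_connections * worker_processes
# max clients is also limited by the number of socket connections available on the system (~64k)
worker_connections 4000;
# optimized to serve many clients with each thread, essential for linux -- for testing environment
use epoll;
# accept as many connections as possible, may flood worker connections if set too low -- for testing environment
multi_accept on;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main_ltsv 'time:$time_local\trequest_time:$request_time\turi:$uri\trequest_uri:$request_uri\t'
'remote_addr:$remote_addr\tremote_user:$remote_user\trequest_method:$request_method\t'
'server_protocol:$server_protocol\tstatus:$status\tbody_bytes_sent:$body_bytes_sent\t'
'http_referer:$http_referer\tscheme:$scheme\thttp_user_agent:$http_user_agent';
access_log /var/log/nginx/access.log main_ltsv;
# cache informations about FDs, frequently accessed files
# can boost performance, but you need to test those values
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# The original had `access_log off;` here ("to boost I/O on HDD"). At http
# level it overrides the access_log line above and leaves the host with no
# request log at all — the primary forensic record, and what the restriction
# rules say they want parsed. Keep logging; disable per-location if needed.
# copies data between one FD and other from within the kernel
# faster than read() + write()
sendfile on;
# send headers in one piece, it is better than sending them one by one
tcp_nopush on;
# don't buffer data sent, good for small data bursts in real time
tcp_nodelay on;
# reduce the data that needs to be sent over network -- for testing environment
gzip on;
# gzip_static on;
gzip_min_length 10240;
gzip_comp_level 1;
gzip_vary on;
gzip_disable msie6;
gzip_proxied expired no-cache no-store private auth;
gzip_types
# text/html is always compressed by HttpGzipModule
text/css
text/ecmascript
text/javascript
text/markdown
text/xml
text/sgml
text/plain
text/x-component
application/ecmascript
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
application/atom+xml
font/truetype
font/opentype
application/vnd.ms-fontobject
image/svg+xml;
# allow the server to close connection on non responding client, this will free up memory
reset_timedout_connection on;
# request timed out -- default 60
# client_body_timeout 10;
# if client stop responding, free up memory -- default 60
send_timeout 2;
# server will close connection after this time -- default 75
keepalive_timeout 30;
# number of requests client can make over keep-alive -- for testing environment
keepalive_requests 100000;
# just for security reason
server_tokens off;
# limit the number of connections per single IP
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
# limit the number of requests for a given session
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;
# The original applied both limits inside a bare `server { }` with no listen
# or server_name. That only throttled that (otherwise empty) block — which,
# being first, also became the default server for unmatched Host headers on
# :80 — and left the real vhosts in conf.d unlimited. limit_conn is applied
# here at http level so it covers every server. limit_req is left to the PHP
# locations of the vhosts/common files (5r/s would also throttle static
# assets and break ordinary page loads if applied globally):
#   limit_req zone=req_limit_per_ip burst=10 nodelay;
# Give a conf.d vhost `listen 80 default_server;` if a catch-all is wanted.
limit_conn conn_limit_per_ip 10;
# if the request body size is more than the buffer size, then the entire (or partial)
# request body is written into a temporary file
client_body_buffer_size 128k;
# buffer size for reading client request header -- for testing environment
client_header_buffer_size 3m;
# maximum number and size of buffers for large headers to read from client request
large_client_header_buffers 4 256k;
# read timeout for the request body from client -- for testing environment.
# NOTE: 3-minute header/body timeouts together with multi-megabyte header
# buffers are generous to slow clients; revisit before exposing to the internet.
client_body_timeout 3m;
# how long to wait for the client to send a request header -- for testing environment
client_header_timeout 3m;
server_names_hash_bucket_size 64;
include /etc/nginx/conf.d/*.conf;
}
EOF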
# FastCGI buffering/cache defaults and the php/memcached upstreams (UNIX sockets
# matching the php-fpm and memcached steps above). Loaded first via the 00- prefix.
sudo tee /etc/nginx/conf.d/00-upstreams.conf <<-'EOF'
#
# FastCGI Cache
#
fastcgi_buffering on;
fastcgi_buffer_size 8k;
fastcgi_buffers 100 8k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
# Cache key carries scheme, method, host and full URI but no cookies; the PHP
# locations set $no_cache for logged-in/commenter cookies, and by default nginx
# does not cache responses that carry Set-Cookie (fastcgi_ignore_headers is unset).
fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=NGINX:15m inactive=7d max_size=1000m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_use_stale error timeout updating http_500 http_503;
# NOTE(review): temp path sits inside the cache directory; nginx recommends the
# two be on the same filesystem but separate — or `use_temp_path=off` on
# fastcgi_cache_path. Confirm there is no warning at `nginx -t`.
fastcgi_temp_path /var/cache/nginx/temp 1 2;
fastcgi_connect_timeout 60;
# 40-minute read/send timeouts: long-running admin tasks will not be cut off,
# but a stalled backend holds the worker connection for that long as well.
fastcgi_read_timeout 2400;
fastcgi_send_timeout 2400;
fastcgi_cache_valid 200 2h;
fastcgi_cache_valid 302 2h;
fastcgi_cache_valid 301 4h;
fastcgi_cache_valid any 1m;
fastcgi_cache_revalidate on;
memcached_buffer_size 32k;
memcached_gzip_flag 1;
upstream php {
#this should match value of "listen" directive in php-fpm pool
server unix:/var/run/php-fpm/php-fpm.sock;
# keepalive has no effect for FastCGI unless the locations that fastcgi_pass
# here also set `fastcgi_keep_conn on;` (none in this script do).
keepalive 60;
}
upstream memcached {
server unix:/var/run/memcached/memcached.sock;
keepalive 60;
}
EOF
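echo "include fastcgi_params;" | sudo tee /etc/nginx/fastcgi.conf > /dev/null
# Written with `sudo tee`: the original `sudo cat > file <<EOF` opens the
# target in the unprivileged shell before sudo runs, fails with EACCES, and the
# restrictions file is never created — every vhost including it then fails
# `nginx -t`.
sudo tee /etc/nginx/common/wordpress_restrictions.conf > /dev/null <<-'EOF'
#
# Global Restrictions for WordPress site
# Designed to be included in any server {} block.
#
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
deny all;
}
# Deny all xmlrpc.php access
location = /xmlrpc.php {
deny all;
access_log off;
}
# Deny REST API access at the pretty-permalink path. This is NOT a complete
# block: WordPress also serves the API through the query-string fallback
# (/?rest_route=/...), which goes straight to index.php and is not caught here.
# Denying /wp-json/ also breaks the block editor and any plugin using the API.
location ^~ /wp-json/ {
deny all;
access_log off;
}
# Accept for Let's Encrypt(certbot). ^~ wins over the /\. regex above.
location ^~ /.well-known/ {
access_log off;
log_not_found off;
autoindex off;
try_files $uri $uri/ =404;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
# The pattern ends in \.php(?:/|$), not \.php$: the PHP location in
# common/wordpress_public.conf matches "\.(php|phar)(/.*)?$" and uses
# fastcgi_split_path_info, so /uploads/x.php/anything slipped past the
# $-anchored deny in the original and would execute x.php with PATH_INFO.
location ~* /(?:uploads|files)/.*\.php(?:/|$) {
deny all;
}
EOF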
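# Written with `sudo tee`: the original `sudo cat > file <<EOF` opens the
# target in the unprivileged shell before sudo runs and fails with EACCES, so
# the file was never created.
sudo tee /etc/nginx/common/wordpress_public.conf > /dev/null <<-'EOF'
#
# WordPress single site rules.
# Designed to be included in any server {} block.
#
index index.php;
#charset utf-8;
#
# fastcgi_cache start
# https://codex.wordpress.org/Nginx#Nginx_fastcgi_cache
set $no_cache 0;
# POST requests and urls with a query string should always go to PHP
if ($request_method = POST) {
set $no_cache 1;
}
if ($query_string != "") {
set $no_cache 1;
}
# Don't cache uris containing the following segments
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
set $no_cache 1;
}
# Don't use the cache for logged in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
set $no_cache 1;
}
# This order might seem weird - this is attempted to match last if rules below fail.
# http://wiki.nginx.org/HttpCoreModule
location / {
try_files $uri $u
ri/ /index.php?$args;
# Pass all .php files onto a php-fpm/php-fcgi server.
# (.phar is matched too, but php-fpm's security.limit_extensions = .php
# answers those with "Access denied.", so only .php scripts actually run.)
location ~ \.(php|phar)(/.*)?$ {
fastcgi_split_path_info ^(.+\.(?:php|phar))(/.*)$;
# Only hand scripts that exist on disk to php-fpm; nginx answers 404 for the
# rest instead of forwarding. try_files replaces $uri with the file it finds,
# which clears $fastcgi_path_info, so the value is captured first and the copy
# is what PHP receives.
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
fastcgi_intercept_errors on;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_pass php;
# 5M here caps uploads before php-fpm's upload_max_filesize = 32M is reached.
client_max_body_size 5M;
# Enable FastCGI cache
fastcgi_cache_bypass $no_cache;
fastcgi_no_cache $no_cache;
fastcgi_cache NGINX;
fastcgi_cache_valid 200 60m;
}
# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
# Directives to send expires headers and turn off 404 error logging.
location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
access_log off; log_not_found off; expires max;
}
}
EOF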
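# Written with `sudo tee`: the original `sudo cat > file <<EOF` opens the
# target in the unprivileged shell before sudo runs and fails with EACCES, so
# the file was never created.
sudo tee /etc/nginx/common/wordpress_develop.conf > /dev/null <<-'EOF'
#
# WordPress single site rules (development variant: no FastCGI cache).
# Designed to be included in any server {} block.
#
index index.php;
#charset utf-8;
# This order might seem weird - this is attempted to match last if rules below fail.
# http://wiki.nginx.org/HttpCoreModule
location / {
try_files $uri $uri/ /index.php?$args;
# Disable caching
add_header X-Cache-Status $upstream_cache_status;
add_header Cache-Control no-cache;
expires off;
sendfile off;
# Pass all .php files onto a php-fpm/php-fcgi server.
# (.phar is matched too, but php-fpm's security.limit_extensions = .php
# answers those with "Access denied.", so only .php scripts actually run.)
location ~ \.(php|phar)(/.*)?$ {
fastcgi_split_path_info ^(.+\.(?:php|phar))(/.*)$;
# Only hand scripts that exist on disk to php-fpm; nginx answers 404 for the
# rest instead of forwarding. try_files replaces $uri with the file it finds,
# which clears $fastcgi_path_info, so the value is captured first and the copy
# is what PHP receives.
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
fastcgi_intercept_errors on;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_pass php;
# 5M here caps uploads before php-fpm's upload_max_filesize = 32M is reached.
client_max_body_size 5M;
}
# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
}
EOF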
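# Nginx include for an EC-CUBE document root.
# `sudo tee` instead of `sudo cat >`: the redirection would otherwise be opened by the
# unprivileged invoking shell and fail on /etc/nginx. Quoted 'EOF' = no shell expansion.
sudo tee /etc/nginx/common/eccube.conf > /dev/null <<-'EOF'
#
# EC-CUBE rules.
# Designed to be included in any server {} block.
#
index index.php;
#charset utf-8;
# Clickjacking protection
add_header X-Frame-Options SAMEORIGIN;
# XSS / MIME-sniffing protection
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
# 403 Forbidden workaround:
# if pages cannot be reached, symbolic links may not be allowed; this option enables them
disable_symlinks on from=$document_root;
# This order might seem weird - this is attempted to match last if rules below fail.
# http://wiki.nginx.org/HttpCoreModule
location / {
try_files $uri $uri/ /index.php?u=$uri&$args;
# Disable caching
add_header X-Cache-Status $upstream_cache_status;
add_header Cache-Control no-cache;
expires off;
sendfile off;
# add_header is only inherited from the enclosing level when a location defines
# none of its own; because this location sets cache headers, the security headers
# above must be repeated here or responses served from "/" lose them.
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
}
# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ [^/]\.php(/|$) {
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi_params;
# This is a robust solution for path info security issue and works with cgi.fix_pathinfo = 1 in /etc/php.ini (default)
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass php;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_intercept_errors on;
client_max_body_size 5M;
}
location ~ /\.ht {
deny all;
}
# Files and directories that must never be served
location ~* (?:/(?:src|app|tests|var|vendor|node_modules|codeception|bin)/.*|/(?:composer|COPYING|Procfile|app.json|gulpfile.js|package.json|package-lock.json|web.config))$ {
deny all;
}
# Static files such as images
location ~* ^.+\.(?:mp4|ttf|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|ppt|tar|mid|midi|wav|bmp|rtf|wmv)$ {
# Access logging is a matter of taste
access_log off;
log_not_found off;
if (-f $request_filename) {
# Browser cache lifetime; adjust to taste.
expires 60m;
break;
}
}
EOF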
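# Default (catch-all, port 80 only) server block for this site. The heredoc is unquoted on
# purpose so ${WP_HOME_PATH} is expanded; no nginx $variables appear in it.
# NOTE(review): the self-signed certificate generated below is never referenced here
# (no "listen 443 ssl"), so the site is plain HTTP even though URL is https — confirm
# whether TLS is terminated upstream (e.g. a load balancer).
sudo tee "/etc/nginx/conf.d/01-${WP_NAME}.conf" > /dev/null << EOF
server {
listen 80 default_server;
server_name _;
root ${WP_HOME_PATH}/web;
index index.php index.html;
charset utf-8;
client_max_body_size 128M;
# SSL
#ssl off;
# Gzip
gzip on;
# WordPress Setting
#include common/restrictions.conf;
#auth_basic "Restricted";
#auth_basic_user_file /etc/nginx/.htpasswd;
#include common/wordpress_develop.conf;
#include common/wordpress_public.conf;
include common/eccube.conf;
}
EOF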
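# Self-signed wildcard certificate for test use, then enable and start nginx.
sudo mkdir -p /etc/nginx/ssl
# NOTE(review): CN appears to be exported already as the full "*.<domain>" value; the former
# "/CN=*.${CN}" therefore produced a double wildcard ("*.*.<domain>") — confirm against the
# exports at the top of the script.
sudo openssl req -new -newkey rsa:4096 -days 3653 -nodes -x509 \
  -subj "/C=JP/ST=Tokyo/L=Shinjyuku/O=(self-singed cert for test purpose only)/CN=${CN}" \
  -keyout /etc/nginx/ssl/wildcard.key -out /etc/nginx/ssl/wildcard.pem
sudo chown -R nginx:nginx /etc/nginx/ssl
# Private key must not be group/world readable regardless of how openssl created it.
sudo chmod 600 /etc/nginx/ssl/wildcard.key
sudo systemctl enable nginx.service
sudo systemctl start nginx.service
# Let nginx/php-fpm raise resource limits under SELinux (persistent boolean).
sudo setsebool -P httpd_setrlimit 1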
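# Temporary placeholder document root so nginx has something to serve before WordPress
# is installed. The whole "web" tree is deleted again further down (rm -rf .../web).
# "web" has to exist before tee can create files inside it — the original only created
# ${WP_HOME_PATH} itself, so both tee calls failed with "No such file or directory".
sudo mkdir -p "${WP_HOME_PATH}/web"
# phpinfo() discloses paths, versions and environment; acceptable only because this
# placeholder tree is removed later in the script.
sudo tee "${WP_HOME_PATH}/web/phpinfo.php" > /dev/null <<- 'EOF'
<?php phpinfo(); ?>
EOF
sudo tee "${WP_HOME_PATH}/web/index.php" > /dev/null <<- 'EOF'
<html>
<head><title>200 OK</title></head>
<body bgcolor="white">
<center><h1>200 OK</h1></center>
<hr><center>nginx/*</center>
</body>
</html>
EOF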
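# Fetch PHP diagnostic/admin helpers (adminer, opcache/apcu/memcache status pages, mysqltuner).
# NOTE(review): everything downloaded here lands in ${WP_HOME_PATH}/tools, which the
# `rm -rf` at the end of this section deletes again — the ordering looks accidental;
# confirm whether the cleanup was meant to run before the downloads.
sudo mkdir -p "${WP_HOME_PATH}/tools"
sudo chown -R "${OS_USER}:${OS_USER}" "${WP_HOME_PATH}/tools"
# Without the guard a failed cd would make the clones land in the current directory.
cd "${WP_HOME_PATH}/tools" || exit 1
sudo git clone https://github.com/jmandala/searchreplacedb2.git
sudo git clone https://github.com/mlazarov/ocp.git
sudo git clone https://github.com/rlerdorf/opcache-status.git
sudo git clone https://github.com/kn007/memcache.php.git memcache
sudo git clone https://github.com/krakjoe/apcu.git
sudo mkdir -p adminer
cd adminer || exit 1
# wget's lowercase -o names the *log* file; -O names the output file. The original
# "-o adminer.php" saved the download under its URL basename and put the transfer log
# into adminer.php.
sudo wget https://github.com/vrana/adminer/releases/download/v4.7.6/adminer-4.7.6-mysql-en.php -O adminer.php
cd - || exit 1
sudo mkdir -p mysqltuner
cd mysqltuner || exit 1
sudo wget https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl
cd - || exit 1
sudo mkdir -p apc
cd apc || exit 1
sudo wget https://websistent.com/wp-content/uploads/2013/03/apc.php_.zip
sudo unzip apc.php_.zip
sudo rm -f apc.php_.zip
cd - || exit 1
cd ~ || exit 1
# Start from a clean project tree before the real install below.
sudo rm -rf "${WP_HOME_PATH:?}/.ssh"
sudo rm -rf "${WP_HOME_PATH:?}/web"
sudo rm -rf "${WP_HOME_PATH:?}/vendor"
sudo rm -rf "${WP_HOME_PATH:?}/tools"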
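# Create the WordPress database and user.
# The leading comment needs a space after "--": MySQL/MariaDB only treat "-- " (dash dash
# space) as a comment, so the original "--DROP DATABASE ...;" was a syntax error on the
# very first statement and the client aborted before CREATE DATABASE ever ran.
# NOTE(review): the password is interpolated into SQL string literals; a value containing
# a single quote would break the statement — confirm the exported password is quote-free.
sudo tee "${WP_HOME_PATH}/create.sql" > /dev/null << EOF
-- DROP DATABASE ${WORDPRESS_DB_NAME};
CREATE DATABASE ${WORDPRESS_DB_NAME} CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
CREATE USER '${WORDPRESS_DB_USER}'@'%' IDENTIFIED BY '${WORDPRESS_DB_PASSWORD}';
CREATE USER '${WORDPRESS_DB_USER}'@'localhost' IDENTIFIED BY '${WORDPRESS_DB_PASSWORD}';
GRANT ALL PRIVILEGES ON ${WORDPRESS_DB_NAME}.* TO '${WORDPRESS_DB_USER}'@'%';
GRANT ALL PRIVILEGES ON ${WORDPRESS_DB_NAME}.* TO '${WORDPRESS_DB_USER}'@'localhost';
FLUSH PRIVILEGES;
EOF
# The redirection is opened by the invoking shell, so import while the file is still
# world-readable, then lock it down: it holds the DB password in clear text.
sudo mysql -u root < "${WP_HOME_PATH}/create.sql"
sudo chmod 600 "${WP_HOME_PATH}/create.sql"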
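# Passphrase-less key pair used by WordPress' FS_METHOD=ssh2 updater; its public half is
# authorised for ${OS_USER} on this same host.
# NOTE(review): whoever can read id_rsa (later chowned to nginx) can log in as ${OS_USER}
# over SSH — on a stock EC2 image that user is sudo-capable, so a web-tier compromise
# becomes a full-host compromise. Consider a dedicated, unprivileged deploy user.
sudo mkdir -p "${WP_HOME_PATH}/.ssh"
sudo ssh-keygen -b 2048 -t rsa -N '' -C wordpress -f "${WP_HOME_PATH}/.ssh/id_rsa"
sudo chown -R "${OS_USER}:${OS_USER}" "${WP_HOME_PATH}/.ssh"
sudo chmod 600 "${WP_HOME_PATH}/.ssh/id_rsa"
sudo chmod 644 "${WP_HOME_PATH}/.ssh/id_rsa.pub"
# The append redirection runs as the invoking user, which must own this authorized_keys.
sudo cat "${WP_HOME_PATH}/.ssh/id_rsa.pub" >> "/home/${OS_USER}/.ssh/authorized_keys"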
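# WP-CLI configuration: download/config/install parameters plus the extra PHP that ends up
# in wp-config.php. Unquoted heredoc so the exported values are interpolated; the one
# literal PHP "$" is escaped (\$memcached_servers).
# Fixed: the constant was defined as 'FTP_PLUGIN_DIR ' (trailing space), which WordPress
# never reads — the intended name is FTP_PLUGIN_DIR.
# NOTE(review): WP_DEBUG/WP_DEBUG_LOG and WP_ALLOW_REPAIR are enabled; the repair page needs
# no authentication and debug.log lands in a web-served directory — fine for staging only.
sudo mkdir -p "${WP_HOME_PATH}/vendor"
# Placeholder so the require_once below resolves before composer has run.
sudo touch "${WP_HOME_PATH}/vendor/autoload.php"
sudo tee "${WP_HOME_PATH}/wp-cli.yml" > /dev/null << EOF
path: '${WP_HOME_PATH}/web/app'
url: '${URL}'
user: '${ADMIN_USER}'
color: false
core download:
locale: ja
core config:
dbuser: '${WORDPRESS_DB_USER}'
dbpass: '${WORDPRESS_DB_PASSWORD}'
dbname: '${WORDPRESS_DB_NAME}'
dbhost: '${WORDPRESS_DB_HOST}'
dbprefix: '${WORDPRESS_DB_PREFIX}'
dbcharset: 'utf8mb4'
dbcollate: 'utf8mb4_general_ci'
extra-php: |
require_once( '${WP_HOME_PATH}/vendor/autoload.php');
#add_filter( 'jetpack_development_mode', '__return_true' );
#\$memcached_servers = array( 'default' => array(
# '/var/run/memcached/memcached.sock:0'
#));
#define( 'WP_CACHE', true);
define( 'WP_LANG', 'ja');
define( 'WP_HOME', '${URL}');
define( 'WP_SITEURL', '${URL}/app');
define( 'WP_CONTENT_URL', '${URL}/content');
define( 'WP_PLUGIN_URL', WP_CONTENT_URL . '/plugins' );
define( 'WP_CONTENT_DIR', '${WP_HOME_PATH}/web/content');
define( 'WP_PLUGIN_DIR', WP_CONTENT_DIR . '/plugins' );
define( 'PLUGINDIR', WP_CONTENT_DIR . '/plugins' );
define( 'WP_DEBUG', true );
if ( WP_DEBUG ) {
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );
}
#define( 'SAVEQUERIES', false);
#define( 'SCRIPT_DEBUG', false);
#define( 'CONCATENATE_SCRIPTS', true );
#define( 'COMPRESS_SCRIPTS', true );
#define( 'COMPRESS_CSS', true );
#define( 'ENFORCE_GZIP', true );
define( 'WP_ALLOW_REPAIR', true );
#define( 'DISABLE_WP_CRON', true );
#define( 'EMPTY_TRASH_DAYS', 30 );
#define( 'IMAGE_EDIT_OVERWRITE', true );
define( 'FS_CHMOD_DIR', ( 0755 & ~ umask() ) );
define( 'FS_CHMOD_FILE', ( 0644 & ~ umask() ) );
define( 'FS_METHOD', 'ssh2');
define( 'FTP_BASE', '${WP_HOME_PATH}/web/' );
define( 'FTP_CONTENT_DIR', WP_CONTENT_DIR . '/' );
define( 'FTP_PLUGIN_DIR', WP_PLUGIN_DIR . '/' );
define( 'FTP_PUBKEY', '${WP_HOME_PATH}/.ssh/id_rsa.pub');
define( 'FTP_PRIKEY', '${WP_HOME_PATH}/.ssh/id_rsa');
define( 'FTP_USER', '${OS_USER}');
define( 'FTP_HOST', 'localhost:22');
define( 'FTP_SSL', false );
#define( 'FS_METHOD', 'ftpext');
#define( 'FTP_USER', '${OS_USER}' );
#define( 'FTP_PASS', '${OS_PASSWORD}' );
#define( 'FTP_HOST', 'localhost' );
#define( 'FTP_SSL', false );
# define( 'DISALLOW_FILE_EDIT', true );
# define( 'DISALLOW_FILE_MODS', true );
# define( 'AUTOMATIC_UPDATER_DISABLED', true );
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
#define( 'FORCE_SSL_ADMIN', true );
define( 'WP_POST_REVISIONS', 10 );
core install:
admin_user: '${ADMIN_USER}'
url: '${URL}'
admin_password: '${ADMIN_PASSWORD}'
admin_email: '${ADMIN_EMAIL}'
title: '${TITLE}'
EOF
# The file carries the DB and admin passwords in clear text; tee created it with the
# default (world-readable) mode.
sudo chmod 600 "${WP_HOME_PATH}/wp-cli.yml"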
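# composer.json for the project (dev tooling only; WordPress itself is fetched by WP-CLI),
# followed by the dependency resolution. Unquoted heredoc: ${WP_HOME_PATH} is interpolated,
# the composer "{\$name}" placeholders are escaped so they reach the file literally.
sudo tee "${WP_HOME_PATH}/composer.json" > /dev/null << EOF
{
"name": "root/wordpress",
"require": {},
"require-dev": {
"composer/composer": "^1.0",
"roave/security-advisories": "dev-master",
"squizlabs/php_codesniffer": "^3.5.4",
"wp-coding-standards/wpcs": "dev-master",
"phpunit/phpunit": "^8",
"brain/monkey": "^2.4",
"phpmd/phpmd" : "@stable",
"phing/phing": "^2.16"
},
"repositories": [
{
"type": "composer",
"url": "https://wpackagist.org"
}
],
"config": {
"vendor-dir": "vendor",
"preferred-install": "dist",
"optimize-autoloader": true,
"sort-packages": true,
"platform": {
"php": "7.3"
}
},
"extra" : {
"installer-paths": {
"web/content/mu-plugins/{\$name}/": ["type:wordpress-muplugin"],
"web/content/plugins/{\$name}/": ["type:wordpress-plugin"],
"web/content/themes/{\$name}/": ["type:wordpress-theme"]
},
"wordpress-install-dir": "${WP_HOME_PATH}/web/app"
},
"scripts": {
"code-sniff": [
"./vendor/bin/phpcs --config-set installed_paths ${WP_HOME_PATH}/vendor/wp-coding-standards/wpcs",
"./vendor/bin/phpcs ${WP_HOME_PATH}/web/content"
],
"unit-test": [
"./vendor/bin/phpunit ${WP_HOME_PATH}/tests/unit/*"
]
}
}
EOF
sudo mkdir -p "${WP_HOME_PATH}/web"
sudo mkdir -p "${WP_HOME_PATH}/tests"
# composer resolves relative to the cwd; abort rather than run it in the wrong directory.
cd "${WP_HOME_PATH}" || exit 1
# No composer.lock exists yet, hence "update" rather than "install". COMPOSER_ALLOW_SUPERUSER
# silences the root warning; the tree is re-owned below.
sudo COMPOSER_ALLOW_SUPERUSER=1 /usr/local/bin/composer update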
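# Create the content tree, then download/configure/install WordPress and its plugins via
# WP-CLI (settings come from wp-cli.yml written above).
sudo mkdir -p "${WP_HOME_PATH}"/web/content/{plugins,themes,languages,uploads,upgrade,updates,mu-plugins}
sudo /usr/local/bin/wp --allow-root core download
sudo /usr/local/bin/wp --allow-root core config
#sudo mv ${WP_HOME_PATH}/html/app/wp-config.php ${WP_HOME_PATH}/html/wp-config.php
##sudo wp --allow-root create db
sudo /usr/local/bin/wp --allow-root core install --skip-email
#sudo wp --allow-root plugin uninstall hello
#sudo wp --allow-root plugin uninstall akismet
sudo /usr/local/bin/wp --allow-root plugin install wp-multibyte-patch --activate
#sudo /usr/local/bin/wp --allow-root plugin install wp-mail-smtp --activate
sudo /usr/local/bin/wp --allow-root plugin install wordpress-importer --activate
# Full path as for every other wp call: sudo's secure_path typically does not include
# /usr/local/bin, so a bare "sudo wp" is likely to fail with "command not found".
sudo /usr/local/bin/wp --allow-root plugin install wp-ffpc --activate
#sudo wp --allow-root plugin install wp-ses --activate
# Fixed typo: /usr/local/bih/wp -> /usr/local/bin/wp (the plugin was silently never installed).
sudo /usr/local/bin/wp --allow-root plugin install ssl-insecure-content-fixer
#sudo wp --allow-root plugin install breadcrumb-navxt
#sudo wp --allow-root plugin install wp-members
#sudo wp --allow-root plugin install advanced-custom-fields
#sudo wp --allow-root theme delete twentyfifteen
#sudo wp --allow-root theme delete twentysixteen
#sudo wp --allow-root theme install twentyseventeen --activate
sudo /usr/local/bin/wp --allow-root theme update --all
sudo /usr/local/bin/wp --allow-root plugin update --all
sudo /usr/local/bin/wp --allow-root core language update
# Plugin installed straight from its git repository (not from the wordpress.org directory).
sudo git clone https://github.com/megumiteam/staticpress-s3.git "${WP_HOME_PATH}/web/content/plugins/staticpress"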
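# Drop an empty "Silence is golden." index.php into every content directory so that a
# directory index is never served. The payload is identical for each directory, so the
# eight copies of the heredoc are collapsed into one loop.
for content_dir in content content/plugins content/themes content/mu-plugins content/uploads content/updates content/upgrade content/languages; do
  sudo tee "${WP_HOME_PATH}/web/${content_dir}/index.php" > /dev/null << EOF
<?php
// Silence is golden.
EOF
done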
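# Permission layout: files non-executable, directories traversable, the tree owned by the
# OS user and only the directories WordPress writes to (plus the files it needs) owned by
# the web server user.
sudo find "${WP_HOME_PATH}/web" -type f -exec chmod -x {} +
# "+" batches paths into one chmod invocation instead of one process per directory.
sudo find "${WP_HOME_PATH}/web" -type d -exec chmod +rx {} +
# Note: the glob does not match dot-entries, so .ssh keeps the ownership set below.
sudo chown -R "${OS_USER}:${OS_USER}" "${WP_HOME_PATH}"/*
sudo chown -R nginx:nginx "${WP_HOME_PATH}/web/content/uploads"
sudo chown -R nginx:nginx "${WP_HOME_PATH}/web/content/upgrade"
sudo chown -R nginx:nginx "${WP_HOME_PATH}/web/content/updates"
#sudo chcon -R -u system_u -t httpd_sys_content_t ${WP_HOME_PATH}
# Required by FS_METHOD=ssh2 (PHP must read the key pair), but it hands the web-server
# user an SSH credential for ${OS_USER}; see the key-generation step above.
sudo chown -R nginx:nginx "${WP_HOME_PATH}/.ssh"
# wp-config.php: readable by the web server user only.
sudo chown nginx:nginx "${WP_HOME_PATH}/web/app/wp-config.php"
sudo chmod 440 "${WP_HOME_PATH}/web/app/wp-config.php"
# NOTE(review): debug.log sits under the served "content" path and none of the nginx
# includes above deny *.log, so WP_DEBUG_LOG output is reachable over HTTP — confirm
# this is acceptable for the staging host.
sudo touch "${WP_HOME_PATH}/web/content/debug.log"
sudo chown nginx:nginx "${WP_HOME_PATH}/web/content/debug.log"
sudo touch "${WP_HOME_PATH}/web/content/advanced-cache.php"
sudo chown nginx:nginx "${WP_HOME_PATH}/web/content/advanced-cache.php"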
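# Front controller for the document root: WordPress core lives in web/app, so the stock
# index.php is replaced by one that points at app/wp-blog-header.php. Quoted 'EOF' keeps the
# PHP untouched by the shell.
sudo tee "${WP_HOME_PATH}/web/index.php" > /dev/null <<-'EOF'
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* app/wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define('WP_USE_THEMES', true);
/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/app/wp-blog-header.php' );
EOF
# Read-only for everyone, including the owner: the file is not meant to be edited in place.
sudo chown "${OS_USER}:${OS_USER}" "${WP_HOME_PATH}/web/index.php"
sudo chmod 444 "${WP_HOME_PATH}/web/index.php"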