Replace the following example values throughout this guide:
- example.com: your fully qualified domain name (FQDN) or IP address
- wordpress: the database name
- wpuser: the WordPress client database user
- password: the SQL database password
- 192.0.2.100: the private IP of the database server
- 192.0.2.255: the private IP of the web server
- example_user: a local non-root sudo user
- 203.0.113.15: the FQDN or IP of the web server

Perform these steps on the database server.
Install MariaDB:
sudo apt install mariadb-server
# On Red Hat/CentOS use: sudo yum install mariadb-server

Run the mysql_secure_installation script to set a root password and remove the unneeded defaults. Set the root password and answer y to all of the prompts:
# Remember the root password; losing it is a hassle. The password used in this guide is: password
sudo mysql_secure_installation
Set bind-address to the database server's private IP so that MariaDB accepts remote connections. Edit /etc/mysql/mariadb.conf.d/50-server.cnf and change the line to:
bind-address = 192.0.2.100
Restart MariaDB and allow port 3306 through the firewall. This example uses UFW, which opens the port for both IPv4 and IPv6:
sudo systemctl restart mysql
sudo ufw allow mysql
Log in as root and create the database and user. Replace 192.0.2.255 with your web server's private IP:
sudo mysql -u root -p
# Enter the root password at the prompt; it is not echoed.
# The statements below create the database, grant privileges and exit:
CREATE DATABASE wordpress;
CREATE USER 'wpuser'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON wordpress.* TO 'wpuser'@'localhost';
CREATE USER 'wpuser'@'192.0.2.255' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON wordpress.* TO 'wpuser'@'192.0.2.255';
FLUSH PRIVILEGES;
exit

Verify that the new user can log in locally:
mysql -u wpuser -p
# Enter the password at the prompt; it is not echoed.
status;
# A block of connection information (rather than an error) means the login worked.
exit

Perform these steps on the web server.
Install the MariaDB client and the PHP MySQL extension:
sudo apt update && sudo apt install mariadb-client php-mysql

Test the remote connection. Replace 192.0.2.100 with the database Linode's private IP:
mysql -u wpuser -h 192.0.2.100 -p
# Enter the password at the prompt; it is not echoed.
status;
# A block of connection information (rather than an error) means the connection worked.
exit
The web server can now connect to the remote database. When WordPress is first installed and configured through the web interface with a local database, it creates a file named wp-config.php. Configure the initial remote database settings in that file.

Tip: if you do not have WordPress yet, download it from the official site and extract it under /var/www/html.
cd /var/www/html/example.com/public_html
sudo cp wp-config-sample.php wp-config.php

Edit /var/www/html/example.com/public_html/wp-config.php and set the database values, replacing 192.0.2.100 with the database server's private IP:
/** The name of the WordPress database */
define('DB_NAME', 'wordpress');
/** The database user */
define('DB_USER', 'wpuser');
/** The password of that user */
define('DB_PASSWORD', 'password');
/** The IP address of the MySQL database server */
define('DB_HOST', '192.0.2.100');

Use the WordPress secret key generator to create random, complex hashes that WordPress will use to encrypt login data. Copy the result and replace the matching section of wp-config.php. Edit /var/www/html/example.com/public_html/wp-config.php; the section to replace begins with:
/**#@+
 * Authentication Unique Keys and Salts.
Create a directory for the certificates and change into it:
mkdir ~/certs && cd ~/certs
Generate the CA key and certificate. Adjust the -days 36500 value in this and the following steps to set the certificate validity period you need:
sudo openssl genrsa 4096 > ca-key.pem
sudo openssl req -new -x509 -nodes -days 36500 -key ca-key.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:PA
Locality Name (eg, city) []:Phila
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:MariaDB
Email Address []:
Generate the server key and certificate request. The Common Name should be the FQDN or IP address of your web server:
sudo openssl req -newkey rsa:4096 -days 36500 -nodes -keyout server-key.pem -out server-req.pem
Generating a 4096 bit RSA private key
......................+++
.............................+++
writing new private key to 'server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US # same values as entered for the CA above
State or Province Name (full name) [Some-State]:PA
Locality Name (eg, city) []:Phila
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:203.0.113.15 # your server's IP
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Rewrite the key in plain RSA format, sign the request with the CA, and move everything into /etc/mysql/ssl:
sudo openssl rsa -in server-key.pem -out server-key.pem
sudo openssl x509 -req -in server-req.pem -days 36500 -CA cacert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
sudo mkdir /etc/mysql/ssl
sudo mv *.* /etc/mysql/ssl && cd /etc/mysql/ssl
Generate the client key and certificate request. The Common Name should again be the FQDN or IP address of the web server:
sudo openssl req -newkey rsa:4096 -days 36500 -nodes -keyout client-key.pem -out client-req.pem
Generating a 4096 bit RSA private key
....................+++
............................................................................................+++
writing new private key to 'client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:PA
Locality Name (eg, city) []:Phila
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:203.0.113.15
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Rewrite the client key, sign the request with the CA, and verify both certificates against the CA. The serial number must differ from the one used for the server certificate, because every certificate issued by one CA needs a unique serial:
sudo openssl rsa -in client-key.pem -out client-key.pem
sudo openssl x509 -req -in client-req.pem -days 36500 -CA cacert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
openssl verify -CAfile cacert.pem server-cert.pem client-cert.pem
# Both certificates should be reported as OK.
Edit /etc/mysql/mariadb.conf.d/50-server.cnf, uncomment the certificate settings and change the paths to match:
ssl-ca=/etc/mysql/ssl/cacert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
Require SSL for the web server's database user. Replace 192.0.2.255 with the web server Linode's private IP:
sudo mysql -u root -p
# Enter the root password at the prompt.
# Typing the password every time is tedious; you can pass it inline instead: sudo mysql -u root -ppassword
# (a password given on the command line is visible in the shell history and in process listings)
GRANT ALL PRIVILEGES ON wordpress.* TO 'wpuser'@'192.0.2.255' REQUIRE SSL;
FLUSH PRIVILEGES;
exit
sudo systemctl restart mysql
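As an added check (example code written for this guide, not part of the original page or of MariaDB), the following Python function audits the output of SHOW GRANTS for the web server's account: it confirms that the account carries REQUIRE SSL and that it holds no privileges outside the wordpress database. The SHOW GRANTS texts are constructed to match the format MariaDB prints after the steps above; the password hash is a placeholder.

```python
import re

# Constructed samples of `SHOW GRANTS FOR 'wpuser'@'192.0.2.255'` output.
# MariaDB attaches REQUIRE SSL to the USAGE ON *.* line of the account.
GRANTS_BEFORE = """\
GRANT USAGE ON *.* TO `wpuser`@`192.0.2.255` IDENTIFIED BY PASSWORD '*PLACEHOLDERHASH'
GRANT ALL PRIVILEGES ON `wordpress`.* TO `wpuser`@`192.0.2.255`
"""
GRANTS_AFTER = """\
GRANT USAGE ON *.* TO `wpuser`@`192.0.2.255` IDENTIFIED BY PASSWORD '*PLACEHOLDERHASH' REQUIRE SSL
GRANT ALL PRIVILEGES ON `wordpress`.* TO `wpuser`@`192.0.2.255`
"""
# An over-broad variant: the account can read the mysql system database.
GRANTS_OVERBROAD = """\
GRANT USAGE ON *.* TO `wpuser`@`192.0.2.255` IDENTIFIED BY PASSWORD '*PLACEHOLDERHASH' REQUIRE SSL
GRANT SELECT ON `mysql`.* TO `wpuser`@`192.0.2.255`
GRANT ALL PRIVILEGES ON `wordpress`.* TO `wpuser`@`192.0.2.255`
"""

# GRANT <privileges> ON <object> TO <account> ...
GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+",
                      re.IGNORECASE)


def audit_grants(show_grants_output, allowed_db):
    """Return a list of findings for one account's SHOW GRANTS output.

    An empty list means the account requires SSL and is confined to allowed_db.
    """
    findings = []
    requires_ssl = False
    for line in show_grants_output.splitlines():
        line = line.strip()
        if not line:
            continue
        match = GRANT_RE.match(line)
        if not match:
            findings.append("unparsed line: " + line)
            continue
        privs = match.group("privs").upper()
        obj = match.group("obj").replace("`", "")
        if re.search(r"\bREQUIRE\s+SSL\b", line, re.IGNORECASE):
            requires_ssl = True
        if obj.startswith(allowed_db + "."):
            continue
        if obj == "*.*" and privs == "USAGE":
            continue  # USAGE on *.* is the "no privileges" placeholder, not a grant
        findings.append("privileges outside %s: %s ON %s" % (allowed_db, privs, obj))
    if not requires_ssl:
        findings.append("account does not REQUIRE SSL")
    return findings


if __name__ == "__main__":
    for label, text in (("before", GRANTS_BEFORE), ("after", GRANTS_AFTER),
                        ("overbroad", GRANTS_OVERBROAD)):
        print(label, audit_grants(text, "wordpress") or "OK")
```

Run it against the real output by pasting the lines SHOW GRANTS prints into a string; the 'wpuser'@'localhost' account created earlier is a separate account and is not covered by the REQUIRE SSL grant above.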
Copy the CA certificate, client certificate and client key to the web server. Replace example_user with the web server's user and 192.0.2.255 with the web server's private IP (the ~/certs directory must already exist on the web server):
scp cacert.pem client-cert.pem client-key.pem example_user@192.0.2.255:~/certs
On the web server, create /etc/mysql/ssl and move the certificates into it:
sudo mkdir /etc/mysql/ssl && sudo mv ~/certs/*.* /etc/mysql/ssl
Edit /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf and add the certificate and key locations under the [mysql] section:
[mysql]
ssl-ca=/etc/mysql/ssl/cacert.pem
ssl-cert=/etc/mysql/ssl/client-cert.pem
ssl-key=/etc/mysql/ssl/client-key.pem
Note: if the web server uses MySQL instead of MariaDB, the corresponding file is /etc/mysql/mysql.conf.d/mysqld.cnf.
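The option-file edits made so far (bind-address on the database server, the three ssl-* lines in its [mysqld] section, and the ssl-* lines in the web server's [mysql] section) can be checked mechanically. The following Python snippet is an added example, not code from this guide or from MariaDB: it parses a MariaDB option file with the standard library and reports weak settings, comparing a constructed text that resembles the Debian default against the edited versions. It also checks for ssl-verify-server-cert, a MariaDB client option the guide does not set.

```python
import configparser

# Constructed option-file texts (not the real files). The first resembles the
# Debian default 50-server.cnf: local-only bind, TLS lines commented out.
SERVER_DEFAULT = """\
[mysqld]
bind-address = 127.0.0.1
#ssl-ca=/etc/mysql/cacert.pem
#ssl-cert=/etc/mysql/server-cert.pem
#ssl-key=/etc/mysql/server-key.pem
"""
SERVER_HARDENED = """\
[mysqld]
bind-address = 192.0.2.100
ssl-ca=/etc/mysql/ssl/cacert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
"""
CLIENT_GUIDE = """\
[mysql]
ssl-ca=/etc/mysql/ssl/cacert.pem
ssl-cert=/etc/mysql/ssl/client-cert.pem
ssl-key=/etc/mysql/ssl/client-key.pem
"""
CLIENT_VERIFYING = CLIENT_GUIDE + "ssl-verify-server-cert\n"

TLS_KEYS = ("ssl-ca", "ssl-cert", "ssl-key")


def parse_option_file(text):
    # Drop !include / !includedir directives, which configparser cannot read;
    # the rest of a MariaDB option file is ordinary INI syntax. Options may
    # appear without a value (e.g. ssl-verify-server-cert), hence allow_no_value.
    body = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("!"))
    parser = configparser.ConfigParser(allow_no_value=True, strict=False,
                                       interpolation=None)
    parser.read_string(body)
    return parser


def audit_server_config(text, expected_bind):
    """Findings for the [mysqld] section; an empty list means nothing was flagged."""
    parser = parse_option_file(text)
    if not parser.has_section("mysqld"):
        return ["no [mysqld] section"]
    section = parser["mysqld"]
    findings = []
    bind = section.get("bind-address")
    if bind is None:
        findings.append("bind-address unset: server listens on all interfaces")
    elif bind != expected_bind:
        findings.append("bind-address is %s, expected %s" % (bind, expected_bind))
    for key in TLS_KEYS:
        if section.get(key) is None:
            findings.append("%s not set: server cannot offer TLS" % key)
    return findings


def audit_client_config(text):
    """Findings for the [mysql] client section."""
    parser = parse_option_file(text)
    if not parser.has_section("mysql"):
        return ["no [mysql] section"]
    section = parser["mysql"]
    findings = [("%s not set" % key) for key in TLS_KEYS if section.get(key) is None]
    # A valueless option is stored as None, so test membership rather than the value.
    if "ssl-verify-server-cert" not in section:
        findings.append("ssl-verify-server-cert not set: server identity is not checked")
    return findings


if __name__ == "__main__":
    print("default server :", audit_server_config(SERVER_DEFAULT, "192.0.2.100"))
    print("hardened server:", audit_server_config(SERVER_HARDENED, "192.0.2.100"))
    print("guide client   :", audit_client_config(CLIENT_GUIDE))
    print("verifying client:", audit_client_config(CLIENT_VERIFYING))
```

Without ssl-verify-server-cert the client encrypts the session and authenticates itself with its certificate, but does not check that the certificate the server presents was issued for the host given to -h; enabling it only succeeds when the server certificate's Common Name (or a subject alternative name) matches that host name or IP.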
Test the connection from the web server again:
mysql -u wpuser -h 192.0.2.100 -p
status;
# The "SSL:" line of the status output should now name the cipher in use rather than "Not in use".
exit
Edit /var/www/html/example.com/public_html/wp-config.php to force WordPress to use SSL for the database connection:
# Surrounding content omitted
...
define( 'MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL );
/** The database name */
define('DB_NAME', 'wordpress');
/** The database user */
define('DB_USER', 'wpuser');
/** The password of that user */
define('DB_PASSWORD', 'password');
/** The IP address of the MySQL database server */
define('DB_HOST', '192.0.2.100');
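The wp-config.php edits in this guide (the DB_* settings, the salts from the WordPress secret key generator, and the MYSQL_CLIENT_FLAGS line above) can be applied in one pass. The following Python script is an added example, not part of the guide or of WordPress: it generates the eight salts locally with the secrets module, using the 64-character length and the character set of WordPress's own wp_generate_password() with extra special characters (a set that contains neither ' nor \, so the values are safe inside single-quoted PHP strings), rewrites the matching define() lines, and inserts the SSL flag in front of DB_NAME as the guide does. The wp-config text it edits is a constructed excerpt modelled on wp-config-sample.php.

```python
import re
import secrets

# Character set of WordPress's wp_generate_password(64, true, true): no single
# quote and no backslash, so values can be dropped into single-quoted PHP strings.
SALT_CHARS = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
              "!@#$%^&*()" "-_ []{}<>~`+=,.;:/?|")
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
SALT_LEN = 64

# Matches define('NAME', 'value'); with a single-quoted string value.
DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>(?:[^'\\]|\\.)*)'\s*\);")

# Constructed excerpt modelled on wp-config-sample.php (not the real file).
WP_CONFIG_SAMPLE = """\
<?php
/** The name of the database for WordPress */
define( 'DB_NAME', 'database_name_here' );
/** MySQL database username */
define( 'DB_USER', 'username_here' );
/** MySQL database password */
define( 'DB_PASSWORD', 'password_here' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/**#@+
 * Authentication Unique Keys and Salts.
 */
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
/**#@-*/
"""


def generate_salt(length=SALT_LEN):
    # secrets.choice draws from the OS CSPRNG, which a salt generator must do.
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def php_define(name, value):
    # Escape the two characters that are special inside a single-quoted PHP string.
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "define('%s', '%s');" % (name, escaped)


def extract_defines(text):
    """Map constant name -> PHP string literal body for every matched define()."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(text)}


def patch_wp_config(text, db_name, db_user, db_password, db_host, require_ssl=True):
    """Rewrite the DB_* settings, regenerate all eight salts and, when require_ssl
    is set, add the MYSQL_CLIENT_FLAGS line in front of DB_NAME."""
    values = {"DB_NAME": db_name, "DB_USER": db_user,
              "DB_PASSWORD": db_password, "DB_HOST": db_host}
    values.update({key: generate_salt() for key in SALT_KEYS})

    def replace(match):
        name = match.group("name")
        return php_define(name, values[name]) if name in values else match.group(0)

    out = DEFINE_RE.sub(replace, text)
    if require_ssl and "MYSQL_CLIENT_FLAGS" not in out:
        flag = "define( 'MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL );\n"
        db_name_line = php_define("DB_NAME", db_name)
        out = out.replace(db_name_line, flag + db_name_line, 1)
    return out


if __name__ == "__main__":
    print(patch_wp_config(WP_CONFIG_SAMPLE, "wordpress", "wpuser", "password", "192.0.2.100"))
```

To apply it to a real installation, read /var/www/html/example.com/public_html/wp-config.php into text, pass it to patch_wp_config with your own values, and write the result back; re-running it regenerates the salts, which invalidates every existing login cookie.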
...

Open example.com/wp-admin in a browser. If the database connection succeeds, you will see the installation screen:
Note: the obscured part of the screenshot is your domain name or IP address (of the web server). Now that the database is configured to communicate over a secure connection, consider using SSL/TLS for the web server itself. Our TLS on NGINX guide covers best practices for securing NGINX and the web server. For other servers and Linux distributions, see the SSL Certificates section of Linode Docs.