Haack's Wiki

User Tools

Site Tools

Trace: zfsreminders miscadmin selfhostedwp nextcloud
computing:selfhostedwp

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
computing:selfhostedwp [2023/12/16 20:33] oemb1905computing:selfhostedwp [2026/04/12 15:53] (current) oemb1905
Line 13: Line 13:
 This tutorial is for setting up a self-hosted WordPress instance on Debian GNU/Linux. This tutorial assumes you have some familiarity setting up a LAMP stack. If you need help with that, check out [[https://wiki.haacksnetworking.com/doku.php?id=computing:apachesurvival|Apache Survival]]. Alright, let's install our LAMP stack and required/optional php modules. //Make sure to review what your instance requires and don't install or configure modules you don't need.// This tutorial is for setting up a self-hosted WordPress instance on Debian GNU/Linux. This tutorial assumes you have some familiarity setting up a LAMP stack. If you need help with that, check out [[https://wiki.haacksnetworking.com/doku.php?id=computing:apachesurvival|Apache Survival]]. Alright, let's install our LAMP stack and required/optional php modules. //Make sure to review what your instance requires and don't install or configure modules you don't need.//
  
-  sudo apt install apache2 mariadb-server php8.php-common php-cgi php-cli php-zip php-mysql php-mbstring php-intl php-fpm php-curl php-gd php-imagick php-xml php-xmlrpc php-soap php-opcache php-apcu php-bcmath memcached wget unzip+  sudo apt install apache2 mariadb-server php8.php-common php-cgi php-cli php-zip php-mysql php-mbstring php-intl php-fpm php-curl php-gd php-imagick php-xml php-xmlrpc php-soap php-opcache php-apcu php-bcmath memcached wget unzip
      
 Sometimes dpkg can choose which version of php you want and it's not always the version you want. In those cases, you can explicitly specify the version you need. Some packages are only available as ''php-xx'' so run the above command first and then the command below when those situations arise: Sometimes dpkg can choose which version of php you want and it's not always the version you want. In those cases, you can explicitly specify the version you need. Some packages are only available as ''php-xx'' so run the above command first and then the command below when those situations arise:
      
-  sudo apt-get install php8.2-{common,cgi,cli,zip,mysql,mbstring,intl,fpm,curl,gd,imagick,xml,xmlrpc,soap,opcache,apcu,bcmath}+  sudo apt-get install php8.4-{common,cgi,cli,zip,mysql,mbstring,intl,fpm,curl,gd,imagick,xml,xmlrpc,soap,opcache,apcu,bcmath}
      
 Apache2 will set up a 000-default.conf automatically and your host should now resolve. Be sure to set up TLS with certbot. Here's my preferred method: Apache2 will set up a 000-default.conf automatically and your host should now resolve. Be sure to set up TLS with certbot. Here's my preferred method:
Line 29: Line 29:
      
   sudo apt remove libapache2-mod-php* --purge   sudo apt remove libapache2-mod-php* --purge
-  sudo apt install php8.3-fpm php8.3-cgi+  sudo apt install php8.4-fpm php8.4-cgi
   sudo a2enmod ssl   sudo a2enmod ssl
   sudo a2enmod headers   sudo a2enmod headers
Line 42: Line 42:
   sudo a2enmod proxy   sudo a2enmod proxy
   sudo a2enmod proxy_fcgi   sudo a2enmod proxy_fcgi
-  sudo a2enconf php8.3-fpm +  sudo a2enconf php8.4-fpm 
-  sudo a2enconf php8.3-cgi+  sudo a2enconf php8.4-cgi
   sudo apache2ctl configtest     sudo apache2ctl configtest  
   sudo systemctl restart apache2   sudo systemctl restart apache2
-  sudo systemctl restart php8.3-fpm+  sudo systemctl restart php8.4-fpm
  
 There are two standard ways to configure php-fpm. One of those is to use ProxyPassReverse, however, this will disable the use of .htaccess in your WordPress root which is not ideal. The next common way which I prefer and use here, is to add a FilesMatch condition to your virtual host as follows. Within the <Include> and </Include> portion of your default-ssl.conf virtual host, add something like: There are two standard ways to configure php-fpm. One of those is to use ProxyPassReverse, however, this will disable the use of .htaccess in your WordPress root which is not ideal. The next common way which I prefer and use here, is to add a FilesMatch condition to your virtual host as follows. Within the <Include> and </Include> portion of your default-ssl.conf virtual host, add something like:
  
   <FilesMatch ".+\.ph(ar|p|tml)$">   <FilesMatch ".+\.ph(ar|p|tml)$">
-      SetHandler "proxy:unix:/run/php/php8.2-fpm.sock|fcgi://localhost"+      SetHandler "proxy:unix:/run/php/php8.4-fpm.sock|fcgi://localhost"
   </FilesMatch>   </FilesMatch>
  
Line 140: Line 140:
 After isntalling memcached and enabling those modules, navigate to your web root and adjust your .htaccess as follows: After isntalling memcached and enabling those modules, navigate to your web root and adjust your .htaccess as follows:
  
-  <IfModule mod_expires.c> +<code> 
-          ExpiresActive On +<IfModule mod_expires.c> 
-          ExpiresByType image/jpg "access 1 year" +    ExpiresActive On 
-          ExpiresByType image/jpeg "access 1 year" +    ExpiresByType image/jpg "access 1 year" 
-          ExpiresByType image/gif "access 1 year" +    ExpiresByType image/jpeg "access 1 year" 
-          ExpiresByType image/png "access 1 year" +    ExpiresByType image/gif "access 1 year" 
-          ExpiresByType text/css "access 1 week" +    ExpiresByType image/png "access 1 year" 
-          ExpiresByType text/html "access 1 month" +    ExpiresByType text/css "access 1 week" 
-          ExpiresByType text/x-javascript "access 1 week" +    ExpiresByType text/html "access 1 month" 
-          ExpiresDefault "access 1 month" +    ExpiresByType text/x-javascript "access 1 week" 
-  </IfModule>+    ExpiresDefault "access 1 month" 
 +</IfModule
 +</code>
  
-  <IfModule mod_rewrite.c> +<code> 
-          RewriteEngine On +<IfModule mod_rewrite.c> 
-          RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] +    RewriteEngine On 
-          RewriteBase / +    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] 
-          RewriteRule ^index\.php$ - [L] +    RewriteBase / 
-          RewriteCond %{REQUEST_FILENAME} !-f +    RewriteRule ^index\.php$ - [L] 
-          RewriteCond %{REQUEST_FILENAME} !-d +    RewriteCond %{REQUEST_FILENAME} !-f 
-          RewriteRule . /index.php [L] +    RewriteCond %{REQUEST_FILENAME} !-d 
-          <FilesMatch "\.(js|css|jpe?g|png|gif|eot|otf|svg|ttf|woff2?)$"> +    RewriteRule . /index.php [L] 
-                  Header set Timing-Allow-Origin "*" +    <FilesMatch "\.(js|css|jpe?g|png|gif|eot|otf|svg|ttf|woff2?)$"> 
-          </FilesMatch> +        Header set Timing-Allow-Origin "*" 
-  </IfModule>+    </FilesMatch> 
 +</IfModule
 +</code> 
 + 
 +<code> 
 +<IfModule mod_headers.c> 
 +    # X-origin core security headers 
 +    Header always set X-Content-Type-Options "nosniff" 
 +    Header always set X-Frame-Options "SAMEORIGIN" 
 +    Header always set Referrer-Policy "strict-origin-when-cross-origin" 
 +    # HSTS 
 +    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS 
 +    # Feature Policy 
 +    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), fullscreen=*" 
 +    # Cross Origin Openerand Embedder policies permissive for Gutenberg/iframes 
 +    Header always set Cross-Origin-Opener-Policy "same-origin-allow-popups" 
 +    Header always set Cross-Origin-Embedder-Policy "unsafe-none" 
 +    # Cache and download protections; limited to dynamic files 
 +    <FilesMatch "\.(php|html)$"> 
 +        Header set X-Download-Options "noopen" 
 +        Header set X-Permitted-Cross-Domain-Policies "none" 
 +        Header set Pragma "no-cache" 
 +        Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0" 
 +    </FilesMatch> 
 +    # Safe CSP for WordPress + Gutenberg  
 +    <FilesMatch "\.(php|html)$"> 
 +        Header set Content-Security-Policy "default-src 'self' https: data: blob:; \ 
 +            script-src 'self' https: data: blob: 'unsafe-inline' 'unsafe-eval';
 +            style-src 'self' https: data: 'unsafe-inline';
 +            img-src 'self' https: data: blob:; \ 
 +            font-src 'self' https: data:; \ 
 +            connect-src 'self' https: data: blob:; \ 
 +            frame-src 'self' https: data: blob:; \ 
 +            media-src 'self' https: data: blob:; \ 
 +            object-src 'none';
 +            base-uri 'self';
 +            form-action 'self';
 +            upgrade-insecure-requests;" 
 +    </FilesMatch> 
 +</IfModule> 
 +</code> 
 + 
 +I was getting a stubborn TLS redirect error for images. To address this, I went into ''/wp-content/themes/mytheme/header.php'' and added: 
 + 
 +  /** added this to secure images **/ 
 +  <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
  
-  <IfModule mod_headers.c> 
-          Header always set X-Content-Type-Options "nosniff" 
-          <IfModule mod_setenvif.c> 
-                  SetEnvIf Origin "^(.+)$" CORS=$0 
-          </IfModule> 
-          Header set Access-Control-Allow-Origin %{CORS}e env=CORS 
-          Header set Access-Control-Allow-Credentials "true" env=CORS 
-          <FilesMatch "\.(php|html)$"> 
-                  Header set X-Frame-Options "ALLOW" 
-                  Header set X-XSS-Protection "0" 
-                  Header set X-Download-Options "noopen" 
-                  Header set X-Permitted-Cross-Domain-Policies "none" 
-                  Header set X-DNS-Prefetch-Control "on" 
-                  Header set Pragma "no-cache" 
-                  Header set Age "0" 
-                  Header set Cache-Control "" 
-                  Header set Strict-Transport-Security "max-age=0" env=HTTPS 
-                  Header set Referrer-Policy "" 
-                  Header set Cross-Origin-Embedder-Policy "unsafe-none" 
-                  Header set Cross-Origin-Opener-Policy "unsafe-none" 
-                  Header set Report-To '{"max_age": 0, "endpoints": [{"url": ""}]}' 
-                  Header set Content-Security-Policy "default-src * data:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'" 
-                  Header set Referrer-Policy "no-referrer-when-downgrade" 
-                  Header set Feature-Policy "camera 'none'; fullscreen 'self'; geolocation *; microphone 'self' https://plaza.pvpfrontier/*" 
-          </FilesMatch> 
-  </IfModule> 
  
-Personally, I don't think anyone should be using ftp. Sftp is fine, and if someone needs that, here's an example of a simple sftp server using proftp:+Personally, I don't think anyone should be using ftp. Sftp is fine, and if someone needs that, here's an example of a simple sftp server using proftp. Noteyou can also just use ssh nowadays as openssh-server includes a ready made sftp server. I retain this for historical knowledge.
  
   sudo apt install proftpd ftp ftp-ssl    sudo apt install proftpd ftp ftp-ssl 
Line 220: Line 241:
 Refresh WordPress and it should see the sftp server and allow you to make changes that way. Note: The sftp server is public and anyone can access this with proper credentials even if it not for WordPress so use a proper password and make sure your TLS configuration is working. Your instance should now be pretty solid. The only other thing you might want is more than one WordPress site subdomain, for example, site1.cooldomain.com, site2.cooldomain.com, etc. If that's the case, then hop on over to my [[https://wiki.haacksnetworking.com/doku.php?id=computing:wpmultisite|Word Press Multisite]] tutorial.  Refresh WordPress and it should see the sftp server and allow you to make changes that way. Note: The sftp server is public and anyone can access this with proper credentials even if it not for WordPress so use a proper password and make sure your TLS configuration is working. Your instance should now be pretty solid. The only other thing you might want is more than one WordPress site subdomain, for example, site1.cooldomain.com, site2.cooldomain.com, etc. If that's the case, then hop on over to my [[https://wiki.haacksnetworking.com/doku.php?id=computing:wpmultisite|Word Press Multisite]] tutorial. 
  
- --- //[[jonathan@haacksnetworking.org|oemb1905]] 2023/06/30 03:23//+ --- //[[alerts@haacksnetworking.org|oemb1905]] 2026/04/12 15:47//
computing/selfhostedwp.1702758808.txt.gz · Last modified: by oemb1905

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
GNU Free Documentation License 1.3 Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki