root@botao:~# apt update 
root@botao:~# apt install certbot

申请单域名证书

• 注意：需要关闭80端口，否则会报错。如遇未关闭80端口的报错，只需关闭后再次执行申请证书的命令即可。

root@botao:~# certbot certonly --standalone -d www.linuxopen.com --http-01-address 0.0.0.0
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): botao@linuxopen.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.linuxopen.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.linuxopen.com/privkey.pem
   Your certificate will expire on 2025-06-09. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

配置证书自动续期

• 证书有效期3个月，可以用脚本+计划任务自动续期。

自动续期脚本

• 检查证书过期时间小于15天执行证书续期命令

root@botao:~# cat /scripts/letsencript/ssl_renew.sh 
#!/bin/bash

daynum=`/usr/bin/certbot certificates | grep days| awk '{print $6}'`
realtime=`date +%Y-%m-%d+%H:%M:%S`

for day in $daynum
do
    if (( $day <= 15 ));
    then
        /usr/bin/systemctl stop nginx && /usr/bin/certbot renew > /scripts/letsencrypt/certbot-renew.log && /usr/bin/systemctl start nginx && echo "$realtime certbot ok" >> /scripts/letsencrypt/end-renew.log
break
    fi
done

计划任务

• 每周三早上10点17分执行证书续期脚本

root@botao:~# crontab -l
#Name: letsencrypt SSL自动续期
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
HOME=/scripts/letsencrypt
SHELL=/bin/bash
17 10 * * 3 ./ssl_renew.sh

nginx配置文件

• 主要是写清楚证书文件位置和代理端口

root@botao:/etc/nginx/conf.d# vim ssl_botao.conf 
server {
    listen 443 ssl;
    server_name linuxopen.com www.linuxopen.com;
    access_log /var/log/nginx/http443.access.log;
    error_log /var/log/nginx/http443.error.log;

        ssl_certificate   /etc/letsencrypt/live/www.linuxopen.com/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/www.linuxopen.com/privkey.pem;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        add_header Cache-Control no-cache;
        add_header Cache-Control private;

    location / {
            proxy_pass http://127.0.0.1:80;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    error_page 404 /404.html;
        location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
        location = /50x.html {
    }
}

开通SSL域名证书并配置自动续期最先出现在博韬。

做Markdown图床方法说明

第一次用 ‘Typora + gitee + PicGo’的方式，两个问题

1. Typora收费了，最后不收费的版本有很多bug。
2. Gitee保存的图片不能在CSDN上显示。原因是Gitee开启了防盗链：https://blog.csdn.net/qq_42951560/article/details/123808036
   

   第二次用‘MarkText + 七牛云存储 + PicGo’的方式，还是两个问题

3. MarkText导出的文件到CSDN、简书等平台乱序，需要重新排版。
4. 七牛云存储的图片不能在CSDN上显示
   

   最终决定使用‘VSCode + Github + PicGo’的方式，目前没有遇到任何问题，搭建方式直接参考：https://blog.csdn.net/qq_44314954/article/details/122951033

   • Windows下VSCode上传图片的快捷方式：
5. 【ctrl+alt+U】从剪贴板粘贴图片
   2.【ctrl+alt+E】打开资源管理器，选择图片

VSCode + Github + PicGo 搭建 Markdown 图床最先出现在博韬。

Wordfence 包括一个端点防火墙和恶意软件扫描程序，它们是从头开始构建的，用于保护 WordPress。我们的 Threat Defense Feed 为 Wordfence 提供了确保您的网站安全所需的最新防火墙规则、恶意软件签名和恶意 IP 地址。 Wordfence 由 2FA 和一系列附加功能完善，是可用的最全面的 WordPress 安全解决方案。

开启wordfence后遇到问题

问题：Docker安装的WordPress没有php.ini文件

开启wordfence后在wordpress后台看到wordfence的配置提醒。

选择默认安装配置会提示无法安装，所以选择手动配置

需要向php.ini文件插入数据

未在Docker安装的WordPress上发现“php.ini”文件

解决

网上查阅资料得知“在docker官方PHP镜像的配置文件路径在：/usr/local/etc/php/conf.d 文件夹，严格意义上讲，并没有php.ini，而是把配置打散在该文件夹里的各个文件里。”
参考：http://t.zoukankan.com/setevn-p-13541853.html

添加新的php配置文件docker-php-ext-wordfence.ini

# Docker内没装vi编辑器，在宿主机新编配置文件
root@botao:/script/docker/conf# vim docker-php-ext-wordfence.ini
auto_prepend_file = '/var/www/html/wordfence-waf.php'

# 将配置文件放入容器内的指定位置
root@botao:/script/docker/conf# docker cp docker-php-ext-wordfence.ini wordpress:/usr/local/etc/php/conf.d/

# 在容器内查看文件已存在
root@959f840068fb:/var/www/html# ls -alh /usr/local/etc/php/conf.d/docker-php-ext-wordfence.ini 
-rw-r--r-- 1 root root 54 Sep  8 01:49 /usr/local/etc/php/conf.d/docker-php-ext-wordfence.ini

# 重启wordpress容器
root@botao:/script/docker/conf# docker restart wordpress
wordpress
root@botao:/script/docker/conf# docker ps
CONTAINER ID   IMAGE       COMMAND                  CREATED      STATUS         PORTS                                     NAMES
959f840068fb   wordpress   "docker-entrypoint.s…"   6 days ago   Up 5 seconds   0.0.0.0:30080->80/tcp, :::30080->80/tcp   wordpress

至此就配置好了，在WordPress后台也没有wordfence的配置提示了。

Wordfence插件：Docker安装的wordpress配置Wordfence最先出现在博韬。

准备

服务器

• 选择了阿里云的服务器，配置是1C2G。之前用1C1G的服务器搭建过，会非常卡。

域名

• 建议采购一个域名，便宜的域名有.cn或者.top大概三四十一年，可以从阿里云或腾讯云上采购域名。

安装docker

• 参考：https://blog.csdn.net/qq_30818545/article/details/124514016

卸载docker历史版本

# 找不到文件说明之前没有装过docker

root@botao:~# apt-get remove docker docker-engine docker.io containerd runc
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package docker
E: Unable to locate package docker-engine
E: Unable to locate package docker.io
E: Couldn't find any package by glob 'docker.io'
E: Couldn't find any package by regex 'docker.io'
E: Unable to locate package containerd
E: Unable to locate package runc

root@botao:~# apt-get purge docker-ce docker-ce-cli containerd.io docker-conmpose-pluigin
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package docker-ce
E: Unable to locate package docker-ce-cli
E: Unable to locate package containerd.io
E: Couldn't find any package by glob 'containerd.io'
E: Couldn't find any package by regex 'containerd.io'
E: Unable to locate package docker-conmpose-pluigin

root@botao:~# rm -rf /var/lib/docker
root@botao:~# rm -rf /var/lib/containerd

安装支持库

root@botao:~# apt-get update
# 安装依赖包
root@botao:~# apt-get install ca-certificates curl gnupg lsb-release nginx -y
root@botao:~# curl -fsSL http://mirrors.aliyun.com/docker-ce/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
root@botao:~# chmod a+r /usr/share/keyrings/docker-archive-keyring.gpg
# 写入软件源信息
root@botao:~# echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] http://mirrors.aliyun.com/docker-ce/linux/debian $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# 更新apt库
root@botao:~# apt-get update
# 查询储存库可用版本
root@botao:~# apt-cache madison docker-ce
 docker-ce | 5:20.10.17~3-0~debian-bullseye | http://mirrors.aliyun.com/docker-ce/linux/debian bullseye/stable amd64 Packages
 docker-ce | 5:20.10.16~3-0~debian-bullseye | http://mirrors.aliyun.com/docker-ce/linux/debian bullseye/stable amd64 Packages
 docker-ce | 5:20.10.15~3-0~debian-bullseye | http://mirrors.aliyun.com/docker-ce/linux/debian bullseye/stable amd64 Packages
 docker-ce | 5:20.10.14~3-0~debian-bullseye | http://mirrors.aliyun.com/docker-ce/linux/debian bullseye/stable amd64 Packages
 docker-ce | 5:20.10.13~3-0~debian-bullseye | http://mirrors.aliyun.com/docker-ce/linux/debian bullseye/stable amd64 Packages
 docker-ce | 5:20.10.12~3-0~debian-bullseye | http://mirrors.aliyun.com/docker-ce/linux/debian bullseye/stable amd64 Packages
 docker-ce | 5:20.10.11~3-0~debian-bullseye | http://mirrors.aliyun.com/docker-ce/linux/debian bullseye/stable amd64 Packages
 docker-ce | 5:20.10.10~3-0~debian-bullseye | http://mirrors.aliyun.com/docker-ce/linux/debian bullseye/stable amd64 Packages
 docker-ce | 5:20.10.9~3-0~debian-bullseye | http://mirrors.aliyun.com/docker-ce/linux/debian bullseye/stable amd64 Packages
 docker-ce | 5:20.10.8~3-0~debian-bullseye | http://mirrors.aliyun.com/docker-ce/linux/debian bullseye/stable amd64 Packages
 docker-ce | 5:20.10.7~3-0~debian-bullseye | http://mirrors.aliyun.com/docker-ce/linux/debian bullseye/stable amd64 Packages
 docker-ce | 5:20.10.6~3-0~debian-bullseye | http://mirrors.aliyun.com/docker-ce/linux/debian bullseye/stable amd64 Packages

安装docker

root@botao:~# apt-get install docker-ce docker-ce-cli containerd.io docker-compose docker-compose-plugin -y
# 配置开机自启动
root@botao:~# systemctl start docker && systemctl enable docker

检查docker

root@botao:~# systemctl status docker
root@botao:~# docker --version
Docker version 20.10.17, build 100c701

Docker安装wordpress

Docker下载MySQL和WordPress镜像

root@botao:~# docker pull mysql
root@botao:~# docker pull wordpress

启动MySQL并配置数据库

root@botao:~# docker run --privileged=true --restart=always --name mysql -v /data/mysql:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=password -d mysql
# 配置MySQL，创建wordpress数据库
root@botao:~# docker exec -it mysql bash
bash-4.4# mysql -uroot -pbotao0705
mysql> create database wordpress;
mysql> flush privileges;

启动WordPress

root@botao:~# docker run --restart=always --name wordpress -p 30080:80 --link mysql:mysql -d wordpress

安装配置nginx

# 注释nginx默认80端口服务
root@botao:~# vim /etc/nginx/sites-enabled/default
# 配置wordpress的nginx代理
root@botao:~# vim /etc/nginx/conf.d/wordpress.conf
server {
    listen 80;
# listen [::]:80;
    server_name _;
#    root /var/www/;
#    index index.php index.html index.htm;
    access_log /var/log/nginx/http80.access.log;
    error_log /var/log/nginx/http80.error.log;

    location / {
            proxy_pass http://127.0.0.1:30080;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    error_page 404 /404.html;
        location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
        location = /50x.html {
    }
}

root@botao:~# systemctl start nginx && systemctl enable nginx

配置域名解析

• 将域名解析到服务器

配置WordPress

• 选择语言

• 开始配置

• 配置MySQL

• 安装程序

• 网站信息

• 完成

Debian11利用docker安装wordpress最先出现在博韬。