How to set up a WordPress site with LetsEncrypt and MariaDB on Unraid


I thought I’d make a quick guide on how to set up a WordPress site with MariaDB and Letsencrypt on Unraid.

MariaDB

Installation

Installing MariaDB is pretty straightforward. I’m using the linuxserver container.

Choose your host port and your MYSQL Root password.

I changed the default name and the host port as I already have a MariaDB container running and this container will only be for demonstration purposes.

Create the WordPress database

This is pretty much copied and pasted from the linuxserver.io guide. No reason to reinvent the wheel.

  1. Open a shell in the container with docker exec -it mariadb bash
  2. Log into mysql as user root with mysql -uroot -p and enter the password you chose.

The output will look like this:


[email protected]:~# docker exec -it mariadb bash
[email protected]:/# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.1.30-MariaDB-1~xenial mariadb.org binary distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
 

Next up is creating the database.

  1. Start by creating a user for the database: CREATE USER 'user' IDENTIFIED by 'password'; where ‘user’ is your username and ‘password’ is the password you want for the new user. The output will look like this:
    MariaDB [(none)]> CREATE USER 'weyland' IDENTIFIED by 'password';
    Query OK, 0 rows affected (0.01 sec)
  2. Create the database with CREATE DATABASE IF NOT EXISTS wordpress;
    MariaDB [(none)]> CREATE DATABASE IF NOT EXISTS wordpress;
    Query OK, 1 row affected (0.00 sec)
  3. Give the user permissions to the database with GRANT ALL PRIVILEGES ON wordpress.* TO 'user' IDENTIFIED BY 'password';
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON wordpress.* TO 'weyland' IDENTIFIED BY 'password';
    Query OK, 0 rows affected (0.00 sec)

Then quit mysql with quit and exit from the container by issuing the command exit
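
A tighter variant of the three statements above, as an added example (not from the linuxserver.io guide or this post): it prints SQL that ties the account to a source subnet, uses a random password instead of 'password', and grants schema-level privileges only. The function names, the 172.17.% pattern (Docker's default bridge network) and the privilege list are assumptions; adjust them to the network your containers actually use.

```shell
#!/bin/sh
# Added example (not from the original guide): print SQL for a WordPress
# database account that is host-scoped and limited in privileges.
# Assumed: function names, the subnet passed in, and the privilege list.

is_name() { case "$1" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac; }
is_host() { case "$1" in ''|*[!A-Za-z0-9_.%-]*) return 1 ;; esac; }

# 32 random alphanumeric characters from the kernel CSPRNG.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# wp_db_sql USER HOST DATABASE PASSWORD
wp_db_sql() {
    # Only plain characters are accepted, so no value can close a quoted
    # SQL string and smuggle in extra statements.
    is_name "$1" || { echo "bad user name" >&2; return 1; }
    is_host "$2" || { echo "bad host pattern" >&2; return 1; }
    is_name "$3" || { echo "bad database name" >&2; return 1; }
    is_name "$4" && [ "${#4}" -ge 20 ] || { echo "bad password" >&2; return 1; }

    printf "CREATE DATABASE IF NOT EXISTS %s;\n" "$3"
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$1" "$2" "$4"
    # No GRANT OPTION, FILE or other global rights; only this schema.
    printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP\n"
    printf "    ON %s.* TO '%s'@'%s';\n" "$3" "$1" "$2"
}

# Usage: paste the output at the MariaDB [(none)]> prompt.
#   wp_db_sql weyland '172.17.%' wordpress "$(gen_password)"
```

The generated password is the one to enter later on the WordPress database connection screen.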


Letsencrypt

Installation

Point your domain at your public IP address. After you’ve done that, add your different ANAME/CNAME records, e.g. www.yourdomain.com or blog.yourdomain.com

  1. Container Port: 80 – Choose your desired host port, e.g. 81 (you can’t set this to 80 as the unRAID web GUI uses that).
  2. Container Port: 443 – Set this to 444 or something else (on update 6.4 unRAID will use port 443, and it’s better to be ahead of time so it won’t cause any issues).
  3. Enter your email
  4. Add your domain, e.g. yourdomain.com
  5. Add your different subdomains, e.g. www,blog,plex etc.
  6. Container Path: /config – Install the container config to your desired location.

Next is port forwarding. This is done on your router, and you need to forward port 80 to the port you chose in step 1. You also need to forward port 443 to 444 or the one you chose.

So if your server's IP is 192.168.1.2 and you have chosen port 81 for the container, you need to forward all traffic on port 80 to port 81 on IP 192.168.1.2. Do the same for port 443.

If you’re unsure how to do this on your router check out: Portforward.com

Next go to https://yourserverip:444 or http://yourserverip:81. If you now see the Nginx welcome page, it works. Also test whether yourdomain.com takes you to the nginx welcome page.

Note: TTL differs between providers; some have a minimum of 60 minutes before DNS propagates and others have 1 minute. So it might take a while before https://yourdomain.com works.

If you already have letsencrypt set up and working with a domain and want to use another domain for your WordPress site, you can do that by using the EXTRA_DOMAINS variable.

  1. Click on + Add another Path, Port or Variable
  2. Add these values.
    Config Type: Variable
    Name: Extra domain
    Key: EXTRA_DOMAINS
    Value: yourdomain.com, www.yourdomain.com


Nginx

Go to the letsencrypt appdata location. Find the nginx folder and then edit the file called “default” in the “site-conf” folder. I recommend using Notepad++.

Below is the server block that I use for https://technicalramblings.com

As you can see, I have commented out the #location /wp-admin block.

The #location /wp-admin block is for stopping any brute-force attempts at logging into the admin page of the site. Read more here

If you want to geo-block your site, read more here

Replace the contents of the default file with the server block below, modifying it to use your domain of course.

# REDIRECT WWW TO https://[domain.com]
server {
    listen 80;
    listen 443 ssl http2;
    server_name www.technicalramblings.com;
    return 301 https://technicalramblings.com$request_uri;
}

# REDIRECT HTTP TRAFFIC TO https://[domain.com]
server {
    listen 80;
    server_name technicalramblings.com;
    return 301 https://technicalramblings.com$request_uri;
}

# BLOG SITE
server {
    listen 443 ssl http2;
    server_name technicalramblings.com;

    ## Certificates from LE container placement
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ## Strong Security recommended settings per cipherli.st
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout  10m;

    ## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag index; # SET THIS TO none IF YOU DON'T WANT GOOGLE TO INDEX YOUR SITE!
    add_header Content-Security-Policy "frame-ancestors https://*. https://"; ## Use *.domain.com, not *.sub.domain.com
    add_header X-Frame-Options "ALLOW-FROM https://*." always; ## Use *.domain.com, not *.sub.domain.com
    add_header Referrer-Policy "strict-origin"; # TRY "strict-origin-when-cross-origin" IF YOU GET ERRORS ON YOUR REVERSE PROXY
    proxy_cookie_path / "/; HTTPOnly; Secure";
    more_set_headers "Server: Classified";
    more_clear_headers 'X-Powered-By';

    client_max_body_size 0;

    root /config/www/wordpress/;
    index index.html index.php;

    # Deny access to dotfiles
    location ~ /\. {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php?_url=$uri&$query_string;
    }

    #location /wp-admin {
    #    try_files $uri $uri/ /index.php?_url=$uri&$query_string;
    #    auth_basic "Restricted";
    #    auth_basic_user_file /config/nginx/.htpasswd;
    #}

    # PHP
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # With php7-cgi alone:
        fastcgi_pass 127.0.0.1:9000;
        # With php7-fpm:
        #fastcgi_pass unix:/var/run/php7-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

    fastcgi_buffer_size 4K;
    fastcgi_buffers 64 4k;
}

Modifying the nginx.conf file

You also need to make some changes to the nginx.conf file in the nginx folder, especially if you want Google to index your site.

To let a search engine index your site, you need to comment out the add_header X-Robots-Tag none; line by adding # in front of it:

 # add_header X-Robots-Tag none; 

Another tip is to uncomment the Gzip Settings. This will help with page loading times. And make sure you have all the gzip_types you need.

I have also added caching below the gzip lines.

##
# Gzip Settings
##

gzip on;
gzip_disable "msie6";

gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

# CACHE STATIC CONTENT
# Expires map
map $sent_http_content_type $expires {
    default                    off;
    text/html                  epoch;
    text/css                   max;
    application/javascript     max;
    ~image/                    max;
}

# Enable browser caching
expires $expires;

Remember to restart the container after you have made any changes to any config files.
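
After the restart it is worth checking what the site really sends: nginx only inherits add_header lines from nginx.conf when the server block sets none of its own, so the live response is the reliable record. The script below is an added example, not part of the original guide; the function names, the one-year HSTS threshold and the two sample responses (constructed, including their version strings) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): audit response headers against
# the settings in the server block. Live use:
#   curl -sI https://yourdomain.com | check_headers

# Print the value of header $1 (case-insensitive) from the response on stdin.
header_value() {
    tr -d '\r' | awk -v want="$1" '
        BEGIN { want = tolower(want) }
        { i = index($0, ":") }
        i && tolower(substr($0, 1, i - 1)) == want {
            v = substr($0, i + 1); sub(/^ +/, "", v); print v; exit }'
}

# Read a response on stdin; print one line per problem, return 1 if any.
check_headers() {
    resp=$(cat); bad=0
    get() { printf '%s\n' "$resp" | header_value "$1"; }
    flag() { echo "$1"; bad=1; }

    age=$(get strict-transport-security | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    [ "${age:-0}" -ge 31536000 ] || flag "HSTS missing or max-age under one year"
    [ "$(get x-content-type-options)" = "nosniff" ] || flag "X-Content-Type-Options is not nosniff"
    [ -n "$(get referrer-policy)" ] || flag "Referrer-Policy missing"
    [ -z "$(get x-powered-by)" ] || flag "X-Powered-By still sent: $(get x-powered-by)"
    case "$(get server)" in
        *nginx*|*/[0-9]*) flag "Server header reveals software: $(get server)" ;;
    esac
    case "$(get x-robots-tag)" in
        *none*|*noindex*) flag "X-Robots-Tag blocks indexing: $(get x-robots-tag)" ;;
    esac
    return "$bad"
}

# Constructed samples: an untuned response and one matching the guide's block.
SAMPLE_DEFAULT='HTTP/1.1 200 OK
Server: nginx/1.12.2
X-Powered-By: PHP/7.1.17
X-Robots-Tag: none'
SAMPLE_HARDENED='HTTP/2 200
server: Classified
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
x-robots-tag: index
referrer-policy: strict-origin'
```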


WordPress

Download the latest stable release of WordPress here: https://wordpress.org/download/

Go to your letsencrypt appdata location and copy the wordpress folder into the /www folder, e.g. appdata/letsencrypt/www/wordpress. If you choose another name for the wordpress folder, remember to edit the root location in the server block: root /config/www/wordpress/;

First time setup

By going to yourdomain.com you should be greeted with the WordPress setup page.

  1. Choose your language
  2. Read through the next prompt. Click Let's go!
  3. Enter your database connection details
    Database Name: wordpress
    Username: weyland
    Password: password
    Database Host: 192.168.1.34:3307 (This is your Unraid-IP and port to MariaDB)
    Table Prefix: wp_ (Leave it as is)

  4. Click Submit
  5. Click run installer
    Enter your Site Title, username, password and email.
  6. Click Install WordPress
  7. Login with your credentials and you should now see the WordPress Admin dashboard 🙂

Plugins

The plugins I use are:

  • Disqus Comment System
  • Jetpack by WordPress.com
  • UpdraftPlus – Backup/Restore
  • WP Code Highlight.js
  • WP Featherlight
  • WP Robots Txt
  • WP Super Cache
  • Yoast SEO

 W.

Source:

https://www.linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/

Weyland
