Debian LXC + WordPress + Nginx for SSL

by Posted on

Recently, I just want to build up a WordPress site with my home lab Proxmox server and try avoid to pay WordPress service providers. Also, with self-host, you can get your own domain then link to your own server.

Here is the server system:

Debian 10 (don’t ask me why not to use 11…because Proxmox LXC templates are still 10)

MariaDB as SQL server

PHP to provide PHP support

Nginx everyone know it’s a great web server app, but need to learn more for reverse proxy/load balancer

Ok, for all the application installations are simply and straight forward…just write down the WordPress db user name/password for later WordPress setting. 🙂

We also need to trick some PHP settings as below:

PHP config file path: /etc/php/7.3/fpm/php.ini (depending version different, you might have different number for directory)

Change below settings:
post_max_size = 64M
memory_limit = 256M
max_execution_time = 300
upload_max_filesize = 32M

Now, download WordPress then config wp-config.php for fitting your own server.

Next, we need to get self signed SSL cert for SSL connections; as it’s barebone LXC server, we need install openssl to it. After installation is done, launch below command to generate SSL cert:

1. Create KEY for the server, save name as mydomain.key(you can change it to the file name you like):
genrsa -out mydomain.key 2048

2. Use the key you generated to create certification request csr file(in this step you need input a your personal information):
req -new -key mydomain.key -out mydomain.csr

3. Alright, we have the key and csr and we could generate our own self signed cert:
x509 -req -days 1825 -in mydomain.csr -signkey mydomain.key -out mydomain.crt

4. create PEM certificate from generated crt that can be used for Nginx:
cat mydomain.key mydomain.crt >> mylabs.com.pem

5. After pem file created, I suggest put both pem and key files to same directory and remember the path.

Let’s set up Nginx for SSL connection:

1. Create a config file for WordPress (I suggested to use existing Nginx directory):
nano /etc/nginx/sites-available/wordpress.conf 

2. As we need redirect non-secure http(port 80) to https(port 443), so here is what my virtual block setting for WordPress(change www.example.com to your site):
server { #Redirect non-https to https - match both www and non-www
    listen 80;
    server_name  www.example.com example.com;
    return 301 https://www.example.com$request_uri;
}

server { #Main server block
    listen 443 ssl spdy;
    server_name www.example.com;
    ssl_certificate /etc/ssl/certs/www.example.com.certchain.crt;
    ssl_certificate_key /etc/ssl/private/www.example.com.key;
    root /var/www/html/wordpress;
    index index.php index.html index.htm;

    access_log /var/log/nginx/wordpress_access.log;
    error_log /var/log/nginx/wordpress_error.log;

    client_max_body_size 64M;

location / {
    try_files $uri $uri/ /index.php?$args;
    }

location ~ \.php$ {
    try_files $uri =404;
    include /etc/nginx/fastcgi_params;
    fastcgi_read_timeout 3600s;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 4 128k;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    fastcgi_index index.php;
    }
}

3. You need push virtual block setting to Nginx service:
ln -sf /etc/nginx/sites-available/wordpress.conf /etc/nginx/sites-enabled/

OK, all settings are done; you should either restart both Nginx/PHP services or reboot the server:

systemctl restart nginx
systemctl restart php7.3-fpm

Congratulation, WordPress with secure HTTPS connection is done and it ready for using!

Jason Ding

Published by Jason Ding