It’s 2017 and search engines penalize sites that are NOT ‘fast’ (Varnish) and ‘secure’ (SSL)…
As such, I’ve decided to make this blog fast and secure, by employing the standard technologies (Varnish Cache and free LetsEncrypt.org SSL certificates).
Here’s the architecture I’ve chosen:
- bottom layer: PHP-FPM running on unix sockets instead of touching the network stack (which is arguably slower and I don’t like having an extra open port exposed);
- middle layer: Nginx web server and reverse proxy. This is what serves the actual content, over HTTP only (no SSL at this stage);
- caching layer (internet facing): Varnish Cache
- SSL layer: Nginx
Alright, let’s look at each and every one of these layers, in a from-zero-to-hero fashion. All this assumes a Debian Linux or derivative box (be it a virtual machine, a VPS/VDS, dedicated physical server in some datacenter, or your basement, your development machine, docker containers… whatever).
Another assumption is that you have root (sudo) access to said box, and are comfortable with the Linux command line lingo and basic commands.
1. PHP (feel free to skip this if your site doesn’t use this archaic programming language)
sudo apt-get install php7.0-fpm
You only need the php-fpm package, not all the fluff that you normally get when you generically install ‘php’.
After you install it, break out your favourite editor on that box (vim/nano/emacs/whatever-floats-your-boat) and edit php-fpm’s pool config file (on my Ubuntu Xenial LTS [16.04.2] it’s at /etc/php/7.0/fpm/pool.d/www.conf). Look for the ‘listen =’ stanza and change it if necessary to:
listen = /run/php/php7.0-fpm.sock
You’re free to choose a different path for php’s socket file, but the defaults are sane enough for me. On some older systems it prefers to create that file under /var/run/…
Whatever, it doesn’t really matter where it is, as long as the user which runs php on your system has full read and write access to that file.
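Who can reach that socket is set in the same pool file, through php-fpm's `listen.owner`, `listen.group` and `listen.mode` directives. The script below is an added example, not part of the original post: it audits a pool file for a socket listener and a mode that shuts out other local users. The function names and the sample pool file are constructed for illustration, and `www-data` is the Debian/Ubuntu default account assumed here.

```shell
#!/bin/sh
# Added example, not from the original post: audit a php-fpm pool file.

# Print the effective value of key $2 in pool file $1. Lines starting with
# ';' or '#' are comments; the last uncommented assignment wins.
pool_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ || index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        END { print val }' "$1"
}

# Report on the listen settings; returns 0 when clean, 1 if anything is flagged.
audit_fpm_pool() {
    listen=$(pool_value "$1" listen)
    mode=$(pool_value "$1" listen.mode)
    mode=${mode:-0660}   # php-fpm's default when the directive is unset
    rc=0
    case $listen in
        /*) echo "OK   listen is a unix socket: $listen" ;;
        *)  echo "WARN listen is not a socket path (TCP or unset): '$listen'"; rc=1 ;;
    esac
    # The last octal digit is the permission for "other": non-zero lets any
    # local account connect to the pool and have PHP run as the pool user.
    case $mode in
        *0) echo "OK   listen.mode $mode keeps other users out" ;;
        *)  echo "WARN listen.mode $mode opens the socket to other users"; rc=1 ;;
    esac
    echo "INFO owner=$(pool_value "$1" listen.owner) group=$(pool_value "$1" listen.group)"
    return $rc
}

# Constructed sample: the post's listen line plus an overly loose mode.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[www]
;listen = 127.0.0.1:9000
listen = /run/php/php7.0-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0666
EOF
audit_fpm_pool "$sample" || echo "=> pool needs attention"
rm -f "$sample"
```

The owner or group reported on the INFO line should include the account your web server runs as, otherwise Nginx cannot connect to the socket at all.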
HTTP/1.1 403 Forbidden
Server: nginx/1.10.3 (Ubuntu)
Date: Sat, 29 Sep 2018 17:23:22 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
I get this response
Would you mind posting both your NGINX configuration as well as your Varnish configuration? Also, please be specific as to your OS flavor and version.
1. Your tutorial works for me. But after I logged in with an admin account, accessing any URL with "/wp-admin/*" results in a 302 (see below). Any ideas?
162.158.90.189 - - [13/Dec/2018:15:48:34 +0000] "GET /home/wp-admin/post-new.php HTTP/1.1" 302 0 "https://tapchiamnhac.net/home/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36"
2. In some tutorial, they added the following configs. Do we need them?
define( 'WP_HOME', 'https://your-site' );
define( 'WP_SITEURL', 'https://your-site' );
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
Keep this going please, great job!
Thank you! Will do, keep eyes peeled for more tech articles 🙂