Case: customer want to have WordPress in docker container.
Solution: below. 🙂
Folder structure:
wp/
│
├── control_wp.sh
├── docker-compose.yml
├── activate_server.sh
├── renew.sh
├── certbot_etc/
└── nginx_conf/
└── nginx.conf
└── nginx.template1
└── nginx.template2
└── options-ssl-nginx.conf
└── nginx_logs/
└── wp_db/
└── wp_html/control script content (control_wp.sh)
#!/bin/bash
case "$1" in
start)
docker compose -f /opt/wp/docker-compose.yml up -d
;;
stop)
docker compose -f /opt/wp/docker-compose.yml down
;;
restart)
docker compose -f /opt/wp/docker-compose.yml down
docker compose -f /opt/wp/docker-compose.yml up -d
;;
*)
echo "Usage: ./control_wp.sh {start|stop|restart}"
exit 1
;;
esacdocker compose file
services:
wordpress:
image: wordpress:6.6.1-php8.1-fpm
restart: unless-stopped
environment:
WORDPRESS_DB_HOST: db
WORDPRESS_DB_USER: wp-user
WORDPRESS_DB_PASSWORD: put_you_BD_password_here
WORDPRESS_DB_NAME: wp-db
volumes:
- ./wp_html:/var/www/html
networks:
- inside
depends_on:
- db
db:
image: mariadb:10.6.18
restart: unless-stopped
environment:
MYSQL_DATABASE: wp-db
MYSQL_USER: wp-user
MYSQL_PASSWORD: put_you_BD_password_here
MYSQL_RANDOM_ROOT_PASSWORD: 'extra_difficult_password'
volumes:
- ./wp_db:/var/lib/mysql
networks:
- inside
nginx-proxy:
depends_on:
- wordpress
image: nginx:1.26.1-alpine
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- ./wp_html:/var/www/html
- ./nginx_conf:/etc/nginx/conf.d
- ./nginx_logs:/var/log/nginx
- ./certbot_etc:/etc/letsencrypt
networks:
- inside
certbot:
depends_on:
- nginx-proxy
image: certbot/certbot
volumes:
- ./certbot_etc:/etc/letsencrypt
- ./wp_html:/var/www/html
command: certonly --webroot --webroot-path=/var/www/html --email user@domain.ca --agree-tos --no-eff-email -d your_domain.ca
networks:
inside:
external: false
ipam:
config:
- subnet: 10.100.11.0/24nginx_conf/nginx.conf example:
server {
listen 80;
server_name your_domain.ca;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/html;
}
location / {
rewrite ^ https://$host$request_uri? permanent;
}
}
server {
listen 443 ssl http2;
server_name your_domain.ca;
index index.php index.html index.htm;
root /var/www/html;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/your_domain.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain.ca/privkey.pem;
include /etc/nginx/conf.d/options-ssl-nginx.conf;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# enable strict transport security only if you understand the implications
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location ~ /\.ht {
deny all;
}
location = /favicon.ico {
log_not_found off; access_log off;
}
location = /robots.txt {
log_not_found off; access_log off; allow all;
}
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
}nginx_conf/nginx.template1 example:
server {
listen 80;
server_name your_domain.ca;
index index.php index.html index.htm;
root /var/www/html;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/html;
}
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location ~ /\.ht {
deny all;
}
location = /favicon.ico {
log_not_found off; access_log off;
}
location = /robots.txt {
log_not_found off; access_log off; allow all;
}
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
}nginx_conf/nginx.template2 example:
server {
listen 80;
server_name your_domain.ca;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/html;
}
location / {
rewrite ^ https://$host$request_uri? permanent;
}
}
server {
listen 443 ssl http2;
server_name your_domain.ca;
index index.php index.html index.htm;
root /var/www/html;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/your_domain.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain.ca/privkey.pem;
include /etc/nginx/conf.d/options-ssl-nginx.conf;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# enable strict transport security only if you understand the implications
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location ~ /\.ht {
deny all;
}
location = /favicon.ico {
log_not_found off; access_log off;
}
location = /robots.txt {
log_not_found off; access_log off; allow all;
}
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
}search for “your_domain.ca” and replace with your values.
nginx_conf/options-ssl-nginx.conf example:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";activate_server.sh content:
# Start containers and obtain ssl certificate
cd /opt/wp
cp ./nginx_conf/nginx.template1 ./nginx_conf/nginx.conf
./control_wp.sh start
echo
echo Waiting for 60 sec to get new ssl cert
echo
sleep 60
cp ./nginx_conf/nginx.template2 ./nginx_conf/nginx.conf
./control_wp.sh restart
rm activate_server.shexecute following script to finalize installation
/opt/wp/activate_server.shGo to https://your-server-domain-name and follow on-screen instaructions to configure wordpress server.
Enjoy clean wordpress installation.
use following script to renew SSL certificate (renew.sh).
#!/bin/bash
COMPOSE="/usr/bin/docker compose --no-ansi"
DOCKER="/usr/bin/docker"
cd /opt/wp
$COMPOSE run certbot renew --dry-run && $COMPOSE kill -s SIGHUP nginx-proxy
$DOCKER system prune -af