Features: - PHP 8.4 support (from 8.3) - WordPress 7.0 (auto-update via WP-CLI) - Modern TLS 1.3 cipher suites (2026 best practices) - Fail2Ban security integration (5 jails: SSH, Nginx, WordPress, recidive) - Auto-update cron job for WordPress (weekly Minor updates) - Debian 14 Forky support (testing) - Ubuntu 25.04 support - Python 3.12 in GitHub Actions Security: - Fail2Ban with SSH brute force protection (24h ban) - WordPress wp-login.php protection (2h ban) - Nginx bot scanner protection - Recidive jail for repeat offenders (1 week ban) - Modern TLS ciphers (AEAD only) - HSTS 2 years for preload Documentation: - docs/autoupdate.md - WordPress auto-update guide - docs/fail2ban.md - Fail2Ban configuration guide - docs/troubleshooting.md - Updated with php_version variable Breaking changes: - PHP 8.4 is now the default (requires Ubuntu 20.04+ or Debian 11+)
2.3 KiB
Executable File
2.3 KiB
Executable File
SSL/HTTPS Setup Guide
This guide explains how to set up SSL certificates for your WordPress installation using the integrated SSL support.
Automatic SSL Setup (Recommended)
Prerequisites
- Domain name pointing to your server
- Ports 80 and 443 open in firewall
- Valid email address for Let's Encrypt
Method 1: Enable SSL in Inventory
Edit your inventory/production.yml:
wordpress_servers:
hosts:
your-domain.com:
# ... other settings ...
# SSL Configuration
ssl_enabled: true # Enable SSL
ssl_email: admin@your-domain.com # Required for Let's Encrypt
domain_name: your-domain.com # Your domain
Deploy with SSL:
# Basic LEMP with SSL
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml
# Ultimate Performance with SSL
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress-ultimate.yml
Method 2: Enable SSL via Command Line
# Enable SSL during deployment
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml \
-e "ssl_enabled=true" \
-e "ssl_email=admin@your-domain.com"
Manual SSL Setup
If you prefer manual setup or have your own certificates:
-
Install Certbot:
sudo apt update sudo apt install certbot python3-certbot-nginx -
Generate Certificate:
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com -
Auto-renewal:
sudo crontab -e # Add: 0 12 * * * /usr/bin/certbot renew --quiet
SSL Configuration
The SSL-enabled Nginx configuration includes:
- HTTP to HTTPS redirect
- Strong SSL ciphers
- HSTS headers
- OCSP stapling
Troubleshooting SSL
Certificate not found:
- Verify domain DNS points to server
- Check firewall allows ports 80/443
- Ensure Nginx is running
Mixed content warnings:
- Update WordPress site URL in database
- Check for hardcoded HTTP links
- Use SSL-aware plugins
Certificate renewal fails:
- Check Nginx configuration syntax
- Verify webroot path permissions
- Review certbot logs:
/var/log/letsencrypt/
Custom Certificates
To use your own SSL certificates:
- Copy certificates to
/etc/ssl/certs/ - Update Nginx configuration
- Restart Nginx service
See templates/wordpress-ssl.nginx.j2 for the SSL template.