WPCloudDeploy Documentation

Technical Upgrade Notes For V 4.6.x

Introduction

Version 4.6.x of WPCloudDeploy will need to update the configuration of existing servers. This upgrade will need to be done in three parts.

  • Part 1: Upgrade NGINX configurations
  • Part 2: Upgrade CERTBOT to use SNAP images
  • Part 3: Add files for 7G firewall

The majority of the rest of this document will outline how to perform the part 1 upgrade manually for users who cannot use the automatic upgrade routine. Instructions for part 2 and part 3 of the upgrade are at the very bottom.

Please make sure that, after you perform the first part of the upgrade, you continue and perform the second and third parts as well – it will be easy to forget to do the other parts if you perform the first part manually.


Part 1: Upgrade NGINX configurations – Automatic Upgrade

Version 4.6.0 of WPCD includes updated default configurations for servers and sites.  The first part of the upgrade process will modify your existing files so that they match our new default configuration.

For the new default configurations we have added:

  • Browser caching of image and media files
  • Browser caching of js and css files
  • Compression of certain file types before transfer between server and browser (gzip)
  • Larger defaults for number of user connections on the web server
  • HSTS (HTTP Strict Transport Security) turned on by default
  • Some additional multi-threading options for the web server.
  • Using the PHP OPCACHE

You can start the automatic upgrade process under the UPGRADES tab for each affected server.

 


Part 1: Upgrade NGINX configurations – Manual Upgrades

As you can see from the above image, you cannot use the automatic upgrade process if you have already added similar rules to your NGINX configuration files.

You cannot use the automatic upgrade process if any of the following is true:

1. If you have manually added or updated any of the following directives to your NGINX configuration files:

worker_cpu_affinity
worker_rlimit_nofile
pcre_jit
multi_accept
worker_connections
accept_mutex
use epoll;
reset_timedout_connection
keepalive_timeout
variables_hash_max_size 
variables_hash_bucket_size 
server_names_hash_bucket_size 
aio threads;

add_header X-Frame-Options
add_header X-XSS-Protection
add_header X-Content-Type-Options
add_header Referrer-Policy 
add_header X-Download-Options

add_header Strict-Transport-Security
ssl_stapling 
ssl_stapling_verify on;

2. You also cannot use the automatic upgrade process if you have:

  • Added or modified Gzip Settings
  • Added or modified cache-control settings

If you cannot use the automatic update for your server, you can manually update its configuration files as described in the next few sections.
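
To see whether a server already carries any of the directives listed above, the following added example (not WPCD's own upgrade check) greps an nginx configuration tree for them. It assumes that "Gzip Settings" means gzip* directives and "cache-control settings" means expires or add_header Cache-Control; a match only shows the directive is present, not who added it, and the sample tree is constructed.

```shell
#!/usr/bin/env bash
# Added example, not WPCD code: find directives from the page's list that are
# already present in an nginx configuration tree.

# Directive and header names copied from the page's list.
plain='worker_cpu_affinity|worker_rlimit_nofile|pcre_jit|multi_accept|worker_connections|accept_mutex|reset_timedout_connection|keepalive_timeout|variables_hash_max_size|variables_hash_bucket_size|server_names_hash_bucket_size|ssl_stapling|ssl_stapling_verify'
headers='X-Frame-Options|X-XSS-Protection|X-Content-Type-Options|Referrer-Policy|X-Download-Options|Strict-Transport-Security'
# Assumption: gzip settings = gzip* directives; cache-control settings =
# the expires directive or an add_header Cache-Control line.
extra='gzip[a-z_]*|expires'
WPCD_RE="^[[:space:]]*((${plain}|${extra})[[:space:]]|use[[:space:]]+epoll|aio[[:space:]]+threads"
WPCD_RE="${WPCD_RE}|add_header[[:space:]]+\"?(${headers}|Cache-Control)\"?[[:space:]])"

# find_upgrade_blockers DIR: prints file:line:text for each active match.
# Commented-out lines are skipped; only directives that start a line are seen.
find_upgrade_blockers() {
    grep -rnE -- "$WPCD_RE" "$1"
}

# make_sample_tree DIR: writes a small constructed config tree for the demo.
make_sample_tree() {
    mkdir -p "$1/sites-enabled"
    cat > "$1/nginx.conf" <<'EOF'
user www-data;
# worker_rlimit_nofile 100000;
events {
    worker_connections 768;
}
http {
    keepalive_timeout 65;
    gzip on;
}
EOF
    cat > "$1/sites-enabled/example.test" <<'EOF'
server {
    include /etc/nginx/common/gzip[.]conf;
    add_header X-Frame-Options "DENY" always;
    add_header X-Custom "not on the list";
}
EOF
}

# With a directory argument (e.g. /etc/nginx) scan it; otherwise run the demo.
if [ "$#" -gt 0 ]; then
    find_upgrade_blockers "$1" || echo "no listed directives found"
else
    demo=$(mktemp -d)
    make_sample_tree "$demo" && find_upgrade_blockers "$demo"
    rm -rf "$demo"
fi
```

Any line it prints is a reason to review that file before choosing between the automatic and the manual path.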

If you manually update your configurations then you will need to use the DO NOT UPGRADE button in the UPGRADES tab to proceed to the 2nd part of the upgrade process!


New Directives in NGINX.CONF

For servers, we are now adding new directives.  You can add these to your existing servers if you wish:

At the top

worker_cpu_affinity auto;
worker_rlimit_nofile 100000;
pcre_jit on;

In the EVENTS block

Replace the entire block with this:

multi_accept on;
worker_connections 50000;
accept_mutex on;
use epoll;

In the HTTP block

reset_timedout_connection on;
keepalive_timeout 8;
variables_hash_max_size 4096;
variables_hash_bucket_size 512;
server_names_hash_bucket_size 128;
aio threads;

All of these items are optional and the absence of them will not affect the normal functioning of your site.  If you apply all of these changes, the beginning of your revised nginx.conf file will look similar to the following:

Note that in the image above we’ve added some spacing between the directives as well as a few comments. That’s merely an aesthetic difference though.


Gzip

We created a new file called gzip.conf in /etc/nginx/common/.

This file is now automatically included in all new site level configuration files located in /etc/nginx/sites-enabled.

After running the server upgrade script, you can manually add in the following line to each of the site configurations:

# Compress certain files with gzip.
include /etc/nginx/common/gzip[.]conf;

This is optional and the absence of these items will not affect the normal functioning of your site.  But if you do not add them it will prevent you from using the WPCD console to reliably adjust certain options related to Gzip and performance.


Browser Caching

We created a new file called browsercache.conf in /etc/nginx/common/.

This file is now automatically included in all new site level configuration files located in /etc/nginx/sites-enabled.

After running the server upgrade script, you can manually add in the following line to each of the site configurations:

# Cache certain filetypes in the browser
include /etc/nginx/common/browsercache[.]conf;

This is optional and the absence of these items will not affect the normal functioning of your site. But if you do not add them it will prevent you from using the WPCD console to reliably adjust items related to these options.


We added new default security headers to the site configuration files in /etc/nginx/common/.

In the server block we added:

# Security Headers 
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin" always;
add_header X-Download-Options "noopen";
add_header Strict-Transport-Security "max-age=30000000; includeSubDomains; preload" always;

# OCSP Settings
ssl_stapling on;
ssl_stapling_verify on;

This is optional and the absence of these items will not affect the normal functioning of your site. But if you do not add them it will prevent you from using the WPCD console to reliably adjust items related to these options.
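
nginx inherits add_header directives from an outer block only when the inner block defines none of its own, so it is worth confirming that responses actually carry the headers above. The following added example (not WPCD code) reads a response header dump on stdin and lists which of the six headers are missing; both sample responses are constructed.

```shell
#!/usr/bin/env bash
# Added example, not WPCD code: list which of the page's six security headers
# are missing from an HTTP response header dump read on stdin.
EXPECTED_HEADERS='X-Frame-Options X-XSS-Protection X-Content-Type-Options
Referrer-Policy X-Download-Options Strict-Transport-Security'

missing_security_headers() {
    local dump name
    dump=$(tr -d '\r')   # header lines arrive with CRLF endings
    for name in $EXPECTED_HEADERS; do
        # Header names are case-insensitive (HTTP/2 sends them lowercase).
        printf '%s\n' "$dump" | grep -qi -- "^${name}:" || printf '%s\n' "$name"
    done
}

# Constructed sample: a page response carrying all six headers.
sample_page_response() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'Content-Type: text/html' \
        'X-Frame-Options: SAMEORIGIN' 'X-XSS-Protection: 1; mode=block' \
        'X-Content-Type-Options: nosniff' \
        'Referrer-Policy: no-referrer, strict-origin-when-cross-origin' \
        'X-Download-Options: noopen' \
        'Strict-Transport-Security: max-age=30000000; includeSubDomains; preload'
}

# Constructed sample: a static asset served from a location block that sets
# its own headers, so most server-level headers are absent.
sample_asset_response() {
    printf '%s\r\n' 'HTTP/2 200' 'content-type: text/css' \
        'cache-control: max-age=2592000' 'x-content-type-options: nosniff'
}

# With a URL argument, check the live response; otherwise run the demo.
if [ "$#" -gt 0 ]; then
    curl -sI "$1" | missing_security_headers
else
    echo "Missing from the constructed asset response:"
    sample_asset_response | missing_security_headers
fi
```

Check a page URL and a static file URL separately, since they can be served from different blocks. The Strict-Transport-Security value on this page includes includeSubDomains and preload, so every subdomain must already serve HTTPS before it is applied.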


Final Notes

After making changes to your configuration files, please make sure you restart your PHP and NGINX services:

systemctl restart php5.6-fpm
systemctl restart php7.1-fpm
systemctl restart php7.2-fpm
systemctl restart php7.3-fpm
systemctl restart php7.4-fpm
systemctl restart php8.0-fpm

service nginx restart


Part 2: Upgrade CERTBOT to use SNAP images

After you have completed the first part of the upgrade process you will see a new option under the server UPGRADES tab.  Just click the button to upgrade the CERTBOT service to use the new SNAP modules.  With this update we’ll be able to support wildcard DNS for Multisite and do so using multiple DNS providers.


Part 3: Upgrade For 7G Firewall Files

After you have completed the second part of the upgrade process you will see a new option under the server UPGRADES tab.  Just click the button to add the 7G firewall files that we will be using in future versions of WPCD.


 
