I recently set up a new cloud server to host a WordPress website using a decoupled architecture. The goal was to separate the web and database servers, leverage Docker for containerization, and configure Nginx as a reverse proxy. On top of that, I enhanced security by deploying SafeLine WAF locally to filter and monitor all incoming traffic.
Architecture Overview
The setup is based on Docker, which provides isolated environments for the web service. I used Portainer for graphical management of Docker containers. Nginx, installed directly on the server, acts as a reverse proxy.
Traffic flow is structured as follows:
- The server listens on port 81 for internal web services.
- SafeLine WAF binds to the domain on port 80, intercepting and filtering incoming requests.
- WAF forwards traffic back to port 81, which is then routed to port 8080, finally reaching the WordPress container.
This configuration ensures that all external traffic passes through the WAF first, enhancing security while maintaining efficiency.
Technical Details
SSH Access to Ubuntu Server
The default username for Ubuntu is ubuntu, and the root account is not assigned a password during installation by default. Always ensure proper user and permission management for security.
Docker Mapping and Communication
You can define Docker volume mappings using the -v parameter. For example, to map a local hard drive /data to the WordPress container’s web directory:
docker run -v /data:/var/www/html <your_wordpress_image>
Configuring MySQL Container
After starting your MySQL container, external access must be configured:
docker exec -it mysql5.7 bash
mysql -u root -p
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
⚠️ Note: Granting full privileges to root is insecure for production. It’s recommended to create a dedicated MySQL user with a strong password for external access.
Connecting Docker to a Local Database Host
To connect a container to a local database host:
- Use
host.docker.internal(for Docker Desktop environments) - For Dockerized MySQL, find the container’s IP with:
docker inspect <mysql-container-name> | grep IPAddress
Nginx Reverse Proxy Configuration
While setting up Nginx as a reverse proxy, I encountered two common issues:
-
Redirection Loop
Simply using
proxy_pass http://<host_ip>:8080;can trigger a redirect loop. Fix it by adding:
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- WAF Bypass by Port Redirection Users clicking certain links or buttons may bypass the WAF if redirected to another port. This can be temporarily mitigated with proper Nginx configuration (screenshot or config snippet can be added here).
Conclusion
By carefully configuring Docker, Nginx, and SafeLine WAF, I successfully built a secure and efficient WordPress environment. This setup ensures:
- All web traffic is filtered and monitored by WAF
- Internal services remain isolated and efficient
- Security and performance are balanced
These steps provide a practical blueprint for anyone looking to deploy a secure WordPress site using containerization and a robust WAF layer.
Join the SafeLine Community
If you continue to experience issues, feel free to contact SafeLine support for further assistance.
Top comments (0)