如何配置代理

为了确保您的 HAP 系统不直接暴露服务端口至外网，我们强烈建议您在部署 HAP 系统后，进一步配置 Nginx 代理。这一步骤不仅可以大大提高系统的安全性，还可以满足那些有证书需求的用户，他们可以参考相关文档进行配置。此外，Nginx 代理还能提供负载均衡和反向代理的功能，从而提升系统的可用性和稳定性。

Nginx 部署

下载 nginx 安装包

Linux amd64
Linux arm64

wget https://pdpublic.mingdao.com/private-deployment/offline/common/nginx-1.30.2-glibc2.17-amd64.tar.gz

wget https://pdpublic.mingdao.com/private-deployment/offline/common/arm64/nginx-1.30.2-glibc2.17-arm64.tar.gz

解压 nginx 到安装目录

Linux amd64
Linux arm64

tar -zxvf nginx-1.30.2-glibc2.17-amd64.tar.gz -C /usr/local/

tar -zxvf nginx-1.30.2-glibc2.17-arm64.tar.gz -C /usr/local/

创建 nginx 系统用户与目录

useradd -r -s /usr/sbin/nologin nginx
mkdir -p /usr/local/nginx/conf/conf.d /data/logs/weblogs/
chown -R nginx:nginx /data/logs/weblogs

写入 nginx 主配置文件

cat > /usr/local/nginx/conf/nginx.conf <<\EOF
user  nginx;
worker_processes  auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 204800;
pid        nginx.pid;
events {
    use epoll;
    worker_connections 20480;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;

    log_format main "$http_x_forwarded_for | $time_local | $request | $status | $body_bytes_sent | "
                "$request_body | $content_length | $http_referer | $http_user_agent | "
                "$http_cookie | $remote_addr | $hostname | $upstream_addr | $upstream_response_time | $request_time";

    server_names_hash_bucket_size 128;
    client_header_buffer_size 8k;
    client_max_body_size 10M;
    large_client_header_buffers 4 32k;
    sendfile       on;
    tcp_nopush     on;
    tcp_nodelay    on;
    proxy_buffer_size     64k;
    proxy_buffers         4 128k;
    keepalive_timeout  10;
    open_file_cache max=102400 inactive=60s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 1;
    resolver_timeout     10s;
    underscores_in_headers on;

    gzip  on;
    gzip_proxied any;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_min_length 1024;
    gzip_comp_level 8;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript image/jpeg image/gif image/png;
    proxy_http_version 1.1;
    include conf.d/*.conf;
}
EOF

配置业务代理规则

在 /usr/local/nginx/conf/conf.d/ 目录下创建具体的代理配置文件（例如 hap.conf）。您可以执行以下命令开始编写配置：
```
vi /usr/local/nginx/conf/conf.d/hap.conf
```
请根据您的业务需求（HTTP 或 HTTPS）参考相应的配置示例：
- HTTP 代理配置参考
- HTTPS 代理配置参考
检查 nginx 配置文件格式
```
/usr/local/nginx/sbin/nginx -t
```

写入 nginx 的 systemd 服务文件

cat > /etc/systemd/system/nginx.service  <<'EOF'
[Unit]
Description=NGINX HTTP and reverse proxy server
After=network.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/usr/local/nginx/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t -q
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit

Restart=on-failure
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target
EOF

启动 nginx 并配置开机自启动

systemctl daemon-reload
systemctl enable nginx
systemctl start nginx

Nginx 日志定时切割

为防止 Nginx 产生的请求日志因长期积累而占用过大的磁盘空间，建议配置日志的自动切割与清理机制。

创建所需的配置与日志存储目录

mkdir -p /usr/local/logrotate-config
mkdir -p /data/logs/weblogs/oldlogs
chown -R nginx:nginx /data/logs/weblogs

编写 logrotate 切割规则

cat > /usr/local/logrotate-config/nginx <<\EOF
/data/logs/weblogs/*.log {
create 0640 nginx nginx
daily
dateext
dateformat -%Y-%m-%d
dateyesterday
rotate 180
missingok
ifempty
compress
delaycompress
olddir /data/logs/weblogs/oldlogs
sharedscripts
postrotate
    /bin/kill -USR1 `cat /usr/local/nginx/nginx.pid 2>/dev/null` 2>/dev/null || true
endscript
}
EOF

手动验证配置是否生效
```
logrotate -d -f /usr/local/logrotate-config/nginx
```
- 注意查看 debug 输出，如遇到 error 则需要进一步处理

配置 crontab 定时自动执行任务

( crontab -l 2>/dev/null; echo '0 0 * * * /usr/sbin/logrotate -f /usr/local/logrotate-config/nginx >/dev/null 2>&1' ) | crontab -

Nginx 部署​

Nginx 日志定时切割​

Nginx 部署

Nginx 日志定时切割