如何配置代理

为了确保您的 HAP 系统不直接暴露服务端口至外网，我们强烈建议您在部署 HAP 系统后，进一步配置 Nginx 代理。这一步骤不仅可以大大提高系统的安全性，还可以满足那些有证书需求的用户，他们可以参考相关文档进行配置。此外，Nginx 代理还能提供负载均衡和反向代理的功能，从而提升系统的可用性和稳定性。

1. 下载 nginx 安装包

   服务器支持访问互联网

   wget https://pdpublic.mingdao.com/private-deployment/offline/common/nginx-1.28.0-glibc2.17-amd64.tar.gz

   服务器不支持访问互联网

   # nginx 安装包文件下载链接，下载完成后上传到部署服务器
   https://pdpublic.mingdao.com/private-deployment/offline/common/nginx-1.28.0-glibc2.17-amd64.tar.gz

2. 解压 nginx 到安装目录

   tar -zxvf nginx-1.28.0-glibc2.17-amd64.tar.gz -C /usr/local/

3. 创建 nginx 系统用户与目录

   useradd -r -s /usr/sbin/nologin nginx
   mkdir -p /usr/local/nginx/conf/conf.d /data/logs/weblogs/
   chown -R nginx:nginx /data/logs/weblogs

4. 写入 nginx 主配置文件

   cat > /usr/local/nginx/conf/nginx.conf <<\EOF
   user  nginx;
   worker_processes  auto;
   worker_cpu_affinity auto;
   worker_rlimit_nofile 204800;
   pid        nginx.pid;
   events {
       use epoll;
       worker_connections 20480;
   }
   http {
       include       mime.types;
       default_type  application/octet-stream;
       server_tokens off;
   
       log_format main "$http_x_forwarded_for | $time_local | $request | $status | $body_bytes_sent | "
                   "$request_body | $content_length | $http_referer | $http_user_agent | "
                   "$http_cookie | $remote_addr | $hostname | $upstream_addr | $upstream_response_time | $request_time";
   
       server_names_hash_bucket_size 128;
       client_header_buffer_size 8k;
       client_max_body_size 10M;
       large_client_header_buffers 4 32k;
       sendfile       on;
       tcp_nopush     on;
       tcp_nodelay    on;
       proxy_buffer_size     64k;
       proxy_buffers         4 128k;
       keepalive_timeout  10;
       open_file_cache max=102400 inactive=60s;
       open_file_cache_valid 30s;
       open_file_cache_min_uses 1;
       resolver_timeout     10s;
       underscores_in_headers on;
   
       gzip  on;
       gzip_proxied any;
       gzip_disable "msie6";
       gzip_vary on;
       gzip_min_length 1024;
       gzip_comp_level 8;
       gzip_buffers 16 8k;
       gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript image/jpeg image/gif image/png;
       proxy_http_version 1.1;
       include conf.d/*.conf;
   }
   EOF

5. 配置主机代理文件（以下配置文件放置目录/usr/local/nginx/conf/conf.d/）

   HTTP配置文件参考

   HTTPS配置文件参考

6. 检查 nginx 配置文件格式

   /usr/local/nginx/sbin/nginx -t

7. 写入 nginx 的 systemd 服务文件

   cat > /etc/systemd/system/nginx.service  <<'EOF'
   [Unit]
   Description=NGINX HTTP and reverse proxy server
   After=network.target
   Wants=network-online.target
   
   [Service]
   Type=forking
   PIDFile=/usr/local/nginx/nginx.pid
   ExecStartPre=/usr/local/nginx/sbin/nginx -t -q
   ExecStart=/usr/local/nginx/sbin/nginx
   ExecReload=/usr/local/nginx/sbin/nginx -s reload
   ExecStop=/usr/local/nginx/sbin/nginx -s quit
   
   Restart=on-failure
   LimitNOFILE=65535
   
   [Install]
   WantedBy=multi-user.target
   EOF

8. 启动 nginx

   systemctl daemon-reload
   systemctl enable nginx
   systemctl start nginx

nginx 日志定时切割

1. 创建存放配置文件与存放旧日志的目录

   mkdir -p /usr/local/logrotate-config
   mkdir -p /data/logs/weblogs/oldlogs
   chown -R nginx:nginx /data/logs/weblogs

2. 创建配置文件

   cat > /usr/local/logrotate-config/nginx <<\EOF
   /data/logs/weblogs/*.log {
   create 0640 nginx nginx
   daily
   dateext
   dateformat -%Y-%m-%d
   dateyesterday
   rotate 180
   missingok
   ifempty
   compress
   delaycompress
   olddir /data/logs/weblogs/oldlogs
   sharedscripts
   postrotate
       /bin/kill -USR1 `cat /usr/local/nginx/nginx.pid 2>/dev/null` 2>/dev/null || true
   endscript
   }
   EOF

3. 检查配置文件

   logrotate -d -f /usr/local/logrotate-config/nginx
   • 注意查看 debug 输出，如遇到 error 则需要进一步处理

4. 加入定时任务

   ( crontab -l 2>/dev/null; echo '0 0 * * * /usr/sbin/logrotate -f /usr/local/logrotate-config/nginx >/dev/null 2>&1' ) | crontab -