跳到主要内容

如何配置代理

为了确保您的 HAP 系统不直接暴露服务端口至外网,我们强烈建议您在部署 HAP 系统后,进一步配置 Nginx 代理。这一步骤不仅可以大大提高系统的安全性,还可以满足那些有证书需求的用户,他们可以参考相关文档进行配置。此外,Nginx 代理还能提供负载均衡和反向代理的功能,从而提升系统的可用性和稳定性。

  1. 下载 nginx 安装包

    wget https://pdpublic.mingdao.com/private-deployment/offline/common/nginx-1.28.0-glibc2.17-amd64.tar.gz
  2. 解压 nginx 到安装目录

    tar -zxvf nginx-1.28.0-glibc2.17-amd64.tar.gz -C /usr/local/
  3. 创建 nginx 系统用户与目录

    useradd -r -s /usr/sbin/nologin nginx
    mkdir -p /usr/local/nginx/conf/conf.d /data/logs/weblogs/
    chown -R nginx:nginx /data/logs/weblogs
  4. 写入 nginx 主配置文件

    cat > /usr/local/nginx/conf/nginx.conf <<\EOF
    user nginx;
    worker_processes auto;
    worker_cpu_affinity auto;
    worker_rlimit_nofile 204800;
    pid nginx.pid;
    events {
    use epoll;
    worker_connections 20480;
    }
    http {
    include mime.types;
    default_type application/octet-stream;
    server_tokens off;

    log_format main "$http_x_forwarded_for | $time_local | $request | $status | $body_bytes_sent | "
    "$request_body | $content_length | $http_referer | $http_user_agent | "
    "$http_cookie | $remote_addr | $hostname | $upstream_addr | $upstream_response_time | $request_time";

    server_names_hash_bucket_size 128;
    client_header_buffer_size 8k;
    client_max_body_size 10M;
    large_client_header_buffers 4 32k;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    proxy_buffer_size 64k;
    proxy_buffers 4 128k;
    keepalive_timeout 10;
    open_file_cache max=102400 inactive=60s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 1;
    resolver_timeout 10s;
    underscores_in_headers on;

    gzip on;
    gzip_proxied any;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_min_length 1024;
    gzip_comp_level 8;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript image/jpeg image/gif image/png;
    proxy_http_version 1.1;
    include conf.d/*.conf;
    }
    EOF
  5. 配置主机代理文件(以下配置文件放置目录/usr/local/nginx/conf/conf.d/)

    HTTP配置文件参考

    HTTPS配置文件参考

  6. 检查 nginx 配置文件格式

    /usr/local/nginx/sbin/nginx -t
  7. 写入 nginx 的 systemd 服务文件

    cat > /etc/systemd/system/nginx.service  <<'EOF'
    [Unit]
    Description=NGINX HTTP and reverse proxy server
    After=network.target
    Wants=network-online.target

    [Service]
    Type=forking
    PIDFile=/usr/local/nginx/nginx.pid
    ExecStartPre=/usr/local/nginx/sbin/nginx -t -q
    ExecStart=/usr/local/nginx/sbin/nginx
    ExecReload=/usr/local/nginx/sbin/nginx -s reload
    ExecStop=/usr/local/nginx/sbin/nginx -s quit

    Restart=on-failure
    LimitNOFILE=65535

    [Install]
    WantedBy=multi-user.target
    EOF
  8. 启动 nginx

    systemctl daemon-reload
    systemctl enable nginx
    systemctl start nginx

nginx 日志定时切割

  1. 创建存放配置文件与存放旧日志的目录

    mkdir -p /usr/local/logrotate-config
    mkdir -p /data/logs/weblogs/oldlogs
    chown -R nginx:nginx /data/logs/weblogs
  2. 创建配置文件

    cat > /usr/local/logrotate-config/nginx <<\EOF
    /data/logs/weblogs/*.log {
    create 0640 nginx nginx
    daily
    dateext
    dateformat -%Y-%m-%d
    dateyesterday
    rotate 180
    missingok
    ifempty
    compress
    delaycompress
    olddir /data/logs/weblogs/oldlogs
    sharedscripts
    postrotate
    /bin/kill -USR1 `cat /usr/local/nginx/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
    }
    EOF
  3. 检查配置文件

    logrotate -d -f /usr/local/logrotate-config/nginx
    • 注意查看 debug 输出,如遇到 error 则需要进一步处理
  4. 加入定时任务

    ( crontab -l 2>/dev/null; echo '0 0 * * * /usr/sbin/logrotate -f /usr/local/logrotate-config/nginx >/dev/null 2>&1' ) | crontab -