How to Configure Proxy

To ensure your HAP system does not directly expose service ports to the external network, we strongly recommend configuring an Nginx proxy after deploying the HAP system. This step not only significantly enhances system security but also meets the needs of users requiring certificates, who can refer to the relevant documentation for configuration. Additionally, the Nginx proxy can provide load balancing and reverse proxy functionality, thereby improving the system's availability and stability.

1. Download the Nginx installation package

   Server Supports Internet Access

   wget https://pdpublic.mingdao.com/private-deployment/offline/common/nginx-1.28.0-glibc2.17-amd64.tar.gz

   Server Does Not Support Internet Access

   # Nginx installation package download link, upload to the deployment server after downloading
   https://pdpublic.mingdao.com/private-deployment/offline/common/nginx-1.28.0-glibc2.17-amd64.tar.gz

2. Extract Nginx to the installation directory

   tar -zxvf nginx-1.28.0-glibc2.17-amd64.tar.gz -C /usr/local/

3. Create Nginx system user and directory

   useradd -r -s /usr/sbin/nologin nginx
   mkdir -p /usr/local/nginx/conf/conf.d /data/logs/weblogs/
   chown -R nginx:nginx /data/logs/weblogs

4. Write the Nginx main configuration file

   cat > /usr/local/nginx/conf/nginx.conf <<\EOF
   user  nginx;
   worker_processes  auto;
   worker_cpu_affinity auto;
   worker_rlimit_nofile 204800;
   pid        nginx.pid;
   events {
       use epoll;
       worker_connections 20480;
   }
   http {
       include       mime.types;
       default_type  application/octet-stream;
       server_tokens off;
   
       log_format main "$http_x_forwarded_for | $time_local | $request | $status | $body_bytes_sent | "
                   "$request_body | $content_length | $http_referer | $http_user_agent | "
                   "$http_cookie | $remote_addr | $hostname | $upstream_addr | $upstream_response_time | $request_time";
   
       server_names_hash_bucket_size 128;
       client_header_buffer_size 8k;
       client_max_body_size 10M;
       large_client_header_buffers 4 32k;
       sendfile       on;
       tcp_nopush     on;
       tcp_nodelay    on;
       proxy_buffer_size     64k;
       proxy_buffers         4 128k;
       keepalive_timeout  10;
       open_file_cache max=102400 inactive=60s;
       open_file_cache_valid 30s;
       open_file_cache_min_uses 1;
       resolver_timeout     10s;
       underscores_in_headers on;
   
       gzip  on;
       gzip_proxied any;
       gzip_disable "msie6";
       gzip_vary on;
       gzip_min_length 1024;
       gzip_comp_level 8;
       gzip_buffers 16 8k;
       gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript image/jpeg image/gif image/png;
       proxy_http_version 1.1;
       include conf.d/*.conf;
   }
   EOF

5. Configure the host's proxy file (place the following configuration files in the directory /usr/local/nginx/conf/conf.d/)

   HTTP Configuration File Reference

   HTTPS Configuration File Reference

6. Check the Nginx configuration file format

   /usr/local/nginx/sbin/nginx -t

7. Write the systemd service file for Nginx

   cat > /etc/systemd/system/nginx.service  <<'EOF'
   [Unit]
   Description=NGINX HTTP and reverse proxy server
   After=network.target
   Wants=network-online.target
   
   [Service]
   Type=forking
   PIDFile=/usr/local/nginx/nginx.pid
   ExecStartPre=/usr/local/nginx/sbin/nginx -t -q
   ExecStart=/usr/local/nginx/sbin/nginx
   ExecReload=/usr/local/nginx/sbin/nginx -s reload
   ExecStop=/usr/local/nginx/sbin/nginx -s quit
   
   Restart=on-failure
   LimitNOFILE=65535
   
   [Install]
   WantedBy=multi-user.target
   EOF

8. Start Nginx

   systemctl daemon-reload
   systemctl enable nginx
   systemctl start nginx

Scheduled Nginx Log Rotation

1. Create directories for storing configuration files and old logs

   mkdir -p /usr/local/logrotate-config
   mkdir -p /data/logs/weblogs/oldlogs
   chown -R nginx:nginx /data/logs/weblogs

2. Create the configuration file

   cat > /usr/local/logrotate-config/nginx <<\EOF
   /data/logs/weblogs/*.log {
   create 0640 nginx nginx
   daily
   dateext
   dateformat -%Y-%m-%d
   dateyesterday
   rotate 180
   missingok
   ifempty
   compress
   delaycompress
   olddir /data/logs/weblogs/oldlogs
   sharedscripts
   postrotate
       /bin/kill -USR1 `cat /usr/local/nginx/nginx.pid 2>/dev/null` 2>/dev/null || true
   endscript
   }
   EOF

3. Check the configuration file

   logrotate -d -f /usr/local/logrotate-config/nginx
   • Be sure to check the debug output. If you encounter any errors, further handling is required.

4. Add to cron jobs

   ( crontab -l 2>/dev/null; echo '0 0 * * * /usr/sbin/logrotate -f /usr/local/logrotate-config/nginx >/dev/null 2>&1' ) | crontab -