How to Configure Proxy

To avoid exposing the HAP system's server ports directly to the public network, we strongly recommend placing an Nginx proxy in front of the HAP system after deployment. This significantly enhances system security and also serves users who require certificates; they can refer to the related documentation for configuration. The Nginx proxy additionally provides load balancing and reverse proxy functions, improving the system's availability and stability.

Nginx Deployment

  1. Download the Nginx installation package.

    wget https://pdpublic.mingdao.com/private-deployment/offline/common/nginx-1.28.2-glibc2.17-amd64.tar.gz
  2. Extract Nginx into the installation directory.

    tar -zxvf nginx-1.28.2-glibc2.17-amd64.tar.gz -C /usr/local/
  3. Create the Nginx system user and directories.

    useradd -r -s /usr/sbin/nologin nginx
    mkdir -p /usr/local/nginx/conf/conf.d /data/logs/weblogs/
    chown -R nginx:nginx /data/logs/weblogs
  4. Write the main Nginx configuration file.

    cat > /usr/local/nginx/conf/nginx.conf <<\EOF
    user nginx;
    worker_processes auto;
    worker_cpu_affinity auto;
    worker_rlimit_nofile 204800;
    pid nginx.pid;

    events {
        use epoll;
        worker_connections 20480;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        # Do not reveal the nginx version in response headers and error pages.
        server_tokens off;

        # This format records $request_body and $http_cookie, so the access logs
        # contain credentials and session tokens; restrict read access to them.
        log_format main "$http_x_forwarded_for | $time_local | $request | $status | $body_bytes_sent | "
                        "$request_body | $content_length | $http_referer | $http_user_agent | "
                        "$http_cookie | $remote_addr | $hostname | $upstream_addr | $upstream_response_time | $request_time";

        server_names_hash_bucket_size 128;
        client_header_buffer_size 8k;
        client_max_body_size 10M;
        large_client_header_buffers 4 32k;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        proxy_buffer_size 64k;
        proxy_buffers 4 128k;
        keepalive_timeout 10;
        open_file_cache max=102400 inactive=60s;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 1;
        resolver_timeout 10s;
        # Accept request headers whose names contain underscores.
        underscores_in_headers on;

        gzip on;
        gzip_proxied any;
        gzip_disable "msie6";
        gzip_vary on;
        gzip_min_length 1024;
        gzip_comp_level 8;
        gzip_buffers 16 8k;
        gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript image/jpeg image/gif image/png;
        proxy_http_version 1.1;
        # Per-site proxy rules are loaded from conf/conf.d/.
        include conf.d/*.conf;
    }
    EOF
  5. Configure business proxy rules.

    Create the specific proxy configuration file (e.g., hap.conf) under the directory /usr/local/nginx/conf/conf.d/. You can execute the following command to start writing the configuration:

    vi /usr/local/nginx/conf/conf.d/hap.conf

    Refer to the configuration examples based on your business needs (HTTP or HTTPS):

  6. Check the Nginx configuration file format.

    /usr/local/nginx/sbin/nginx -t
  7. Write the systemd service file for Nginx.

    cat > /etc/systemd/system/nginx.service  <<'EOF'
    [Unit]
    Description=NGINX HTTP and reverse proxy server
    After=network.target
    Wants=network-online.target

    [Service]
    Type=forking
    PIDFile=/usr/local/nginx/nginx.pid
    ExecStartPre=/usr/local/nginx/sbin/nginx -t -q
    ExecStart=/usr/local/nginx/sbin/nginx
    ExecReload=/usr/local/nginx/sbin/nginx -s reload
    ExecStop=/usr/local/nginx/sbin/nginx -s quit

    Restart=on-failure
    LimitNOFILE=65535

    [Install]
    WantedBy=multi-user.target
    EOF
  8. Start Nginx and configure it to start on boot.

    systemctl daemon-reload
    systemctl enable nginx
    systemctl start nginx

Nginx Log Scheduled Rotation

To prevent Nginx request logs from occupying excessive disk space due to long-term accumulation, it is recommended to configure automatic log rotation and cleanup mechanisms.

  1. Create the required directories for configuration and log storage.

    mkdir -p /usr/local/logrotate-config
    mkdir -p /data/logs/weblogs/oldlogs
    chown -R nginx:nginx /data/logs/weblogs
  2. Write the logrotate rotation rules.

    cat > /usr/local/logrotate-config/nginx <<\EOF
    /data/logs/weblogs/*.log {
        create 0640 nginx nginx
        daily
        dateext
        dateformat -%Y-%m-%d
        dateyesterday
        rotate 180
        missingok
        ifempty
        compress
        delaycompress
        olddir /data/logs/weblogs/oldlogs
        sharedscripts
        postrotate
            # USR1 tells the nginx master process to reopen its log files.
            /bin/kill -USR1 `cat /usr/local/nginx/nginx.pid 2>/dev/null` 2>/dev/null || true
        endscript
    }
    EOF
  3. Manually verify that the configuration works.

    logrotate -d -f /usr/local/logrotate-config/nginx
    • The -d flag runs logrotate in debug mode, so no logs are actually rotated. Pay attention to the debug output. If errors occur, further troubleshooting is required.
  4. Configure crontab to automatically execute tasks at scheduled intervals.

    ( crontab -l 2>/dev/null; echo '0 0 * * * /usr/sbin/logrotate -f /usr/local/logrotate-config/nginx >/dev/null 2>&1' ) | crontab -
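
The `main` log_format in nginx.conf above writes `$request_body` and `$http_cookie` into every access-log line, and the rotation rules keep those lines for 180 days. The shell function below is an added example, not part of the HAP documentation: it redacts those two fields before logs leave the host and withholds any line whose field count is not 15. The sample lines, addresses, host name and tokens are constructed.

```shell
#!/bin/sh
# Added example, not part of the HAP documentation.
# Field positions follow the "main" log_format in nginx.conf above:
# 15 fields joined by " | "; field 6 = $request_body, field 10 = $http_cookie.

redact_hap_log() {
    # stdin: raw access-log lines; stdout: lines with secrets removed.
    # Exit status 2 means at least one line was withheld.
    awk -F' [|] ' -v OFS=' | ' '
        NF != 15 {
            # nginx does not escape "|" in logged values, so a client-supplied
            # header or body containing " | " shifts every later field. The
            # positions cannot be trusted: withhold the line, do not guess.
            printf "[withheld: %d fields, expected 15]\n", NF
            bad++
            next
        }
        {
            if ($6  != "-") $6  = "[redacted-body]"
            if ($10 != "-") $10 = "[redacted-cookie]"
            print
        }
        END { exit (bad > 0 ? 2 : 0) }
    '
}

# Constructed sample lines: documentation-range addresses, fake credentials.
sample_log() {
    cat <<'EOF'
203.0.113.7 | 12/Mar/2025:10:01:02 +0800 | POST /api/login HTTP/1.1 | 200 | 512 | user=alice&password=example-only | 32 | - | Mozilla/5.0 | session=EXAMPLE-TOKEN | 192.0.2.10 | proxy01 | 127.0.0.1:8080 | 0.012 | 0.013
- | 12/Mar/2025:10:01:05 +0800 | GET /health HTTP/1.1 | 200 | 2 | - | - | - | curl/8.5.0 | - | 192.0.2.20 | proxy01 | 127.0.0.1:8080 | 0.001 | 0.001
- | 12/Mar/2025:10:01:09 +0800 | GET / HTTP/1.1 | 200 | 2 | - | - | - | agent | x | sid=EXAMPLE-TOKEN-2 | 192.0.2.30 | proxy01 | 127.0.0.1:8080 | 0.001 | 0.001
EOF
}

# Demo run on the constructed sample; the third line has 16 fields and is withheld.
sample_log | redact_hap_log || true
```

In the third sample line a positional redaction would have blanked the wrong field and left the cookie in place, which is why lines with an unexpected field count are withheld rather than partially redacted.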