How to Configure Proxy
To ensure your HAP system does not directly expose service ports to the external network, we strongly recommend configuring an Nginx proxy after deploying the HAP system. This step significantly enhances system security, and users who require certificates can refer to the relevant documentation for configuration. The Nginx proxy can also provide load balancing and reverse proxy functionality, improving the system's availability and stability.
- Download the Nginx installation package
- Server Supports Internet Access
wget https://pdpublic.mingdao.com/private-deployment/offline/common/nginx-1.28.0-glibc2.17-amd64.tar.gz
- Server Does Not Support Internet Access
# Nginx installation package download link, upload to the deployment server after downloading
https://pdpublic.mingdao.com/private-deployment/offline/common/nginx-1.28.0-glibc2.17-amd64.tar.gz
- Extract Nginx to the installation directory
tar -zxvf nginx-1.28.0-glibc2.17-amd64.tar.gz -C /usr/local/
- Create Nginx system user and directory
useradd -r -s /usr/sbin/nologin nginx
mkdir -p /usr/local/nginx/conf/conf.d /data/logs/weblogs/
chown -R nginx:nginx /data/logs/weblogs
- Write the Nginx main configuration file
cat > /usr/local/nginx/conf/nginx.conf <<\EOF
user nginx;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 204800;
pid nginx.pid;
events {
    use epoll;
    worker_connections 20480;
}
http {
    include mime.types;
    default_type application/octet-stream;
    server_tokens off;
    log_format main "$http_x_forwarded_for | $time_local | $request | $status | $body_bytes_sent | "
                    "$request_body | $content_length | $http_referer | $http_user_agent | "
                    "$http_cookie | $remote_addr | $hostname | $upstream_addr | $upstream_response_time | $request_time";
    server_names_hash_bucket_size 128;
    client_header_buffer_size 8k;
    client_max_body_size 10M;
    large_client_header_buffers 4 32k;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    proxy_buffer_size 64k;
    proxy_buffers 4 128k;
    keepalive_timeout 10;
    open_file_cache max=102400 inactive=60s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 1;
    resolver_timeout 10s;
    underscores_in_headers on;
    gzip on;
    gzip_proxied any;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_min_length 1024;
    gzip_comp_level 8;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript image/jpeg image/gif image/png;
    proxy_http_version 1.1;
    include conf.d/*.conf;
}
EOF
- Configure the host's proxy file (place the following configuration files in the directory /usr/local/nginx/conf/conf.d/)
- Check the Nginx configuration file format
/usr/local/nginx/sbin/nginx -t
- Write the systemd service file for Nginx
cat > /etc/systemd/system/nginx.service <<'EOF'
[Unit]
Description=NGINX HTTP and reverse proxy server
After=network.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t -q
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit
Restart=on-failure
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
EOF
- Start Nginx
systemctl daemon-reload
systemctl enable nginx
systemctl start nginx
Scheduled Nginx Log Rotation
- Create directories for storing configuration files and old logs
mkdir -p /usr/local/logrotate-config
mkdir -p /data/logs/weblogs/oldlogs
chown -R nginx:nginx /data/logs/weblogs
- Create the configuration file
cat > /usr/local/logrotate-config/nginx <<\EOF
/data/logs/weblogs/*.log {
    create 0640 nginx nginx
    daily
    dateext
    dateformat -%Y-%m-%d
    dateyesterday
    rotate 180
    missingok
    ifempty
    compress
    delaycompress
    olddir /data/logs/weblogs/oldlogs
    sharedscripts
    postrotate
        /bin/kill -USR1 `cat /usr/local/nginx/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
EOF
- Check the configuration file
logrotate -d -f /usr/local/logrotate-config/nginx
- Be sure to check the debug output. If you encounter any errors, further handling is required.
- Add to cron jobs
( crontab -l 2>/dev/null; echo '0 0 * * * /usr/sbin/logrotate -f /usr/local/logrotate-config/nginx >/dev/null 2>&1' ) | crontab -
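The log_format in the main configuration above records $request_body and $http_cookie, and the rotation policy keeps rotated logs for 180 days, so request bodies and session cookies can sit on disk for that long. The check below is an added example, not part of the HAP documentation: it lists the sensitive variables each log_format directive references. The function names and the SENSITIVE_VARS list are assumptions, and the sample input is constructed from this page's own log_format.

```shell
#!/bin/sh
# Added example (not from the HAP documentation): report log_format directives
# that write secrets to disk. SENSITIVE_VARS is an assumed starting list.
SENSITIVE_VARS='request_body http_cookie http_authorization'

# audit_log_format [FILE]: reads an nginx config (stdin if no FILE), prints
# "<format name> <variable>" per finding, returns 1 if any were found.
audit_log_format() {
    awk -v vars="$SENSITIVE_VARS" '
        BEGIN { n = split(vars, want, " ") }
        /^[ \t]*#/ { next }                          # skip comment lines
        !in_fmt && /^[ \t]*log_format[ \t]/ {        # directive starts here
            in_fmt = 1; name = $2; body = ""
        }
        in_fmt {
            body = body " " $0
            if ($0 ~ /;[ \t]*$/) {                   # directive ends at ";"
                for (i = 1; i <= n; i++)
                    if (match(body, "\\$" want[i] "([^A-Za-z0-9_]|$)")) {
                        print name, "$" want[i]; found = 1
                    }
                in_fmt = 0
            }
        }
        END { exit (found ? 1 : 0) }
    ' "${1:--}"
}

# Constructed sample input: the log_format from the main configuration above.
sample_conf() {
    cat <<'EOF'
http {
    log_format main "$http_x_forwarded_for | $time_local | $request | $status | $body_bytes_sent | "
                    "$request_body | $content_length | $http_referer | $http_user_agent | "
                    "$http_cookie | $remote_addr | $hostname | $upstream_addr | $upstream_response_time | $request_time";
}
EOF
}

# Demo run: prints the findings for the sample and a warning on stderr.
sample_conf | audit_log_format ||
    echo "log_format writes request bodies or cookies to the access log" >&2
```

On a deployed host, run audit_log_format /usr/local/nginx/conf/nginx.conf and, if the flagged fields are not needed for troubleshooting, remove them from log_format before reloading Nginx.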