How to Configure Proxy

To avoid exposing the HAP system's service ports directly to the external network, we strongly recommend configuring an Nginx proxy in front of HAP after deployment. This significantly enhances system security and also serves users who need certificates, who can refer to the relevant documentation for that configuration. The Nginx proxy can additionally provide load balancing and reverse proxy functionality, improving the system's availability and stability.

  1. Download the Nginx installation package

    wget https://pdpublic.mingdao.com/private-deployment/offline/common/nginx-1.28.0-glibc2.17-amd64.tar.gz
  2. Extract Nginx to the installation directory

    tar -zxvf nginx-1.28.0-glibc2.17-amd64.tar.gz -C /usr/local/
  3. Create Nginx system user and directory

    useradd -r -s /usr/sbin/nologin nginx
    mkdir -p /usr/local/nginx/conf/conf.d /data/logs/weblogs/
    chown -R nginx:nginx /data/logs/weblogs
  4. Write the Nginx main configuration file

    cat > /usr/local/nginx/conf/nginx.conf <<\EOF
    user nginx;
    worker_processes auto;
    worker_cpu_affinity auto;
    worker_rlimit_nofile 204800;
    pid nginx.pid;
    events {
        use epoll;
        worker_connections 20480;
    }
    http {
        include mime.types;
        default_type application/octet-stream;
        server_tokens off;

        # Note: this format logs $request_body and $http_cookie, which can contain
        # passwords and session tokens. Keep access logs that use it readable only
        # by the nginx user and administrators.
        log_format main "$http_x_forwarded_for | $time_local | $request | $status | $body_bytes_sent | "
        "$request_body | $content_length | $http_referer | $http_user_agent | "
        "$http_cookie | $remote_addr | $hostname | $upstream_addr | $upstream_response_time | $request_time";

        server_names_hash_bucket_size 128;
        client_header_buffer_size 8k;
        client_max_body_size 10M;
        large_client_header_buffers 4 32k;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        proxy_buffer_size 64k;
        proxy_buffers 4 128k;
        keepalive_timeout 10;
        open_file_cache max=102400 inactive=60s;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 1;
        resolver_timeout 10s;
        underscores_in_headers on;

        gzip on;
        gzip_proxied any;
        gzip_disable "msie6";
        gzip_vary on;
        gzip_min_length 1024;
        gzip_comp_level 8;
        gzip_buffers 16 8k;
        gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript image/jpeg image/gif image/png;
        proxy_http_version 1.1;
        include conf.d/*.conf;
    }
    EOF
  5. Configure the host's proxy file (place the following configuration files in the directory /usr/local/nginx/conf/conf.d/)

    HTTP Configuration File Reference

    HTTPS Configuration File Reference

  6. Check the Nginx configuration file format

    /usr/local/nginx/sbin/nginx -t
  7. Write the systemd service file for Nginx

    cat > /etc/systemd/system/nginx.service  <<'EOF'
    [Unit]
    Description=NGINX HTTP and reverse proxy server
    After=network.target
    Wants=network-online.target

    [Service]
    Type=forking
    PIDFile=/usr/local/nginx/nginx.pid
    ExecStartPre=/usr/local/nginx/sbin/nginx -t -q
    ExecStart=/usr/local/nginx/sbin/nginx
    ExecReload=/usr/local/nginx/sbin/nginx -s reload
    ExecStop=/usr/local/nginx/sbin/nginx -s quit

    Restart=on-failure
    LimitNOFILE=65535

    [Install]
    WantedBy=multi-user.target
    EOF
  8. Start Nginx

    systemctl daemon-reload
    systemctl enable nginx
    systemctl start nginx

Scheduled Nginx Log Rotation

  1. Create directories for storing configuration files and old logs

    mkdir -p /usr/local/logrotate-config
    mkdir -p /data/logs/weblogs/oldlogs
    chown -R nginx:nginx /data/logs/weblogs
  2. Create the configuration file

    cat > /usr/local/logrotate-config/nginx <<\EOF
    /data/logs/weblogs/*.log {
        create 0640 nginx nginx
        daily
        dateext
        dateformat -%Y-%m-%d
        dateyesterday
        rotate 180
        missingok
        ifempty
        compress
        delaycompress
        olddir /data/logs/weblogs/oldlogs
        sharedscripts
        postrotate
            /bin/kill -USR1 `cat /usr/local/nginx/nginx.pid 2>/dev/null` 2>/dev/null || true
        endscript
    }
    EOF
  3. Check the configuration file

    logrotate -d -f /usr/local/logrotate-config/nginx
    • Be sure to check the debug output. Any errors it reports must be resolved before continuing.
  4. Add to cron jobs

    ( crontab -l 2>/dev/null; echo '0 0 * * * /usr/sbin/logrotate -f /usr/local/logrotate-config/nginx >/dev/null 2>&1' ) | crontab -
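
The `main` log format in step 4 writes `$request_body` and `$http_cookie` into any access log that uses it, and the rotation above keeps 180 daily files. The shell function below is an added example, not part of the original HAP documentation: it redacts those two fields before logs are copied off the host. The function name, the markers and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Redacts sensitive fields from access logs
# written with the 15-field, " | "-separated log_format "main" from step 4.
# Field 6 is $request_body and field 10 is $http_cookie; nginx writes "-"
# for a variable that is not set.
redact_hap_log() {
    awk -F ' [|] ' -v OFS=' | ' '
    NF == 15 {
        # Exactly 14 separators: no field contains " | ", so positions hold.
        if ($6 != "-")  $6  = "[REDACTED]"
        if ($10 != "-") $10 = "[REDACTED]"
        print
        next
    }
    NF > 15 {
        # A client-controlled field (header, body, URL) contains " | ", so
        # field boundaries are ambiguous. Keep only the last five fields,
        # which nginx generates itself: $remote_addr, $hostname,
        # $upstream_addr, $upstream_response_time, $request_time.
        print "[AMBIGUOUS]", $(NF-4), $(NF-3), $(NF-2), $(NF-1), $NF
        next
    }
    # Fewer than 15 fields: truncated or foreign line, keep nothing.
    { print "[MALFORMED]" }
    '
}

# Constructed sample lines (not real traffic): one clean line and one whose
# cookie contains the " | " separator.
sample_lines() {
    printf '%s\n' \
      '203.0.113.7 | 10/Oct/2025:13:55:36 +0000 | POST /login HTTP/1.1 | 200 | 512 | user=a&password=example | 23 | - | curl/8.0 | sid=abc123 | 192.0.2.10 | proxy01 | 10.0.0.5:8080 | 0.012 | 0.013' \
      '- | 10/Oct/2025:13:55:37 +0000 | GET / HTTP/1.1 | 200 | 90 | - | - | - | curl/8.0 | a=1 | b=2 | 192.0.2.11 | proxy01 | 10.0.0.5:8080 | 0.002 | 0.003'
}

sample_lines | redact_hap_log
```

Run it as a filter, for example over a decompressed file from `/data/logs/weblogs/oldlogs`, and ship only its output.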