
HTTPS

Note

Because of how the HAP service works, the docker-compose.yaml configuration file must also be updated whenever the access address of the system changes.

As shown below, set the ENV_ADDRESS_MAIN environment variable to the actual access address of the HAP service, then restart the HAP service for the change to take effect.

If your environment is an older deployment, ENV_ADDRESS_MAIN may not be present. In that case, changing the values of ENV_MINGDAO_PROTO, ENV_MINGDAO_HOST, and ENV_MINGDAO_PORT has the same effect.

To serve HAP over an HTTPS domain, add a reverse proxy layer (such as nginx) in front of it, configure the certificate on that proxy, and proxy requests to the intranet address of the back-end HAP service.

For reference, the following nginx configuration sets up an HTTPS reverse proxy.

upstream hap {
    server Server IP:8880; # Modify it to the intranet IP and port of your HAP system
}

# Force jump to https access
server {
    listen 80;
    server_name hap.domain.com; # Modify it to your HAP system access address
    rewrite ^(.*)$ https://$host$1 permanent;
}

server {
    listen 443 ssl;
    server_name hap.domain.com; # Modify it to your HAP system access address
    access_log /data/logs/weblogs/hap.domain.com.log main; # Customizable log path
    error_log /data/logs/weblogs/hap.domain.com.error.log; # Customizable log path

    ssl_certificate /etc/cert/fullchain.pem; # Modify it to the file path of SSL certificate
    ssl_certificate_key /etc/cert/privkey.pem; # Modify it to the file path of the SSL certificate private key

    underscores_in_headers on;

    # Size limit for uploading files
    client_max_body_size 2048m;

    # Enable browser compression to speed up requests
    gzip on;
    gzip_proxied any;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_min_length 512;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css application/json application/x-javascript application/javascript application/octet-stream text/xml application/xml application/xml+rss text/javascript image/jpeg image/gif image/png;

    location / {
        # Forward an existing X-Real-IP header if one is present, otherwise
        # fall back to the address of the connecting peer.
        # The incoming header is passed through as received, so it is only
        # reliable when this nginx sits behind another proxy you control.
        set $real_ip '';
        if ($http_x_real_ip) {
            set $real_ip $http_x_real_ip;
        }
        if ($http_x_real_ip = '') {
            set $real_ip $remote_addr;
        }
        proxy_set_header X-Real-IP $real_ip;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://hap;
    }

    # IM Requirements
    location ~ /mds2 {
        proxy_set_header Host $http_host;
        proxy_hide_header X-Powered-By;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://hap;
        proxy_redirect off;
        proxy_http_version 1.1;
        # WebSocket upgrade headers
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
    }
}
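The `location /` block above forwards whatever X-Real-IP value arrives with the request, so the client address HAP receives is only as trustworthy as the sender of that header. The following variant is an added example, not part of the HAP documentation: it accepts X-Real-IP only from a known front proxy and otherwise uses the TCP peer address. The addresses 10.0.0.10 and 192.168.1.10 are constructed placeholders, and the remaining directives of the HTTPS server block (logging, upload size, gzip, the `/mds2` location) stay as in the configuration above.

```nginx
# Added example (not from the HAP documentation).
# Assumptions: 10.0.0.10 is a constructed address for a trusted front proxy or
# load balancer; 192.168.1.10:8880 is a constructed intranet address for HAP.
# Requires ngx_http_realip_module (included in the official nginx packages;
# source builds need --with-http_realip_module).

upstream hap {
    server 192.168.1.10:8880;
}

server {
    listen 443 ssl;
    server_name hap.domain.com;

    ssl_certificate     /etc/cert/fullchain.pem;
    ssl_certificate_key /etc/cert/privkey.pem;

    # Case 1: nginx is reached through a trusted front proxy.
    # X-Real-IP is honoured only on connections from 10.0.0.10; nginx then
    # rewrites $remote_addr to the header value. From any other peer the
    # header is ignored and $remote_addr stays the TCP peer address.
    set_real_ip_from 10.0.0.10;
    real_ip_header   X-Real-IP;

    # Case 2: nginx is the internet-facing edge.
    # Delete the two real_ip lines above; no incoming X-Real-IP is trusted.

    location / {
        # Always overwrite the incoming header with the vetted address.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://hap;
    }
}
```

Check the syntax with `nginx -t` before reloading.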

If you need to keep the original access address and also make the system reachable via the new address, refer to Multiple Access Address Configuration.