
Proxy Configuration

To avoid exposing the HAP system's service ports directly to the internet, we strongly recommend placing an Nginx proxy in front of the system after deployment. This can greatly enhance the security of the system and also serves users who need certificates, who can refer to the relevant documentation for configuration. The Nginx proxy additionally provides load balancing and reverse proxying, improving the system's availability and stability.

  1. Download the Nginx installation package.

    wget https://pdpublic.mingdao.com/private-deployment/offline/common/Nginx1.22.0-glibc2.17.tar.gz
  2. Unpack the Nginx installation package to the installation directory.

    tar -zxvf Nginx1.22.0-glibc2.17.tar.gz -C /usr/local/
  3. Create storage directories for configuration and logs.

    mkdir -p /usr/local/Nginx/conf/conf.d /data/logs/weblogs/
  4. Write the main Nginx configuration file.

    cat > /usr/local/Nginx/conf/Nginx.conf <<EOF
    user nobody;
    worker_processes auto;
    worker_cpu_affinity auto;
    worker_rlimit_nofile 204800;
    pid Nginx.pid;
    events {
    use epoll;
    worker_connections 20480;
    }
    http {
    include mime.types;
    default_type application/octet-stream;
    server_tokens off;

    log_format main "\$http_x_forwarded_for | \$time_local | \$request | \$status | \$body_bytes_sent | "
    "\$request_body | \$content_length | \$http_referer | \$http_user_agent | "
    "\$http_cookie | \$remote_addr | \$hostname | \$upstream_addr | \$upstream_response_time | \$request_time";

    server_names_hash_bucket_size 128;
    client_header_buffer_size 8k;
    client_max_body_size 10M;
    large_client_header_buffers 4 32k;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    proxy_buffer_size 64k;
    proxy_buffers 4 128k;
    keepalive_timeout 10;
    open_file_cache max=102400 inactive=60s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 1;
    resolver_timeout 10s;
    underscores_in_headers on;

    gzip on;
    gzip_proxied any;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_min_length 1024;
    gzip_comp_level 8;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript image/jpeg image/gif image/png;
    proxy_http_version 1.1;
    include conf.d/*.conf;
    }
    EOF
  5. Configure the host proxy file. (Put the following configuration files in the directory /usr/local/Nginx/conf/conf.d/.)

    HTTP Configuration File

    HTTPS Configuration File

  6. Start Nginx.

    Check the format of the Nginx configuration file.

    /usr/local/Nginx/sbin/Nginx -t

    Start Nginx.

    /usr/local/Nginx/sbin/Nginx
  7. Set up auto-start on boot.

    echo "/usr/local/Nginx/sbin/Nginx" >> /etc/rc.local
    chmod +x /etc/rc.d/rc.local

Scheduled rotation of Nginx logs

  1. Create directories for configuration files and old logs.

    mkdir -p /usr/local/logrotate-config
    mkdir -p /data/logs/weblogs/oldlogs
  2. Create a configuration file.

    cat > /usr/local/logrotate-config/Nginx <<EOF
    /data/logs/weblogs/*.log {
    create 0664 nobody root
    daily
    dateext
    dateformat -%Y-%m-%d
    dateyesterday
    rotate 180
    missingok
    ifempty
    compress
    delaycompress
    olddir /data/logs/weblogs/oldlogs
    sharedscripts
    postrotate
    /bin/kill -USR1 \`cat /usr/local/Nginx/Nginx.pid 2>/dev/null\` 2>/dev/null || true
    endscript
    }
    EOF
  3. Check the configuration file.

    logrotate -d -f /usr/local/logrotate-config/Nginx
    • Review the debug output; further action is needed if errors are reported.
  4. Run crontab -e and add the following scheduled task.

    # Rotate Nginx logs with logrotate
    0 0 * * * /usr/sbin/logrotate -f /usr/local/logrotate-config/Nginx >/dev/null 2>&1
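
The `main` log_format in step 4 of the proxy setup writes `$request_body` and `$http_cookie` to the access log, and the rotation settings above keep those files for 180 days with mode 0664, so posted credentials and session cookies sit in world-readable files. The following is an added example, not part of the HAP documentation: a filter that redacts both fields before a log is copied off the server. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HAP documentation): redact the two sensitive
# fields of the "main" log_format before a log leaves the server.
# The format is 15 values joined by " | "; field 6 is $request_body and
# field 10 is $http_cookie. nginx writes "-" for an empty value.

redact_hap_log() {
    awk -F' [|] ' -v OFS=' | ' '
        NF == 15 {
            if ($6  != "-") $6  = "[BODY-REDACTED]"
            if ($10 != "-") $10 = "[COOKIE-REDACTED]"
            print
            next
        }
        # A client-supplied value (header, URL or body) contained " | ", so
        # field positions are ambiguous. Fail closed: drop the whole line.
        { print "[LINE-DROPPED: " NF " fields]"; dropped++ }
        END { exit (dropped ? 3 : 0) }
    '
}

# Constructed sample lines (hosts, addresses and values are made up).
sample_lines() {
    cat <<'EOF'
- | 12/Mar/2024:10:15:01 +0800 | POST /login HTTP/1.1 | 200 | 532 | user=alice&password=constructed | 31 | - | curl/8.0 | sid=constructed-cookie | 203.0.113.7 | proxy01 | 127.0.0.1:8080 | 0.012 | 0.013
- | 12/Mar/2024:10:15:02 +0800 | GET /health HTTP/1.1 | 200 | 2 | - | - | - | curl/8.0 | - | 203.0.113.7 | proxy01 | 127.0.0.1:8080 | 0.001 | 0.001
- | 12/Mar/2024:10:15:03 +0800 | POST /note HTTP/1.1 | 200 | 9 | a | b | 5 | - | curl/8.0 | sid=constructed-cookie | 203.0.113.7 | proxy01 | 127.0.0.1:8080 | 0.004 | 0.004
EOF
}

# Exit status 3 means at least one line was dropped.
sample_lines | redact_hap_log || echo "some lines were dropped" >&2
```

Redacting a copy does not change what is already on disk. Removing `$request_body` and `$http_cookie` from the log_format and tightening the `create` mode in the logrotate file addresses the exposure at its source.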