Nginx SSL Passthrough Guide - Storm Streaming Server

To improve WebSocket/HTTP performance, an NGINX passthrough in front of the Storm Streaming Server is recommended.

Configuration

In order for the passthrough to work, set the HTTP/WebSocket port in the server config (e.g. to 8080) and disable the server's internal SSL configuration. Example:

                                
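<VHosts>
    <!-- Plain-HTTP/WebSocket listener bound to loopback only; NGINX terminates TLS in front of it -->
    <VHost host="127.0.0.1" port="8080" isSSL="false">
        <Protocols>HTTP, WEBSOCKETS</Protocols>
    </VHost>
</VHosts>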
                            

All connections go through NGINX and its SSL layer first; NGINX then forwards the decrypted traffic to the server over plain HTTP on the loopback interface. Below you'll find a sample NGINX configuration.

                    
# Upstream: the Storm server's plain-HTTP listener (the VHost above, port 8080, isSSL="false")
upstream storm {
    # Loopback address only: the Storm VHost binds to 127.0.0.1, so the unencrypted
    # port is not exposed beyond this host and only NGINX can reach it
    server 127.0.0.1:8080;
}

# Plain-HTTP listener whose only job is to redirect every request to HTTPS
server {
    # Bind address may need adjusting for your network layout
    listen 0.0.0.0:80;
    server_name mydomain.com;

    # Same log files as the HTTPS block
    error_log /var/log/nginx/mydomain.com-error.log error;
    access_log /var/log/nginx/mydomain.com-access.log combined;

    # The redirect target is hard-coded instead of using $host, so a client-supplied
    # Host header is never reflected into the Location header.
    # The HSTS header is kept for completeness, but browsers only honour it on a
    # TLS response; the HTTPS block below is the one that actually enforces it.
    add_header Strict-Transport-Security max-age=31536000 always;
    return 301 https://mydomain.com$request_uri;
}

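# HTTPS server block: TLS terminates here, the upstream is reached over plain HTTP on loopback
server {
    # Depending on your server network configuration you'll have to modify IP address
    listen 0.0.0.0:443 ssl http2;

    # Server domain is added here
    server_name mydomain.com;

    # This command limits each user to 10 concurrent connections.
    # It needs a matching zone declared in the http context before it can be enabled, e.g.
    #   limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    # limit_conn conn_limit_per_ip 10;

    # Default folders for nginx logs
    access_log /var/log/nginx/mydomain.com-access.log combined;
    error_log /var/log/nginx/mydomain.com-error.log error;

    # OCSP stapling. nginx fetches the OCSP response itself, so it also needs a
    # `resolver` directive (not shown in this sample) to look up the responder's
    # hostname; without one, stapling cannot fetch the response and nginx logs
    # a resolver warning.
    ssl_stapling on;
    ssl_stapling_verify on;

    # SSL certificates files.
    # The trusted chain is what ssl_stapling_verify checks the OCSP response against.
    # The private key should be readable by root only; nginx reads it in the master
    # process before worker privileges are dropped.
    ssl_trusted_certificate /etc/ssl/certs/mydomain.com.ca;
    ssl_certificate /etc/ssl/certs/mydomain.crt;
    ssl_certificate_key /etc/ssl/certs/mydomain.key;

    # SSL security hardening
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Optional but improves session resumption. The key file must contain 80 (or 48)
    # bytes of random data and should be rotated regularly: whoever holds it can
    # decrypt resumed sessions, which weakens forward secrecy for the key's lifetime.
    # If you do not rotate it, prefer `ssl_session_tickets off;` instead.
    ssl_session_ticket_key /etc/ssl/private/ticket.key;

    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers takes exactly one argument; the list must stay on a single line
    # (or be quoted), otherwise nginx rejects the config with "invalid number of arguments".
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    # Every suite above is AEAD with forward secrecy, so the client may pick the order
    ssl_prefer_server_ciphers off;

    # Always send HSTS header to enforce HTTPS on client side.
    # add_header is only inherited by a location that declares no add_header of its own;
    # if you add headers inside a location block, repeat this line there.
    add_header Strict-Transport-Security max-age=31536000 always;

    # Optional: block non-standard HTTP methods (444 closes the connection without a response).
    # Note this also rejects OPTIONS, so cross-origin browser clients that need a CORS
    # preflight (for example because they send X-Api-Key or Authorization) will be refused;
    # add OPTIONS to the list if that applies to your deployment.
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

    location / {
        # Pushing packets to the storm server
        proxy_pass http://storm;

        # Restoring IP, host and forwarded-for headers.
        # X-Real-IP is taken from the TCP peer address and is the only trustworthy
        # client address. $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For
        # the client sent, so the earlier entries in that header are client-controlled and
        # must not be used upstream for access decisions.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # These request headers are forwarded by nginx by default; they are listed explicitly
        # so it is clear the upstream relies on them.
        proxy_set_header Accept $http_accept;
        proxy_set_header Authorization $http_authorization;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header X-Api-Key $http_x_api_key;

        # WebSocket support.
        # Connection is set to "upgrade" unconditionally, also for plain HTTP requests;
        # the pattern documented by nginx uses `map $http_upgrade $connection_upgrade`
        # in the http context so that only real upgrade requests carry it.
        # An idle WebSocket is closed after proxy_read_timeout (60s by default);
        # raise it here if the stream can go quiet for longer than that.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Don't rewrite Location headers
        proxy_redirect off;
    }

    # Protect internal directories and sensitive paths.
    # Regex locations are matched before the "/" prefix location is used, so these
    # apply even though they are listed after it.
    location ~ /\.ht {
        deny all;
    }

    location /cron/ {
        deny all;
    }

    location ~ /\.svn {
        deny all;
    }

    location ~ /\.git {
        deny all;
    }
}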
                            