SSL NGINX passthrough (TLS termination) - Storm Streaming Server

To improve WebSocket / HTTP performance, an NGINX reverse proxy that terminates TLS (called a "passthrough" here) is recommended in front of the Storm Streaming Server. For it to work, set the HTTP/WebSocket ports in the server config to e.g. 8080 and disable the server's internal SSL configuration, so that only NGINX handles TLS. Example:

                                
<WebSockets host="*">
    <!-- Plain (non-TLS) listener that NGINX proxies to. host="*" binds it on
         every interface, so port 8080 is also reachable directly and
         unencrypted, bypassing NGINX's TLS layer and connection limits.
         Bind it to the loopback/internal address instead if the server
         supports that (check the Storm docs), or firewall 8080 from outside. -->
    <NonSSLServer enabled="true" port="8080" />
    <!-- Internal TLS is disabled on purpose: NGINX terminates TLS on 443. -->
    <SSLServer enabled="false" port="443" />
</WebSockets>
<HTTP host="*">
    <!-- Same plain listener for HTTP; the same exposure caveat applies. -->
    <NonSSLServer enabled="true" port="8080" />
    <SSLServer enabled="false" port="1630" />
</HTTP>
                            

All connections go through NGINX and its SSL layer first: NGINX terminates TLS and forwards the traffic to the Storm server in plain text over the internal port (8080 above). Because that hop is unencrypted, the internal port must not be reachable from untrusted networks (bind it to a loopback/internal address or firewall it); otherwise clients can bypass NGINX's TLS and connection limits entirely. Below you'll find a sample NGINX configuration.

                                
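upstream storm {
        # Storm's internal non-SSL listener (the port set in the Storm config).
        # This must be a reachable destination address: 0.0.0.0 is a wildcard
        # *bind* address, and connecting to it only works by OS quirk. Use the
        # loopback address when Storm runs on the same host, or the private
        # IP of the Storm host otherwise. Traffic on this hop is unencrypted.
        server 127.0.0.1:8080;
}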

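server {
        # depending on your server network configuration you'll have to modify IP address
        listen 0.0.0.0:80;

        # server domain is added here
        server_name mydomain.com;

        # these are the default folders for nginx logs
        access_log /var/log/nginx/mydomain.com-access.log combined;
        error_log /var/log/nginx/mydomain.com-error.log error;

        # Redirect every plain-HTTP request to HTTPS. The target must be a
        # single argument (no space before $request_uri); with a space nginx
        # rejects the directive at load time ("invalid number of arguments").
        # The domain is hard-coded rather than taken from $host so that a
        # client-supplied Host header cannot turn this into an open redirect.
        return 301 https://mydomain.com$request_uri;
}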

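server {
        # depending on your server network configuration you'll have to modify IP address
        listen 0.0.0.0:443 ssl http2;

        # server domain is added here
        server_name mydomain.com;

        # Limits each client IP to 10 concurrent connections.
        # The zone must be declared once in the http {} context, otherwise
        # nginx refuses to load the config ("unknown limit_conn_zone"):
        #   limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
        # Note that clients behind a shared NAT share this budget.
        limit_conn conn_limit_per_ip 10;

        # these are the default folders for nginx logs
        access_log /var/log/nginx/mydomain.com-access.log combined;
        error_log /var/log/nginx/mydomain.com-error.log error;

        # SSL / OCSP stapling (needs the CA chain in ssl_trusted_certificate)
        ssl_stapling on;
        ssl_stapling_verify on;

        # SSL certificate files.
        # Keep the private key out of the world-readable certs directory
        # (e.g. /etc/ssl/private/, mode 0600, owned by root); nginx reads it
        # as root at startup before dropping privileges.
        ssl_trusted_certificate /etc/ssl/certs/mydomain.com.ca;
        ssl_certificate /etc/ssl/certs/mydomain.crt;
        ssl_certificate_key /etc/ssl/private/mydomain.key;

        # SSL settings: TLS 1.2/1.3 only, AEAD (GCM) suites with forward secrecy
        ssl_session_timeout 1d;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;

        # Optional: tell browsers to always use HTTPS for this host. Enable
        # only once every host under mydomain.com is served over TLS, since
        # browsers cache it.
        # add_header Strict-Transport-Security "max-age=31536000" always;

        location / {
                # Forward to the internal (plain-text) Storm listener
                proxy_pass http://storm;

                # Restore client IP, host and forwarding information for Storm.
                # $proxy_add_x_forwarded_for appends to any X-Forwarded-For the
                # client itself sent, so Storm must only trust the LAST entry
                # (or X-Real-IP, which is always the real peer here).
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # Lets Storm know the client connection was TLS even though
                # the hop to Storm is plain HTTP
                proxy_set_header X-Forwarded-Proto $scheme;

                # WebSocket support. Connection is forced to "upgrade" for all
                # requests; for a strict setup use the usual
                # `map $http_upgrade $connection_upgrade` in the http {} context
                # and reference $connection_upgrade here instead.
                # Idle WebSockets are closed after proxy_read_timeout (60s by
                # default); raise it if streams can legitimately go quiet.
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_redirect off;
        }
}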