Nginx SSL Passthrough Guide - Storm Streaming Server

To improve WebSocket/HTTP performance, an NGINX passthrough is recommended for the Storm Streaming Server.

Configuration

For the passthrough to work, set the HTTP/WebSockets port in the server config to a non-SSL port (e.g. 8080) and disable the internal SSL configuration. Example:

                                
<VHosts>
    <VHost host="127.0.0.1" port="8080" isSSL="false">
        <Protocols>HTTP, WEBSOCKETS</Protocols>
    </VHost>
</VHosts>
                            

All connections will go through NGINX and its SSL layer first; NGINX then forwards the traffic to the server over the non-SSL port. Below you’ll find a sample NGINX configuration.

                    
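# shared-memory zone used by limit_conn below; it must be declared at http level
# (keyed by client IP; the 10m size is an example value)
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

upstream storm {
        # storm internal non-ssl server ip and port (must match the VHost entry above)
        server 127.0.0.1:8080;
}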

server {
        # depending on your server network configuration you’ll have to modify IP address
        listen 0.0.0.0:80;

        # server domain is added here
        server_name mydomain.com;

        # default location for nginx logs
        access_log /var/log/nginx/mydomain.com-access.log combined;
        error_log /var/log/nginx/mydomain.com-error.log error;

        # this line redirects all non-SSL requests to https
        return 301 https://mydomain.com$request_uri;
}

server {
        # depending on your server network configuration you’ll have to modify IP address
        listen 0.0.0.0:443 ssl http2;

        # server domain is added here
        server_name mydomain.com;

        # this directive limits each client IP to 10 concurrent connections
        limit_conn conn_limit_per_ip 10;

        # default location for nginx logs
        access_log /var/log/nginx/mydomain.com-access.log combined;
        error_log /var/log/nginx/mydomain.com-error.log error;

        # SSL
        ssl_stapling on;
        ssl_stapling_verify on;

        # SSL certificates files
        ssl_trusted_certificate /etc/ssl/certs/mydomain.com.ca;
        ssl_certificate /etc/ssl/certs/mydomain.crt;
        ssl_certificate_key /etc/ssl/certs/mydomain.key;

        # SSL settings
        ssl_session_timeout 1d;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;

        location / {

                # Pushing packets to the storm server
                proxy_pass http://storm;

                # Restoring ip, host and forwarded-for parameters
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Accept $http_accept;
                proxy_set_header Authorization $http_authorization;
                proxy_set_header User-Agent $http_user_agent;

                # WebSocket support
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_redirect off;
        }
}
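
With internal SSL disabled, Storm serves unencrypted HTTP/WebSockets on port 8080, so that port should be reachable only through NGINX, where TLS and the per-IP connection limit are applied. The check below is an added example, not part of the Storm documentation or product: it reads the VHosts XML and the `storm` upstream block and reports plaintext listeners or upstream targets that are not on loopback. The function names and the embedded sample inputs are constructed for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the two configurations above.
STORM_XML = """<VHosts>
  <VHost host="127.0.0.1" port="8080" isSSL="false">
    <Protocols>HTTP, WEBSOCKETS</Protocols>
  </VHost>
</VHosts>"""
NGINX_CONF = "upstream storm {\n    server 127.0.0.1:8080;\n}\n"


def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unresolved hostname: treat as exposed


def plaintext_vhosts(storm_xml):
    """(host, port) of every Storm VHost that has isSSL="false"."""
    return [(v.get("host"), int(v.get("port")))
            for v in ET.fromstring(storm_xml).iter("VHost")
            if v.get("isSSL", "").lower() == "false"]


def upstream_servers(nginx_conf, name="storm"):
    """(host, port) of each server line in the named upstream block."""
    block = re.search(r"upstream\s+%s\s*\{(.*?)\}" % re.escape(name), nginx_conf, re.S)
    body = re.sub(r"#.*", "", block.group(1)) if block else ""
    return [(h, int(p)) for h, p in re.findall(r"server\s+([^\s:;]+):(\d+)", body)]


def audit(storm_xml, nginx_conf):
    """Findings list; empty means the plaintext port is reachable only via nginx."""
    vhosts = plaintext_vhosts(storm_xml)
    findings = [f"VHost {h}:{p} is plaintext on a non-loopback address"
                for h, p in vhosts if not is_loopback(h)]
    ports = {p for _, p in vhosts}
    for h, p in upstream_servers(nginx_conf):
        if p not in ports:
            findings.append(f"upstream {h}:{p} matches no plaintext VHost port")
        if not is_loopback(h):
            findings.append(f"upstream {h}:{p} is not a loopback address")
    return findings
```

An empty list from `audit()` means every non-SSL VHost and every upstream target is on loopback and the ports agree; IPv6 upstream literals such as `[::1]:8080` are not parsed by this sketch.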
                            