One of the secret projects currently in development here relies on TLS to maintain a secure connection with every player client. Because I am very excited about the project, I didn't plan too much: I jumped in head first and started typing code. I used OpenSSL to establish a secure session on each incoming connection, so the system looked something like this:


Fast forward a month of working on a few other projects, and I came across the idea of an SSL/TLS termination proxy. It is a proxy that accepts the client's TLS connection, decrypts the stream, and forwards the plaintext over an ordinary TCP connection to the real server, which never has to touch a TLS library itself. With this in mind I went in and ripped out roughly half of the client-handling code that dealt with OpenSSL and replaced it with a simple send/recv. Then I installed NGINX and configured it as a stream proxy (the stream module proxies raw TCP/UDP, as opposed to the http module). The whole setup now looks like this:


Overall I think this was a good move because it simplified my code while maintaining the same functionality. It also feels better to have a well-tested piece of software handling the encryption layer. The trade-off is that everything between NGINX and the game server is now plaintext, so the backend must only be reachable on the loopback interface (which is what the localhost:5555 upstream below assumes); if it were bound to a public address, a client could skip TLS entirely by connecting to it directly. The backend also sees every connection as coming from the proxy's address rather than the player's, which matters for anything that keys on client IP.

The NGINX configuration for the proxy is as follows:

stream {
        upstream stream_backend {
                # Address of the destination server. Everything sent to it is
                # plaintext, so it must only listen on the loopback interface.
                server localhost:5555;
        }

        server {
                # Port on which NGINX listens for TLS connections from clients.
                listen 25555 ssl;
                proxy_pass stream_backend;

                ssl_certificate /path/to/cert.pem;
                ssl_certificate_key /path/to/key.pem;

                ssl_protocols TLSv1.2;

                # Don't wait for data before sending.
                tcp_nodelay on;
        }
}

One thing to keep in mind is that you can't just place this in the sites-available or sites-enabled directories, because the stock nginx.conf includes those files inside the http block, and a stream block is only valid in the main context; nginx will refuse to load the configuration with it nested there. One solution is to keep the stream configuration in its own file and add an include directive for it at the top level of nginx.conf, outside the http block, then run nginx -t to confirm that it loads.
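What the game server looks like on the other side of the proxy, as an added example that is not code from the original post: a plaintext TCP backend that stands in for the "simple send/recv" handler described above. TLS is terminated by NGINX, so this process never imports a TLS library; in exchange it refuses to bind to anything but a loopback address, so a client cannot bypass the proxy by talking to port 5555 directly. The port number, the length-prefixed framing and the echo behaviour are assumptions made for the demo, not details from the post.

```python
"""Plaintext backend behind an NGINX stream proxy (added example, not the post's code).

NGINX terminates TLS on 25555 and forwards plaintext to this process, so:
  * this code does no TLS at all (no OpenSSL, no ssl module), and
  * it must only ever listen on a loopback address, because every byte it
    receives is unencrypted and a public bind would let clients skip TLS.
The port, the u32-length framing and the echo reply are demo assumptions.
"""
import ipaddress
import socket
import struct
import threading

BACKEND_PORT = 5555  # matches "server localhost:5555" in the upstream block (assumption)


def loopback_only(bind_addr: str) -> bool:
    """True only for bind addresses that other hosts cannot reach."""
    try:
        return ipaddress.ip_address(bind_addr).is_loopback
    except ValueError:
        # Not a literal address; accept only the loopback hostname.
        return bind_addr == "localhost"


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a single recv() may return fewer than asked for."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return bytes(buf)


def handle_client(conn: socket.socket) -> None:
    """Echo one frame: 4-byte big-endian length followed by the payload."""
    with conn:
        (length,) = struct.unpack("!I", recv_exact(conn, 4))
        if length > 64 * 1024:  # refuse absurd frames before allocating for them
            return
        payload = recv_exact(conn, length)
        conn.sendall(struct.pack("!I", len(payload)) + payload)


class PlaintextBackend:
    """The server that NGINX proxies to; bound to loopback or not at all."""

    def __init__(self, bind_addr: str = "127.0.0.1", port: int = BACKEND_PORT):
        if not loopback_only(bind_addr):
            raise ValueError(f"refusing to expose plaintext backend on {bind_addr}")
        self.sock = socket.create_server((bind_addr, port))
        self.sock.settimeout(0.5)  # lets the accept loop notice stop()
        self._stop = threading.Event()
        self.thread = threading.Thread(target=self._serve, daemon=True)

    @property
    def port(self) -> int:
        return self.sock.getsockname()[1]

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()

    def start(self) -> "PlaintextBackend":
        self.thread.start()
        return self

    def stop(self) -> None:
        self._stop.set()
        self.thread.join()
        self.sock.close()


def send_frame(port: int, payload: bytes, host: str = "127.0.0.1") -> bytes:
    """What NGINX's upstream side does: plain TCP to the backend, no TLS."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(struct.pack("!I", len(payload)) + payload)
        (length,) = struct.unpack("!I", recv_exact(s, 4))
        return recv_exact(s, length)


if __name__ == "__main__":
    backend = PlaintextBackend(port=0).start()  # port 0: let the OS pick one for the demo
    print(send_frame(backend.port, b"hello from nginx"))
    backend.stop()
```

The loopback check is the part worth copying: with TLS removed from the application, the only thing keeping player traffic confidential is that the plaintext leg never leaves the host, so the server should fail to start rather than silently listen on 0.0.0.0.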