
Technical Deep Dive: HEP over TLS via Nginx Proxy

Utilizing Nginx Stream module to provide native TLS encryption for CXMind Ingestion.

This document details the configuration of the Nginx stream module as a reverse proxy to provide native HEP (Homer Encapsulation Protocol) TLS encryption support for the CXMind Ingestion Engine (IE).

1. Architecture Topology

With Nginx deployed at the edge, it terminates TLS (decrypts the stream) and then forwards the plaintext HEP traffic to the IE service over an internal network or the local loopback using standard TCP.

Frontend Isolation / DMZ

Nginx acts as the sole encrypted entry point: it terminates TLS and shields the core infrastructure from direct public exposure.

Plaintext TCP (downward to the internal network)
Internal Secure Network

The Ingestion Engine (IE) resides here, receiving trusted plaintext streams exclusively from the internal proxy.

2. Nginx Configuration

Since HEP functions at Layer 4 (Transport Layer) rather than Layer 7 (Application Layer), the Nginx stream module must be used for L4 proxying and SSL/TLS offloading. Add the following to your Nginx config (typically located at /etc/nginx/nginx.conf). Note that stream is a top-level context: place it alongside the http block, not inside it.

stream {
    # CXMind Ingestion Engine Upstream (Cleartext TCP)
    upstream cxmind_ie {
        server 127.0.0.1:9060; # Or your internal IE IP
    }

    # TLS Listener for incoming HEP traffic
    server {
        listen 9061 ssl;
        proxy_pass cxmind_ie;
        
        # TLS Configuration
        ssl_certificate     /etc/nginx/ssl/cxmind.crt;
        ssl_certificate_key /etc/nginx/ssl/cxmind.key;
        
        # SSL Optimization (Recommended)
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
    }
}

3. Ingestion Engine Configuration

In this setup, the IE processes plaintext HEP TCP traffic as usual and remains completely agnostic of the TLS layer. We recommend binding the IE to the loopback address so that only the local proxy can reach its plaintext listener.

Key Note: Packet Origin Tracking

Although an L4 proxy cannot inject X-Forwarded-For headers, the HEP encapsulation itself carries the original source and destination IP metadata inside the capsule body. The IE therefore sees the proxy as the TCP peer but loses none of the tracking or monitoring information its business logic requires.
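To make the point concrete, here is an added example (not CXMind's own code) that builds a HEPv3 capsule, decodes it, and ships it to the Nginx listener on port 9061 over TLS. It assumes the generic-vendor chunk layout of the sipcapture HEPv3 specification; the SIP line, IP addresses and agent ID are constructed sample values.

```python
import socket
import ssl
import struct

# HEPv3 chunk type IDs (generic vendor 0x0000) from the sipcapture HEPv3 specification
IP_FAMILY, PROTO_ID, SRC_IP4, DST_IP4 = 0x0001, 0x0002, 0x0003, 0x0004
SRC_PORT, DST_PORT, PROTO_TYPE, AGENT_ID, PAYLOAD = 0x0007, 0x0008, 0x000B, 0x000C, 0x000F

def chunk(type_id, data):
    """One HEPv3 chunk: vendor(2) | type(2) | length(2, header included) | data."""
    return struct.pack("!HHH", 0, type_id, 6 + len(data)) + data

def build_hep3(src_ip, dst_ip, src_port, dst_port, sip, agent_id=2001):
    """Encapsulate a SIP message with the IPv4 endpoints it was captured between."""
    body = b"".join([
        chunk(IP_FAMILY, b"\x02"),                     # 0x02 = IPv4
        chunk(PROTO_ID, b"\x11"),                      # 17 = UDP
        chunk(SRC_IP4, socket.inet_aton(src_ip)),
        chunk(DST_IP4, socket.inet_aton(dst_ip)),
        chunk(SRC_PORT, struct.pack("!H", src_port)),
        chunk(DST_PORT, struct.pack("!H", dst_port)),
        chunk(PROTO_TYPE, b"\x01"),                    # 1 = SIP
        chunk(AGENT_ID, struct.pack("!I", agent_id)),  # constructed sample agent id
        chunk(PAYLOAD, sip),
    ])
    return b"HEP3" + struct.pack("!H", 6 + len(body)) + body

def parse_hep3(packet):
    """Decode a HEPv3 packet into {type_id: data}; rejects malformed framing."""
    if packet[:4] != b"HEP3" or struct.unpack("!H", packet[4:6])[0] != len(packet):
        raise ValueError("bad HEPv3 magic or total length")
    chunks, pos = {}, 6
    while pos < len(packet):
        _vendor, type_id, length = struct.unpack("!HHH", packet[pos:pos + 6])
        if length < 6 or pos + length > len(packet):
            raise ValueError("bad chunk length")
        chunks[type_id] = packet[pos + 6:pos + length]
        pos += length
    return chunks

def origin(packet):
    """Capture endpoints carried inside the capsule, independent of the TCP peer."""
    c = parse_hep3(packet)
    return (socket.inet_ntoa(c[SRC_IP4]), struct.unpack("!H", c[SRC_PORT])[0],
            socket.inet_ntoa(c[DST_IP4]), struct.unpack("!H", c[DST_PORT])[0])

def send_over_tls(packet, host, port=9061, cafile=None):
    """Deliver the capsule to the Nginx TLS listener; the IE behind it sees plain TCP."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the proxy's certificate
    with socket.create_connection((host, port)) as raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(packet)
```

Whatever peer address the IE observes on the loopback connection, `origin()` recovers the capture endpoints from the capsule itself, which is why nothing is lost behind the proxy.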

4. Core Advantages

Zero Code Change

No modifications are required for the Go-based backend or React frontend, allowing for seamless integration with stable releases.

High Performance

TLS handshakes are CPU-intensive. Offloading them to Nginx (C-level optimizations and AES-NI) lets the IE goroutines focus entirely on packet parsing.

Standardized Ops

Integrates naturally with automation tools like Certbot. Existing enterprise certificate rotation policies apply unchanged, and private keys are never exposed to the web UI.
