Skip to content

NGINX configuration

We recommend to use a dedicated virtual server in the NGINX for Receiver respectively communication links from Collector to the Receiver.

This server shares the NGINX server process and the IP address and it is operated on the dedicated DNS domain, different to the Web UI. For example, the Web UI runs on and the receiver is available at In this example and can resolve to the same IP address(es).

Multiple NGINX servers can be configured on different cluster nodes to handle incoming connections from collectors, sharing the same DNS name. We recommend to implement this option for high availability clusters.

upstream lmio-receiver-upstream {
    proxy_pass; # (1)

    proxy_pass http://node-2:3080 backup; # (2)
    proxy_pass http://node-3:3080 backup;

server {
    listen 443 ssl; # (3)

    ssl_certificate recv-cert.pem;  # (4)
    ssl_certificate_key recv-key.pem;

    ssl_client_certificate conf.d/receiver/client-ca-cert.pem;  # (5)
    ssl_verify_client optional;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+AESGCM:EECDH+AES;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;

    ssl_stapling on;
    ssl_stapling_verify on;

    server_tokens off;

    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    location / {  # (8)
        proxy_pass http://lmio-receiver-upstream;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;

        proxy_set_header X-SSL-Verify $ssl_client_verify;  # (6)
        proxy_set_header X-SSL-Cert $ssl_client_escaped_cert;

        client_max_body_size 500M;  # (7)

  1. Points to a locally running lmio-receiver, public Web API port. This is a primary destination since it saves a network traffic.

  2. Backup links to receivers run on other cluster nodes that runs lmio-receiver. Backups will be used when the locally running instance is not available

  3. This is a dedicated HTTPS server running on

  4. You need to provide SSL server key and certificate. You can use a self-signed certificate or a certificate provide by a Certificate Authority.

  5. The certificate client-ca-cert.pemis automatically created by the lmio-receiver. See "Client CA certificate" section.

  6. This verifies the SSL certificate of the client (lmio-collector) and pass that info to lmio-receiver.

  7. lmio-collector may upload chunks of buffered logs.

  8. A URL location path where the lmio-collector API is exposed.

Verify the SSL web server

After NGINX configuration is completed, always verify the SSL configuration quality using ie. Qualsys SSL Server test. You should get "A+" overall rating.

Client CA certificate

The NGINX needs a client-ca-cert.pem file for ssl_client_certificate option. This file is generated by the lmio-receiver during the first launch, it is the export of the client CA certificate from the Zookeeper from lmio/receiver/ca/cert.der. For this reason lmio-receiver needs to be started before this NGINX virtual server configuration is created.

The lmio-receiver generates this file into ./var/ca/client-ca-cert.pem folder.


    - ./nginx/conf.d/receiver:/app/lmio-receiver/var/ca

    - ./nginx/conf.d:/etc/nginx/conf.d

Single DNS domain

The lmio-receiver can be alternativelly collocated on the same domain (and port) with the Web IU. In this case, the lmio-receiver API is exposed on the subpath:

Snipplet from the NGINX configuration for "" HTTPS server.

server {
    listen 443 ssl;


    ssl_client_certificate conf.d/receiver/client-ca-cert.pem;
    ssl_verify_client optional;


    location /receiver {
        rewrite ^/receiver/(.*) /$1 break;

        proxy_pass http://lmio-receiver-upstream;