SSL & Reverse Proxy
Most production deployments run Strata behind a reverse proxy (Nginx, Caddy, Apache, AWS ALB, Traefik, etc.) that terminates SSL. Strata itself listens on plain HTTP inside its container (default: port 80; configurable with STRATA_CONTAINER_PORT) — the proxy handles HTTPS on port 443 and forwards requests to Strata over HTTP.
SSL certificates are your responsibility. Strata does not ship with or manage certificates. You obtain a certificate (e.g. from Let's Encrypt, your organization's internal CA, or a commercial provider) and configure it on your proxy.
How Strata Handles SSL
Strata uses two environment variables to control SSL behavior:
| Variable | Default | What it does |
|---|---|---|
| ASSUME_SSL | false | Trusts the X-Forwarded-Proto header from your proxy. When a proxy sends X-Forwarded-Proto: https, Strata treats the request as HTTPS even though it arrived over HTTP. |
| FORCE_SSL | false | Redirects any HTTP request to HTTPS and sets Strict-Transport-Security (HSTS) headers. |
These settings control how Strata handles proxy-forwarded HTTPS traffic.
When to use which setting
| Scenario | ASSUME_SSL | FORCE_SSL |
|---|---|---|
| Behind an SSL-terminating proxy (most common) | true | true |
| No SSL — internal network or evaluation | false | false |
| SSL terminated at Strata itself (rare) | false | true |
If your proxy terminates SSL but you leave ASSUME_SSL=false, Strata won't know requests are HTTPS. This causes redirect loops, mixed-content warnings, and broken WebSocket connections.
Standard Setup: Proxy Terminates SSL
This is the most common approach. Your proxy handles HTTPS and forwards plain HTTP to Strata.
What your proxy must do
- Listen on port 443 with your SSL certificate
- Forward requests to Strata on its host port (PORT, default 3000)
- Set the X-Forwarded-Proto header so Strata knows the original request was HTTPS
- Set the X-Forwarded-For header so Strata can log the real client IP
- Pass WebSocket upgrades (for live query results)
Strata configuration
ASSUME_SSL=true
FORCE_SSL=true
APP_HOST=strata.yourcompany.com
APP_PROTOCOL=https
Proxy and certificate setup (external docs)
We don't maintain step-by-step proxy or certificate instructions. Use official documentation for your stack:
| Stack | What to look up |
|---|---|
| Nginx | Nginx reverse proxy and SSL. For Let's Encrypt: Certbot. |
| Caddy | Caddy reverse proxy and automatic HTTPS. |
| Apache | mod_proxy and SSL with mod_ssl. Certbot: certbot.eff.org. |
| AWS ALB | Application Load Balancer and HTTPS listeners. ALB sets X-Forwarded-Proto and X-Forwarded-For by default. |
| Traefik | Traefik HTTPS and routers. |
When following those guides, ensure your proxy forwards to Strata's host port (PORT) and sets the headers listed above.
No SSL (Evaluation or Internal Network)
If you're evaluating Strata or running it on a trusted internal network without SSL:
ASSUME_SSL=false
FORCE_SSL=false
APP_PROTOCOL=http
The install script defaults to these values for quick evaluation setups.
Troubleshooting
Redirect loop (ERR_TOO_MANY_REDIRECTS)
Your proxy sends requests over HTTP, but FORCE_SSL=true tells Strata to redirect to HTTPS, which hits the proxy again as HTTP.
Fix: Set ASSUME_SSL=true so Strata trusts the X-Forwarded-Proto: https header from your proxy. Make sure your proxy actually sends this header.
Mixed content warnings
The browser loads the page over HTTPS but some resources (CSS, JS, WebSocket) use HTTP URLs.
Fix: Set APP_PROTOCOL=https and ASSUME_SSL=true. Strata uses these to generate correct HTTPS URLs.
WebSocket connection fails
Live query results use WebSockets. If your proxy doesn't pass WebSocket upgrades, queries will still work but results won't update in real time.
Fix: Ensure your proxy passes Upgrade and Connection headers. Most modern proxies handle this by default.
Health check fails behind proxy
The /up health check endpoint works over plain HTTP. If your monitoring tool checks health directly (bypassing the proxy), it will get an HTTPS redirect when FORCE_SSL=true.
Fix: Have your monitoring tool either follow redirects, check via the proxy, or check the container directly on STRATA_CONTAINER_PORT (default 80).
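The redirect-loop and health-check cases above can be reproduced offline with a small model of the two settings. This is an added example, not Strata's code: the hostname, client IP, HSTS max-age and all function names are constructed, and it assumes the redirect target is the same URL the browser requested.

```python
# Added model of the ASSUME_SSL / FORCE_SSL rules in the settings table; not Strata's code.
HOST = "strata.example.test"  # constructed hostname


def strata(assume_ssl, force_ssl, headers, path="/"):
    """A request arriving at Strata over plain HTTP -> (status, response headers)."""
    # ASSUME_SSL: trust X-Forwarded-Proto from the proxy.
    seen_as_https = assume_ssl and headers.get("X-Forwarded-Proto") == "https"
    if force_ssl and not seen_as_https:
        # FORCE_SSL: anything Strata sees as HTTP is redirected to HTTPS.
        return 301, {"Location": f"https://{HOST}{path}"}
    resp = {}
    if force_ssl:
        resp["Strict-Transport-Security"] = "max-age=31536000"  # constructed value
    return 200, resp


def browse_via_proxy(assume_ssl, force_ssl, proxy_sets_proto=True, max_hops=5):
    """Browser requests https://HOST/ through an SSL-terminating proxy, following redirects."""
    for hop in range(max_hops):
        forwarded = {"X-Forwarded-For": "203.0.113.7"}  # constructed client IP
        if proxy_sets_proto:
            forwarded["X-Forwarded-Proto"] = "https"
        status, resp = strata(assume_ssl, force_ssl, forwarded)
        if status == 200:
            return {"result": "ok", "redirects": hop,
                    "hsts": "Strict-Transport-Security" in resp}
        # The Location is the URL the browser just asked for, so it retries
        # and the proxy forwards it to Strata over HTTP again.
    return {"result": "ERR_TOO_MANY_REDIRECTS", "redirects": max_hops, "hsts": False}


def health_check_direct(assume_ssl, force_ssl):
    """Monitoring tool hits /up on the container, bypassing the proxy (no forwarded headers)."""
    return strata(assume_ssl, force_ssl, {}, path="/up")[0]


if __name__ == "__main__":
    print(browse_via_proxy(True, True))                          # recommended setup
    print(browse_via_proxy(False, True))                         # ASSUME_SSL left false
    print(browse_via_proxy(True, True, proxy_sets_proto=False))  # proxy omits the header
    print(health_check_direct(True, True))                       # direct /up check
```

In this model `strata()` accepts X-Forwarded-Proto from whatever sends the request once ASSUME_SSL=true, which is why the container port should be reachable only from the proxy.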