There are two main options for authentication with Event Store. You can secure Event Store itself, or you can use per-stream Access Control Lists for more fine-grained control over which users can access which data. You can also take a hybrid approach that mixes the two.
To secure Event Store, you bind the server to the localhost (127.0.0.1) interface and then install a reverse proxy such as nginx or Varnish on the public IP. You can find an example of setting up Event Store with Varnish here.
The reverse proxy will be your public interface. Internally it will handle the authentication and route requests to Event Store. Event Store is only accessible through the localhost adapter and is not exposed publicly. The locally running reverse proxy will be allowed to cache responses, and because of this, reverse proxies will be more performant than calling Event Store directly.
Event Store also supports internal authentication: you can expose Event Store directly on a port, and Event Store handles all authentication.
Because Event Store handles all security requests, it has all the information about users. Event Store uses this information to check the Access Control Lists of streams, which allows for fine-grained control of security. This causes Event Store to serve more requests internally and is therefore less performant.
Per-stream access control lists require setting caching to private to ensure data is not cached in a shared cache. Read this article for more information.
Even if you use a reverse proxy as above, you can support external authentication from Event Store itself. You do this by enabling the trusted intermediary option in your configuration. This allows the intermediary to write a header with the user information that Event Store will use. You can find how to do this in the HTTP headers section.
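The reverse proxy and trusted intermediary setups described above, sketched as an nginx server block. This is an added example, not configuration from the Event Store documentation. It assumes Event Store listens on 127.0.0.1:2113 and that the trusted-intermediary header is ES-TrustedAuth in the form "user; group" (confirm both against the HTTP headers section). The public address, hostname, file paths and group name are placeholders.

```nginx
# Added example. Placeholders: 203.0.113.10, eventstore.example.com,
# the certificate and htpasswd paths, and the "proxy-users" group.
server {
    # Public interface: only the proxy is reachable from outside.
    listen 203.0.113.10:443 ssl;
    server_name eventstore.example.com;

    ssl_certificate     /etc/nginx/tls/eventstore.crt;
    ssl_certificate_key /etc/nginx/tls/eventstore.key;

    # The proxy authenticates every request before it is routed on.
    auth_basic           "Event Store";
    auth_basic_user_file /etc/nginx/eventstore.htpasswd;

    location / {
        # Event Store is bound to the localhost adapter only.
        proxy_pass http://127.0.0.1:2113;

        # Credentials are checked here, so they are not passed on.
        proxy_set_header Authorization "";

        # Hybrid approach: tell Event Store who the caller is so it can
        # evaluate per-stream ACLs. Needs the trusted intermediary option
        # enabled in Event Store's configuration. proxy_set_header replaces
        # whatever value the client sent, so a caller cannot choose an
        # identity by supplying this header itself.
        proxy_set_header ES-TrustedAuth "$remote_user; proxy-users";

        # No proxy_cache is configured: with per-stream ACLs, responses
        # must not end up in a cache shared between users.
    }
}
```

Because the header is trusted without further proof, this only holds while Event Store stays bound to 127.0.0.1 and nothing except the proxy can connect to it.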
Setting up SSL in Windows is the same as setting up any httplistener in Windows for SSL. You can find many examples of this online, and we recommend this guide from Damir Dobric.
Setting up SSL in Linux is the same as setting up any mono httplistener in Linux for SSL. You can find many examples of this online, and we recommend this guide from Joshua Perina. This method will likely work for other systems such as OpenBSD as well.