Hello Masters,
only to share with you a link with a text how we are managing let’s encrypt inside of our DMZ.
Hope that it will util for you.
salu2
I hope you realize that anyone with any tech savvy can use your reverse proxy to hit any web enabled server that is resolvable by your internal DNS system directly from anywhere on the Internet.
I like the idea, the simplicity of it.
But you need to apply some well-thought-out security to it.
Like maybe:
Just my very old two cents.
hello @rg305,
the reverse proxy only forwards requests that contain “./well-known/acme-challenge”, so the access from internet servers.
and yes, you can include IDS/IPS/W2F and a lot of other three-letter tools here to restrict and protect the systems a bit more, but that wasn’t the idea of the article.
PS: I still think that we should have a whitelist of IPs from letsencrypt validation servers.
thanks for your 2 cents !!!
salu2
Is it true that your code only shows the ./well-known/acme-challenge/
location:
But it doesn't cover any other location and thus leaves room for circumvention.
Maybe you could include the missing explicit deny (in both :80 and :443 sections):
location / {
    return 404;
}#location
And you have also overlooked the possibility of accessing IPs that are NOT included in the external DNS zone. That can only be accomplished by excluding the proxy from the internal DNS zone.
For that you can use a third DNS zone or local hosts file entries.
Just my very old two dollars worth of free info.
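Putting the two points of this thread together (forward only the ACME challenge path, and deny everything else on both :80 and :443, while keeping the proxy away from internal-only names), here is an added nginx example; it is not the configuration from the linked article or from any poster. example.com, the DNS server 192.0.2.53 and the certificate paths are placeholders.

```nginx
# Added example, not the thread author's configuration. An nginx front-end in the
# DMZ that forwards ONLY ACME HTTP-01 challenge requests to the internal host
# named in the Host header and answers 404 to everything else on :80 and :443.
# Placeholders (assumptions): example.com is the public zone, 192.0.2.53 is a
# DNS server that knows only that public zone, /etc/nginx/certs/dmz.* are paths.

# Catch-all for Host headers outside the public zone (IP literals, internal
# names, anything unexpected) on both ports: never proxied.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/certs/dmz.crt;
    ssl_certificate_key /etc/nginx/certs/dmz.key;
    return 404;
}

# Only names that exist in the public zone reach this block.
server {
    listen 80;
    server_name example.com *.example.com;

    # Resolve the Host header with a DNS view that carries only the public zone,
    # so an internal-only name cannot be reached through the proxy.
    resolver 192.0.2.53 valid=300s ipv6=off;

    # Validation tokens are base64url; anything else under the prefix is denied.
    location ~ "^/\.well-known/acme-challenge/[A-Za-z0-9_-]+$" {
        proxy_pass http://$host$request_uri;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_connect_timeout 5s;
        proxy_read_timeout 10s;
        proxy_redirect off;
    }

    # Explicit default deny: no other path is forwarded.
    location / {
        return 404;
    }
}
```

HTTP-01 validation always arrives on :80, so the public names need no separate :443 block here; the default_server above already answers 404 on :443 for every Host.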