Deploying certificates to DMZ servers

Hello Masters,

Just sharing with you a link to a text on how we are managing Let's Encrypt inside our DMZ.

Hope that it will be useful for you.

Regards

I hope you realize that anyone with any tech savvy can use your reverse proxy to hit any web-enabled server that is resolvable by your internal DNS system directly from anywhere on the Internet.

I like the idea, the simplicity of it.
But you need to apply some well thought security to it.
Like maybe:

  • splitting DNS into more than two zones.
  • applying inline IPS protections that can perform SSL inspection.
  • applying basic firewall rules (behind the proxy) to restrict the IPs that can be accessed by the proxy.

Just my very old two cents.


hello @rg305,

The reverse proxy only forwards requests that contain "./well-known/acme-challenge", so that is the only access from Internet servers.

And yes, you can include IDS/IPS/WAF and a lot of other three-letter tools here to restrict and protect the systems a bit more, but that wasn't the idea of the article.

PS: I still think that we should have a whitelist of the IPs of the Let's Encrypt validation servers.

Thanks for your 2 cents!!! :smiley:

Regards


Is it true that your code only shows the ./well-known/acme-challenge/ location?

But it doesn't cover any other location and thus leaves room for circumvention.

Maybe you could include the missing explicit deny (in both :80 and :443 sections):

location / {
    return 404;
}#location

And you have also overlooked the possibility of accessing IPs that are NOT included in the external DNS zone. That can only be accomplished by excluding the proxy from the internal DNS zone.
For that you can use a third DNS zone or local hosts file entries.

Just my very old two dollars worth of free info.

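A constructed nginx configuration, added here as an illustration and not taken from the linked article or from any post in this thread, that applies both points above: the explicit deny in the :80 and :443 server blocks, and limiting which backends the proxy can reach at all. The allow-list via a `map` is an assumption about how one might do that; the hostnames, backend addresses and certificate paths are placeholders.

```nginx
# Constructed example: DMZ reverse proxy that forwards only ACME HTTP-01
# challenge requests to a fixed set of backends and denies everything else.

# Only hosts listed here can be reached through the proxy. Anything else maps
# to the empty string, which the locations below turn into a 404. A proxy_pass
# built from $host alone would reach any name internal DNS can resolve.
map $host $acme_backend {
    default           "";
    www.example.com   10.0.1.10;   # placeholder backend
    mail.example.com  10.0.1.20;   # placeholder backend
}

server {
    listen 80;
    server_name _;

    # Let's Encrypt validation path only (HTTP-01 challenges arrive on :80).
    location ^~ /.well-known/acme-challenge/ {
        if ($acme_backend = "") { return 404; }
        proxy_pass http://$acme_backend;
        proxy_set_header Host $host;
    }

    # Explicit deny for every other path.
    location / {
        return 404;
    }
}

server {
    listen 443 ssl;
    server_name _;
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;

    # Same rule on :443 in case a challenge follows a redirect to HTTPS.
    location ^~ /.well-known/acme-challenge/ {
        if ($acme_backend = "") { return 404; }
        proxy_pass http://$acme_backend;
        proxy_set_header Host $host;
    }

    location / {
        return 404;
    }
}
```

Because the `map` values are IP literals, no `resolver` directive is needed for the variable `proxy_pass`; if you list hostnames there instead, nginx will require one.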
