Docker container with nginx reverse proxy and letsencrypt proxy to other vms


#1

We have a public ip address. Requests are routed through the firewall to a VM with Docker containers. On this VM is a container with an nginx reverse proxy. This will forward to the other VMs. Some VMs have Docker containers but not every VM. The VM with the nginx reverse proxy is located in the DMZ and forwards to the VMs in the server network. Now I want to encrypt the connection to the servers with a Let's Encrypt certificate. My problem is that if I place the Let's Encrypt container in the VM with the reverse proxy container it does not encrypt the VMs in the server network. I need help…


#2

Do you really need to use Let’s Encrypt for this? (You can, I’m just not sure it’s worth the trouble). It might be simpler to use self-signed certificates or something like cfssl for the back-end servers, and use a Let’s Encrypt certificate only on the reverse proxy where a publicly trusted certificate is actually needed.


#3

If all the internal systems that need certs can find their way to LE[:443] and LE can find its way back to them[:80] (via: SNI proxy), then they can request, and validate, their own certificates directly from LE.

If this kind of outbound and inbound connectivity is not available to a system, it would either:

  • Have to rely on another system to get a cert on its behalf.
  • Use a common cert (wildcard)
    [Both of these methods, however, may require some sort of cert handoff/synchronization.]

They all also have the option of using DNS authentication.


#4

Thanks for your quick reply. No, actually, I do not necessarily have to get all the certificates from Let's Encrypt. Could you give me a detailed description of your solution here?


#5

I’m not too familiar with nginx but apparently the relevant settings are proxy_ssl_verify and proxy_ssl_trusted_certificate - the former enables certificate checking and the latter instructs nginx to use your self-signed certificate (or the root from cfssl) to perform the verification. So you would use Let’s Encrypt as normal on your front-end nginx proxy. Then on each of the backend servers you would generate and install a self-signed cert, copy it to the nginx server and configure the reverse proxy settings for that backend to enable proxy_ssl_verify and set proxy_ssl_trusted_certificate to the cert you copied from the backend. Then just change the backend URL to https.

Or you could use cfssl to generate the certs instead of using self-signed certs; that way you just copy cfssl’s root cert and configure nginx to trust that, instead of copying and trusting each self-signed cert individually.

As I said I’m not too familiar with nginx so I may have some details wrong, but that’s the general idea; maybe someone that knows nginx well can fill in the gaps…

Or again, you can use Let’s Encrypt certs everywhere if you want to. Have a look at @rg305’s suggestions if you want to go that route.
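The configuration the previous reply sketches, written out as an added example that is not part of the original thread and not nginx's or cfssl's own documentation. The host names, ports and certificate paths (`example.com`, `backend1.internal.example`, `/etc/nginx/backend-certs/`) are assumptions chosen for illustration; the directives themselves (`proxy_ssl_verify`, `proxy_ssl_trusted_certificate`, `proxy_ssl_name`, `proxy_ssl_server_name`, `proxy_ssl_verify_depth`) are standard nginx directives. The commented-out block shows the weak form (cleartext into the server network) next to the hardened form.

```nginx
# Added example (hypothetical names and paths): DMZ reverse proxy that terminates
# the public Let's Encrypt certificate and re-encrypts to a backend VM whose
# certificate is verified against a pinned self-signed cert or a private CA root.

# --- Weak form: plain HTTP to the backend, nothing on the server network is encrypted ---
# location /app/ {
#     proxy_pass http://backend1.internal.example:8080;
# }

server {
    listen 443 ssl;
    server_name example.com;   # public name (placeholder)

    # Publicly trusted Let's Encrypt certificate on the front end (certbot's default layout)
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location /app/ {
        # Hardened form: TLS to the backend, and the backend's certificate is checked
        proxy_pass https://backend1.internal.example:8443;

        proxy_ssl_verify on;
        # Either the backend's own self-signed certificate copied from that server,
        # or the cfssl root CA certificate that signed every backend certificate.
        proxy_ssl_trusted_certificate /etc/nginx/backend-certs/backend1.crt;
        # 2 is enough for "root CA -> backend leaf"; a pinned self-signed cert needs only 1
        proxy_ssl_verify_depth 2;

        # Send SNI and verify that the backend certificate's name matches it
        proxy_ssl_server_name on;
        proxy_ssl_name        backend1.internal.example;
        proxy_ssl_protocols   TLSv1.2 TLSv1.3;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP         $remote_addr;
    }
}

# --- On the backend VM in the server network: terminate TLS with the self-signed cert ---
# server {
#     listen 8443 ssl;
#     server_name backend1.internal.example;
#     ssl_certificate     /etc/ssl/backend1/backend1.crt;   # self-signed or cfssl-issued
#     ssl_certificate_key /etc/ssl/backend1/backend1.key;
#     ...
# }
```

Two checks worth doing before relying on this: the backend certificate must carry the backend's host name in its subjectAltName, because `proxy_ssl_verify on` together with `proxy_ssl_name` makes nginx reject a certificate whose name does not match (when generating a self-signed cert with a recent OpenSSL, `openssl req -x509 ... -addext "subjectAltName=DNS:backend1.internal.example"` sets that), and `nginx -t` plus a request through the proxy should be run after each change so that a verification failure (a 502 with an "upstream SSL certificate verify error" line in the error log) is caught on the proxy rather than silently falling back to an unverified connection, which nginx does not do.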