Https internally (between rev proxy and web server)

I’m seeking advice before I try setting this up as I’ve searched the forums and not managed to find a firm answer.

I plan to use the LetsEncrypt docker image (linuxserver/letsencrypt) as a reverse proxy for multiple websites we host (on different domains). I’m ok with the configuration except one part of it.

For security reasons one of the websites needs to be https end-2-end hence traffic internally (from nginx to web server) needs to be also encrypted.

Whats the easiest way to achieve this?
My thoughts…

  1. Copy the letsencrypt certificate/private key from the docker image to the web server and use the same cert/key ?
  2. Use a self sign cert internally on the web server (but how do I get nginx to trust this even after a reboot)?

Thanks in advance for any suggestions.

It can be encrypted without being end2end. End2end means that the traffic does not get decrypted before its final destination, so, it’s not end to end if you decrypt and re-encrypt at the reverse proxy.

So, you either replace your reverse proxy for something like haproxy that can reverse proxy without terminating ssl, and in this case you can get a cert for the end2end site directly on its webserver; and this will get you a proper end2end encrypted https, or…

…you use something like minica to create your own certificate authority, install one of these certs on the webserver, and add the root certificate to your reverse proxy trust store (or maybe nginx configuration, check its documentation); this is usually good enough but not end2end.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.