Prod and Dev servers both on port 80

I have 2 (potentially 3) servers on my LAN (dev, test, prod) that have nginx on port 80. I want a wildcard *.domain.net certificate to be shared, but my understanding is that I can only forward port 80 (incoming requests) to one of these servers. Yet I'd like to use certbot for certificate management.

What are my options? Seems like prod should use the standard port, with certbot configured for that server (prod - production), and then manually copy the certs to dev and test.

What's the best practice on this?

Kirk


Why not set up a reverse proxy in front of your 3 servers? That way, you could set up the wildcard certificate only on that server and do host-based routing to your LAN hosts.

Otherwise, a wildcard certificate can only be obtained by the DNS challenge (https://letsencrypt.org/docs/challenge-types/). As such, forwarding port 80 is not required to obtain it. It's probably better to obtain 3 different certificates than trying to share one across 3 hosts.

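One way to do what _az describes, shown here as an added example that is not from the thread: a single nginx reverse proxy terminates TLS with the wildcard certificate and routes each hostname to the matching LAN server. The internal addresses, the hostnames and the certificate path are assumptions.

```nginx
# Added example: one nginx instance in front of dev/test/prod.
# Only this host needs the wildcard cert; the backends keep plain HTTP on port 80.
# Internal IPs, hostnames and the certbot live path are assumed values.
map $host $backend {
    default          "";
    prod.domain.net  192.168.1.10:80;
    test.domain.net  192.168.1.11:80;
    dev.domain.net   192.168.1.12:80;
}

server {
    listen 80;
    server_name *.domain.net;
    # No HTTP-01 location is needed: a wildcard can only be issued via DNS-01
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name *.domain.net;

    ssl_certificate     /etc/letsencrypt/live/domain.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.net/privkey.pem;

    # Drop requests for names that are not in the map instead of proxying them anywhere
    if ($backend = "") { return 444; }

    location / {
        proxy_pass http://$backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because TLS ends at the proxy, the dev/test/prod servers never see the private key, and only the proxy needs certbot (with a DNS-01 plugin for the wildcard).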

Use SNI to separate the traffic.
Yes, initially only one IP will receive the HTTP requests, but it can proxy to the others (provided that they each have unique names).

OR add another system to do that (as _az suggested).


If you terminate the TLS connection at the reverse proxy, there's no need to share anything, assuming the internal network is fully secure.

A reverse proxy doesn't need to be a separate entity. It could just be one of the two (or three) dev/test/prod servers.

I'm working with @kirkroyster on this. For context, we're operating with a SonicWall firewall. So, I imagine we can do something in there. I just haven't learned what that is, yet!

Unless it can terminate the TLS connections and SNI proxy the traffic, it will just have to forward HTTP/HTTPS to an internal IP that will do that.