Question about Reverse Proxy and Let's Encrypt

If I have a reverse proxy that proxies for a few different virtual machines, do I want to install the Let's Encrypt certs on the reverse proxy, or on the VMs individually?

If the certs get installed on the reverse proxy, do the forwarded requests from the proxy to the VM get passed unencrypted? If so, is there a way to ensure that the proxied connection is also encrypted? That way, if the VM has to be on a different machine than the proxy, the connection from the client all the way to the endpoint will be encrypted and secure.

Any information or links greatly appreciated.

1 Like

I run a reverse proxy which provides TLS for all services on my network. I have a wildcard on the proxy, so all requests from the internet to the proxy are encrypted. It then passes them unencrypted to the host inside my network.

If you want to encrypt connections from the proxy inside your network, probably the best way I could think of is to use OpenSSL to make a private certificate authority and issue multi year certificates that are only trusted on your devices. At least that’s how I would do it (And I may sometime here in the future since I already have a CA).

2 Likes
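The setup the reply above describes, as an added example that is not part of the original thread: a private CA built with OpenSSL issues a multi-year certificate to a backend VM, a second unrelated CA shows that only your own CA is trusted, and an nginx fragment shows the proxy terminating the Let's Encrypt certificate towards clients while re-encrypting and verifying the hop to the VM. The hostnames (`vm1.internal`, `app.example.com`), the certbot `live/` path and `/etc/nginx/private-ca/` are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a private CA with
# OpenSSL, issues a leaf cert for a backend VM, and writes the proxy-side nginx
# directives that verify that cert. All names and paths are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca"
VM_NAME="${VM_NAME:-vm1.internal}"   # assumed internal name of one backend VM
DAYS_CA=3650                          # CA lifetime: 10 years
DAYS_LEAF=1095                        # "multi-year" leaf cert, as the reply suggests

# Create a self-signed root CA (CA:TRUE, keyCertSign) in directory $1, named $2.
make_private_ca() {
    dir="$1"; name="$2"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
default_md = sha256
x509_extensions = v3_ca
[dn]
CN = $name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
    openssl req -x509 -new -key "$dir/ca.key" -config "$dir/ca.cnf" \
        -days "$DAYS_CA" -out "$dir/ca.crt"
}

# Issue a server certificate for hostname $1, signed by the CA in $CA_DIR.
# The SAN must be the name the proxy will put in proxy_ssl_name, or
# verification on the proxy fails even though the chain is valid.
issue_vm_cert() {
    host="$1"
    cat > "$WORK/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
default_md = sha256
req_extensions = v3_server
[dn]
CN = $host
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$host.key"
    openssl req -new -key "$WORK/$host.key" -config "$WORK/$host.cnf" \
        -out "$WORK/$host.csr"
    openssl x509 -req -in "$WORK/$host.csr" -CA "$CA_DIR/ca.crt" \
        -CAkey "$CA_DIR/ca.key" -CAcreateserial -days "$DAYS_LEAF" -sha256 \
        -extfile "$WORK/$host.cnf" -extensions v3_server -out "$WORK/$host.crt"
}

# Exit 0 only if certificate $2 chains to CA $1: the same check the proxy
# performs with proxy_ssl_verify on.
verify_with_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# First DNS subjectAltName carried by certificate $1.
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | head -n 1
}

# Proxy-side nginx config (assumed paths): Let's Encrypt cert towards clients,
# re-encrypted and verified connection towards the VM.
write_proxy_conf() {
    cat > "$WORK/proxy.conf" <<EOF
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    location / {
        proxy_pass https://$VM_NAME:443;
        proxy_set_header Host \$host;
        # Verify the VM's cert against the private CA only, not the system store.
        proxy_ssl_trusted_certificate /etc/nginx/private-ca/ca.crt;
        proxy_ssl_verify        on;
        proxy_ssl_verify_depth  2;
        proxy_ssl_name          $VM_NAME;   # must match the SAN issued above
        proxy_ssl_server_name   on;
        proxy_ssl_protocols     TLSv1.2 TLSv1.3;
    }
}
EOF
}

run_all() {
    make_private_ca "$CA_DIR" "Home Lab Private CA"
    issue_vm_cert "$VM_NAME"
    write_proxy_conf
    # An unrelated CA: the VM cert must not verify against it, which is what
    # "only trusted on your devices" means in practice.
    make_private_ca "$WORK/other-ca" "Some Other CA"
    verify_with_ca "$CA_DIR/ca.crt" "$WORK/$VM_NAME.crt"
}

run_all
```

Only the proxy needs `ca.crt` installed (in `proxy_ssl_trusted_certificate`); the VM just serves its own `vm1.internal.key` and `.crt`. Clients never see the private CA, since their connection ends at the Let's Encrypt certificate on the proxy.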

Thank you. So just to clarify:

The proxy provides for the security.

If I want the proxied connection to be secure, I should use OpenSSL to issue a self-signed cert kind of thing?

Yes, that’s right.

The other option (terminating TLS on the end VMs instead of on the proxy) is also possible and is used in some configurations. It mostly depends on your preferences, system administration methods, and the capabilities of your proxy. In one case you might be proxying things at a different network layer than the other case. Let’s Encrypt doesn’t specifically require or expect one configuration or the other.

An advantage of terminating TLS on the proxy is that it may be simpler to get and renew your Let’s Encrypt certificates because you can run a Let’s Encrypt client application directly on the proxy to prove your control over the relevant domain names.

1 Like

That makes complete sense. Thank you.

I will opt for the first solution, using the proxy to get the certificates and then using my own certs for the proxied connections. The client never knows about the proxied connections anyhow, right?

Yes, the proxy can be transparent for most purposes to the machines on either side.

1 Like
