homelab

6642 readers

16 users here now

founded 4 years ago

MODERATORS

When is it necessary to have SSL on the LAN side of a reverse proxy (between the reverse proxy and the server)? (sh.itjust.works)

submitted 11 months ago by [email protected] to c/[email protected]

12 comments fedilink hide all child comments

Without SSL on the LAN side of a reverse proxy, I presume that all traffic between the server and the reverse proxy is unencrypted and, thus, accessible to any device on the LAN.

Which specific scenarios result in this being a concern? The primary concern that I can come up with is if you know that there are untrustworthy entities connected to the LAN (untrustworthy devices, or perhaps malicious individuals).

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 4 points 11 months ago

I imagine the primary reason for having SSL between a reverse proxy and servers is to align with a zero-trust model. You're exactly correct that you'd rather expect that you don't know who is on the network and can monitor the traffic, so encrypt traffic rather than trust the network is secure and leave the traffic unencrypted.

Although best-practice is likely to always have SSL, especially in a corporate environment or in an environment where you don't control the proxy or the server (since this also rules out man in the middle attacks as you can verify the proxy an potentially the client), in a LAN where you control both elements and know what's likely to be on the network (like a home network) you can probably get away without SSL for the convenience.