SSL between a proxy and its target
-
Because of client requests, I often have a VM reverse proxy server (almost always Nginx) sitting on a client's local hypervisor to handle routing things from the public Internet to internal servers such as ownCloud or IIS, or whatever.
The Nginx proxy has certbot setup and handles all of the certificate renewals.
But some of the apps are also accessed via a hairpin NAT or split DNS entry from the local network. Mostly I route this to the proxy also, but sometimes they just need to go direct.
When I go direct I then run into problems with SSL.
How would you all handle getting the valid SSL certificate from certbot (Let's Encrypt) from the proxy server to the back-end server on a regular basis?
-
Never had to do that. Seems like a script to pull it from time to time might be enough, though?
-
@scottalanmiller said in SSL between a proxy and its target:
Never had to do that. Seems like a script to pull it from time to time might be enough, though?
Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?
-
That was my thought also, but wanted to ask for opinions.
-
@dafyre said in SSL between a proxy and its target:
@scottalanmiller said in SSL between a proxy and its target:
Never had to do that. Seems like a script to pull it from time to time might be enough, though?
Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?
Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.
-
@Dashrender said in SSL between a proxy and its target:
Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.
Far more secure than passwords. It's a key rather than a password. Think of it as a 256-character password.
-
@Dashrender said in SSL between a proxy and its target:
@dafyre said in SSL between a proxy and its target:
@scottalanmiller said in SSL between a proxy and its target:
Never had to do that. Seems like a script to pull it from time to time might be enough, though?
Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?
Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.
It's industry standard public/private key encryption, so shouldn't be an issue.
You should go read up on SQRL. In my not so humble opinion, passwords have long outlived the point where they are a useful security mechanism.
-
@dafyre said in SSL between a proxy and its target:
@scottalanmiller said in SSL between a proxy and its target:
Never had to do that. Seems like a script to pull it from time to time might be enough, though?
Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?
How often would you want to pull something like this? Daily?
-
@wirestyle22 said in SSL between a proxy and its target:
@dafyre said in SSL between a proxy and its target:
@scottalanmiller said in SSL between a proxy and its target:
Never had to do that. Seems like a script to pull it from time to time might be enough, though?
Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?
How often would you want to pull something like this? Daily?
I would. Make it fire and forget.
-
@wirestyle22 said in SSL between a proxy and its target:
@dafyre said in SSL between a proxy and its target:
@scottalanmiller said in SSL between a proxy and its target:
Never had to do that. Seems like a script to pull it from time to time might be enough, though?
Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?
How often would you want to pull something like this? Daily?
I'd add it to the script I use to update the letsencrypt certs, so it all happens at the same time.
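The two suggestions above (a key-based copy of the certificate from the proxy to the internal machine, and running it from the same script that renews the certificates) can be combined into a certbot deploy hook. The script below is an added example, not something posted in this thread or shipped by certbot or Nginx. It assumes a hypothetical dedicated key pair at /etc/letsencrypt/deploy-key, a hypothetical back-end account "certdeploy", placeholder host name backend.internal.example, and a hypothetical receive script on the back end; RENEWED_LINEAGE is the real environment variable certbot sets for deploy hooks. It streams the two files over ssh with tar instead of plain scp so the key on the back end can be pinned to one forced command with the authorized_keys "restrict" option, which is what keeps a passwordless key from becoming a general-purpose login.

```shell
#!/bin/sh
# Added example (not from the thread): push a renewed Let's Encrypt certificate
# from the Nginx proxy to one internal back-end host, run by certbot as a
# deploy hook so it happens at renewal time rather than on a separate schedule.
#
# Assumed/hypothetical values, adjust for your site:
#   BACKEND_HOST  placeholder host name for the internal server
#   BACKEND_USER  unprivileged account on the back end that only accepts DEPLOY_KEY
#   DEPLOY_KEY    dedicated, passphrase-less key used for nothing else
#   RECEIVE_CMD   hypothetical script on the back end that reads the tar stream,
#                 installs the files and reloads the service (not shown here)
set -eu

BACKEND_HOST="${BACKEND_HOST:-backend.internal.example}"
BACKEND_USER="${BACKEND_USER:-certdeploy}"
DEPLOY_KEY="${DEPLOY_KEY:-/etc/letsencrypt/deploy-key}"
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/letsencrypt/deploy-known_hosts}"
RECEIVE_CMD="${RECEIVE_CMD:-/usr/local/sbin/receive-cert}"

# lineage_name DIR: last path component of a certbot lineage directory,
# e.g. /etc/letsencrypt/live/app.example.com -> app.example.com
lineage_name() {
    p="${1%/}"
    printf '%s\n' "${p##*/}"
}

# lineage_files_ok DIR: succeed only if both files we must ship are readable.
lineage_files_ok() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# restrict_line PUBKEY FROM CMD: the authorized_keys entry for the back end.
# "restrict" disables port/agent/X11 forwarding and pty allocation, "from"
# limits the key to the proxy's address, and "command" forces RECEIVE_CMD
# regardless of what the client asks for (the client's argument is still
# visible to it in SSH_ORIGINAL_COMMAND).
restrict_line() {
    printf 'restrict,from="%s",command="%s" %s\n' "$2" "$3" "$1"
}

# push_cert DIR: stream fullchain.pem and privkey.pem to the back end.
push_cert() {
    dir="$1"
    name=$(lineage_name "$dir")
    lineage_files_ok "$dir" || { echo "missing cert files in $dir" >&2; return 1; }
    # -h follows the live/ symlinks so the archive holds the real files;
    # BatchMode and a pinned known_hosts file keep this non-interactive and
    # prevent a silent accept of an unexpected host key.
    tar -C "$dir" -chf - fullchain.pem privkey.pem |
        ssh -i "$DEPLOY_KEY" \
            -o BatchMode=yes \
            -o StrictHostKeyChecking=yes \
            -o UserKnownHostsFile="$KNOWN_HOSTS" \
            "$BACKEND_USER@$BACKEND_HOST" "$name"
}

# certbot exports RENEWED_LINEAGE for deploy hooks; when it is absent the
# script only defines its functions (handy for testing and sourcing).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    push_cert "$RENEWED_LINEAGE"
fi
```

Install the script as executable under /etc/letsencrypt/renewal-hooks/deploy/ (or pass it with certbot's --deploy-hook) so it runs only after a successful renewal. On the back end, the line printed by restrict_line, with the proxy's public key and address filled in, is the only entry in the certdeploy account's authorized_keys; the receive script it names should write privkey.pem with mode 0600 and reload the service itself, so the proxy never needs a shell or root on the internal machine.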
-
@scottalanmiller said in SSL between a proxy and its target:
@Dashrender said in SSL between a proxy and its target:
Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.
Far more secure than passwords. It's a key rather than a password. Think of it as a 256-character password.
awww OK key.. got it.. thanks.
-
@travisdh1 said in SSL between a proxy and its target:
@Dashrender said in SSL between a proxy and its target:
@dafyre said in SSL between a proxy and its target:
@scottalanmiller said in SSL between a proxy and its target:
Never had to do that. Seems like a script to pull it from time to time might be enough, though?
Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine?
Any security risk to this? I don't know anything about it - I just see passwordless and have to ask.
It's industry standard public/private key encryption, so shouldn't be an issue.
You should go read up on SQRL. In my not so humble opinion, passwords have long outlived the point where they are a useful security mechanism.
I'm fully aware of SQRL. I asked Scott on day one of ML if he would support it when it became available; sadly, it's still not released to the wild.