Should I provide TLS connections in a service that is designed to run behind a reverse proxy?

Does it make sense to have TLS encryption for a server which will always be behind a reverse proxy? The reverse proxy will be able to handle encryption to users directly.

    +-------------------------------+
    | +---------+     +---------+   |
    | | service |<--->| reverse |<--O---> Internet
    | |         |     |  proxy  |   |
    | +---------+     +---------+   |
    +-------------------------------+

These are the arguments I could think of, but I cannot quite decide which side weighs more:

Cons

  • Unnecessary complexity in the code which might lead to problems in the future.
  • Would need to use self-signed certificates anyway, so no CA based authentication.
  • No actual security gain: if the machine is compromised, transport encryption is futile anyway.

Pros

  • An additional layer of security in case the internal network is compromised. (Not relevant if service and proxy are on the same physical machine?)
  • Service can not accidentally be exposed unencrypted.