Reverse Proxy w/ SSL Cert on LAN with No External Forwarding
-
Some of our applications require SSL even for LAN connections. We are currently using DigiCert with IIS, but while parallel testing the application on Fedora 29 vs. Windows, Fedora blew Windows away. So I created an NGINX reverse proxy to serve the app servers. Is there a way for me to generate/renew Let's Encrypt certs without allowing access to the VM from the WAN? I know I don't have to forward traffic to generate SSL, but in order to use SSL I would need to create a DNS record that points to the NGINX reverse proxy and then forward it from that. Same ports.
-
@wirestyle22 Yes. You can auth with a DNS record. But only certain DNS providers support the automation.
You can use any provider if you manually renew.
-
@JaredBusch I specify that during the challenge, correct?
-
@wirestyle22 said in Reverse Proxy w/ SSL Cert on LAN with No External Forwarding:
@JaredBusch I specify that during the challenge, correct?
Yes.
-
For anyone referencing this post: https://community.letsencrypt.org/t/dns-providers-who-easily-integrate-with-lets-encrypt-dns-validation/86438
-
@wirestyle22 said in Reverse Proxy w/ SSL Cert on LAN with No External Forwarding:
For anyone referencing this post: https://community.letsencrypt.org/t/dns-providers-who-easily-integrate-with-lets-encrypt-dns-validation/86438
Yeah, I have used Amazon and Cloudflare, which can do the validation.
-
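The DNS-01 route described above, written out as an added example (this is not code from the thread or from any of its posters). It assumes a placeholder hostname proxy.example.com, a DNS provider with no certbot plugin (so the TXT record is published by hand), and that the record sits in the parent zone example.com. The script's own value is the check step: it queries the zone's public authoritative server for the `_acme-challenge` TXT record before you let certbot ask the CA to validate, since Let's Encrypt resolves from the internet, not from your LAN resolver, and a failed validation counts against the rate limits.

```shell
#!/bin/sh
# Added example, not from the thread: issue a Let's Encrypt certificate for a
# LAN-only nginx host with the DNS-01 challenge, so nothing is forwarded from the WAN.
# Assumed names: proxy.example.com is a placeholder; the DNS provider has no certbot
# plugin, so the TXT record is created by hand and this script verifies it from
# public DNS before certbot tells the CA to validate.
set -eu

DOMAIN="${DOMAIN:-proxy.example.com}"
ACME_POLL_SLEEP="${ACME_POLL_SLEEP:-10}"   # seconds between DNS checks

# Name of the TXT record the CA queries for DNS-01 (RFC 8555, section 8.4).
acme_record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Succeed if the TXT answer in $1 (dig +short style, one quoted string per line)
# contains exactly the validation value $2: fixed-string, whole-line match.
txt_contains() {
    printf '%s\n' "$1" | tr -d '"' | grep -qxF -- "$2"
}

# Ask the zone's authoritative server, not the LAN resolver: Let's Encrypt
# validates from the internet, and a split-horizon LAN view can differ or lag.
# Assumes the record lives in the parent zone (proxy.example.com -> example.com).
dig_txt() {
    zone=${1#*.}
    ns=$(dig +short NS "$zone" | head -n 1)
    dig +short @"$ns" TXT "$1"
}

# Poll until the TXT record is visible, giving up after $4 tries.
# $3 is the lookup function, so the logic can be exercised without network access.
wait_for_txt() {
    name=$1; value=$2; lookup=${3:-dig_txt}; tries=${4:-30}
    i=1
    while :; do
        if txt_contains "$($lookup "$name")" "$value"; then
            return 0
        fi
        if [ "$i" -ge "$tries" ]; then
            return 1
        fi
        i=$((i + 1))
        sleep "$ACME_POLL_SLEEP"
    done
}

case "${1:-}" in
    issue)
        # Interactive manual mode: certbot prints the TXT name and value to publish
        # and waits for Enter. Before pressing it, run "$0 check <name> <value>" in
        # another shell; a premature validation fails and counts against rate limits.
        certbot certonly --manual --preferred-challenges dns \
            --deploy-hook 'systemctl reload nginx' \
            -d "$DOMAIN"
        ;;
    check)
        wait_for_txt "$2" "$3"
        ;;
esac
```

Run `./le-dns01.sh issue`, publish the record certbot prints, confirm it with `./le-dns01.sh check _acme-challenge.proxy.example.com <value>`, then press Enter. One caveat for the renewal part of the question: `certbot renew` cannot replay an interactive manual challenge, so unattended renewal needs either a `--manual-auth-hook` that creates the record through your provider's API or one of the provider plugins (certbot-dns-cloudflare and certbot-dns-route53 cover the two providers named above).
-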
If you get external DNS to go to the nginx proxy, you could probably allow all traffic to the URL path that Let's Encrypt needs and then create a whitelist for everything else.