Without SSL on the LAN side of a reverse proxy, I presume that all traffic between the server and the reverse proxy is unencrypted and, thus, accessible to any device on the LAN.

Which specific scenarios result in this being a concern? The primary concern that I can come up with is if you know that there are untrustworthy entities connected to the LAN (untrustworthy devices, or perhaps malicious individuals).

  • @Gevashkar
    511 months ago

    I imagine the primary reason for having SSL between a reverse proxy and servers is to align with a zero-trust model. You’re exactly correct that you’d rather expect that you don’t know who is on the network and can monitor the traffic, so encrypt traffic rather than trust the network is secure and leave the traffic unencrypted.

    Although best practice is likely to always have SSL, especially in a corporate environment or in an environment where you don’t control the proxy or the server (since this also rules out man-in-the-middle attacks as you can verify the proxy and potentially the client), in a LAN where you control both elements and know what’s likely to be on the network (like a home network) you can probably get away without SSL for the convenience.
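
The encrypted and mutually verified proxy-to-server hop discussed in this thread, sketched as an added configuration example that is not from any participant. It assumes nginx on both the reverse proxy and the backend and an internal CA; every hostname, port and file path is a placeholder.

```nginx
# --- Reverse proxy host (assumed nginx; goes inside http { }) ---
# Unencrypted LAN hop, for comparison: anything that can observe LAN
# traffic sees requests and responses in the clear.
#   location / { proxy_pass http://app.lan.example:8080; }

server {
    listen 443 ssl;
    server_name app.example.com;                      # placeholder
    ssl_certificate     /etc/nginx/tls/public.crt;    # placeholder paths
    ssl_certificate_key /etc/nginx/tls/public.key;

    location / {
        proxy_pass https://app.lan.example:8443;

        # proxy_ssl_verify is off by default: https:// alone encrypts the
        # hop but does not authenticate the backend. Turn verification on
        # and pin the trust anchor to the internal CA.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_name                app.lan.example;
        proxy_ssl_server_name         on;

        # Client certificate so the backend can verify the proxy.
        proxy_ssl_certificate         /etc/nginx/tls/proxy-client.crt;
        proxy_ssl_certificate_key     /etc/nginx/tls/proxy-client.key;
    }
}

# --- Backend host (also assumed nginx; goes inside http { }) ---
server {
    listen 8443 ssl;
    server_name app.lan.example;
    ssl_certificate     /etc/nginx/tls/backend.crt;
    ssl_certificate_key /etc/nginx/tls/backend.key;

    # Reject any peer that does not present a certificate signed by the
    # internal CA, so other LAN devices cannot bypass the proxy.
    ssl_client_certificate /etc/nginx/tls/internal-ca.crt;
    ssl_verify_client      on;

    location / { proxy_pass http://127.0.0.1:8080; }  # app on loopback only
}
```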