Bit of a followup to my previous post. I now have a VPS with nginx working as a reverse proxy to some services on my DMZ. My router (UDM pro) is running a wireguard server and the VPS is acting as a client.
I’ve used Letsencrypt to get certs for the proxy, but the traffic between the proxy and the backend is plain HTTP still. Do I need to worry about securing that traffic considering its behind a VPN? If I should secure it, is there an easier way to do self-signed certs besides spinning up your own certificate authority? Do self-signed certs work between a proxy and a backend, or would one or the other of them throw a fit like a browser does upon encountering a self-signed cert?
I’d rather not have to manage another set of certs just for one service, and I don’t want to involve my internal domain if possible.
Letsencrypt works fine, just use a “real” domain and DNS challenge.
Your service will need to be on the “real” domain, but it won’t need to be accessible externally and you won’t need a public DNS entry for it (of course your VPS will still need to be able to resolve the backend’s name).