Bit of a followup to my previous post. I now have a VPS with nginx working as a reverse proxy to some services on my DMZ. My router (UDM pro) is running a wireguard server and the VPS is acting as a client.
I’ve used Letsencrypt to get certs for the proxy, but the traffic between the proxy and the backend is plain HTTP still. Do I need to worry about securing that traffic considering its behind a VPN? If I should secure it, is there an easier way to do self-signed certs besides spinning up your own certificate authority? Do self-signed certs work between a proxy and a backend, or would one or the other of them throw a fit like a browser does upon encountering a self-signed cert?
I’d rather not have to manage another set of certs just for one service, and I don’t want to involve my internal domain if possible.
What I’ve usually seen is that the VPS does TLS termination and then comms between the VPS and the LAN are sent http, but still secure due to traveling through the VPN. This is the easiest way if you don’t require full e2ee and trust your LAN