Bit of a followup to my previous post. I now have a VPS with nginx working as a reverse proxy to some services on my DMZ. My router (UDM pro) is running a wireguard server and the VPS is acting as a client.
I’ve used Letsencrypt to get certs for the proxy, but the traffic between the proxy and the backend is plain HTTP still. Do I need to worry about securing that traffic considering its behind a VPN? If I should secure it, is there an easier way to do self-signed certs besides spinning up your own certificate authority? Do self-signed certs work between a proxy and a backend, or would one or the other of them throw a fit like a browser does upon encountering a self-signed cert?
I’d rather not have to manage another set of certs just for one service, and I don’t want to involve my internal domain if possible.
If that traffic is going through an encrypted Wireguard tunnel, I don’t see a reason to encrypt it a second time. Judging by your description, it’s already encrypted on transport between the router and VPS. HTTPS would add nothing there. It will however add encryption within your DMZ, if you expect something nefarious going on within your DMZ.