Reverse proxy and SSL

Luis Mendes
11 September 2018, 18:11
First, I must say that I had my reverse proxy and ending hiawatha servers working fine with TLS. But when needed to renew the certificate with letsencrypt, things were not clear.
The purpose of this post if to try that you Hugo or other person could shed some light on this.

In the closed topic (that's why I opened this topic) you say that
You should do the letsencrypt stuff at that reverse proxy. That's the server the Let's Encrypt server will be connecting to. And that's the server the certificate must be installed on.

At another of my topics you say that
The receiving webserver must be using SSL if the https reverse proxy works. It will of course be using a certificate. By default, Hiawatha doesn't the the validity of that certificate. Use the CAcertificates setting for that.

So this partially invalidates the former message, no? The certificate must be installed on both reverse proxy and receiving server? Should I copy it to the ending server certificate directory after
letsencrypt renew
? That's how I accomplished it to work. Or can I use any TLS certificate that the ending server will work anyways?

A brief excerpt of the receiving server, regarding TLS certificates that I've configured is:
(optional] MinTLSversion = 1.2

At the receiving binding for 8443 to where the reverse proxy sends the https connections: Is this binding optional since at the moment I'm using just one website configured at the VirtualHost?
Define TLScertFile=.... does this have to be the same certificate as the one of the reverse proxy?

Inside the VirtualHost
TLScertFile = tls/
RequireTLS = yes

I'd appreciate some clarification on this.
Once again, many thanks for your work, it's the only webserver I like to try to configure ;-)
Hugo Leisink
16 September 2018, 10:28
The webserver that's directly connected to the internet and will receive the initial connection, needs to hold a valid certificate. All other webservers behind that first proxying webserver only need a certificate if the one before it doesn't do SSL termination (in other words, continue to use HTTPS for the next connection). If you don't set CAcertificates, Hiawatha can't check the connections it sets up. In that case, the webservers it connects to doesn't need to have a valid certificate, just a certificate (can even be self signed).
This topic has been closed.