Bit of a followup to my previous post. I now have a VPS with nginx working as a reverse proxy to some services on my DMZ. My router (UDM pro) is running a wireguard server and the VPS is acting as a client.
I’ve used Letsencrypt to get certs for the proxy, but the traffic between the proxy and the backend is plain HTTP still. Do I need to worry about securing that traffic considering its behind a VPN? If I should secure it, is there an easier way to do self-signed certs besides spinning up your own certificate authority? Do self-signed certs work between a proxy and a backend, or would one or the other of them throw a fit like a browser does upon encountering a self-signed cert?
I’d rather not have to manage another set of certs just for one service, and I don’t want to involve my internal domain if possible.
Still it is not clear to me how the internal reverse proxy may get a valid certificate when the domain name is pointing to the vps. Do you copy later manually to the internal proxy?
And if so, how do you overcome the invalid certificate warning when you are accessing your services locally?