Score:1

Is there still a need for the web applications/API to use HTTPS if the proxy server is already using it in microservices architecture?

If my proxy server already is using HTTPS/SSL, is there still any sense for my other applications to implement it too?

I'm trying out microservices architecture through Docker/Kubernetes, and I am using Nginx as a reverse proxy for multiple applications/services. Only the proxy server has its ports exposed.

And in case it is still a big deal to implement it, how do I produce these kinds of certificates for a containerized environment?

anx
Is your question equivalent to *"Should I encrypt connections that never leave the machine the proxy is running on?"*
Lex Li
If you go through previous discussions under a variety of contexts, the answer should be obvious, https://security.stackexchange.com/search?q=https+internal# If you can get a certificate for the proxy server, I wonder why you cannot do the same for other applications.
djdomi
IMHO it depends on the security. If a user is doing authentication, it should be encrypted e2e in any case. But that should be more of a security question, as told. If you can ensure, i.e. because you are working in the EU region, that no one can interrupt the traffic in a MITM attack, which IMHO you will never be able to, you can do so. If it's just a plain information site which no one can log in to, to my knowledge it would not make sense to do e2e encryption. Keep in mind that public services can also be affected by the GDPR when you are serving a service to any of the affected locations or look like too.
it flag
@anx yeah, I'm planning to host everything containerized. And I'm not really good at standards in terms of security, so I have no idea how attackers do their stuff.
it flag
@LexLi Sorry, I'm a software dev but haven't explored security that deeply, so I don't know what terms to search for this. I tried to search but it looks like I'm using different terms. Regarding the certificates, I'm currently using self-signed ones and, based on what I found, it looks like the certificates you buy are based on domain names. I think I need to do deeper research on how SSL, certificates, and secured connections work.
it flag
@djdomi yeah, that is what I'm thinking in a practical way. Plus, SSL certificates are quite pricey for my small solo project; who knows when it will get people's attention.
djdomi
Pricey? Let's Encrypt, for example, is free of charge, even for wildcard domains. So no excuses?! Next try ;)
Lex Li
Since you are just the developer, I suggest you escalate this to your network administrators who should have extensive knowledge on such topics. A company or an institute is likely to have its own certificate authority, so that any kind of certificates can be easily generated and managed.
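
On the question's last point and the comment about running your own certificate authority: an added example, not part of the original thread, that creates a private CA with the `openssl` CLI, issues a 30-day server certificate for one internal service, and verifies it the way the proxy would. The CA name and the service DNS name passed by the caller are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names: "Example Internal CA" and the service DNS
# name passed by the caller; neither comes from the original page.

# make_ca DIR: create a private CA key and self-signed CA certificate in DIR.
make_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key" &&
    openssl req -x509 -new -key "$dir/ca.key" -config "$dir/ca.cnf" \
        -sha256 -days 365 -out "$dir/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME: issue a 30-day server certificate for DNS name NAME,
# signed by the CA in DIR. Clients match on subjectAltName, not on the CN.
issue_cert() {
    dir=$1 name=$2
    cat > "$dir/$name.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key" &&
    openssl req -new -key "$dir/$name.key" -config "$dir/ca.cnf" \
        -subj "/CN=$name" -out "$dir/$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -sha256 -days 30 \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# verify_cert CA_CRT CERT NAME: succeed only if CERT chains to CA_CRT and
# is valid for NAME, which is the check a TLS client (the proxy) performs.
verify_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}
```

In Nginx, `proxy_ssl_verify on` together with `proxy_ssl_trusted_certificate` pointing at `ca.crt` turns on this check for upstream connections; only the per-service key and certificate need to be mounted into each container.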