2

I have a reverse proxy (e.g. nginx, nghttpx, haproxy) that proxies connections to a service running on the same physical server. I think the most common way to configure this setup is to enable TLS only on the frontend and leave the backend connection unsecured. In other words, the reverse proxy is the TLS termination point.

Why is there no security concern on leaving the backend unsecured?

If a malicious client happens to know the address/port of a backend service, can't they connect to it directly without having a valid cert and isn't this a huge security risk?

leopoodle
  • 1. Why would you leave the service exposed if there is no need for it 2. Why is it a huge risk for a "malicious" client to connect without TLS? – multithr3at3d Jun 27 '18 at 16:03

2 Answers

4

Connections to the backend server should be rejected when they originate from an external address, that is, from some other machine outside the secure machine/subnet. This is accomplished by configuring the backend server and/or operating system. If this isn't set up properly then yes, it could lead to a major security breach.

Generally secure connections don't require a client certificate though. Usually the certificate proves the authenticity of the server rather than the client (but there are some exceptions). Some other mechanism (e.g. basic authentication, cookie, OAuth) is required to authenticate the client.

snibbets
  • 1
    and/or a firewall on the backend net, which is often simpler to set up and monitor/test/verify and can't accidentally get turned off when you replace, upgrade or otherwise change the app server – dave_thompson_085 Jun 27 '18 at 07:00
2

The configuration past the TLS termination point, generally, is such that only connections from certain internal IP addresses will be accepted (usually the same server). E.g., if Nginx is set up as a reverse proxy and TLS terminator, and it proxy_passes PHP requests to Apache on port 8080, someone outside the network shouldn't be able to directly connect to Apache at all; only the reverse proxy should be able to pass requests to it. A firewall would be set up to block all requests to port 8080 on the server with both the reverse proxy and the backend entity on it.

You could also use something called upstream SSL, which does re-encrypt traffic past the reverse proxy. This usually happens when the traffic is being proxied to a server in another location (over an insecure protocol).

cheers
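Both answers rest on the backend accepting connections only from the proxy's own host. The following is an added example, not code from either answer: a small audit that parses `ss -H -tln` output and reports backend ports bound to a non-loopback address. The sample output and the port numbers other than 8080 are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (not from the original page).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 *:9000 *:*
LISTEN 0 128 [::]:8081 [::]:*
LISTEN 0 128 [::1]:8082 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

def split_local(field):
    """Split the local-address column into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop an interface scope (%lo, %eth0) first, then IPv6 brackets.
    host = host.split("%", 1)[0].strip("[]")
    return host, int(port)

def is_loopback_only(host):
    """True only if the bind address cannot receive off-host traffic."""
    if host == "*":  # wildcard: every IPv4 and IPv6 address on the host
        return False
    # 0.0.0.0 and :: are "unspecified", not loopback, so they return False.
    return ipaddress.ip_address(host).is_loopback

def exposed_backends(ss_output, backend_ports):
    """Return sorted (host, port) listeners on backend ports not bound to loopback."""
    found = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # skip blank or non-listener lines
        host, port = split_local(cols[3])
        if port in backend_ports and not is_loopback_only(host):
            found.add((host, port))
    return sorted(found)

if __name__ == "__main__":
    # Ports the proxy forwards to; 443 is the public TLS frontend and is excluded.
    for host, port in exposed_backends(SAMPLE_SS, {8080, 8081, 8082, 9000}):
        print(f"backend port {port} listens on {host}: reachable unless firewalled")
```

A listener flagged here may still be shielded by a firewall rule; the check identifies backends that depend on the firewall alone rather than on their bind address.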