0

If the SSL certificate must match the name entered into the browser, what if the name entered into the browser is https://localhost:8080, in the case of accessing a server that is behind an SSH gateway and is accessed via local port forwarding?

Should I instead add a name/IP pair to /etc/hosts on the client, make my certificate the same name, and then enter https://forwarded-server-beyond-ssh-gw:8080 to access it over SSL?

I realize it might be a little bit overkill to encrypt the tunnel and then encrypt the HTTPS request too, but if someone gets into my DMZ they'd be able to see the traffic there on the DMZ subnet, so it's probably a good idea to do it anyway.

leeand00

1 Answer

0

SSL in the browser is a requirement only for the browser to confirm that both endpoints communicate via a secured layer with (in your case) a confirmed SSL issuer, as you can also have a self-signed SSL.

On the back end you can have any service, even a non-encrypted one, which can simply be routed/proxied by a local web service like nginx/apache2, which will take care of the negotiation between a visitor and your endpoint, e.g. https://forwarded-server-beyond-ssh-gw:8080

Ron
  • Yes, I’m trying to set up an SSL certificate for a web server, proxied to another service as you stated. But I don’t want it to happen via a publicly accessible port; I want to do it over SSH. – leeand00 May 15 '20 at 19:44
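Added example, not part of the original question or answer: a TLS client checks the certificate against the name it asked for, not the address it connected to, which is why `localhost` fails against a certificate issued for `forwarded-server-beyond-ssh-gw` while the /etc/hosts approach from the question passes. The matcher is a simplified illustration of that check (not a browser's or OpenSSL's own code); the function names, `ca_file` and the sample certificate are assumptions constructed for this example.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the dict layout returned by SSLSocket.getpeercert().
SAMPLE_CERT = {"subjectAltName": (("DNS", "forwarded-server-beyond-ssh-gw"),)}


def name_matches_cert(name, cert):
    """Simplified RFC 6125-style check of `name` against the cert's SAN entries."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches iPAddress entries, never dNSName entries.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in sans)
    want = name.lower().rstrip(".").split(".")
    for kind, value in sans:
        if kind != "DNS":
            continue
        have = value.lower().rstrip(".").split(".")
        if len(have) != len(want):
            continue
        # A wildcard is honoured only as the entire leftmost label.
        if have[0] == "*" and len(have) >= 3:
            have = [want[0]] + have[1:]
        if have == want:
            return True
    return False


def fetch_status_via_tunnel(cert_name, local_port, ca_file):
    """TCP goes to the SSH-forwarded local port; TLS verifies against cert_name."""
    ctx = ssl.create_default_context(cafile=ca_file)  # hostname check stays on
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=cert_name) as tls:
            request = (f"GET / HTTP/1.1\r\nHost: {cert_name}:{local_port}\r\n"
                       "Connection: close\r\n\r\n")
            tls.sendall(request.encode())
            return tls.recv(4096).split(b"\r\n", 1)[0].decode()
```

`fetch_status_via_tunnel` needs the SSH forward to be up and `ca_file` to contain the issuer (or the self-signed certificate itself); it does the same thing the browser does once /etc/hosts maps the certificate name to 127.0.0.1.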