1

My current setup is an Ubuntu server (18.04) and I've installed Nginx (1.14.2) and configured it as a reverse-proxy for my local Expressjs service (4.15.4) & future projects.

When using Nginx as a reverse-proxy for a set of services, should I install my ssl cert into Nginx or into my other web-services and what would the pros/cons be? Please use facts, not opinions.

My thinking is, if I install it into my Nginx service, then it'll secure everything, as long as I use a wild-card cert. But I'm not sure what the pro or con would be apart from the convenience of automatically securing all content with one setup with a slightly more expensive wildcard cert & the potential for an expired cert to ruin everything.

But I could be severely wrong about this assumption of mine. That's why I'm asking you. I tried to find something online about this subject, but everything I was finding pointed me in the direction of installing certs and I already know that haha. Thank you for reading!

yagmoth555
Aochi Toxx

2 Answers

1

Browser ----> nginx ----> upstream servers

You can install certificates on both nginx and upstream servers. But there is no need to buy/use a wildcard certificate, as SNI is there to simplify the configuration:

https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-nginx-on-ubuntu-12-04

Lex Li
0

It is based on what you expect from that proxy and how much you trust the network between proxy and webserver.

If you install the cert on your webserver it will be easier, but you will have quite a dull proxy since it won't be able to decrypt the stream.

If you install the cert on the proxy you will have a much better proxy, but you will have to protect the connection between the proxy and the webserver.

Aroly7
  • In my case, everything is on one machine right now. But I do plan on using that reverse-proxy on other machines on the same local network. I trust this local network and plan on using the reverse-proxy to handle routing all the external traffic coming into this network. When you say, installing the cert on the webserver will make the proxy dull, do you mean in the sense of security or the operational performance of the proxy? Also thanks for the quick reply! :D – Aochi Toxx Apr 10 '19 at 21:42
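
The two answers above (one certificate per hostname via SNI, and protecting the hop between proxy and webserver when TLS ends at the proxy) can be combined in one nginx configuration. This is an added example, not part of the original posts; the hostnames, certificate paths, internal CA file and upstream addresses are assumptions.

```nginx
# Added example. All names, paths and addresses below are hypothetical.

# Hostname 1: TLS ends at nginx; the Express service is on the same machine.
server {
    listen 443 ssl;
    server_name app.example.com;          # matched against the SNI name sent by the browser

    ssl_certificate     /etc/ssl/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/app.example.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:3000; # loopback only, traffic never leaves the host
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;  # lets the app know the client used HTTPS
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

# Hostname 2: its own certificate (no wildcard needed); upstream is another machine,
# so the proxy-to-webserver hop is re-encrypted and the upstream certificate is checked.
server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/ssl/api.example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/api.example.com/privkey.pem;

    location / {
        proxy_pass https://10.0.0.12:8443;
        proxy_ssl_server_name on;                        # send SNI to the upstream
        proxy_ssl_name        api.internal.example;      # name expected in the upstream cert
        proxy_ssl_verify      on;                        # default is off: without this nginx
                                                         # accepts any upstream certificate
        proxy_ssl_trusted_certificate /etc/ssl/internal-ca.pem;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

# Plain HTTP only redirects to HTTPS.
server {
    listen 80;
    server_name app.example.com api.example.com;
    return 301 https://$host$request_uri;
}
```

Running `nginx -t` after editing checks the syntax and that each certificate and key file loads before the configuration is reloaded.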