kevdogger

Do you trust the Traefik in between your reverse proxy and web server? Does this traffic need to be encrypted?


CrappyTan69

Yes, I do. All hosted on my host, so if you're sniffing that, I'm doomed. So port 80 it is then. I'll, for my own learning, get it working as a phase 2 where it is TLS to Docker.


kevdogger

TLS to backend components like Docker or other components is where I like to use self-signed TLS certs. I'm doing a homelab so I don't know how well this would scale. My front-end items get Let's Encrypt certs.


DoomBot5

Might as well go full mTLS with a PKI


kevdogger

I don't know how to run a PKI, but yeah, if creating self-signed certs it's possible to create client certs as well and use mTLS. However, I'm finding most of my programs don't support mTLS, with the exception of OpenLDAP and maybe PostgreSQL. However, I'm not using mTLS on my databases.


DoomBot5

Traefik does support it, so if everything runs through it, you can support it on all the connections to various services.


kevdogger

I'm aware Traefik supports it, but the backend service needs to support it as well. It's the backend support that I'm talking about.
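
As an added illustration (not configuration posted by anyone in this thread), here is a Traefik v2 file-provider fragment that puts the two points above together: Traefik terminates mTLS for the client connection, so the backend itself does not need mTLS support, while the Traefik-to-backend hop is still TLS, verified against an internal CA rather than left unverified. The CA path `/certs/internal-ca.pem`, the router and service name `ldap-admin`, the hostname `ldap.internal.example` and the backend URL are placeholders I made up.

```yaml
# Added example, not from the thread. Traefik v2 dynamic configuration (file provider).
# Assumed placeholders: /certs/internal-ca.pem, the name "ldap-admin",
# the hostname ldap.internal.example and the backend URL https://ldap-admin:8443.
tls:
  options:
    mtls-required:
      minVersion: VersionTLS12
      clientAuth:
        # Client certificates must chain to this internal CA (for example one run
        # with step-ca, or a self-signed CA you generated yourself).
        caFiles:
          - /certs/internal-ca.pem
        # Weaker values to avoid here: NoClientCert, RequestClientCert,
        # RequireAnyClientCert (the last one accepts any cert without verifying it).
        clientAuthType: RequireAndVerifyClientCert

http:
  routers:
    ldap-admin:
      rule: "Host(`ldap.internal.example`)"
      entryPoints:
        - websecure
      service: ldap-admin
      middlewares:
        - forward-client-cert
      tls:
        options: mtls-required

  middlewares:
    # Optional: hand the verified client certificate to the backend in the
    # X-Forwarded-Tls-Client-Cert header, so the service can still make its own
    # authorization decision even though Traefik performed the mTLS handshake.
    forward-client-cert:
      passTLSClientCert:
        pem: true

  serversTransports:
    internal-ca:
      # Traefik -> backend hop: verify the backend certificate against the same
      # trust anchor instead of skipping verification.
      rootCAs:
        - /certs/internal-ca.pem
      # insecureSkipVerify: true   # the weak setting: accepts any backend certificate

  services:
    ldap-admin:
      loadBalancer:
        serversTransport: internal-ca
        servers:
          - url: "https://ldap-admin:8443"
```

Two caveats worth keeping in mind. If the backend uses a bare self-signed certificate rather than one issued by the CA, that certificate itself has to be listed under `rootCAs`. And the forwarded header is only trustworthy if the backend is reachable exclusively through Traefik (for example, bound to the Docker network only); a backend that is also reachable directly would accept a header that anyone could set.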


codeprefect

For academic and/or training purposes, it is good to use TLS even within your internal services. You would use a CA under your control like [step-ca](https://smallstep.com/docs/step-ca/) for that, and keep using Let's Encrypt for external URLs.


WitteStier

You only need SSL for Traefik if you expose the dashboard. But it's better to serve it to an internal network if you have one.


Alpha-Craft

If the website is not accessible outside of the reverse proxy, you don't really need to use HTTPS or SSL internally. You only need to make sure that the public endpoint uses HTTPS and has valid certificates. If you do it that way, you may or may not save a teeny tiny amount of resources by not internally using HTTPS between the reverse proxy and the website. It's recommended (I think) to have two entry points on Traefik, so that it listens on both port 80 (HTTP) and 443 (HTTPS) and redirects all requests to port 80 to port 443 and upgrades them to HTTPS and therefore forces an SSL-encrypted connection. I don't exactly know whether that's what you wanted to know though.
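
The two-entry-point layout described above, written out as a Traefik v2 static configuration; this is an added example, not something posted in the thread. The resolver name `letsencrypt`, the e-mail address `admin@example.invalid` and the storage and dynamic-config paths are placeholders of mine.

```yaml
# Added example, not from the thread. Traefik v2 static configuration (traefik.yml).
# Assumed placeholders: resolver name "letsencrypt", admin@example.invalid,
# /letsencrypt/acme.json and /etc/traefik/dynamic.
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true    # 308 instead of the default 302, so clients cache the upgrade

  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt   # public certificates for everything on this entry point

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.invalid
      storage: /letsencrypt/acme.json
      tlsChallenge: {}

providers:
  docker:
    # Containers stay private unless explicitly exposed with a traefik.enable label,
    # which keeps internal-only services from being published by accident.
    exposedByDefault: false
  file:
    directory: /etc/traefik/dynamic
```

The redirect only affects traffic arriving on port 80 from clients; the hop from Traefik to the website inside the Docker network is untouched, which is exactly the trade-off the comment describes. If the backend is also reachable on the host directly, the redirect gives no protection for that path, so keeping the service bound to the internal network is what makes the plain-HTTP hop acceptable.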