
Is HTTPS behind reverse proxy needed?

I have an API server running behind an nginx reverse proxy. It is important to have all requests to my API server be secured via TLS since it handles sensitive data.

I've set up nginx to work with TLS (LetsEncrypt) so that seems to be okay. However, requests from nginx to my API server are still insecure http requests (this is all happening across docker containers, by the way).

Is it a best practice to also set up https between the reverse proxy and the API server? If so, how would I go about doing that without over-engineering it?

It all comes down to how secure or paranoid you'd like your implementation to be. It may also depend on the type of data you're playing with. For instance: I'd definitely do this for credit card numbers or other sensitive information.

As the comments have already stated, you would typically terminate SSL connections at the front-facing webserver, assuming the API backend is also inside your LAN, which you trust and control. If you want to go that extra mile, you could also set up SSL on the API backend. Details of how to do that depend on the software you're using on your backend.

If you do decide to implement SSL on the API backend, the setup would be similar to what you did to set up Nginx with SSL on the frontend, with the main difference being you don't need to use a public certificate on the backend. It can be self-signed, since no one else besides your web server will be talking to it. Then it's just a matter of fixing all the URIs in your code to use HTTPS.
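As an added example (not part of the answer above), here is what the nginx side of that setup looks like when the backend presents a self-signed certificate. The names are assumptions: the API container is reachable as `api` on port 8443 inside the docker network, its self-signed certificate has been copied to `/etc/nginx/certs/api.crt` on the nginx container, and the public hostname is `api.example.com`. The part the answer does not spell out is that nginx does not verify the upstream certificate unless you tell it to, so encrypting the hop without `proxy_ssl_verify on` and a trusted certificate gives you confidentiality against a passive sniffer but not authentication of the backend.

```nginx
# Added example, not from the original post. Assumed names: API container
# "api" listening on 8443, its self-signed cert at /etc/nginx/certs/api.crt,
# public hostname api.example.com with Let's Encrypt files at the usual paths.
#
# Generate the backend's self-signed cert so that CN and SAN match the
# name nginx will dial ("api"), otherwise name verification below fails:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#       -subj "/CN=api" -addext "subjectAltName=DNS:api" \
#       -keyout api.key -out api.crt

server {
    listen 443 ssl;
    server_name api.example.com;

    # Public-facing certificate from Let's Encrypt (paths assumed)
    ssl_certificate     /etc/letsencrypt/live/api.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;

    location / {
        # Re-encrypt to the backend instead of proxy_pass http://api:8080
        proxy_pass https://api:8443;

        # proxy_ssl_verify defaults to off: without these two directives nginx
        # accepts ANY certificate from the upstream, so a container that grabs
        # the "api" name on the docker network could impersonate the backend.
        proxy_ssl_trusted_certificate /etc/nginx/certs/api.crt;
        proxy_ssl_verify on;

        # Verify the backend cert against the name we dialed and send SNI
        proxy_ssl_name        api;
        proxy_ssl_server_name on;
        proxy_ssl_protocols   TLSv1.2 TLSv1.3;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

A self-signed certificate is its own trust anchor, so pointing `proxy_ssl_trusted_certificate` at the leaf itself is enough; there is no CA to manage. If you rotate the backend cert, the copy on the nginx container has to be replaced at the same time or nginx will start refusing the upstream with a verification error, which is exactly the behaviour you want.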

Disclaimer: the technical posts on this site follow the CC BY-SA 4.0 license; if you repost, please credit this site or the original source. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM