Add SSL to a Node.js endpoint: NGINX vs Endpoint

I need to add SSL to several Node.js services, each of which is listening on its own port, and which have NGINX mapping them to our public "api" domain.

Due to the release of a new security policy, all services must now be enforced to only work over SSL connections.

Since I'm not used to working with SSL certificates, it's not clear to me what the advantage is of setting up SSL on NGINX and having NGINX itself proxy-pass to an http:// connection, versus having the real Node.js endpoint be an SSL server (and then proxy-pass to https://).

I guess with the NGINX solution, I could re-use the same SSL cert by adding it to our "api" domain, while each different SSL Node server would need a different cert. Then it's not clear to me whether, in a production environment like this, I should be using self-signed certificates (since the endpoint is reached through other services) or whether it should be a CA-trusted certificate, exactly as it would be for a public domain.

What am I missing in these considerations?

I assume the NGINX is public facing, and the Node.js services are internal (i.e. not accessed directly by public web users).

  1. You would only secure the connection from the public web to your NGINX. The transport between the NGINX and the Node.js services is internal, and doesn't need to be secured. It's a big waste of CPU.

  2. For the NGINX you buy a certificate from a valid certificate authority. For internal services you may use self-signed (i.e. your own internal certificate authority generated certificates), but as said above, you shouldn't need to use SSL internally.
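
The two layouts discussed in the question and answer, side by side in one NGINX configuration. This is an added example, not part of the original post or answer; the host name `api.example.com`, the ports 3001/3002, the `/users/` and `/orders/` paths, `orders.internal.example` and every file path are placeholders.

```nginx
# Assumed names: api.example.com, ports 3001/3002, paths and file locations are placeholders.

# Plain HTTP exists only to redirect clients to HTTPS.
server {
    listen 80;
    server_name api.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name api.example.com;

    # One CA-issued certificate for the public "api" domain covers every
    # service published behind this server block.
    ssl_certificate     /etc/nginx/tls/api.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/api.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Pass the original scheme and client address to the Node.js services
    # (inherited by both locations below).
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

    # Layout A: TLS ends at NGINX; plain HTTP to a service bound to loopback.
    location /users/ {
        proxy_pass http://127.0.0.1:3001;
    }

    # Layout B: the Node.js service is itself an HTTPS server using a
    # certificate from an internal CA. proxy_ssl_verify defaults to off,
    # so it is enabled here and pinned to that CA.
    location /orders/ {
        proxy_pass                    https://127.0.0.1:3002;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_ssl_name                orders.internal.example;
        proxy_ssl_server_name         on;
    }
}
```

With layout A, the Node.js processes need to listen on 127.0.0.1 (or a firewalled private interface); otherwise their ports stay reachable over plain HTTP and bypass the TLS requirement.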
