
If I'm using a reverse proxy on Nginx do I need an SSL certificate for the reverse proxy and the server?

So I'm starting to learn about nginx and reverse proxies, and I have a question about SSL. The thing is that I have a reverse proxy server like this:

upstream vnoApp {  
    server vyno.mx:81;
}

server {
    listen       80;
    server_name  app.vno.mx;

    location / {
        proxy_pass http://vnoApp/;
        proxy_set_header X-Real-IP $remote_addr;  # http://wiki.nginx.org/HttpProxyModule
        proxy_set_header Host $host;  # pass the host header - http://wiki.nginx.org/HttpProxyModule#proxy_pass
        proxy_http_version 1.1;  # recommended with keepalive connections - http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

}

What this is doing, as you might expect, is listening on http://app.vno.mx and 'reverse proxying' it to http://vyno.mx:81, and everything works just fine. But now I want to add SSL support for the site, and my question is whether I have to add an SSL certificate to both vyno.mx and app.vno.mx (wildcard *vno.mx), or whether it will work fine if I just add it to app.vno.mx. Thanks to all in advance!

No problem, you just need a certificate for the user-facing host.

As a side note, unless circumstances justify it, it is generally ill-advised to forward anything to a publicly available port and host.

So - unless there is a reason not to do so - you should firewall port 81 on vyno.mx to accept connections only from the app.vno.mx server.

If they are the same server, that's it, or perhaps using 127.0.0.1 is even better.

If they are distant, however, you might wish to encrypt the internal connection as well; you can just do that with a snakeoil (self-signed) certificate.
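The setup this answer describes, as an added example that is not part of the original answer: TLS terminates on app.vno.mx with a public certificate, and the hop to a distant backend is encrypted with a self-signed certificate that the proxy pins, so the backend is authenticated as well as encrypted. The certificate paths and the backend TLS port 8443 are assumptions, not values from the question.

```nginx
# Added example. File paths and the backend TLS port (8443) are placeholders.

# Defines the $connection_upgrade variable used in the location block.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream vnoApp {
    server vyno.mx:8443;  # assumed TLS listener on the backend
}

# Plain HTTP only redirects to HTTPS.
server {
    listen      80;
    server_name app.vno.mx;
    return 301  https://$host$request_uri;
}

server {
    listen      443 ssl;
    server_name app.vno.mx;

    # Publicly trusted certificate: needed for the user-facing host only.
    ssl_certificate     /etc/nginx/tls/app.vno.mx.fullchain.pem;  # placeholder
    ssl_certificate_key /etc/nginx/tls/app.vno.mx.key;            # placeholder

    location / {
        proxy_pass https://vnoApp/;

        # Internal hop: trust exactly the backend's self-signed certificate.
        # Without proxy_ssl_verify the link is encrypted but the backend is
        # not authenticated. The certificate's name must match proxy_ssl_name.
        proxy_ssl_trusted_certificate /etc/nginx/tls/backend-selfsigned.pem;  # placeholder
        proxy_ssl_verify      on;
        proxy_ssl_name        vyno.mx;
        proxy_ssl_server_name on;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

If both services run on the same machine, keep `proxy_pass http://...` and point the upstream at 127.0.0.1 instead; the `proxy_ssl_*` lines are then unnecessary.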
