Comment by udev4096 2 days ago

Interesting. I was just setting up a LB like this: client -> LB (nginx) -> TLS terminate for LB conn -> proxy_pass to backend, which is behind nginx and has separate TLS certs. It's surprisingly easy to configure. Wonder why people still use HTTP at all. Even at home, I have set up LE certs for all local domains.

On a side note, nginx doesn't support HTTP/2 for HTTPS load balancing, so I am thinking of switching to haproxy, which supports it.
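The two-hop setup described in this comment (public TLS termination on the LB, then a second, separately certified TLS connection to the backend), written out as an added example. This is not the commenter's configuration; the hostnames, addresses and file paths are placeholders. The check a practitioner would want here is `proxy_ssl_verify`: nginx defaults it to `off`, so a self-signed backend certificate gives you encryption on the inner hop but not authentication of the backend unless you pin the CA (or the self-signed cert itself) with `proxy_ssl_trusted_certificate`.

```nginx
# Added example, not the commenter's config. Names, IPs and paths are placeholders.

upstream app_backend {
    # Backend nginx instances that present their own (self-signed / private-CA) certs.
    server 10.0.0.10:443;
    server 10.0.0.11:443;
}

server {
    listen 443 ssl;
    http2 on;                      # client-facing HTTP/2 (nginx >= 1.25.1; older: "listen 443 ssl http2;")
    server_name app.example.com;   # placeholder public name

    # Public, publicly trusted (e.g. Let's Encrypt) certificate for the client-facing hop.
    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Re-encrypt to the backend over a separate TLS session.
        proxy_pass https://app_backend;

        # Authenticate the backend, not just encrypt to it. Default is "off";
        # with it off, any host that answers on 10.0.0.10:443 is accepted.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/internal-ca.pem;   # the CA (or self-signed cert) that signed the backend certs
        proxy_ssl_name                backend.internal;             # name the backend cert must carry
        proxy_ssl_server_name         on;                           # send SNI so the backend picks the right cert
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        proxy_ssl_session_reuse       on;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The HTTP/2 here is only on the client-facing listener; the `proxy_pass` hop to the backend stays HTTP/1.1, which is the limitation the comment refers to. One caveat relevant to the Certificate Transparency discussion below: the public certificate's Subject Alternative Names are what end up in CT logs, so the name you put in `server_name` and request from the CA is what becomes discoverable, whereas the internal `backend.internal` name on the self-signed hop never leaves your network.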

butvacuum 2 days ago

Because you've now published your internal machine names. Look up certificate transparency logs.

  • udev4096 2 days ago

    What do you mean? I used self-signed for communication b/w LB and the nginx serving the backend.

    Edit: I don't see any "machine name" on crt.sh for the public LB, which uses LE.

    Ah, you meant the DNS address is on CT now. You think I wouldn't know that? Regardless, a DNS-01 challenge is far better than using self-signed at home.