I wanted to ask you a rhetorical question about basic security.
One thing is very clear.
HTTP implies unencrypted data and therefore can be intercepted.
With HTTPS, since it’s encrypted, that’s not possible in principle (you never know when it comes to security).
At home, I have several services installed and I always use HTTPS. In fact, if the service doesn’t have it by default, I enable it.
I’ve set up several services in my home with a Raspi4 and I’ve set up a bastioned Raspi3 with Caddy as a reverse proxy.
My workflow idea is client → https → Caddy as a reverse proxy (Raspi3) → https → service (Raspi4).
I had this question while reading VaultWarden’s documentation on how to enable HTTPS.
They recommend not doing https in VaultWarden but rather through Caddy as a reverse proxy.
If I do this, the traffic between the Raspi3 and Raspi4 would be HTTPS, and therefore passwords could be intercepted.
So the rhetorical question would be:
Shouldn’t HTTPS be used whenever information travels over the LAN?
If the answer is yes, the next question would be:
Why do you recommend not enabling HTTPS directly in the application?
I hope I’ve made myself clear, and thank you very much in advance.
Theoretically, yes. But it depends on how much you trust your LAN and whether it’s worth it. Sometimes the effort is more than the gain. But these days, with tools like Caddy and services like Let’s Encrypt, the effort and cost of implementing TLS / HTTPS everywhere is minuscule or zero.
You mean why THEY recommend not enabling it?
It depends on the application - some applications simply do not implement TLS by themselves and rather rely on tools like Caddy, stunnel, etc. The app and its developer focus on the things the app is supposed to do, and they offload the TLS to another app that specializes in that. They also assume, in most cases, that you’d run tools like Caddy on the same server where you run your application. So the unencrypted traffic would be happening only via the loopback interface and not traversing the network between the servers. Sometimes, they just want to offload the TLS encryption/decryption to a dedicated machine that runs Caddy and has enough computing power for that, while the other server spends all its computing power specifically on the application. There are plenty of reasons and scenarios. You have to compare the pros and cons for your specific deployment and pick the right solution for your particular case.
Now let me propose another scenario and see what you think of my solution, @timelordx.
Imagine that on the Raspi4 there is an important service that doesn’t support native https (Vaultwarden, Nextcloud with personal data, etc.).
In my opinion, instead of relying on the LAN and having Caddy (Raspi3) talk to the service (Raspi4) over http, I would do the following, keeping in mind that Caddy doesn’t consume many resources and is easy to configure.
For me, it’s a good solution if the service is important.
You never know if malware might get onto your LAN, especially if it shares the network with the rest of the family’s home PCs, but I’d like to know if I’m just too paranoid.
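As an added example (not from the original post, nor from the Caddy or Vaultwarden documentation), here is one way to write the two-hop layout discussed in this thread as two Caddyfiles: Caddy on the Raspi3 terminates the browser-facing TLS and then re-encrypts to a second Caddy on the Raspi4, which sits in front of Vaultwarden on loopback. The hostnames (vault.example.com, raspi4.internal), the ports, and the root-certificate path are assumptions chosen for illustration.

```caddyfile
# ---- Raspi3: edge reverse proxy, terminates TLS for the browser ----
# Hostnames, ports and file paths in this example are assumptions.
vault.example.com {
    # The upstream is given with an https:// scheme, so Caddy speaks TLS
    # to the Raspi4 instead of plain HTTP across the LAN.
    reverse_proxy https://raspi4.internal:8443 {
        transport http {
            # The Raspi4 issues its certificate from Caddy's built-in local CA,
            # so trust exactly that CA's root (copied over from the Raspi4's
            # Caddy data directory) rather than the system trust store.
            tls_trusted_ca_certs /etc/caddy/raspi4-internal-root.crt
            # Hostname sent as SNI and checked against the upstream certificate.
            tls_server_name raspi4.internal
            # Avoid "tls_insecure_skip_verify" here: it would accept any
            # certificate, so a host on the LAN impersonating the Raspi4
            # would go unnoticed and the second hop would be encrypted
            # but not authenticated.
        }
    }
}

# ---- Raspi4: local Caddy in front of Vaultwarden ----
raspi4.internal:8443 {
    # Certificate from Caddy's internal CA; no public DNS or ACME needed
    # for a name that only exists on the LAN.
    tls internal
    # Vaultwarden is assumed to listen on 127.0.0.1:8080 only, so the
    # unencrypted hop never leaves the Raspi4.
    reverse_proxy 127.0.0.1:8080
}
```

Two checks worth doing after deploying this: from the Raspi3, a request to the upstream made with that same root certificate as the trusted CA should validate cleanly, and the Raspi3's Caddy log should show no TLS handshake errors for the upstream (those appear when the root is missing or the name in `tls_server_name` does not match the certificate). On the Raspi4, confirm that Vaultwarden's listener is bound to loopback rather than all interfaces, otherwise the plain-HTTP port is still reachable from the LAN and the second Caddy is bypassable.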