Do I need to set up SSL for a reverse proxy between containers?


#1

Not strictly LXD-related, I know, but I have a hard time finding a proper place for such a question…
I am developing a solution in which my host has several containers (LXD 01…04) and only LXD 01 is facing the internet. The others are accessible via an nginx reverse proxy configuration like this one:

server {
  server_name example2.com;
  location / {
    proxy_pass http://ip.of.lxd02;
  }
}
server {
  server_name example3.com;
  location / {
    proxy_pass http://ip.of.lxd03;
  }
}

I plan to set up Let's Encrypt certbot for LXD 01 to have SSL. Should I set up an SSL connection between LXD 01 and the other hosts if all of them are just different containers on the same host? Is there any big security risk if I don't do that, considering that the host server is behind a home router?


#2

Hi!

You would need to encrypt the inter-container network communication if a malicious container were able to intercept the traffic.

You can verify in practice by creating three containers; two that will communicate with each other, and a third that has tcpdump running. You will see that the third container cannot intercept the traffic.

In terms of security, you can get your containers to accept network connections only from their designated other containers. For example, with MySQL, this is done from within MySQL.
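
An added example, not part of either post: the nginx counterpart of restricting a backend to its designated peer, as the answer describes for MySQL. It assumes the backend in LXD 02 is itself served by nginx; the 10.0.3.x addresses and the document root are constructed placeholders.

```nginx
# --- On LXD 02 (backend container) ---
# Assumption: the site in LXD 02 is served by nginx.
# Constructed addresses: 10.0.3.11 = LXD 01 (proxy), 10.0.3.12 = LXD 02.
server {
    # Bind only to the container's bridge address, not to every interface.
    listen 10.0.3.12:80;
    server_name example2.com;

    # Accept requests only from the reverse proxy container.
    # Any other source address, including LXD 03 and LXD 04, gets 403.
    allow 10.0.3.11;
    deny  all;

    location / {
        root /var/www/example2;   # hypothetical document root
    }
}

# --- On LXD 01 (reverse proxy), the matching block from the question ---
server {
    server_name example2.com;

    location / {
        proxy_pass http://10.0.3.12;

        # Pass the original Host header and client address to the backend,
        # so its virtual host matches and its logs can record the client.
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The `allow`/`deny` rules match on the TCP source address, so they should not be combined with the realip module on the backend, which rewrites that address before the access check runs.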