Checklist
[x ] I have read intro post: About the Installation Issues category
[x ] I have read the tutorials, help and searched for similar issues
[x ] I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue
Hi,
I am currently trying to setup Passbolt in my network behind a NginX Proxy Manager (NPM) and Let’s Encrypt certificates. In fact I successfully managed to do that, BUT I am petty sure this is not how one should setup the environment.
How does my installation look like:
NginX Proxy Manager which does the Let’s Encrypt certificate renewal and SSL termination for 3 services (including Passbolt).
Passbolt was setup with “manual” certificates (OpenSSL self-signed certificate) listening on the public domain which the NPM is listening on.
NPM does the SSL termination with the Let’s Encrypt certificate and forwad the requests to the passbolt server using the self-signed certificate within my network.
What are my fears?
Well, the NPM acts somehow as a man in the middle and does SSL re-encryption.
My question(s) are now:
is this setup “fine” from security perspective?
How could I use SSL passthrouth with NginX? I googled that but did not got a working solution, especially if you only have one public IP address for multiple services.
Hi @M4n1 It’s common to use a reverse proxy in front of passbolt, even if the reverse proxy is not on the same server, especially for the reasons you are mentioning.
If you have control over the NGINX reverse proxy it should be fine. It will establish a connection to the end user, in addition to the connection to the backend passbolt. The passbolt certs will be used for the connection between it and the reverse proxy, and the reverse proxy certs will be used for the public facing connection with the end user.
At you are calling it a NPM, maybe it provides both reverse proxy and proxy services? Proxy would be for handling outgoing connections (used often for filtering and screening internal outgoing calls, or at least controlling the flow) and reverse proxy is for incoming connections, to route to the proper backend resource, which is relevant in our case.
Yes the server is in my control and for all other service I am fine with this re-encryption, but I just want to make sure that this does not compromise the security and integrity of the passwords. Since this is a very important piece of infrastructure to setup the right way ;).
I know that you could do SSL passthrough, but this has a significant drawback. I would need a dedicated port for each service where I want to do a passthrough. But I was not able to find something useful in that direction.
