I have two droplets, one hosting backend servers (server2) and the other is an edge server (server1) that hosts front end client and edge servers.
On both servers I have NGINX managing proxying and SSL certificates.
I am looking for advice on configure edge servers on server1 that are connecting to backend servers on server2 using the private IP, specifically, does/should one use https
for initiating api call to backend server or will http
suffice (doesn’t feel right). If https
is recommended then how does one setup SSL certificate as a reachable domain name is required.
Also, can any servers outside of my servers connect to any of my servers via their private IP address.
I am happy to read more, just didn’t find much on the topic so thought I would reach out to the community.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Sign up for Infrastructure as a Newsletter.
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
Hi there,
In the DigitalOcean VPC environment, the traffic between Droplets is isolated from the public internet. This isolation provides a layer of security, making internal communication over HTTP between your servers relatively safe compared to exposure over public networks.
However, even within a VPC, implementing HTTPS can add a layer of security that guards against potential internal threats, such as a compromised server attempting to intercept traffic. This is particularly important if your applications handle sensitive data that would necessitate encryption for compliance with data protection regulations or company policies. But in some cases, this could also be an overkill.
When it comes to setting up HTTPS without a domain, for internal communications, you can use self-signed SSL certificates. While these certificates won’t provide the same level of trust as those signed by a public CA, they will encrypt the traffic between your servers.
Finally, regarding connectivity via private IP addresses, the access is typically restricted to within your own account. It’s critical to configure firewalls, like the DigitalOcean’s Cloud Firewalls, to enforce strict access controls, ensuring that only your servers can communicate with each other on the VPC network.
Hope that this helps!
Best,
Bobby