this post was submitted on 25 Dec 2023
30 points (96.9% liked)

homelab

6250 readers
26 users here now

founded 4 years ago
MODERATORS
[email protected]
30
When is it necessary to have SSL on the LAN side of a reverse proxy (between the reverse proxy and the server)? (sh.itjust.works)
submitted 6 months ago by [email protected] to c/[email protected]
12 comments fedilink hide all child comments
 

Without SSL on the LAN side of a reverse proxy, I presume that all traffic between the server and the reverse proxy is unencrypted and, thus, accessible to any device on the LAN.

Which specific scenarios result in this being a concern? The primary concern that I can come up with is if you know that there are untrustworthy entities connected to the LAN (untrustworthy devices, or perhaps malicious individuals).

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 6 months ago (1 children)

accessible to any device on the LAN.

Only if that traffic is using broadcasts. Wired networking on moden hardware is strictly point-to-point, PC1 is completely unaware of any traffic between PC2 and your home server or whatever.

Wireless is different and can ostensibly be snooped by anything that knows your network key, but I'd assume that you're not running services on wireless devices.

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago) (1 children)

Only if that traffic is using broadcasts. Wired networking on moden hardware is strictly point-to-point, PC1 is completely unaware of any traffic between PC2 and your home server or whatever.

TIL of PPPoE! Could this still be circumvented through ARP spoofing, though?

[–] [email protected] 2 points 6 months ago

I wasn't speaking about PPPoE specifically when I made my post, all wired ethernet traffic only travels from sender to recipient without being visible to any other devices that's not in the direct communication chain. This wasn't always true. A network hub will send out incoming data to every single port, but hubs haven't been in common use for decades. A network switch is aware of what is plugged in where, and will only send received data out whichever specific port the destination is connected to. If you have three PCs plugged into a network switch and PC1 needs to send a packet to PC2, PC3 has no way of even knowing it happened.

That said, your final point is correct, and ARP spoofing defeats this. It had completely slipped my mind when I made the above post.