文章探讨了为内部服务配置TLS证书的两种方案,并对比了使用私有顶级域名配合自签名证书与使用公共域名配合Split-Horizon DNS的优劣 [1]。作者推荐后者,即通过结合VPN、WAF和ACME协议实现自动化证书管理,从而避免客户端信任问题并保障安全 [1]。
具体实施方案中,建议采用Split-Horizon DNS配置,使内部服务在公网解析为公共IP以获取Let's Encrypt或ZeroSSL证书,同时在VPN内网解析为内部IP [1]。为了构建Web访问防火墙(WAF),可通过Nginx绑定VPN网络接口(如our-server.netbird.cloud:443)来拒绝非VPN来源的流量 [1]。
在自动化管理方面,建议使用acme.sh工具配合--standalone模式获取证书,并通过cron任务实现证书的自动续期与同步 [1]。针对多子域名服务场景,文章建议优先使用TLS SAN(Subject Alternative Name),而非通配符证书,以平衡便利性与安全性 [1]。
An article discusses two approaches to configuring TLS certificates for internal services: using a private top-level domain with self-signed certificates versus utilizing public domains combined with Split-Horizon DNS. The author recommends the latter approach, which integrates VPNs, Web Application Firewalls (WAF), and the ACME protocol to automate certificate management [1]. This method avoids client trust issues while ensuring security by resolving internal services to a public IP address on the internet for obtaining certificates from providers like Let's Encrypt or ZeroSSL, and to an internal IP address within the VPN network via Split-Horizon DNS configuration [1].
To secure web access as a WAF, Nginx is bound to specific VPN network interfaces (e.g., our-server.netbird.cloud:443) to reject traffic originating from non-VPN sources [1]. For certificate acquisition and management, the tool acme.sh is used in standalone mode to obtain certificates, with cron tasks implementing automatic renewal and synchronization [1]. When managing multiple subdomains for services, it is recommended to use TLS Subject Alternative Names (SAN) rather than wildcard certificates to balance convenience with security [1].