I wish to set up a new website that will be accessed by users using HTTPS. I think it is good practice to put the "real" web server in a separate subnet, and then install an Apache Reverse Proxy in a DMZ.
My question is, where should I put the SSL cert(s)? Should I
a) Use a self-signed cert on the "real" web server, and a proper cert on the reverse proxy?
b) Use 2 real certs on both the "real" web server and the reverse proxy?
c) Don't use any cert on the "real" web server, and use a proper cert on the reverse proxy?
I'd like to use a) or c), if possible. I also don't want anyone's browser complaining of a self-signed cert.
Thanks
Have a look at this link: ssl
Typically, Web servers would go in the DMZ unless for an unusual reason they contain restricted or confidential information. Databases typically contain that data, and they go in a more restricted subnet.
Often, modern DMZs are an internally reserved subnet. You would have a firewall on the edge network, which would provide NATing to that subnet. What I describe is a dual firewall configuration.
SSL certificates would be acceptable on the network segment where the Web servers live. I typically lean towards encryption whenever reasonably possible unless there's another consideration at the time. I would use a CA-signed SSL certificate in all cases that you describe.
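
Added example, not part of the question or the answer above: a sketch of the proxy-side Apache configuration when the hop to the "real" web server is also encrypted (options a and b). Browsers only ever see the certificate configured on the proxy; the backend certificate is checked by the proxy against the trust file it is given. Hostnames, the port and file paths are placeholders, and mod_ssl, mod_proxy and mod_proxy_http are assumed to be loaded.

```apache
# Reverse proxy in the DMZ. All names and paths below are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    # Browser-facing side: the CA-signed certificate and its key live here.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/tls/www.example.com.crt
    SSLCertificateKeyFile /etc/apache2/tls/www.example.com.key

    # Backend side: re-encrypt the traffic sent to the "real" web server.
    SSLProxyEngine on

    # Trust anchor for the backend. For option a) this file holds the
    # backend's self-signed certificate; for option b) it holds the
    # issuing CA's certificate.
    SSLProxyCACertificateFile /etc/apache2/tls/backend-trust.pem

    # Refuse the connection unless the backend certificate chains to the
    # trust anchor, matches the hostname in the ProxyPass URL, and has
    # not expired.
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    ProxyPass        / https://app.internal.example:8443/
    ProxyPassReverse / https://app.internal.example:8443/

    # Option c) would use an http:// backend URL and none of the
    # SSLProxy* directives; the hop between the subnets is then plaintext.
</VirtualHost>
```

For the name check to pass, the backend certificate must carry the hostname used in the `ProxyPass` URL, whether it is self-signed or CA-signed.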