Currently I'm using nginx as a reverse proxy over https and everything that is proxied is itself over https. SSL termination happens at Nginx and since the traffic is over https it gets encrypted again before going on its way.
My first instinct was that my public facing servers must use a signed certificate and use SSL passthrough from nginx. Turns out nginx does not allow you to do that. So I started looking at haproxy since it can do SSL passthrough.
And after a lot of reading I started wondering if any of this really matters. I can use self-signed certificates once inside my own network.
Is there a reason to use the same certificate on nginx / haproxy as on my servers? Is there any reason not to use self-signed certificates for internal traffic?
There is no technical reason why you would need to use the external certificate on internal servers, unless you have a configuration where internal servers are also directly reachable from outside, which seems unlikely in most environments.
Self-signed is fine in an environment where you control both ends of the SSL connection, which is the case on the back-side of HAProxy and the front-side of internal application servers.
I think it is a better solution to use an internal certificate. For security reasons, you wouldn't add an extra opportunity to compromise your public certificate.
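The setup discussed above, with the public certificate kept on the proxy and a self-signed certificate on the internal leg, shown as an nginx configuration. This is an added example, not configuration from the question or the answers; the hostnames, the address and the file paths are placeholders.

```nginx
# Added example: all names, addresses and paths below are placeholders.
upstream app_backend {
    server 10.0.0.10:8443;   # constructed internal address
}

server {
    listen 443 ssl;
    server_name www.example.com;

    # Public, CA-signed certificate and key exist only on the proxy,
    # never on the internal application servers.
    ssl_certificate     /etc/nginx/tls/public-fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/public.key;

    location / {
        proxy_pass https://app_backend;

        # The nginx default is "proxy_ssl_verify off": the backend leg is
        # encrypted, but any certificate the backend presents is accepted.
        # Turn verification on and trust only the internal self-signed
        # certificate (or the internal CA that issued it).
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        1;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-backend.pem;

        # Name that the backend certificate must match; also sent as SNI.
        # Without this, nginx would check against "app_backend".
        proxy_ssl_name        app01.internal.example;
        proxy_ssl_server_name on;

        proxy_set_header Host $host;
    }
}
```

A self-signed certificate only authenticates the backend when the proxy is told to trust exactly that certificate, which is what `proxy_ssl_trusted_certificate` together with `proxy_ssl_verify on` does here.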