Names resolve before anything else
Public DNS and internal split views (e.g., Pi-hole or corporate resolvers) must agree on intent: which IP answers for `www` versus apex, which names are delegated to CDNs, and which stay on your LAN. Document the matrix when you host services; future-you will not remember why `git.internal` pointed at a lab IP.
TLS: modern defaults and renewal
Prefer TLS 1.2+ with forward secrecy; automate certificate renewal and monitor expiry independently of the vendor UI. Mozilla publishes interoperable cipher suites; ACME (RFC 8555) is the de facto lifecycle for public certs. For internal-only names, private CAs are fine if you distribute trust correctly—otherwise staff disable warnings and you have taught them to click through errors.
Reverse proxy as the choke point
Terminate TLS at the proxy, enforce HSTS where appropriate, add security headers, and route to backends on plain HTTP inside trusted networks. Keep configuration in version control; pair with identity basics for admin surfaces.
HTTP semantics still matter
Caching, redirects, and method semantics follow RFC 9110. Misconfigured redirects (apex ↔ www, HTTP → HTTPS) create subtle duplicate content and cookie issues for SEO and sessions alike.
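As an added example (not the page's or NGINX's own code), the following configuration ties the proxy and redirect points together: TLS terminates at the proxy, HSTS and the other security headers are sent only on HTTPS responses, plaintext and apex requests collapse onto one canonical host in a single 301, and the backend is reached over plain HTTP. The hostnames, certificate paths and the backend address `10.0.0.10:8080` are placeholders.

```nginx
# Plaintext HTTP for both names: one hop straight to the canonical HTTPS host.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}

# HTTPS on the apex: also one hop to www, so exactly one origin serves content.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # must cover both names
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    return 301 https://www.example.com$request_uri;
}

# The canonical host: TLS ends here, the backend only ever sees plain HTTP.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;          # no TLS 1.0/1.1
    ssl_prefer_server_ciphers off;          # Mozilla "intermediate": client picks among AEAD suites
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Only in this HTTPS block: browsers ignore HSTS on plaintext responses anyway.
    # Add "includeSubDomains" only once every subdomain (including internal names) is on HTTPS.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    location / {
        # Caveat: an add_header inside this location would replace every inherited header above.
        proxy_pass http://10.0.0.10:8080;                 # placeholder backend on the trusted network
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;         # lets the app set Secure cookies and build https:// URLs
    }
}
```

Validate with `nginx -t`, then confirm with `curl -sI` that each non-canonical URL answers with a single 301 and that only the final `https://www.` response carries the HSTS header.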
Further reading
- RFC 9110 — HTTP Semantics.
- RFC 8555 — Automatic Certificate Management Environment (ACME).
- Mozilla SSL Configuration Generator.
- NGINX — Configuring HTTPS servers.
Talk to us
We help teams untangle DNS and proxy rows, harden TLS configs, and document the edge so incidents are shorter.
Contact EasyGoin Services