Let's Encrypt WAF best practices Question

This is a pretty newbie level question.  

I previously had two websites set up behind a Sophos XG CE firewall using Let's Encrypt on the webserver.  (Ubuntu 22.04 Apache).  Under this configuration I had redirect HTTP to HTTPS enabled on the WAF, and the Sophos would communicate to the back end server over HTTPS and everything was working well.  It was a pain to have to manually copy the Let's Encrypt certs to the XG firewall every 90 days, but so be it. 

With v21, I have successfully set up Let's Encrypt on the firewall.  My question though is, under this new setup, I'm guessing I need to now reconfigure my Apache server to only accept HTTP, and only accept traffic from the firewall?  The XG terminates HTTPS and then communicates with the webserver unencrypted?

If not, I'm struggling to understand what Let's Encrypt on the firewall gives you.  Or does this mean I can use a self-signed cert for the XG to webserver traffic now? Or will that also not work?  I guess I'm just trying to understand what the best practice is here when using Let's Encrypt on the firewall itself.

This is for a home lab which also runs my band's website.  The server is in an isolated VLAN with all external traffic having to go through the WAF, so I'm thinking it's relatively safe to have the XG to web server communication be unencrypted?
