If there happens to be some mental TLS handshake RCE that comes up, chances are they are all using the same underlying TLS library so all will be susceptible…
Among common reverse proxies, I know of at least two underlying TLS stacks being used:
- Nginx uses OpenSSL.
  - This is probably the one you thought everyone was using, as it’s essentially considered to be the “default” TLS stack.
- Caddy uses `crypto/tls` from the Go standard library (which has its own implementation, it’s not just a wrapper around OpenSSL).
  - This is in all likelihood also the case for Traefik (and any other Go-based reverse proxies), though I did not check.
For TLS-based protocols like HTTPS you can run a reverse proxy on the VPS that only looks at the SNI (server name indication) which does not require the private key to be present on the VPS. That way you can run all your HTTPS endpoints on the same port without issue even if the backend server depends on the host name.
This StackOverflow thread shows how to set that up for a few different reverse proxies.
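As an added illustration of the SNI-only routing described in the comment above (my own example code, not from the thread, the linked StackOverflow answers, or any of the proxies named): a bounds-checked parser that pulls the host name out of a TLS ClientHello record and a lookup that maps it to a backend. The ClientHello is sent in the clear, so the proxy never needs the certificate's private key for this step. The backend addresses and the hand-assembled ClientHello are constructed for the demonstration.

```go
package main

import (
	"errors"
	"strings"
)

var errTruncated = errors.New("truncated or malformed ClientHello")

// cursor is a bounds-checked reader over untrusted bytes; once err is set every read yields nothing.
type cursor struct {
	b   []byte
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err == nil && len(c.b) >= n {
		out := c.b[:n]
		c.b = c.b[n:]
		return out
	}
	c.err = errTruncated
	return nil
}

// uint reads an n-byte big-endian length or tag (n is 1, 2 or 3 in TLS).
func (c *cursor) uint(n int) int {
	v := 0
	for _, x := range c.take(n) {
		v = v<<8 | int(x)
	}
	return v
}

// parseSNI returns the host_name from the server_name extension of a ClientHello
// held in one TLS record (RFC 8446 s4.1.2, RFC 6066 s3). Nothing is decrypted.
func parseSNI(rec []byte) (string, error) {
	r := &cursor{b: rec}
	if r.uint(1) != 0x16 { // ContentType handshake
		return "", errors.New("not a TLS handshake record")
	}
	r.take(2) // legacy_record_version
	h := &cursor{b: r.take(r.uint(2))}
	if r.err != nil || h.uint(1) != 0x01 { // HandshakeType client_hello
		return "", errors.New("not a complete ClientHello record")
	}
	h = &cursor{b: h.take(h.uint(3))} // stay inside the handshake body
	h.take(2 + 32)                    // legacy_version + random
	h.take(h.uint(1))                 // legacy_session_id
	h.take(h.uint(2))                 // cipher_suites
	h.take(h.uint(1))                 // legacy_compression_methods
	exts := &cursor{b: h.take(h.uint(2))}
	if h.err != nil {
		return "", h.err
	}
	for len(exts.b) > 0 {
		extType := exts.uint(2)
		data := exts.take(exts.uint(2))
		if exts.err != nil {
			return "", exts.err
		}
		if extType != 0x0000 { // only server_name is of interest
			continue
		}
		list := &cursor{b: data}
		names := &cursor{b: list.take(list.uint(2))}
		nameType := names.uint(1) // host_name (0) is the only NameType defined
		name := names.take(names.uint(2))
		if list.err != nil || names.err != nil {
			return "", errTruncated
		}
		if nameType == 0x00 {
			return string(name), nil
		}
	}
	return "", errors.New("no server_name extension")
}

// routeBySNI maps the lower-cased SNI to a backend address (hypothetical
// addresses); false means the connection should be dropped, not guessed at.
func routeBySNI(rec []byte, backends map[string]string) (string, bool) {
	host, err := parseSNI(rec)
	backend, ok := backends[strings.ToLower(host)]
	return backend, err == nil && ok
}

func be16(v int) []byte { return []byte{byte(v >> 8), byte(v)} }

// buildClientHello assembles a minimal ClientHello record carrying one
// server_name extension: constructed test input, not a real capture.
func buildClientHello(host string) []byte {
	sni := append(append(be16(3+len(host)), 0x00), be16(len(host))...) // list length, host_name, name length
	sni = append(sni, host...)
	ext := append(append(be16(0x0000), be16(len(sni))...), sni...) // ExtensionType server_name
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...)       // legacy_version, zero random
	body = append(body, 0x00, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00) // no session id, one suite, null compression
	body = append(append(body, be16(len(ext))...), ext...)
	hs := append([]byte{0x01, 0x00, byte(len(body) >> 8), byte(len(body))}, body...) // client_hello, 24-bit length
	return append(append([]byte{0x16, 0x03, 0x01}, be16(len(hs))...), hs...)          // handshake record
}
```

A real proxy peeks at the first bytes of the accepted connection, runs this parser, then splices the client socket to the chosen backend; it has to buffer until the whole ClientHello has arrived (it can span TCP segments and, in principle, records) and should cap how much it will buffer before giving up, since these bytes come from an unauthenticated peer. This is what nginx's `ssl_preread` and HAProxy's `req.ssl_sni` do under the hood. Encrypted Client Hello hides the name, so connections using it cannot be routed this way.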