I think many here don't get that not working in a tech startup is very different.
The IT budget is shrinking every year instead of increasing with company profits and sometimes a 3 person team needs to handle 300 users plus those machines that nowadays are tightly interconnected. These 300 users are essentially a threat to the company because they often click on anything they get per mail.
So you need to encrypt everything as much as possible to decrease the attack surface inside the network.
> These 300 users are essentially a threat to the company because they often click on anything they get per mail.
I agree, but I have to mention as well that in general all teams (not only IT) got reductions of budgets and amount of employees and in the end everybody is very stressed most of the time, which in turn makes everybody pay less attention to what they're doing.
In my case (IT) last year I received an email with the title "ACTION REQUIRED" and I just blindly opened it and clicked on the link of the document which I was supposed to fill out, and (luckily) it was just a well-crafted internal test related to phishing (which then of course I failed => I then had to take an online course) - in my opinion the problem is that nowadays we're permanently under pressure to deliver/react/do stuff with very short lead times and it's therefore hard after a while not to start to unwillingly forget best practices related to security.
This year the company I'm working for has started as well to use quite often external companies (websites) to provide some services => doing that makes identifying phishing emails even more difficult for me.
You can terminate SSL at nginx and forward over socket or local port to service bound only on localhost. Then you can LB over the nginx's. You can even deploy the same certs to all of them.
