Question

DigitalOcean Load Balancer TLS termination and forward via self-signed certification to backend

Let’s consider an application managing 100 distinct SSL Certifications, with each customer requiring their own SSL certificate. If configured through a load balancer, setting up 100 SSL certificates that automatically renew (using Let’s Encrypt) becomes necessary.

Our aim is to implement end-to-end encryption, ensuring that the traffic leaving the load balancer and reaching our droplet/backend application remains encrypted.

To achieve this, my understanding is that the backend application must also possess all 100 SSL certificates for decrypting the incoming traffic.

I’ve come across alternative solutions offered by some providers through the load balancer. In this scenario, the load balancer holds all 100 SSL certificates, but before forwarding the traffic to the backend, it translates them into a single Self-Signed SSL Certificate. This single certificate is then utilized by the droplet or backend application.

This approach simplifies our end, requiring only one certificate instead of the original 100. I’m curious if DigitalOcean’s Load Balancers support such a configuration, or if there are other viable solutions available?

Many thanks



Bobby Iliev
Site Moderator
December 23, 2023

Hey there!

Great question about handling SSL termination and re-encryption with DigitalOcean Load Balancers.

First off, DigitalOcean’s Load Balancers are pretty solid when it comes to SSL termination. They handle the decryption of SSL requests efficiently, which is a big plus as it offloads the CPU-intensive task of decryption from your servers and centralizes certificate management.

After SSL termination, the traffic is usually routed to the backend droplets via DigitalOcean’s VPC network. This network layer adds a degree of security, but remember, this traffic will be unencrypted unless you take additional measures.

There’s also the SSL passthrough option, where the encrypted requests are sent directly to the backend. This means each of your servers needs to be equipped with the necessary SSL certificate info.

Now, about re-encrypting traffic with a self-signed certificate after it’s been decrypted by the Load Balancer—this is where it gets a bit tricky. As of the time of writing, DigitalOcean Load Balancers don’t really support this specific scenario. Essentially, you’re looking at SSL bridging, where the Load Balancer terminates the SSL connection and then initiates a new SSL connection to the backend. This isn’t a standard feature as of now.

A possible workaround would be to set up a self-managed load balancer such as HAProxy on a Droplet instead of using the managed DigitalOcean Load Balancers; there you will have full control over the configuration and will be able to achieve this setup.

The best thing to do to get your voice heard regarding this would be to head over to our Product Ideas board and post a new idea, including as much information as possible for what you’d like to see implemented.

https://ideas.digitalocean.com/

Hope that helps!

- Bobby.
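The HAProxy workaround suggested in the answer above, as an added example that is not part of the question, the answer, or any DigitalOcean documentation: HAProxy terminates TLS with one certificate per customer domain (selected by SNI), then re-encrypts toward the Droplets and pins the backend's single self-signed certificate. The IP addresses, the `app.internal` host name and every file path are assumptions chosen for illustration.

```haproxy
# Added example (not from the question or the answer): a self-managed HAProxy
# on a Droplet doing TLS bridging. Every host name, IP and path below is an
# assumption chosen for illustration.

global
    log /dev/log local0
    # Refuse legacy protocol versions on every TLS listener.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind *:80
    # Port 80 exists only to redirect to HTTPS.
    http-request redirect scheme https code 301 unless { ssl_fc }

frontend https_in
    # One PEM per customer domain (full chain + private key concatenated)
    # in this directory; HAProxy picks the certificate that matches the SNI
    # the client sent. strict-sni rejects handshakes for names you do not serve
    # instead of falling back to an arbitrary certificate.
    bind *:443 ssl crt /etc/haproxy/certs/ strict-sni alpn h2,http/1.1
    # Tell the application the original request was HTTPS.
    http-request set-header X-Forwarded-Proto https
    default_backend app_servers

backend app_servers
    balance roundrobin
    # Re-encrypt toward the Droplets over the VPC. `ca-file` points at the
    # backend's own self-signed certificate, so the load balancer accepts
    # exactly that certificate and nothing else (pinning). `verify none`
    # would accept any certificate and defeat the point of re-encrypting.
    default-server ssl verify required ca-file /etc/haproxy/backend-ca.pem verifyhost app.internal check
    server app1 10.10.0.11:443
    server app2 10.10.0.12:443
```

Two operational notes. The backend's self-signed certificate must carry `app.internal` as its subject alternative name for `verifyhost` to succeed, and only the certificate (not the key) is copied to the HAProxy Droplet as `backend-ca.pem`; the key stays on the application servers. For the per-customer Let's Encrypt certificates, certbot writes `fullchain.pem` and `privkey.pem` separately, so a renewal deploy hook should concatenate them into a single PEM under `/etc/haproxy/certs/` and reload HAProxy; validate the configuration with `haproxy -c -f /etc/haproxy/haproxy.cfg` before each reload.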
