
How To Configure SSL Termination on DigitalOcean Load Balancers

Posted February 14, 2017. Tags: Load Balancing, DigitalOcean, Let's Encrypt, Security, Ubuntu 16.04

Introduction

DigitalOcean Load Balancers allow you to easily distribute traffic among a group of backend Droplets. While forwarding plain HTTP may be the most straightforward way to handle client requests, most deployments need the connection from the client to be encrypted.

In this guide, we will demonstrate how to configure DigitalOcean Load Balancers with SSL termination. Clients connect to the Load Balancer securely using HTTPS. The Load Balancer decrypts the traffic and forwards plain HTTP traffic to the backend web servers. This gives you the benefit of SSL encryption between the Load Balancer and client, while simplifying the SSL requirements by maintaining the certificate files in a single location.

We will demonstrate this procedure using two backend Droplets. We will create a DigitalOcean Load Balancer during the course of this guide, so you will not need one to begin.

Note: With SSL termination, traffic is encrypted only between the client and the Load Balancer. The hop from the Load Balancer to the backend Droplets is plain HTTP, so anything able to observe that path can read it. If that hop must also be encrypted, use SSL passthrough instead; each backend Droplet then has to hold the certificate and private key and terminate TLS itself.

Prerequisites

Before you begin, you will need to create two Ubuntu 16.04 Droplets in the same region. On each of these servers, configure a non-root user with sudo privileges and set up a firewall by following our Ubuntu 16.04 initial server setup guide.

This tutorial will make use of Let's Encrypt's certbot client to acquire the SSL certificate for the Load Balancer. In order to request a certificate, you will need a domain name to assign to the Load Balancer once it becomes available.

Once you have these servers configured, follow along below.

Installing the Web Server Software on the Backends

Before we create the Load Balancer, we will configure our backend Droplets so that they can respond to the requests they will receive.

On each of your Droplets, refresh the apt package index and then install the Nginx web server by typing:

  • sudo apt-get update
  • sudo apt-get install nginx

Once the installation completes, allow HTTP traffic through the UFW firewall by typing:

  • sudo ufw allow 'Nginx HTTP'
Output
Rule added
Rule added (v6)

You can confirm that the rule was added successfully by typing:

  • sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

In most scenarios, you will want the services provided by backends to be identical to one another. However, for this guide, we will put some unique content on each backend to better demonstrate the distributed request handling.

On each of your Droplets, create an index.html file in the server's document root:

  • sudo nano /var/www/html/index.html

Inside, on your first Droplet, enter the following content:

/var/www/html/index.html on first backend
<h1 style="color:blue">First Backend</h1>

On the second Droplet, enter this content instead:

/var/www/html/index.html on second backend
<h1 style="color:orange">Second Backend</h1>

Save and close the files when you are finished.

You should be able to access these pages by visiting your Droplet's IP address in your web browser:

http://droplet_IP_address

Check that both of your backends are able to serve their content correctly.

Creating a Load Balancer

Now that the backend servers are configured, we are ready to create the Load Balancer that will handle traffic distribution.

In the DigitalOcean control panel, click the Networking item in the top navigation bar, and in the page that follows, select the Load Balancers tab:

select Load Balancers in DigitalOcean control panel

Next, click the Create Load Balancer button. This will be in the middle of the page if you do not currently have any Load Balancers, or in the upper-right corner otherwise:

Create new DigitalOcean Load Balancer button

On the Load Balancer creation page which follows, begin by selecting a name for your new Load Balancer.

When we request a certificate using Let's Encrypt, the certificate authority will make an HTTP request to our domain to verify that we control it (the domain validation challenge), and that request will arrive through the Load Balancer. Adding a single backend initially guarantees that the challenge is routed to the one Droplet on which we will run certbot.

Add only your first backend Droplet to the Load Balancer under the Add Droplets section by selecting it by name:

Add first backend Droplet to the Load Balancer

In the Forwarding rules section, the default rule specifying that HTTP port 80 on the load balancer be forwarded to HTTP port 80 on the backend is correct for our purposes. The Advanced settings can also be left alone for now.

When you are ready, click the Create Load Balancer button at the bottom:

Create DigitalOcean Load Balancer

Your Load Balancer will be created within a few minutes.

Assigning a Domain Name to the Load Balancer

Once the creation completes, you will have access to the Load Balancer's IP address on the Load Balancer index page:

Load Balancer index page

Now we have the information we need to point our domain name to the Load Balancer's IP address.

Follow our guide on setting up a domain name with DigitalOcean to create an A record for your domain. Point the domain to your Load Balancer's IP address instead of an individual Droplet.

When you are finished, you should be able to access your first backend server by requesting your domain name in a web browser:

http://example.com

first backend page

When you can reach your first Droplet backend by requesting your domain, we can install the Let's Encrypt client and request a certificate.

Preparing Certbot on the First Backend

Now that the first backend is accessible through the domain, we can request our SSL certificate. We will install and use the official Let's Encrypt client certbot. Log into your first backend Droplet (the one currently hooked up to the Load Balancer) with your sudo user.

The Certbot developers maintain their own Ubuntu software repository with up-to-date versions of the software. Because Certbot is in such active development it's worth using this repository to install a newer Certbot than provided by Ubuntu.

First, add the repository:

  • sudo add-apt-repository ppa:certbot/certbot

You'll need to press ENTER to accept. Afterwards, update the package list to pick up the new repository's package information:

  • sudo apt-get update

And finally, install Certbot with apt-get:

  • sudo apt-get install certbot

After the client is installed, open the default Nginx server block configuration file. We will add the location block that Certbot will need to correctly respond to the certificate challenge:

  • sudo nano /etc/nginx/sites-enabled/default

Inside, within the server block, add a regular expression location block that explicitly allows requests under .well-known. Escape the dot so that the pattern matches a literal period rather than any character:

/etc/nginx/sites-enabled/default on first backend
server {
    . . .

    # Let's Encrypt's HTTP validation fetches /.well-known/acme-challenge/<token>
    # from the document root; make sure nothing in this server block denies it.
    location ~ /\.well-known {
        allow all;
    }

    . . .
}

Save and close the file when you are finished.

Test your configuration for syntax errors by typing:

  • sudo nginx -t

If no problems were found, you should see output that looks like this:

Output
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If the syntax check was successful, restart Nginx to incorporate your changes:

  • sudo systemctl restart nginx

Nginx is now configured correctly to respond to the Let's Encrypt domain validation challenge.

Requesting a Let's Encrypt Certificate

Now, we can request a certificate for our domain using the following Certbot command. Substitute your domain for the argument after the first -d, and any alternative names after additional -d flags:

  • sudo certbot certonly --webroot --webroot-path=/var/www/html -d example.com -d www.example.com

You will be prompted for a recovery email address and to accept the Let's Encrypt terms and conditions. If everything was successful, you should see a message that looks similar to this:

Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on
   2017-07-26. To obtain a new or tweaked version of this certificate in the
   future, simply run certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you lose your account credentials, you can recover through e-mails sent
   to sammy@example.com.
 - Your account credentials have been saved in your Certbot configuration
   directory at /etc/letsencrypt. You should make a secure backup of this
   folder now. This configuration directory will also contain certificates and
   private keys obtained by Certbot so making regular backups of this folder
   is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

We now have the certificate files we need to configure SSL termination on our Load Balancer.

Check the directory that Let's Encrypt uses to hold certificate files to find the specific subdirectory we'll need. It should be named after your domain:

  • sudo ls /etc/letsencrypt/live
Output
example.com

List the files within that directory by typing:

  • sudo ls /etc/letsencrypt/live/example.com
Output
cert.pem chain.pem fullchain.pem privkey.pem

We will need the contents of the cert.pem, privkey.pem, and fullchain.pem files to set up SSL termination on the Load Balancer.

Configuring SSL Termination on the Load Balancer

We can now modify the settings of our load balancer to accept HTTPS traffic and forward it to our backends over HTTP.

Add a Load Balancing Rule for SSL Traffic

On the Load Balancer index page in the DigitalOcean control panel (located by selecting Networking followed by Load Balancers), click your Load Balancer's name to view the detail page:

select Load Balancer in DigitalOcean control panel

On the detail page, click Settings to get to the settings page:

DigitalOcean Load Balancer settings page

Click the Edit button associated with the Forwarding Rules row. You should see the current rule, followed by an option to add additional rules:

DigitalOcean Load Balancer edit rules

From the New Rule drop down menu, select HTTPS. The options populated by default, to forward HTTPS traffic on port 443 to HTTP port 80 on the backend, are correct for our configuration. The only thing we need to do is add the details of our SSL configuration.

In the Certificate field drop down menu, select + New Certificate option:

DigitalOcean Load Balancer new cert button

A modal will appear asking you for the details of the certificate you would like to use. You will need to fill out the following details:

Name:

  • What is it? The name that will identify the certificate in the DigitalOcean interface.
  • How to get it? You choose this name yourself. You can call it anything, provided the name only contains letters, numbers, periods, or dashes.

Public key:

  • What is it? The certificate issued for your domain. It is what the Load Balancer presents to clients and carries the domain's public key.
  • How to get it? In this guide, this is the cert.pem file within the /etc/letsencrypt/live/example.com directory. Be sure to include the BEGIN CERTIFICATE and END CERTIFICATE lines in the output of the following command:

    • sudo cat /etc/letsencrypt/live/example.com/cert.pem

Private key:

  • What is it? The secret key associated with the certificate.
  • How to get it? In this guide, this is the privkey.pem file within the /etc/letsencrypt/live/example.com directory. Be sure to include the BEGIN PRIVATE KEY and END PRIVATE KEY lines in the output of the following command:

    • sudo cat /etc/letsencrypt/live/example.com/privkey.pem

Certificate Chain:

  • What is it? The trust chain between a certificate authority root that clients already trust and your domain's certificate, that is, the intermediate certificate(s) that issued it.
  • How to get it? In this guide, this is the fullchain.pem file within the /etc/letsencrypt/live/example.com directory. Note that fullchain.pem repeats your domain's certificate as its first entry and then lists the intermediate(s); the intermediate(s) alone are in chain.pem. Be sure to include the first BEGIN CERTIFICATE and the last END CERTIFICATE lines in the output of the following command:

    • sudo cat /etc/letsencrypt/live/example.com/fullchain.pem

When you are finished, it should look something like this:

DigitalOcean Load Balancer add certificate

Click the Save SSL Certificate button to continue.

In the Forwarding Rules section, click Save to implement your new forwarding rules.

Note: To manage SSL credentials that have been added to DigitalOcean, click the user icon in the upper-right corner of the control panel and select Settings from the drop down menu that appears.

On the left-hand menu that appears, select Security. Entries for each of your uploaded certificates are available under the TLS/SSL certificates section. To correctly identify the certificates, match the displayed fingerprint against the fingerprint of the certificate in the Let's Encrypt directory, which can be found by typing:

  • sudo openssl x509 -noout -sha1 -fingerprint -in /etc/letsencrypt/live/example.com/cert.pem

You can delete any SSL certificates you've uploaded in this interface.
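Before pasting the three files into the form, it is worth confirming that they belong together: that privkey.pem really is the key for cert.pem, that cert.pem is the first certificate in fullchain.pem and the rest of that file verifies as its chain, and which fingerprint to expect on the Security page afterwards. A mismatched key and certificate is only discovered when clients start failing to connect, and a missing intermediate only shows up on clients that do not have it cached. The script below is an added example written for this page; it is not part of the original tutorial, of certbot or of DigitalOcean's tooling. So that it runs without a real certificate, it builds a throwaway root, intermediate and leaf for example.com in a temporary directory (constructed stand-ins for Let's Encrypt's chain); in real use you point the functions at the files under /etc/letsencrypt/live/example.com/ and omit the CA-file argument so the system trust store is used. It requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the tutorial or certbot: check a certbot bundle before it
# is pasted into the Load Balancer's certificate form. Requires the openssl CLI.
set -eu

# Write the first certificate in $1 to $2/leaf.pem (the "Public key" field) and any
# following certificates to $2/chain.pem. Lines before the first BEGIN are dropped.
split_fullchain() {
    : > "$2/leaf.pem"
    : > "$2/chain.pem"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > (dir "/leaf.pem") }
        n >  1 { print > (dir "/chain.pem") }
    ' "$1"
}

# Number of PEM certificates in a file (0 when there are none).
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# 0 when the private key in $2 belongs to the certificate in $1: both are reduced to
# their SubjectPublicKeyInfo and compared, which works for RSA and ECDSA alike.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 when the leaf $1 chains through the intermediates in $2 to a trusted root.
# $3 is an optional CA file to trust instead of the system store (needed for the
# constructed chain below; omit it for a real Let's Encrypt bundle).
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null
    else
        openssl verify -untrusted "$2" "$1" >/dev/null
    fi
}

# SHA-1 fingerprint of a certificate, in the form shown under Settings > Security.
fingerprint() { openssl x509 -in "$1" -noout -sha1 -fingerprint | sed 's/^.*=//'; }

# ---- Constructed test material (assumption: stands in for Let's Encrypt's chain) ----
# root -> intermediate -> leaf for example.com, written to a temporary directory.
# In real use point the functions at /etc/letsencrypt/live/example.com/ instead.
WORK=$(mktemp -d)
mkcsr() { openssl req -new -newkey rsa:2048 -nodes -subj "$1" -keyout "$2" -out "$3" 2>/dev/null; }

openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Constructed Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
mkcsr "/CN=Constructed Intermediate" "$WORK/int.key" "$WORK/int.csr"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
printf 'subjectAltName=DNS:example.com,DNS:www.example.com\n' > "$WORK/leaf.ext"
mkcsr "/CN=example.com" "$WORK/privkey.pem" "$WORK/leaf.csr"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 90 -extfile "$WORK/leaf.ext" -out "$WORK/cert.pem" 2>/dev/null
cat "$WORK/cert.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"   # same layout as certbot's fullchain.pem
openssl genpkey -algorithm RSA -out "$WORK/other.key" 2>/dev/null  # an unrelated key, for the mismatch case

# ---- The checks to run before uploading ----
split_fullchain "$WORK/fullchain.pem" "$WORK"
echo "leaf certificates: $(cert_count "$WORK/leaf.pem"), chain certificates: $(cert_count "$WORK/chain.pem")"
cmp -s "$WORK/leaf.pem" "$WORK/cert.pem" && echo "cert.pem is the first entry of fullchain.pem"
key_matches_cert "$WORK/leaf.pem" "$WORK/privkey.pem" && echo "privkey.pem matches the certificate"
key_matches_cert "$WORK/leaf.pem" "$WORK/other.key" || echo "other.key does not match (expected)"
chain_verifies "$WORK/leaf.pem" "$WORK/chain.pem" "$WORK/root.pem" && echo "chain verifies to the root"
echo "fingerprint to expect in the control panel: $(fingerprint "$WORK/leaf.pem")"
```

The key check compares public keys rather than RSA moduli, so the same function covers the ECDSA certificates certbot can also issue. If `key_matches_cert` fails on a real bundle, the usual cause is pasting privkey.pem from a different certbot run than cert.pem; re-list /etc/letsencrypt/live and take all three files from the same directory.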

(Optional) Force SSL Traffic

If you would like to force visitors to connect over HTTPS, so that credentials and content are never sent in clear text, you can optionally redirect HTTP traffic to HTTPS. Any plain-HTTP request to the Load Balancer is then answered with a redirect to the HTTPS URL, which is served with the certificate you loaded. Let's Encrypt's HTTP validation follows such redirects, so later certificate renewals through the first backend keep working.

To do this, click the Edit button associated with the SSL row in the settings:

DigitalOcean Load Balancers redirect SSL section

Inside, select the Redirect HTTP to HTTPS checkbox:

DigitalOcean Load Balancers select redirect

Click Save to implement the change.

Adding Additional Backends to the Load Balancer

When we first set up the Load Balancer, we only added a single backend so that we could guarantee that a known server would receive the Let's Encrypt domain verification challenge. Since we have our certificate now, we can add our remaining backend(s).

Click the Droplets item in your Load Balancer's detail page:

DigitalOcean Load Balancer Droplet page

Click the Add Droplets button in the upper right corner. In the modal that appears, search by name to add your remaining backend to the Load Balancer. Click the Add Droplets button on the modal when you are ready:

DigitalOcean Load Balancer add additional Droplet

The second Droplet will be added to the Load Balancer. Once it has responded positively to the necessary number of health checks, it will begin to receive traffic.

Testing the Balancing

At this point, you should have two Droplets behind your Load Balancer. HTTPS should be available to encrypt traffic between the Load Balancer and clients. If you chose to redirect HTTP to HTTPS, this encryption will be mandatory.

To test that the configuration works, visit your domain name in your web browser, prepended with https://. If you enabled SSL redirection, you do not have to specify the protocol:

https://example.com

You should see the index.html page from one of your backends:

first backend index

The connection should be marked secure in the address bar, although the way the security status is displayed will vary depending on the browser.

If you refresh the page, you should see the index.html page from the other backend:

second backend index

Again, this should be marked as secure. The second backend never saw the certificate or private key and serves only plain HTTP, so a secure connection to its content shows that the Load Balancer itself is terminating TLS.

Updating Certificates

It is important to keep track of the expiration of your certificates in order to avoid service interruptions. Let's Encrypt certificates are valid for 90 days. Running certbot renew on the first backend renews the files under /etc/letsencrypt, but the Load Balancer holds its own copy of the certificate and key, so a renewal on the Droplet does not change what clients see until you upload the renewed files and select them in the forwarding rule. The renewal challenge also still has to reach the first backend through the Load Balancer.

To transition to a renewed certificate, upload the new certificate to the DigitalOcean interface by visiting the account-level Settings page and clicking Security. In the TLS/SSL certificates section, upload the new certificate files.

When you are ready to switch over to the new certificate, visit your Load Balancer page by clicking Networking in the top menu and then selecting Load Balancers. Select your Load Balancer by name and then click on the Settings page.

Click the Edit button associated with the Forwarding rules section. In your HTTPS rule, select the new certificate and click Save when you are ready to switch over.
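Because the Load Balancer keeps a copy of the certificate, the failure mode to watch for is a certificate that certbot has renewed on the first backend while the Load Balancer still serves the old one. The script below, an added example for the Testing and Updating Certificates sections and not part of the original tutorial, compares the certificate the balancer presents with the file under /etc/letsencrypt and flags a served certificate that is close to expiry. Because it has to run offline here, its demo substitutes two constructed self-signed certificates (a 10-day "served" copy and a 90-day "renewed" one, sharing a key) for the real files; the `served_leaf` function is what fetches the live certificate from the Load Balancer in real use. It requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the tutorial: compare the certificate the Load Balancer is
# serving with the file certbot maintains on the first backend, and flag a renewal
# that is due. Requires the openssl CLI.
set -eu

# PEM of the leaf certificate presented for host $1 on port 443 (network call; the
# offline demo below substitutes a constructed file for its output).
served_leaf() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | openssl x509
}

# SHA-1 fingerprint, in the form shown under Settings > Security > TLS/SSL certificates.
fingerprint() { openssl x509 -in "$1" -noout -sha1 -fingerprint | sed 's/^.*=//'; }

# 0 when $1 and $2 are the same certificate.
same_cert() { [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; }

# 0 when the certificate in $1 expires within $2 days. openssl's -checkend does the
# date arithmetic, so this does not depend on GNU date(1).
expires_within_days() { ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))"; }

# Print one line per finding. $1 = certificate on disk (certbot's cert.pem),
# $2 = certificate the balancer is serving, $3 = days of warning before expiry.
report() {
    if same_cert "$1" "$2"; then
        echo "OK: the Load Balancer serves the certificate in $1"
    else
        echo "DRIFT: $1 differs from the served certificate (fingerprint $(fingerprint "$2")); upload and select the renewed files"
    fi
    if expires_within_days "$2" "$3"; then
        echo "RENEW: the served certificate expires within $3 days ($(openssl x509 -in "$2" -noout -enddate))"
    else
        echo "OK: the served certificate is valid for more than $3 days"
    fi
}

# ---- Constructed demo (assumption: these self-signed files stand in for Let's Encrypt's) ----
# served.pem: the copy uploaded to the balancer months ago, 10 days of validity left.
# renewed.pem: what "certbot renew" has since written to /etc/letsencrypt/live/example.com/.
WORK=$(mktemp -d)
openssl req -new -x509 -newkey rsa:2048 -nodes -days 10 -subj "/CN=example.com" \
    -keyout "$WORK/privkey.pem" -out "$WORK/served.pem" 2>/dev/null
openssl req -new -x509 -key "$WORK/privkey.pem" -days 90 -subj "/CN=example.com" \
    -out "$WORK/renewed.pem" 2>/dev/null
report "$WORK/renewed.pem" "$WORK/served.pem" 30

# Real use, on the first backend, after "certbot renew" has run:
#   served_leaf example.com > /tmp/served.pem
#   report /etc/letsencrypt/live/example.com/cert.pem /tmp/served.pem 30
```

Run it from a cron job or a systemd timer alongside certbot renew and alert on any line that does not start with OK; the DRIFT line is the one that a plain expiry monitor misses, because the files on the Droplet look perfectly healthy while clients are still being served the old certificate.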

Conclusion

You should now have a DigitalOcean Load Balancer configured with SSL termination. The Load Balancer takes responsibility for decrypting incoming client traffic and encrypting the responses with the certificate you uploaded, while the backends continue to serve plain HTTP.
