How to Configure SSL Passthrough

When balancing encrypted web traffic, there are two main configuration choices: SSL termination and SSL passthrough.

With SSL termination, SSL requests are decrypted at the Load Balancer and sent unencrypted to the backend. This places the slower and more CPU intensive work of decryption on the Load Balancer and simplifies the management of the SSL certificates. However, the traffic between the Load Balancer and the backend is unencrypted, which means it is visible to any neighbors on that network segment.

The other option is SSL passthrough, which sends SSL connections directly to the backend. Unlike SSL termination, the requests remain encrypted and the decryption load is distributed across the backend servers. However, the certificate information must be replicated on every server. In addition, you cannot add or modify the HTTP headers, so you may lose the client’s IP address, port, and other information contained in the X-forwarded-* headers.

We recommend SSL passthrough to secure traffic between the Load Balancers and backend Droplets.

Add the Load Balancer SSL Passthrough Rule

On the Load Balancer index page with the control panel (located by selecting Networking followed by Load Balancers), click your Load Balancer’s name to view the detail page. On the detail page, click Settings to get to the settings page:

Load Balancer settings page

Click the Edit button associated with the Forwarding Rules row. You should see the current rule, followed by an option to add additional rules.

From the New rule dropdown, select HTTPS, which will open a new row of options. In the dropdown menu that says Certificate, select Passthrough. When you do, the Droplet protocol will automatically change to HTTPS, the port will be updated to the default SSL port, 443, and the Save button will become available.

Screenshot of the Completed Passthrough Rule

After you click Save, you can test the SSL passthrough by visiting content on your domain in a browser using HTTPS.

Force SSL Traffic

If you would like to force visitors to connect over HTTPS for data integrity and security purposes, you can optionally redirect HTTP traffic to HTTPS. Any insecure connections made to the Load Balancer will be redirected to use the certificate you loaded.

To do this, click the Edit button associated with the SSL row in the settings. Inside, select the Redirect HTTP to HTTPS checkbox:

DigitalOcean Load Balancers select redirect

Click Save to implement the change.

All of the web servers you use with your Load Balancer need the same certificate. After your setup works with one backend server, you can create an image of the first Droplet to use to create additional instances. Alternatively, you can use scp or rsync to copy the certificate files from one server to the next.