How to Configure SSL Passthrough

When load balancing encrypted web traffic, there are two main configuration choices:

  • SSL termination, which decrypts SSL requests at the load balancer and sends them unencrypted to the backend.

    SSL termination places the slower and more CPU-intensive work of decryption on the load balancer and simplifies certificate management, but the unencrypted traffic to the backend is visible to any neighbors on that network segment.

  • SSL passthrough, which sends encrypted SSL requests directly to the backend. We recommend this option because it secures the traffic between the load balancers and the backend servers.

    SSL passthrough distributes the decryption load across the backend servers, but every server must have the certificate information. You also can’t add or modify HTTP headers, so you may lose the client’s IP address, port, and other information contained in the X-forwarded-* headers.

Warning

Sticky sessions do not work with SSL passthrough (port 443 to 443).

Backend Configuration for SSL Passthrough

Before you configure SSL passthrough on your load balancer, you’ll need:

  1. A registered domain name that you own. You can use any domain name registrar (e.g. Namecheap or Omnis).

  2. DNS records pointing from your domain to the load balancer. You can use DigitalOcean’s free DNS hosting service or another service of your choice.

  3. One or more backend Droplets running an application configured for SSL. There are several options on how to create an SSL certificate and configure the backend application to decrypt HTTPS or HTTP/2 requests depending on the software you prefer to use. Here are some resources:

All of the Droplets you use with your load balancer need to have the same SSL certificate. After your setup works with one backend server, you can create an image of the first Droplet to use to create additional instances. Alternatively, you can use scp or rsync to copy the certificate files from one server to the next.

Once your domain, DNS records, SSL certificate, and backend Droplets are ready, you can add the passthrough forwarding rule to the load balancer.

Add the Load Balancer SSL Passthrough Rule

From the control panel, click Networking in the main navigation, then choose the Load Balancers. Click on the load balancer you want to modify, then click Settings to go to its settings page.

Load Balancer Settings page

In the Forwarding Rules section, click Edit. You’ll see any existing forwarding rules and an option to add additional rules.

From the New rule drop-down, select HTTPS, which will open a new row of options. In the Certificate drop-down, select Passthrough. When you do, the Droplet protocol will automatically change to HTTPS, the port will be updated to the default SSL port (443), and the Save button will become available.

Load Balancer settings forwarding rules for HTTPS with Passthrough selected

After you click Save, you can test the SSL passthrough by visiting content on your domain in a browser using HTTPS.

Force SSL Traffic

If you would like to force visitors to connect over HTTPS for data integrity and security purposes, you can optionally redirect HTTP traffic to HTTPS. Any insecure connections made to the load balancer will be redirected to use the certificate you loaded.

On the load balancer’s Settings page, find the SSL section and click Edit.

Load Balancer SSL settings open

In the options that open, check the Redirect HTTP to HTTPS checkbox, then click Save.