How to Configure SSL Termination

When load balancing encrypted web traffic, there are two main configuration choices:

• SSL termination, which decrypts SSL requests at the load balancer and sends them unencrypted to the backend.

  SSL termination places the slower and more CPU-intensive work of decryption on the load balancer and simplifies certificate management, but the unencrypted traffic to the backend is visible to any neighbors on that network segment.

• SSL passthrough, which sends encrypted SSL requests directly to the backend. We recommend this option because it secures the traffic between the load balancers and the backend servers.

  SSL passthrough distributes the decryption load across the backend servers, but every server must have the certificate information. You also can’t add or modify HTTP headers, so you may lose the client’s IP address, port, and other information contained in the X-forwarded-* headers.

To configure SSL termination, you need to add an SSL termination rule and choose or create an SSL certificate to use.

If you’ve added your domain to DigitalOcean, you can use our Let’s Encrypt integration to create a fully managed SSL certificate. You can also manually upload a certificate if you don’t use DigitalOcean to manage your DNS, want to generate your own certificate, or have an existing certificate you want to upload.

Add the SSL Termination Rule

From the control panel, click Networking in the main navigation, then click Load Balancers. Click on the load balancer you want to modify, then click the Settings tab to go to its settings page.

In the Forwarding Rules section, click Edit. You’ll see any existing forwarding rules and an option to add additional rules.

From the New rule drop-down, select HTTPS and/or HTTP2, which will open a new row of options. Fill in the fields to forward HTTPS and/or HTTP2 traffic on port 443 on the load balancers to HTTP port 80 on the Droplets.

Add an SSL Certificate

Next, you need to add an SSL certificate. In the Forwarding Rules section, where you’re filling in the new rule, the Certificate drop-down will display any SSL certificates already uploaded to your account.

If you want to use one of these certificates, select it from the menu and click Save. We’ll automatically create a new DNS A record for the root domain pointing to the load balancer.

If you don’t have a certificate uploaded that you want to use, select the + New Certificate option. This will open a New Certificate window to guide you through either creating a new certificate with Let’s Encrypt and DigitalOcean DNS or uploading a certificate manually.

Use Let’s Encrypt

If you manage your domain with DigitalOcean DNS, you can choose the Use Let’s Encrypt tab to create a new, fully-managed SSL certificate. You can either use an existing domain you manage with DigitalOcean or add a new domain from here.

Use an Existing Domain

If you want to use a domain you already manage with DigitalOcean, select it from the menu. This will reveal the Select other subdomains to include option.

We’ll automatically create a new DNS A record for the base domain pointing to the load balancer, but we won’t create or change DNS records for subdomains. If your subdomains don’t already point at the load balancer, you’ll need to add DNS records for that.

Enter a name for the certificate, then click Generate Certificate. You’ll see a pending status until the certificate has been issues, which typically takes a few seconds, after which you can click Save. As soon as the rule is saved, it’s active and you can begin testing.

Add a New Domain

If you want to start managing a new domain with DigitalOcean DNS to use, select the + Add new domain option to automatically import your domain to the control panel, add DNS records, and create the certificate.

When you do, an Additional steps required window will open to tell you that you need to update your nameserver records with your domain registrar.

After you click Yes, continue, you’ll return to the New certificate window with the Add New Domain options.

In the Add New Domain section, enter a domain you own. When you generate the certificate, this domain will be imported into the control panel. We’ll automatically create an A record pointing to the load balancer’s IP address.

Next, select any subdomains you want to use. We’ll automatically create CNAME records that reference the A record of the base domain.

Enter a name for the certificate, then click Generate Certificate. You’ll see a pending status until the certificate has been issues, which typically takes a few seconds, after which you can click Save. As soon as the rule is saved, it’s active and you can begin testing.

Bring Your Own Certificate

In the Bring Your Own Certificate tab, you can manually enter the details of an existing certificate.

You need to fill in four fields:

• Name. This is a name you choose to identify the certificate in the DigitalOcean interface. It can only contain letters, numbers, periods, and dashes.

• Public key. This is the actual SSL public key or certificate file.

• Private key. This is the secret key associated with the certificate.

• Certificate Chain. This is the full trust chain between the trusted certificate authority’s certificate and your domain’s certificate.

Click the Save SSL Certificate button, then click Save to implement the new forwarding rule. As soon as the rule is saved, it’s active and you can begin testing.

You can manage all of your account’s SSL certificates in the Accounts section of the main navigation, in the Security section. Learn more in our certificate management documentation.

Force SSL Traffic

If you would like to force visitors to connect over HTTPS for data integrity and security purposes, you can optionally redirect HTTP traffic to HTTPS. Any insecure connections made to the load balancer will be redirected to use the certificate you loaded.

To do this, click the Edit button associated with the SSL row in the settings. Inside, select the Redirect HTTP to HTTPS checkbox:

Click Save to implement the change.