When balancing encrypted web traffic, there are two main configuration choices: SSL termination and SSL passthrough.
With SSL termination, SSL connections are decrypted at the Load Balancer and the requests are forwarded to the backend as plain HTTP. This places the slower, CPU-intensive handshake and decryption work on the Load Balancer and means the SSL certificate only has to be managed in one place. However, the traffic between the Load Balancer and the backend is unencrypted, so it can be read by anyone who can observe that network segment.
The other option is SSL passthrough, which passes the encrypted connection through to the backend untouched, so each backend server performs the handshake and decryption itself. Unlike SSL termination, the traffic stays encrypted all the way to the server and the decryption load is spread across the backend servers. However, the certificate and its private key must be installed on every server. In addition, because the Load Balancer cannot see inside the encrypted stream, it cannot add or modify the HTTP headers, so you may lose the client's IP address, port, and other information contained in the
We recommend SSL passthrough when the traffic between the Load Balancers and backend Droplets must itself stay encrypted. The steps below configure SSL termination.
On the Load Balancer index page in the Control Panel (reached by selecting Networking, then Load Balancers), click your Load Balancer's name to open its detail page. On the detail page, click Settings to get to the settings page:
Click the Edit button associated with the Forwarding Rules row. You should see the current rule, followed by an option to add additional rules.
From the New Rule drop down menu, select HTTPS. The options populated by default, which forward HTTPS traffic arriving on port 443 to HTTP port 80 on the backend, are correct for this termination setup. The only thing you need to add is the details of your SSL certificate.
In the Certificate field drop down menu, select + New Certificate option:
A modal will appear asking for the details of the certificate you would like to use. You can either use a Let's Encrypt certificate or upload a custom SSL certificate. For a custom certificate, fill out the following fields:
Name. This is the name that will identify the certificate in the DigitalOcean interface.
You choose this name yourself. You can call it anything, provided the name only contains letters, numbers, periods, or dashes.
Public key. This is your domain's certificate file, which contains the public key.
Private key. This is the private key that matches the certificate. Keep it secret: anyone who has it can impersonate your site.
Certificate Chain. This is the chain of intermediate certificate authority certificates linking your domain's certificate to a trusted root certificate authority.
When you are finished, it should look similar to this:
Click the Save SSL Certificate button to continue.
In the Forwarding Rules section, click Save to implement your new forwarding rules.
To manage SSL credentials that have been added to DigitalOcean, click the user icon in the upper-right corner of the Control Panel, then select Settings from the drop down menu.
On the left-hand menu that appears, select Security. Entries for each of your uploaded certificates are available under the TLS/SSL certificates section. You can delete any SSL certificates you’ve uploaded in this interface.
If you would like to force visitors to connect over HTTPS, so that their traffic is both confidential and protected from tampering, you can optionally redirect HTTP traffic to HTTPS. Any plain HTTP connection made to the Load Balancer is then answered with a redirect to the HTTPS address, which is served with the certificate you loaded.
To do this, click the Edit button associated with the SSL row in the settings:
Inside, select the Redirect HTTP to HTTPS checkbox:
Click Save to implement the change.
You can add additional backends to the Load Balancer after SSL termination is set up. To add additional backend Droplets, click the Droplets item in your Load Balancer’s detail page.
Click the Add Droplets button in the upper right corner. In the window that opens, choose the Droplets you would like to add, then click Add Droplets.
Once your new Droplets pass the required number of health checks, they will begin to receive traffic.
It is important to keep track of when your certificates expire: browsers reject connections secured by an expired certificate, so a missed renewal is a service interruption.
To transition to a renewed certificate, upload the new certificate to DigitalOcean by visiting the account-level Settings page and clicking Security. In the TLS/SSL certificates section, upload the new certificate files.
When you are ready to switch over to the new certificate, visit your Load Balancer page by clicking Networking in the top menu and then selecting Load Balancers. Select your Load Balancer by name and then click on the Settings page.
Click the Edit button associated with the Forwarding Rules section. In your HTTPS rule, select the new certificate and click Save to switch over.
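Before uploading a custom certificate (the Public key, Private key and Certificate Chain fields described above), and again when swapping in a renewed one, it is worth checking locally that the three files fit together and that the certificate is not about to expire. The following POSIX shell script is an added example and is not part of the DigitalOcean guide or of DigitalOcean's tooling. It assumes the openssl command-line tool (1.1.1 or newer) is installed; the file names, the hostname example.com and the throwaway root, intermediate and leaf certificates it generates are constructed for the demo and stand in for the files a certificate authority would send you.

```shell
#!/bin/sh
# Added example (not part of the DigitalOcean guide or DigitalOcean's tooling).
# Assumes the openssl command-line tool (1.1.1 or newer) is installed.
# File names and the demo hostname example.com are assumptions for the demo.
set -eu

# Check 1: the private key belongs to the certificate.
# Both files are reduced to the SHA-256 digest of their DER-encoded public key;
# a mismatch means the Private key field would not match the Public key field.
key_matches_cert() {  # CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Check 2: the Certificate Chain (intermediates only, no root) links the
# certificate to a trusted root, and the certificate is valid for HOST.
# For a public CA, pass your system trust store as ROOT
# (for example /etc/ssl/certs/ca-certificates.crt on Debian and Ubuntu).
chain_verifies() {  # CERT CHAIN ROOT HOST
    openssl verify -CAfile "$3" -untrusted "$2" -verify_hostname "$4" "$1" >/dev/null 2>&1
}

# Check 3: expiry tracking. Exit status 0 means the certificate expires within DAYS.
expires_within_days() {  # CERT DAYS
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run all checks before touching the Load Balancer. Non-zero if the bundle is not ready.
check_bundle() {  # CERT KEY CHAIN ROOT HOST
    status=0
    if key_matches_cert "$1" "$2"; then echo "private key matches certificate: yes"
    else echo "private key matches certificate: NO"; status=1; fi
    if chain_verifies "$1" "$3" "$4" "$5"; then echo "chain verifies for $5: yes"
    else echo "chain verifies for $5: NO"; status=1; fi
    if expires_within_days "$1" 30; then echo "expires within 30 days: YES, renew first"; status=1
    else echo "expires within 30 days: no"; fi
    return $status
}

# --- Constructed demo PKI (root -> intermediate -> leaf) in a temporary directory ---
# These stand in for the files a CA would send you; they are generated here so the
# script runs offline.
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$W/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\n' > "$W/leaf.ext"

openssl req -newkey rsa:2048 -nodes -keyout "$W/root.key" -out "$W/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in "$W/root.csr" -signkey "$W/root.key" -days 3650 -extfile "$W/ca.ext" -out "$W/root.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout "$W/int.key" -out "$W/int.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in "$W/int.csr" -CA "$W/root.pem" -CAkey "$W/root.key" -CAcreateserial -days 1825 -extfile "$W/ca.ext" -out "$W/int.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout "$W/leaf.key" -out "$W/leaf.csr" -subj "/CN=example.com" 2>/dev/null
openssl x509 -req -in "$W/leaf.csr" -CA "$W/int.pem" -CAkey "$W/int.key" -CAcreateserial -days 90 -extfile "$W/leaf.ext" -out "$W/leaf.pem" 2>/dev/null
# An unrelated key, to show what uploading the wrong Private key file looks like.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$W/other.key" 2>/dev/null

echo "== correct bundle =="
check_bundle "$W/leaf.pem" "$W/leaf.key" "$W/int.pem" "$W/root.pem" example.com
echo "== wrong private key =="
check_bundle "$W/leaf.pem" "$W/other.key" "$W/int.pem" "$W/root.pem" example.com || echo "bundle rejected, do not upload"
```

Run it with sh. With real files, point key_matches_cert, chain_verifies and expires_within_days at your certificate, private key and chain, and pass your system trust store as ROOT. The checks map onto the upload fields: key_matches_cert guards the Public key and Private key pair, chain_verifies the Certificate Chain, and expires_within_days is the check to schedule (for example from cron) so that a renewed certificate is uploaded and selected in the HTTPS rule before the old one lapses.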