How to Configure SSL Termination

When balancing encrypted web traffic, there are two main configuration choices: SSL termination and SSL passthrough.

With SSL termination, SSL requests are decrypted at the Load Balancer and sent unencrypted to the backend. This places the slower and more CPU-intensive work of decryption on the Load Balancer and simplifies the management of the SSL certificates. However, the traffic between the Load Balancer and the backend is unencrypted, which means it is visible to any neighbors on that network segment.

The other option is SSL passthrough, which sends SSL connections directly to the backend. Unlike SSL termination, the requests remain encrypted and the decryption load is distributed across the backend servers. However, the certificate information must be replicated on every server. In addition, you cannot add or modify the HTTP headers, so you may lose the client’s IP address, port, and other information contained in the X-Forwarded-* headers.
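Under SSL termination, those X-Forwarded-* headers are how the backend learns the client address and original scheme, since its only TCP peer is the Load Balancer. The following is an added example, not code from the original page or from DigitalOcean: a backend helper that honours the headers only when the peer is a trusted proxy. The `TRUSTED_PROXIES` network, the function names and the sample addresses are assumptions, as is the Load Balancer setting X-Forwarded-For and X-Forwarded-Proto.

```python
import ipaddress

# Assumption: the private network the Load Balancer forwards from (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.0.0/16")]


def _trusted(addr):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_context(peer_ip, headers):
    """Return (client_ip, scheme) for a request that reached the backend over HTTP.

    X-Forwarded-* is honoured only when the TCP peer is a trusted proxy;
    otherwise any host that can reach the backend could claim an arbitrary
    client address or scheme.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not _trusted(peer_ip):
        return peer_ip, "http"

    # Each proxy appends the address it saw, so walk right to left and stop at
    # the first hop that is not one of our proxies. Entries further left were
    # supplied by the client and cannot be trusted.
    client = peer_ip
    for hop in reversed(h.get("x-forwarded-for", "").split(",")):
        hop = hop.strip()
        if not hop:
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last valid value
        client = hop
        if not _trusted(hop):
            break

    proto = h.get("x-forwarded-proto", "http").strip().lower()
    return client, proto if proto in ("http", "https") else "http"


if __name__ == "__main__":
    # Constructed request: the client forged the first X-Forwarded-For entry.
    sample = {"X-Forwarded-For": "1.2.3.4, 203.0.113.9", "X-Forwarded-Proto": "https"}
    print(client_context("10.10.0.5", sample))
```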

We recommend SSL passthrough to secure traffic between the Load Balancers and backend Droplets.

Add the Load Balancer SSL Termination Rule

On the Load Balancer index page in the control panel (located by selecting Networking followed by Load Balancers), click your Load Balancer’s name to view the detail page. On the detail page, click Settings to get to the settings page:

DigitalOcean Load Balancer settings page

Click the Edit button associated with the Forwarding Rules row. You should see the current rule, followed by an option to add additional rules.

From the New Rule drop-down menu, select HTTPS. The options populated by default, to forward HTTPS traffic on port 443 to HTTP port 80 on the backend, are correct for this configuration. The only thing you need to do is add the details of your SSL configuration.

In the Certificate field drop-down menu, select the + New Certificate option:

DigitalOcean Load Balancer new cert button

A modal will appear asking you for the details of the certificate you would like to use. You can either use a Let’s Encrypt certificate or use a custom SSL certificate. Once you have a certificate, you will need to fill out the following details:

  • Name. This is the name that will identify the certificate in the DigitalOcean interface.

    You choose this name yourself. You can call it anything, provided the name only contains letters, numbers, periods, or dashes.

  • Public key. This is the actual SSL public key or certificate file.

  • Private key. This is the secret key associated with the certificate.

  • Certificate Chain. This is the full trust chain between the trusted certificate authority’s certificate and your domain’s certificate.

Click the Save SSL Certificate button to continue.

In the Forwarding Rules section, click Save to implement your new forwarding rules.

Force SSL Traffic

If you would like to force visitors to connect over HTTPS for data integrity and security purposes, you can optionally redirect HTTP traffic to HTTPS. Any insecure connections made to the Load Balancer will be redirected to use the certificate you loaded.

To do this, click the Edit button associated with the SSL row in the settings. Inside, select the Redirect HTTP to HTTPS checkbox:

DigitalOcean Load Balancers redirect SSL section

Click Save to implement the change.

Managing Certificates

It is important to keep track of the expiration of your certificates in order to avoid service interruptions.

To manage SSL credentials that have been added to DigitalOcean, under the Accounts section of the main navigation, select Security. Entries for each of your uploaded certificates are available under the TLS/SSL certificates section.

From this interface, you can delete SSL certificates you’ve uploaded as well as upload new ones.

To transition to a renewed certificate, upload the new certificate. When you are ready to switch over to the new certificate, visit your Load Balancer page by clicking Networking in the top menu and then selecting Load Balancers. Select your Load Balancer by name and then click on the Settings page. Click the Edit button associated with the Forwarding rules section. In your HTTPS rule, select the new certificate and click Save.