DigitalOcean Load Balancers are a fully-managed, highly available network load balancing service. Load balancers distribute traffic to groups of Droplets, which decouples the overall health of a backend service from the health of a single server to ensure that your services stay online.
When load balancing encrypted web traffic, there are two main configuration choices:
SSL termination, which decrypts SSL requests at the load balancer and sends them unencrypted to the backend via the Droplets’ private IP addresses.
SSL termination places the slower and more CPU-intensive work of decryption on the load balancer and simplifies certificate management, since only the load balancer needs the certificate and private key. Traffic between the load balancer and its Droplets is not encrypted; it is only kept off the public internet by being routed over the VPC network. If you host multiple customers' applications in a single account or team, that plaintext travels on a private network shared with their Droplets and could be readable by them. We recommend separating customers by team or using SSL passthrough instead. Either way, configure the Droplets' firewall so the backend port accepts connections only from the load balancer rather than from the whole private network.
SSL passthrough, which forwards the still-encrypted SSL connections to the backend via the Droplets' private IP addresses, so the traffic stays encrypted between the load balancer and the backend servers.
SSL passthrough distributes the decryption load across the backend servers, but every server must hold the certificate and its private key, and you have to renew and deploy it on each of them. Because the load balancer never decrypts the connection, it also can't add or modify HTTP headers, so the backend doesn't receive the client's IP address, port, or the other information that the X-Forwarded-* headers carry under SSL termination; it sees only the load balancer's address unless you enable the PROXY protocol on the load balancer and your backend software supports it.
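With SSL termination the Droplets receive plain HTTP plus X-Forwarded-* headers, and the security point that the page leaves implicit is that those headers are only meaningful when the request actually came from the load balancer: anything else on the private network can connect to port 80 directly and forge them. The following is an added example (not DigitalOcean's code, and not part of the original page) of how a backend should derive the client address and original scheme. The trusted network 10.132.0.0/16, the header names X-Forwarded-For and X-Forwarded-Proto, and the sample requests are all constructed for the example; substitute your load balancer's real VPC address.

```python
import ipaddress
from typing import Iterable, Mapping

# Network(s) the load balancer connects from. Constructed for this example; use the
# load balancer's actual VPC address or range, and never 0.0.0.0/0.
TRUSTED_PROXIES = (ipaddress.ip_network("10.132.0.0/16"),)


def _trusted(addr: str, trusted: Iterable) -> bool:
    ip = ipaddress.ip_address(addr)          # raises ValueError on a malformed address
    return any(ip in net for net in trusted)


def client_ip(peer_ip: str, headers: Mapping[str, str], trusted=TRUSTED_PROXIES) -> str:
    """Address to log, rate-limit or authorize on.

    X-Forwarded-For is honoured only when the TCP peer is the load balancer: a
    client that reaches the Droplet directly on the private network can send any
    value it likes. Within the header, the right-most address that is not one of
    our proxies is the one the load balancer actually accepted the connection from;
    anything to its left was supplied by the client and is untrusted.
    """
    if not _trusted(peer_ip, trusted):
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _trusted(hop, trusted):
                return hop
        except ValueError:
            return peer_ip                   # malformed entry: ignore the header entirely
    return peer_ip


def request_was_https(peer_ip: str, headers: Mapping[str, str], socket_tls: bool,
                      trusted=TRUSTED_PROXIES) -> bool:
    """With termination the Droplet sees plain HTTP; the original scheme comes from
    X-Forwarded-Proto, again only when the request arrived via the load balancer."""
    if _trusted(peer_ip, trusted):
        return headers.get("X-Forwarded-Proto", "").lower() == "https"
    return socket_tls


if __name__ == "__main__":
    # Constructed requests: one relayed by the load balancer, one sent directly to the
    # Droplet with forged headers.
    via_lb = ("10.132.0.5", {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "https"})
    direct = ("198.51.100.9", {"X-Forwarded-For": "127.0.0.1", "X-Forwarded-Proto": "https"})
    print(client_ip(*via_lb), request_was_https(*via_lb, socket_tls=False))   # 203.0.113.7 True
    print(client_ip(*direct), request_was_https(*direct, socket_tls=False))   # 198.51.100.9 False
```

Reading the header from the right rather than the left is deliberate: a client can prepend any number of addresses, but the load balancer appends the address it saw, so the right-most non-proxy entry is the only one under your control.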
To configure SSL termination, you need to add an SSL termination rule and choose or create an SSL certificate to use.
If you added your domain to DigitalOcean, you can use our Let's Encrypt integration to create a fully managed SSL certificate. You can also manually upload a certificate if you don’t use DigitalOcean to manage your DNS, want to generate your own certificate, or have an existing certificate you want to upload.
From the control panel, click Networking in the main navigation, then click Load Balancers. Click on the load balancer you want to modify, then click the Settings tab to go to its settings page.
In the Forwarding Rules section, click Edit. You'll see any existing forwarding rules and an option to add additional rules.
From the New rule drop-down, select HTTPS and/or HTTP2, which will open a new row of options. Fill in the fields to forward HTTPS and/or HTTP2 traffic on port 443 on the load balancers to HTTP port 80 on the Droplets.
Next, you need to add an SSL certificate. In the Forwarding Rules section, where you're filling in the new rule, the Certificate drop-down will display any SSL certificates already uploaded to your account.
If you want to use one of these certificates, select it from the menu and click Save.
If you don't have a certificate uploaded that you want to use, select the + New Certificate option. This will open a New Certificate window to guide you through either creating a new certificate with Let’s Encrypt and DigitalOcean DNS or uploading a certificate manually.
If you manage your domain with DigitalOcean DNS, you can choose the Use Let’s Encrypt tab to create a new, fully-managed SSL certificate. You can either use an existing domain you manage with DigitalOcean or add a new domain from here.
If you want to use a domain you already manage with DigitalOcean, select it from the menu. This will reveal the Select other subdomains to include option.
We'll automatically create a new DNS A record for the apex domain pointing to the load balancer, but we won't create or change DNS records for subdomains. If your subdomains don't already point at the load balancer, you'll need to add DNS records for that.
Enter a name for the certificate, then click Generate Certificate. You'll see a pending status until the certificate has been issued, which typically takes a few seconds, after which you can click Save. As soon as the rule is saved, it's active and you can begin testing.
If you want to start managing a new domain with DigitalOcean DNS, select the + Add new domain option. This imports your domain into the control panel, adds the DNS records, and creates the certificate in one step.
When you do, an Additional steps required window will open to tell you that you need to update your nameserver records with your domain registrar.
After you click Yes, continue, you'll return to the New certificate window with the Add New Domain options.
In the Add New Domain section, enter a domain you own. When you generate the certificate, this domain will be imported into the control panel. We'll automatically create an A record pointing to the load balancer's IP address.
Next, select any subdomains you want to use. We'll automatically create CNAME records that reference the A record of the apex domain.
Enter a name for the certificate, then click Generate Certificate. You'll see a pending status until the certificate has been issued, which typically takes a few seconds, after which you can click Save. As soon as the rule is saved, it's active and you can begin testing.
In the Bring Your Own Certificate tab, you can manually enter the details of an existing certificate.
You need to fill in four fields:
Name. This is a name you choose to identify the certificate in the DigitalOcean interface. It can only contain letters, numbers, periods, and dashes.
Public key. Despite the label, this is the PEM-encoded certificate itself (the leaf certificate issued for your domain), not just the public key.
Private key. The PEM-encoded private key that matches the certificate. Anyone who obtains it can impersonate your domain, so handle it as a secret and don't reuse it across unrelated services.
Certificate Chain. The intermediate CA certificate(s) that link your domain's certificate to a root that clients already trust, ordered from the issuer of your certificate upward (typically without the root itself). Don't omit it: browsers that haven't cached the intermediate will fail to verify the certificate.
Click the Save SSL Certificate button, then click Save to implement the new forwarding rule. As soon as the rule is saved, it's active and you can begin testing.
You can manage all of your account's SSL certificates in the Account section of the main navigation, in the Security section. Learn more in our certificate management documentation.
If you want to force visitors to connect over HTTPS, you can optionally redirect HTTP traffic to HTTPS. Any plaintext HTTP request to the load balancer is answered with a redirect to the same URL over HTTPS, which is then served with the certificate you configured. The redirect only protects clients that follow it, and a client's first request still crosses the network in plaintext, so it is worth also having your backend send a Strict-Transport-Security header.
To do this, click the Edit button associated with the SSL row in the settings, then select the Redirect HTTP to HTTPS checkbox.
Click Save to implement the change.
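The control panel steps above map onto the DigitalOcean API v2 certificate and load balancer objects, and automating them is the usual way to keep the configuration reviewable. The following is an added example (not DigitalOcean's code, and not part of the original page) that builds the certificate request, the HTTPS termination forwarding rule, the HTTP-to-HTTPS redirect, and a passthrough rule for comparison, refusing the combinations that don't make sense (a termination rule with no certificate, passthrough together with a certificate, a redirect with no HTTPS rule to land on). Field names follow the v2 API as the author understands it; the domain example.com, region nyc3, Droplet IDs, and the cert-id-from-api and lb-id-placeholder identifiers are constructed placeholders. Without a DIGITALOCEAN_TOKEN in the environment the script only prints the request bodies.

```python
import json
import os
import urllib.request

API = "https://api.digitalocean.com/v2"


def certificate_payload(name, dns_names=None, *, leaf=None, key=None, chain=None):
    """Body for POST /v2/certificates.

    With dns_names, DigitalOcean issues and renews a Let's Encrypt certificate
    (the domain must be managed by DigitalOcean DNS); otherwise this is a
    bring-your-own upload and the PEM leaf certificate and matching key are required.
    """
    if dns_names:
        return {"name": name, "type": "lets_encrypt", "dns_names": list(dns_names)}
    if not (leaf and key):
        raise ValueError("bring-your-own certificate needs leaf_certificate and private_key")
    body = {"name": name, "type": "custom", "leaf_certificate": leaf, "private_key": key}
    if chain:
        body["certificate_chain"] = chain   # intermediates, issuer of the leaf first
    return body


def termination_rule(certificate_id, entry_port=443, target_port=80):
    """HTTPS on the load balancer, plain HTTP to the Droplets (SSL termination)."""
    if not certificate_id:
        raise ValueError("a termination rule must name the certificate to serve")
    return {"entry_protocol": "https", "entry_port": entry_port,
            "target_protocol": "http", "target_port": target_port,
            "certificate_id": certificate_id, "tls_passthrough": False}


def passthrough_rule(entry_port=443, target_port=443):
    """SSL passthrough: the Droplets hold the certificate, the load balancer does not."""
    return {"entry_protocol": "https", "entry_port": entry_port,
            "target_protocol": "https", "target_port": target_port,
            "certificate_id": "", "tls_passthrough": True}


def http_rule(port=80):
    """Plain HTTP rule; only useful alongside the redirect or for non-sensitive traffic."""
    return {"entry_protocol": "http", "entry_port": port,
            "target_protocol": "http", "target_port": port,
            "certificate_id": "", "tls_passthrough": False}


def load_balancer_spec(name, region, droplet_ids, rules, redirect_http_to_https=True):
    """Body for POST /v2/load_balancers or PUT /v2/load_balancers/{id}."""
    secure = ("https", "http2")
    for r in rules:
        if r["tls_passthrough"] and r["certificate_id"]:
            raise ValueError("a rule cannot both pass TLS through and terminate it")
        if r["entry_protocol"] in secure and not r["tls_passthrough"] and not r["certificate_id"]:
            raise ValueError("https/http2 entry without passthrough needs a certificate")
    if redirect_http_to_https and not any(r["entry_protocol"] in secure for r in rules):
        raise ValueError("redirecting HTTP to HTTPS needs an HTTPS rule to redirect to")
    return {"name": name, "region": region, "droplet_ids": list(droplet_ids),
            "forwarding_rules": list(rules), "redirect_http_to_https": redirect_http_to_https}


def submit(method, path, body, token=None):
    """Send the request if a token is available; otherwise return the body (dry run)."""
    token = token or os.environ.get("DIGITALOCEAN_TOKEN")
    if not token:
        return body
    req = urllib.request.Request(API + path, data=json.dumps(body).encode(), method=method,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed values: example.com is assumed to be in DigitalOcean DNS, and the
    # certificate and load balancer IDs are placeholders for the IDs the API returns.
    cert = submit("POST", "/certificates",
                  certificate_payload("web-cert", ["example.com", "www.example.com"]))
    print(json.dumps(cert, indent=2))
    spec = load_balancer_spec("web-lb", "nyc3", [1001, 1002],
                              [http_rule(), termination_rule("cert-id-from-api")])
    print(json.dumps(submit("PUT", "/load_balancers/lb-id-placeholder", spec), indent=2))
```

Keeping the rule builders separate from the transport makes the validation testable offline and lets the same spec be diffed against what the API returns, which is how you notice a rule that was quietly changed to passthrough or a certificate that was swapped.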