How to Configure SSL Termination

When balancing encrypted web traffic, there are two main configuration choices: SSL termination and SSL passthrough.

With SSL termination, SSL requests are decrypted at the Load Balancer and sent unencrypted to the backend. This places the slower and more CPU-intensive work of decryption on the Load Balancer and simplifies the management of the SSL certificates. However, the traffic between the Load Balancer and the backend is unencrypted, which means it is visible to any neighbors on that network segment.

The other option is SSL passthrough, which sends SSL connections directly to the backend. Unlike SSL termination, the requests remain encrypted and the decryption load is distributed across the backend servers. However, the certificate information must be replicated on every server. In addition, you cannot add or modify the HTTP headers, so you may lose the client’s IP address, port, and other information contained in the X-forwarded-* headers.

We recommend SSL passthrough to secure traffic between the Load Balancers and backend Droplets.

Add the Load Balancer SSL Termination Rule

On the Load Balancers index page in the Control Panel (reached by selecting Networking, then Load Balancers), click your Load Balancer’s name to open its detail page. On the detail page, click Settings to open the settings page:

DigitalOcean Load Balancer settings page

Click the Edit button associated with the Forwarding Rules row. You should see the current rule, followed by an option to add additional rules.

DigitalOcean Load Balancer edit rules

From the New Rule drop down menu, select HTTPS. The options populated by default, to forward HTTPS traffic on port 443 to HTTP port 80 on the backend, are correct for this configuration. The only thing you need to do is add the details of your SSL configuration.

In the Certificate field drop down menu, select + New Certificate option:

DigitalOcean Load Balancer new cert button

A modal will appear asking you for the details of the certificate you would like to use. You can either use a Let’s Encrypt certificate or use a custom SSL certificate. Once you have a certificate, you will need to fill out the following details:

  • Name. This is the name that will identify the certificate in the DigitalOcean interface.

    You choose this name yourself. You can call it anything, provided the name only contains letters, numbers, periods, or dashes.

  • Public key. This is the actual SSL public key or certificate file.

  • Private key. This is the secret key associated with the certificate.

  • Certificate Chain. This is the full trust chain between the trusted certificate authority’s certificate and your domain’s certificate.

When you are finished, it should look similar to this:

DigitalOcean Load Balancer add certificate

Click the Save SSL Certificate button to continue.

In the Forwarding Rules section, click Save to implement your new forwarding rules.

To manage SSL credentials that have been added to DigitalOcean, click the user icon in the upper-right corner of the Control Panel, then select Settings from the drop down menu.

On the left-hand menu that appears, select Security. Entries for each of your uploaded certificates are available under the TLS/SSL certificates section. You can delete any SSL certificates you’ve uploaded in this interface.

Force SSL Traffic

If you would like to force visitors to connect over HTTPS for data integrity and security purposes, you can optionally redirect HTTP traffic to HTTPS. Any insecure connections made to the Load Balancer will be redirected to use the certificate you loaded.

To do this, click the Edit button associated with the SSL row in the settings:

DigitalOcean Load Balancers redirect SSL section

Inside, select the Redirect HTTP to HTTPS checkbox:

DigitalOcean Load Balancers select redirect

Click Save to implement the change.

Adding Additional Backends to the Load Balancer

You can add additional backends to the Load Balancer after SSL termination is set up. To add additional backend Droplets, click the Droplets item in your Load Balancer’s detail page.

DigitalOcean Load Balancer Droplet page

Click the Add Droplets button in the upper right corner. In the window that opens, choose the Droplets you would like to add, then click Add Droplets.

DigitalOcean Load Balancer add additional Droplet

Once your new Droplets pass the required number of health checks, they will begin to receive traffic.

Updating Certificates

It is important to keep track of the expiration of your certificates in order to avoid service interruptions.

To transition to a renewed certificate, upload the new certificate to the DigitalOcean interface by visiting the account-level Settings page and clicking Security. In the TLS/SSL certificates section, upload the new certificate files.

When you are ready to switch over to the new certificate, visit your Load Balancer page by clicking Networking in the top menu and then selecting Load Balancers. Select your Load Balancer by name and then click Settings.

Click the Edit button associated with the Forwarding Rules section. In your HTTPS rule, select the new certificate and click Save when you are ready to switch over.