SSL Termination on Load Balancer

Centralize SSL management on your load balancer for more efficiency.

SSL Termination (or TLS Termination) involves decrypting HTTPS traffic at the load balancer level rather than on backend application servers. The load balancer handles the SSL handshake and forwards traffic in HTTP (or re-encrypted to HTTPS) to backends.

This architecture simplifies certificate management (single point of configuration), improves performance (offloads CPU from backends), and facilitates traffic monitoring and debugging.

MoniTao monitors your SSL certificates, whether on your application servers or on your load balancer. Centralization also makes monitoring easier.

What is SSL Termination?

Understanding the SSL termination concept:

  • Termination point: the load balancer is where SSL encryption ends. Backends receive unencrypted traffic.
  • Centralized certificate: the SSL certificate is installed only on the load balancer, not on each backend.
  • Backend communication: LB → backend traffic can be plain HTTP (over a private network) or re-encrypted to HTTPS (SSL bridging/re-encryption). SSL passthrough is a different mode in which the LB forwards the TLS stream without decrypting it at all.
  • X-Forwarded headers: the LB adds headers (X-Forwarded-For, X-Forwarded-Proto) so backends know the original context.

Benefits of SSL Termination

Why terminate SSL at the load balancer:

  • Performance: SSL handshake is CPU-intensive. Offloading it to the LB frees backends for application processing.
  • Simplified management: one certificate to manage and renew instead of one on each backend server.
  • Traffic inspection: the LB can inspect decrypted traffic for L7 load balancing, caching, WAF, etc.
  • Easier debugging: plaintext backend traffic is easier to debug and monitor.

SSL Termination Configuration

How to configure SSL termination:

  1. Install certificate on LB: import your certificate and private key into your load balancer (AWS ALB, Nginx, HAProxy, etc.).
  2. Configure listeners: create an HTTPS listener (443) on the LB that terminates SSL and forwards to backends.
  3. Configure backends: backends listen on HTTP on their port (80 or other) and receive decrypted traffic.
  4. Add headers: configure the LB to add X-Forwarded-For and X-Forwarded-Proto so apps know the client was on HTTPS.

Configuration Examples

SSL Termination configuration on different platforms:

# Nginx as load balancer with SSL Termination
upstream backend {
    # Backends receive plain HTTP on port 80 over the private network
    server backend1:80;
    server backend2:80;
}

server {
    listen 443 ssl;
    server_name example.com;

    # Certificate chain and private key live only on the load balancer
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to any X-Forwarded-For the client sent
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme is "https" on this listener; proxy_set_header overwrites
        # any client-supplied value, so backends can trust it
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# HAProxy SSL Termination
frontend https_front
    mode http
    # combined.pem holds the certificate chain followed by the private key
    bind *:443 ssl crt /path/to/combined.pem
    # Overwrite any client-supplied value so backends can trust the header
    http-request set-header X-Forwarded-Proto https
    default_backend http_back

backend http_back
    mode http
    # Append the client address to X-Forwarded-For
    option forwardfor
    server backend1 192.168.1.10:80 check
    server backend2 192.168.1.11:80 check

The load balancer handles SSL and forwards decrypted traffic to backends. X-Forwarded headers let backends know the original protocol.

Best Practices

Tips for SSL Termination:

  • Secure backend network: if backend traffic is HTTP, ensure the network is private and secure (VPC, isolated VLAN).
  • Consider re-encryption: for maximum security, re-encrypt traffic to backends (SSL bridging) if the network isn't 100% trusted.
  • Handle headers correctly: your applications must use X-Forwarded-Proto to generate URLs correctly (HTTPS, not HTTP), and should only trust X-Forwarded-* headers on requests that arrived through the load balancer, which must overwrite any client-supplied value.
  • Monitor the LB certificate: use MoniTao to monitor the certificate expiration on the load balancer.
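The "Handle headers correctly" practice above and the FAQ on updating applications come down to one rule: believe X-Forwarded-Proto and X-Forwarded-For only when the request actually came from the load balancer. The following backend helper is an added example, not code from this page or from MoniTao; the trusted range 10.0.0.0/8, the peer addresses and the header values are constructed assumptions, and headers are assumed to be a dict keyed by canonical header names.

```python
import ipaddress

# Constructed assumption: the load balancer's private range. Only requests
# that arrive from here may carry X-Forwarded-* values we believe.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr belongs to one of the trusted load-balancer networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_scheme(peer_addr: str, headers: dict) -> str:
    """Scheme the client actually used. The backend itself only ever sees
    plain HTTP, so 'https' can come solely from an LB-set X-Forwarded-Proto."""
    if is_trusted_proxy(peer_addr):
        proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            return proto
    return "http"


def client_ip(peer_addr: str, headers: dict) -> str:
    """Walk X-Forwarded-For from the right, skipping trusted proxies; the
    first untrusted hop is the client. Left-most entries may have been
    forged by the client (the LB appends, it does not replace) and are ignored."""
    if not is_trusted_proxy(peer_addr):
        return peer_addr  # request bypassed the LB: the header is untrusted
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if not is_trusted_proxy(hop):
            return hop
    return peer_addr


def absolute_url(peer_addr: str, headers: dict, path: str) -> str:
    """Build a redirect or link URL that keeps the client on HTTPS when the
    LB terminated TLS, instead of downgrading to http://."""
    return f"{effective_scheme(peer_addr, headers)}://{headers['Host']}{path}"
```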

SSL Termination Checklist

  • Certificate installed on load balancer
  • HTTPS listener configured
  • Backends configured in HTTP
  • X-Forwarded headers configured
  • Backend network secured
  • Certificate monitoring configured

Frequently Asked Questions

Is SSL Termination less secure?

Client-LB traffic is still encrypted. The risk is on the LB-backend path if that network isn't secured.

What is SSL Passthrough?

The LB forwards the TLS stream to the backend without decrypting it. Useful when you need end-to-end encryption, but you lose the L7 benefits (inspection, content-based routing, header injection).

What is SSL Bridging/Re-encryption?

The LB decrypts, then re-encrypts to backends. Combines L7 inspection with end-to-end security.

How do I handle multiple domains?

Use SNI (Server Name Indication) to have multiple certificates on a single load balancer.

Do I need to update my applications?

Your apps must respect X-Forwarded-Proto headers to generate URLs correctly.

Can MoniTao monitor the LB certificate?

Yes, MoniTao monitors the certificate presented at the configured URL, whether on an LB or direct server.

Centralize Your SSL Security

SSL Termination simplifies certificate management and improves performance. It's the recommended architecture for deployments with load balancers.

With MoniTao, monitor your centralized certificate and receive alerts before expiration to maintain optimal availability.

Ready to Sleep Soundly?

Start free, no credit card required.