SSL Termination On Load Balancers


Prerequisites

To follow this guide, you need to create a Load Balancer on your account that uses the HTTP protocol. You also need an SSL certificate, its private key, and any intermediate certificates that your certificate requires to function. For development and testing purposes you might want to create a self-signed certificate for load balancer SSL termination, but for production systems, and to properly leverage the security benefit of SSL, provision a certificate from a trusted provider.

Configure SSL Termination

To begin, navigate to the Load Balancers section of the SpinUp Control Panel and click on the desired instance. From this details page, click on the SSL Termination switch to see the configuration options.

You can set the behavior for the SSL Terminating load balancer by selecting an option for Allowed Traffic:

  • Allow secure and insecure traffic means both HTTP and HTTPS requests to the load balancer are passed to the nodes, with HTTPS requests decrypted at the load balancer.

  • Only allow secure traffic means only inbound requests over HTTPS will be accepted.

The Secure Port the load balancer will use to accept HTTPS requests defaults to 443. You can customize the port value, but this should not need to be changed in most cases.

Add the Certificates and Private Keys

Copy and paste your certificate and private key into the text boxes provided. The contents of each must be wrapped in the expected beginning and ending lines; for example, your SSL certificate should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

Set a Cipher Profile

Ciphers are the methods used to encrypt and decrypt HTTPS traffic, and they are controlled at the load balancer when using the SSL Termination feature. A cipher profile is a bundled collection of widely supported cipher suites that you can set the load balancer to use when it accepts and decrypts traffic. SpinUp currently maintains two cipher profiles for you to select from. SpinUp might update these profiles or add additional profiles in the future to address any security concerns that arise with these encryption methods.

Cipher Profile      Supported Ciphers
Comprehensive-V1    SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
                    SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                    SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
                    SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
                    SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
                    SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
                    SSL_RSA_WITH_AES_256_GCM_SHA384
                    SSL_RSA_WITH_AES_256_CBC_SHA256
                    SSL_RSA_WITH_AES_256_CBC_SHA
                    SSL_RSA_WITH_AES_128_GCM_SHA256
                    SSL_RSA_WITH_AES_128_CBC_SHA256
                    SSL_RSA_WITH_AES_128_CBC_SHA
Recommended-V1      SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
                    SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256

At this time, SpinUp Load Balancer SSL Termination supports TLS 1.1 and 1.2, as displayed in the configuration checkboxes. SpinUp will add customization to control which specific TLS versions are supported in a future platform release. TLS 1.0 is no longer considered secure and is not available.

SSL Termination Tips

If the certificate or key contents cannot be recognized as a valid format, or if the load balancer is not set to the HTTP protocol, you might receive a Bad Request error or other error messages from the control panel when attempting to save your configuration. If this occurs, check whether your certificate contents were pasted in full and whether your load balancer's general configuration is compatible with SSL Termination.
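Before pasting, a quick structural check catches the truncated or mislabelled PEM blocks that lead to the Bad Request error above. This is an added example, not SpinUp's code; the sample blocks it inspects are constructed (a tiny DER SEQUENCE, not a real certificate or key).

```python
import base64
import re

# One PEM block: the END label must repeat the BEGIN label, so a block whose
# END line was pasted from a different item does not count as complete.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def inspect_pem(text):
    """Report on pasted PEM material: matching BEGIN/END lines, valid base64
    that decodes to a DER SEQUENCE (first byte 0x30), and how many
    certificates and private keys are present."""
    report = {"certificates": 0, "keys": 0, "errors": []}
    blocks = PEM_BLOCK.findall(text)
    # More BEGIN lines than complete blocks means a truncated paste or a
    # mismatched END label.
    begins = len(re.findall(r"-----BEGIN ", text))
    if begins != len(blocks):
        report["errors"].append(
            "%d BEGIN line(s) but %d complete block(s): check for a truncated "
            "paste or a mismatched END label" % (begins, len(blocks)))
    for label, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            report["errors"].append("%s: body is not valid base64" % label)
            continue
        if not der or der[0] != 0x30:
            report["errors"].append("%s: body is not DER" % label)
            continue
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label in KEY_LABELS:
            report["keys"] += 1
        else:
            report["errors"].append("unexpected block type: %s" % label)
    if report["certificates"] == 0:
        report["errors"].append("no CERTIFICATE block found")
    if report["keys"] == 0:
        report["errors"].append("no private key block found")
    return report


# Constructed sample input: base64 of a 5-byte DER SEQUENCE, not real key material.
DER_B64 = "MAMCAQE="
GOOD = ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % DER_B64) * 2 \
    + "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % DER_B64
TRUNCATED = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIF" % DER_B64
```

Run inspect_pem on the text you are about to paste; an empty errors list with one key and at least one certificate (more when intermediates are included) is what the control panel expects.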

For security purposes, your private keys are not displayed in the SpinUp Control Panel and cannot be retrieved when requesting load balancer information from the API. You are also prompted to re-enter your private keys when editing your existing SSL termination settings. Be sure to store your keys in a safe and accessible manner outside of your SpinUp account, and remember that you might not need to refer to them again for several years.
