Let’s consider an application managing 100 distinct SSL certificates, with each customer requiring their own SSL certificate. If configured through a load balancer, setting up 100 SSL certificates that automatically renew (using Let’s Encrypt) becomes necessary.
Our aim is to implement end-to-end encryption, ensuring that the traffic leaving the load balancer and reaching our droplet/backend application remains encrypted.
To achieve this, my understanding is that the backend application must also possess all 100 SSL certificates for decrypting the incoming traffic.
I’ve come across alternative solutions offered by some providers through the load balancer. In this scenario, the load balancer holds all 100 SSL certificates, but before forwarding the traffic to the backend, it translates them into a single Self-Signed SSL Certificate. This single certificate is then utilized by the droplet or backend application.
This approach simplifies our end, requiring only one certificate instead of the original 100. I’m curious if DigitalOcean’s Load Balancers support such a configuration, or if there are other viable solutions available?
Many thanks
Hey there!
Great question about handling SSL termination and re-encryption with DigitalOcean Load Balancers.
First off, DigitalOcean’s Load Balancers are pretty solid when it comes to SSL termination. They handle the decryption of SSL requests efficiently, which is a big plus as it offloads the CPU-intensive task of decryption from your servers and centralizes certificate management.
Post SSL termination, the traffic is usually routed to the backend droplets via DigitalOcean’s VPC network. This network layer adds a degree of security, but remember, this traffic will be unencrypted unless you take additional measures.
There’s also the SSL passthrough option, where the encrypted requests are sent directly to the backend. This means each of your servers needs to be equipped with the necessary SSL certificate info.
Now, about re-encrypting traffic with a self-signed certificate after it’s been decrypted by the Load Balancer—this is where it gets a bit tricky. As of the time being, DigitalOcean Load Balancers don’t really support this specific scenario. Essentially, you’re looking at SSL bridging, where the Load Balancer terminates the SSL connection and then initiates a new SSL connection to the backend. This isn’t a standard feature as of now.
A possible workaround could be setting up a self-managed load balancer service like HAProxy on a Droplet, where you will be able to achieve this setup instead of using the managed DigitalOcean Load Balancers, as you will have full control over the configuration.
The best thing to do to get your voice heard regarding this would be to head over to our Product Ideas board and post a new idea, including as much information as possible for what you’d like to see implemented.
Hope that helps!
- Bobby.
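As an added illustration of the HAProxy workaround suggested in the answer above (example configuration written for this page, not taken from the thread or from DigitalOcean), here is what SSL bridging looks like in an HAProxy configuration: the client-facing frontend loads every per-customer certificate from one directory and selects by SNI, while the backend opens a fresh TLS connection to each Droplet and verifies the single self-signed backend certificate. The directory paths, the `10.10.0.x` addresses, the `app.internal` name and the `/healthz` path are assumptions.

```haproxy
# Added example (not from the original thread): HAProxy "SSL bridging" on a
# self-managed Droplet. Paths, addresses and hostnames below are assumptions.

global
    log /dev/log local0
    # Modern TLS defaults for the client-facing listener
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode    http
    log     global
    option  httplog
    option  forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Client side: one PEM file per customer domain (certificate, key and chain)
# in this directory. HAProxy loads all of them and picks the right one by SNI,
# so 100 customer domains means 100 files here and none on the backend.
# Renewal (for example with certbot) only has to rewrite the files and reload
# HAProxy.
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    default_backend app_servers

# Backend side: HAProxy starts a new TLS session to each Droplet, which
# presents the single self-signed certificate. That certificate (or the
# private CA that signed it) is pinned with ca-file, so a different host on
# the VPC cannot stand in for the real backend unnoticed.
backend app_servers
    balance roundrobin
    option httpchk GET /healthz
    # Weak variant, kept only for contrast: "verify none" encrypts the hop but
    # accepts any certificate, so it does not authenticate the backend.
    # server app1 10.10.0.11:443 ssl verify none check
    server app1 10.10.0.11:443 ssl verify required ca-file /etc/haproxy/backend-ca.pem verifyhost app.internal check
    server app2 10.10.0.12:443 ssl verify required ca-file /etc/haproxy/backend-ca.pem verifyhost app.internal check
```

To use this, generate one self-signed certificate with `app.internal` as its subject alternative name, install it on every Droplet's web server, and copy the certificate (not the key) to `/etc/haproxy/backend-ca.pem` on the HAProxy Droplet. `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file before a reload. The important design point is `verify required` with a pinned `ca-file`: re-encrypting the VPC hop only buys confidentiality against a spoofed backend if HAProxy actually checks who it is talking to.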