Rackspace Cloud recently introduced SSL termination on Cloud Load Balancers. As of right now, there is no way to implement this feature through the control panel and it is only available via the API. This tutorial will guide you through how to set up SSL termination via the API.
Things you will need:
- Your private key
- Your certificate
- Your CA’s intermediate certificate (optional, but recommended)
- curl
- tidy (optional, but it makes reading the return XML much nicer)
- SSL termination API documentation
Cloud load balancers with SSL termination work a little differently than the traditional HTTPS Cloud load balancers. With SSL pass-through you have two distinct load balancers, one for HTTP and another for HTTPS. However, with SSL termination you only have your primary HTTP load balancer. You then apply the SSL termination onto that load balancer, creating what the documentation calls a “shadow server” that uses the same configuration as the primary load balancer, except it runs on a different port and performs SSL termination. So if you disable a node on the HTTP load balancer, for example, that node is also disabled on the “shadow server.”
1. Authenticate with Rackspace Cloud and get your Auth Token
The first step to installing your certificate onto the load balancer is to authenticate with the API. To do this you will need your username (the username you use to log in to https://manage.rackspacecloud.com or https://lon.manage.rackspacecloud.com), your API key (you can retrieve this by going to “Your Account” -> “API Access” and clicking “Show Key” in the Rackspace Cloud control panel), and the URL for the authentication endpoint for your account. If your account was registered at rackspace.com, then you will want to use the US endpoint. If it was registered at rackspace.co.uk, then you will want to use the UK endpoint. The authentication endpoints are listed below:
US: https://auth.api.rackspacecloud.com/v1.0/
UK: https://lon.auth.api.rackspacecloud.com/v1.0/
To authenticate with the Rackspace Cloud API, you will need to send a GET request to the authentication endpoint for your account, with your username in the X-Auth-User header and your API key in the X-Auth-Key header. Here is an example request and response using curl:
    $ curl -i -H "X-Auth-User: this_is_an_example" -H "X-Auth-Key: 23034ef200c35bbc907c928e657e3ea2" https://auth.api.rackspacecloud.com/v1.0/
    HTTP/1.1 204 No Content
    Server: Apache/2.2.3 (Red Hat)
    vary: X-Auth-Token,X-Auth-Key,X-Storage-User,X-Storage-Pass
    X-Storage-Url: https://storage101.ord1.clouddrive.com/v1/MossoCloudFS_00b60dc9-a8b3-4e6d-90fa-5e545583ee9
    Cache-Control: s-maxage=28711
    Content-Type: text/xml
    Date: Sun, 18 Mar 2012 19:18:40 GMT
    X-Auth-Token: a9247b31-179d-49f1-be3c-c76bc9bbda2b
    X-Server-Management-Url: https://servers.api.rackspacecloud.com/v1.0/99999999
    X-Storage-Token: a9247b31-179d-49f1-be3c-c76bc9bbda2b
    Connection: Keep-Alive
    X-CDN-Management-Url: https://cdn2.clouddrive.com/v1/MossoCloudFS_00b60dc9-a8b3-4e6d-90fa-5e545583ee9
    Content-Length: 0
The two important things to note with the response are the X-Auth-Token and the number after the last slash in X-Server-Management-Url, which is your account number (in this example, the account number is 99999999 and the Auth Token is a9247b31-179d-49f1-be3c-c76bc9bbda2b). Now that we’ve successfully authenticated, we can move on to interacting with the Cloud load balancer API.
2. Interact with the load balancer API to get your load balancer ID
There are different Cloud load balancer API endpoints, depending on which region your Cloud load balancer is deployed to. You can check the region of your load balancer by navigating to “Hosting” -> “Load Balancers” in the Rackspace Cloud control panel. Here are the URLs for the different endpoints:
Chicago (ORD): https://ord.loadbalancers.api.rackspacecloud.com/v1.0/
Dallas/Ft. Worth (DFW): https://dfw.loadbalancers.api.rackspacecloud.com/v1.0/
London (LON): https://lon.loadbalancers.api.rackspacecloud.com/v1.0/
With this example account, the load balancer is located in ORD, so we will use that endpoint. The next thing to do is to pull a list of all of the load balancers on your account. You can do this by appending account_number/loadbalancers to the end of the endpoint URL, so for this example that will look like https://ord.loadbalancers.api.rackspacecloud.com/v1.0/99999999/loadbalancers. Issue a GET request against this URL with your Auth Token in the X-Auth-Token header. In the following example I piped the output to tidy to clean up the XML return to make it easier to read:
    $ curl -s -H "X-Auth-Token: a9247b31-179d-49f1-be3c-c76bc9bbda2b" https://ord.loadbalancers.api.rackspacecloud.com/v1.0/99999999/loadbalancers | tidy -q -xml
    <?xml version="1.0" encoding="utf-8" standalone="yes"?>
    <loadBalancers xmlns="http://docs.openstack.org/loadbalancers/api/v1.0">
      <loadBalancer id="12341234" name="syntheticworks.com" algorithm="ROUND_ROBIN" protocol="HTTP" port="80" status="ACTIVE">
        <virtualIps>
          <virtualIp id="12341234" address="50.57.204.110" ipVersion="IPV4" type="PUBLIC" />
        </virtualIps>
        <created time="2011-10-30T10:37:24Z" />
        <updated time="2012-03-18T17:25:08Z" />
      </loadBalancer>
    </loadBalancers>
With this return, you can see that the load balancer’s ID is 12341234. Generally the ID will be much shorter as I fabricated this ID for the purpose of this example. Now we can move on to the next step of formatting our XML submission to enable SSL termination. While it is possible to also submit the request using JSON, I’ve found that XML is much easier since you must replace every instance of a newline in the JSON request with \n, which can be a pain.
3. Formatting the XML submission to enable SSL termination
For ease of use, I’ve included a general purpose template to enable SSL termination on port 443:
    <?xml version="1.0" encoding="utf-8" standalone="yes"?>
    <sslTermination xmlns="http://docs.openstack.org/loadbalancers/api/v1.0" enabled="true" securePort="443" secureTrafficOnly="false">
    <privatekey>
    </privatekey>
    <certificate>
    </certificate>
    <intermediateCertificate>
    </intermediateCertificate>
    </sslTermination>
Copy this template and paste it into your favorite text editor. Paste your private key, certificate, and intermediate certificate into their respective fields as such:
    <?xml version="1.0" encoding="utf-8" standalone="yes"?>
    <sslTermination xmlns="http://docs.openstack.org/loadbalancers/api/v1.0" enabled="true" securePort="443" secureTrafficOnly="false">
    <privatekey>-----BEGIN RSA PRIVATE KEY-----
    [base64 key data omitted]
    -----END RSA PRIVATE KEY-----</privatekey>
    <certificate>-----BEGIN CERTIFICATE-----
    [base64 certificate data omitted]
    -----END CERTIFICATE-----</certificate>
    <intermediateCertificate>-----BEGIN CERTIFICATE-----
    [base64 certificate data omitted]
    -----END CERTIFICATE-----</intermediateCertificate>
    </sslTermination>
Now save your changes. For this example, I saved the file as ssl-termination.xml. We can now move on to the next step of enabling SSL termination on the load balancer.
4. Enabling SSL termination on the load balancer
Now that we have our Auth Token, load balancer ID, and our XML request in place, we can finally enable SSL termination on the load balancer. If you are changing over to SSL termination from a previous configuration that utilized SSL pass-through, you must first delete your HTTPS load balancer before enabling SSL termination on your HTTP load balancer. This is because the HTTPS load balancer will already be using port 443 on your shared IP, which will result in the API returning an error when it tries to configure your HTTP load balancer to use that port for SSL termination.
First we need to get the URL to issue the request to. Append loadbalancer_id/ssltermination to the end of the last URL we issued a curl to, so for this example we will have https://ord.loadbalancers.api.rackspacecloud.com/v1.0/99999999/loadbalancers/12341234/ssltermination. To enable SSL termination, we need to issue a PUT request to this URL, with ssl-termination.xml as our payload. In my example, I appended .xml to the end of the request URL to ensure that the return data was in XML and not JSON:
    $ curl -i -T ssl-termination.xml -H "X-Auth-Token: a9247b31-179d-49f1-be3c-c76bc9bbda2b" https://ord.loadbalancers.api.rackspacecloud.com/v1.0/99999999/loadbalancers/12341234/ssltermination.xml
    HTTP/1.1 100 Continue

    HTTP/1.1 202 Accepted
    Server: Rackspace Cloud Load Balancer API v1.9.13
    Date: Sun, 18 Mar 2012 21:57:02 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?><sslTermination xmlns="http://docs.openstack.org/loadbalancers/api/v1.0" enabled="true" securePort="443" secureTrafficOnly="false"><privatekey>-----BEGIN RSA PRIVATE KEY-----
    [base64 key data omitted]
    -----END RSA PRIVATE KEY-----</privatekey><certificate>-----BEGIN CERTIFICATE-----
    [base64 certificate data omitted]
    -----END CERTIFICATE-----</certificate><intermediateCertificate>-----BEGIN CERTIFICATE-----
    [base64 certificate data omitted]
    -----END CERTIFICATE-----</intermediateCertificate></sslTermination>
If you get the 202 status like what I got in the example, then congrats, you have successfully set up SSL termination on the load balancer. It will take five or so minutes for the configuration to update on your load balancer. Once it has, the SSL termination “shadow server” will use the same configuration as the load balancer you installed the SSL termination on (meaning same nodes, same session persistence settings, etc). It will also start forwarding a new header to your server called “X-Forwarded-Proto”, which will have the value of either “http” or “https,” depending on the connection type. You can either have your scripts check this header directly to see if it’s a secure connection, or you can configure your HTTP server to perform the check for your scripts. For example, here’s how to perform that check using nginx: http://daniel.hahler.de/handle-x-forwarded-proto-in-backend-nginx.
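Steps 1, 3 and 4 above as one script, added here as an example that is not part of the original post: it builds the XML payload from the PEM files, keeps the API key and Auth Token off the curl command line, and discards the response body because the API echoes the private key back. The `RS_USER` and `RS_API_KEY` variables and all function names are assumptions, the load balancer ID from step 2 is passed as the first argument, and the US auth and ORD endpoints are hard-coded.

```sh
#!/bin/sh
# Added example (not from the original post). Assumed names: the RS_USER and
# RS_API_KEY environment variables and every function name below.
# Usage: RS_USER=... RS_API_KEY=... sh enable-ssl.sh LB_ID key.pem cert.pem [intermediate.pem]

AUTH_URL="https://auth.api.rackspacecloud.com/v1.0/"              # US endpoint
LB_BASE="https://ord.loadbalancers.api.rackspacecloud.com/v1.0"   # ORD region

# header_value NAME: print the value of HTTP header NAME from a response on stdin.
header_value() {
  tr -d '\r' | awk -v h="$1" 'BEGIN { h = tolower(h) ":" }
    tolower($1) == h { print $2; exit }'
}

# account_from_url URL: the account number is the last path segment.
account_from_url() { printf '%s\n' "${1##*/}"; }

# build_payload KEY CERT [INTERMEDIATE]: write the sslTermination XML to stdout.
# PEM line breaks are kept as-is; a swapped key/certificate pair is rejected.
build_payload() (
  key=$1; cert=$2; chain=${3:-}
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" ||
    { echo "not a private key: $key" >&2; exit 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
    { echo "not a certificate: $cert" >&2; exit 1; }
  printf '%s\n' '<?xml version="1.0" encoding="utf-8" standalone="yes"?>'
  printf '%s\n' '<sslTermination xmlns="http://docs.openstack.org/loadbalancers/api/v1.0" enabled="true" securePort="443" secureTrafficOnly="false">'
  printf '<privatekey>%s</privatekey>\n' "$(cat "$key")"
  printf '<certificate>%s</certificate>\n' "$(cat "$cert")"
  if [ -n "$chain" ]; then
    printf '<intermediateCertificate>%s</intermediateCertificate>\n' "$(cat "$chain")"
  fi
  printf '%s\n' '</sslTermination>'
)

main() {
  lb_id=$1; shift
  umask 077                        # the payload file contains the private key
  payload=$(mktemp) || exit 1
  trap 'rm -f "$payload"' EXIT
  build_payload "$@" > "$payload" || exit 1
  # Step 1: credentials reach curl on stdin (--config -) instead of argv, so
  # they stay out of the process list (printf is a builtin in bash and dash).
  resp=$(printf 'header = "X-Auth-User: %s"\nheader = "X-Auth-Key: %s"\n' \
    "$RS_USER" "$RS_API_KEY" | curl -s -i --config - "$AUTH_URL") || exit 1
  token=$(printf '%s\n' "$resp" | header_value X-Auth-Token)
  account=$(account_from_url \
    "$(printf '%s\n' "$resp" | header_value X-Server-Management-Url)")
  [ -n "$token" ] && [ -n "$account" ] ||
    { echo "authentication failed" >&2; exit 1; }
  # Step 4: PUT the payload. The API echoes the private key in the response
  # body, so discard the body and print only the status code (202 on success).
  printf 'header = "X-Auth-Token: %s"\n' "$token" |
    curl -s -o /dev/null -w '%{http_code}\n' --config - -T "$payload" \
      "$LB_BASE/$account/loadbalancers/$lb_id/ssltermination.xml"
}

if [ "$#" -ge 3 ]; then main "$@"; fi
```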
Happy hacking!