Configuring SSL Termination on Rackspace Cloud Load Balancers

Rackspace Cloud recently introduced SSL termination on Cloud Load Balancers. As of right now, the feature cannot be configured through the control panel; it is only available via the API. This tutorial will guide you through setting up SSL termination via the API.

Things you will need:

  • Your private key
  • Your certificate
  • Your CA’s intermediate certificate (optional, but recommended)
  • curl
  • tidy (optional, but it makes reading the return XML much nicer)
  • SSL termination API documentation

Cloud load balancers with SSL termination work a little differently from the traditional HTTPS Cloud load balancers. With SSL pass-through you have two distinct load balancers, one for HTTP and another for HTTPS. With SSL termination, however, you only have your primary HTTP load balancer. You then apply SSL termination to that load balancer, creating what the documentation calls a “shadow server” that uses the same configuration as the primary load balancer, except that it runs on a different port and performs SSL termination. So if you disable a node on the HTTP load balancer, for example, that node is also disabled on the “shadow server.”

1. Authenticate with Rackspace Cloud and get your Auth Token

The first step in installing your certificate onto the load balancer is to authenticate with the API. To do this you will need your username (the username you use to log in to https://manage.rackspacecloud.com or https://lon.manage.rackspacecloud.com), your API key (you can retrieve this by going to “Your Account” -> “API Access” and clicking “Show Key” in the Rackspace Cloud control panel), and the URL of the authentication endpoint for your account. If your account was registered at rackspace.com, use the US endpoint. If it was registered at rackspace.co.uk, use the UK endpoint. The authentication endpoints are listed below:

US: https://auth.api.rackspacecloud.com/v1.0/
UK: https://lon.auth.api.rackspacecloud.com/v1.0/

To authenticate with the Rackspace Cloud API, you will need to send a GET request to the authentication endpoint for your account, with your username in the X-Auth-User header and your API key in the X-Auth-Key header. Here is an example request and response using curl:

$ curl -i -H "X-Auth-User: this_is_an_example" -H "X-Auth-Key: 23034ef200c35bbc907c928e657e3ea2" https://auth.api.rackspacecloud.com/v1.0/
HTTP/1.1 204 No Content
Server: Apache/2.2.3 (Red Hat)
vary: X-Auth-Token,X-Auth-Key,X-Storage-User,X-Storage-Pass
X-Storage-Url: https://storage101.ord1.clouddrive.com/v1/MossoCloudFS_00b60dc9-a8b3-4e6d-90fa-5e545583ee9
Cache-Control: s-maxage=28711
Content-Type: text/xml
Date: Sun, 18 Mar 2012 19:18:40 GMT
X-Auth-Token: a9247b31-179d-49f1-be3c-c76bc9bbda2b
X-Server-Management-Url: https://servers.api.rackspacecloud.com/v1.0/99999999
X-Storage-Token: a9247b31-179d-49f1-be3c-c76bc9bbda2b
Connection: Keep-Alive
X-CDN-Management-Url: https://cdn2.clouddrive.com/v1/MossoCloudFS_00b60dc9-a8b3-4e6d-90fa-5e545583ee9
Content-Length: 0

The two important things to note with the response are the X-Auth-Token and the number after the last slash in X-Server-Management-Url, which is your account number (in this example, the account number is 99999999 and the Auth Token is a9247b31-179d-49f1-be3c-c76bc9bbda2b). Now that we’ve successfully authenticated, we can move on to interacting with the Cloud load balancer API.
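Scripting this step, as an added example that is not part of the original post: the function names are hypothetical and the sample response is constructed from the one above. `curl -i` prints header lines with CRLF endings, so the values are cleaned before being reused in later requests.

```shell
# Added example, not from the original post; function names are hypothetical.

# header_value NAME: read a `curl -i` response on stdin and print the value of
# header NAME. Names match case-insensitively; the CR that ends every HTTP
# header line is stripped so the value can be reused in another -H option.
header_value() {
    awk -v want="$1" '
        { sub(/\r$/, "") }
        $0 == "" { exit }                  # blank line: end of headers
        (i = index($0, ":")) > 0 && tolower(substr($0, 1, i - 1)) == tolower(want) {
            val = substr($0, i + 1)
            sub(/^[ \t]+/, "", val)        # drop the space after the colon
            print val
            exit
        }'
}

# account_number: read the same response on stdin and print the numeric last
# path segment of X-Server-Management-Url; fail if it is missing or not numeric.
account_number() {
    url=$(header_value X-Server-Management-Url)
    acct=${url##*/}
    case $acct in
        '' | *[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$acct"
}

# Constructed response modelled on the one in the post (CRLF line endings).
sample_auth_response() {
    printf '%s\r\n' 'HTTP/1.1 204 No Content' \
        'Content-Type: text/xml' \
        'X-Auth-Token: a9247b31-179d-49f1-be3c-c76bc9bbda2b' \
        'X-Server-Management-Url: https://servers.api.rackspacecloud.com/v1.0/99999999' \
        'Content-Length: 0' ''
}

token=$(sample_auth_response | header_value x-auth-token)
account=$(sample_auth_response | account_number)
echo "token=$token account=$account"
echo "https://ord.loadbalancers.api.rackspacecloud.com/v1.0/$account/loadbalancers"
```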

2. Interact with the load balancer API to get your load balancer ID

There are different Cloud load balancer API endpoints, depending on which region your Cloud load balancer is deployed to. You can check the region of your load balancer by navigating to “Hosting” -> “Load Balancers” in the Rackspace Cloud control panel. Here are the URLs for the different endpoints:

Chicago (ORD): https://ord.loadbalancers.api.rackspacecloud.com/v1.0/
Dallas/Ft. Worth (DFW): https://dfw.loadbalancers.api.rackspacecloud.com/v1.0/
London (LON): https://lon.loadbalancers.api.rackspacecloud.com/v1.0/

With this example account, the load balancer is located in ORD, so we will use that endpoint. The next thing to do is to pull a list of all of the load balancers on your account. You can do this by appending account_number/loadbalancers to the end of the endpoint URL, so for this example that will look like https://ord.loadbalancers.api.rackspacecloud.com/v1.0/99999999/loadbalancers. Issue a GET request against this URL with your Auth Token in the X-Auth-Token header. In the following example I piped the output to tidy to clean up the returned XML and make it easier to read:

$ curl -s -H "X-Auth-Token: a9247b31-179d-49f1-be3c-c76bc9bbda2b" https://ord.loadbalancers.api.rackspacecloud.com/v1.0/99999999/loadbalancers | tidy -q -xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<loadBalancers xmlns="http://docs.openstack.org/loadbalancers/api/v1.0">

<loadBalancer id="12341234" name="syntheticworks.com"
algorithm="ROUND_ROBIN" protocol="HTTP" port="80" status="ACTIVE">
<virtualIps>
<virtualIp id="12341234" address="50.57.204.110" ipVersion="IPV4"
type="PUBLIC" />
</virtualIps>
<created time="2011-10-30T10:37:24Z" />
<updated time="2012-03-18T17:25:08Z" />
</loadBalancer>
</loadBalancers>

From this response, you can see that the load balancer’s ID is 12341234. Generally the ID will be much shorter, as I fabricated this ID for the purpose of this example. Now we can move on to the next step of formatting our XML submission to enable SSL termination. While it is also possible to submit the request using JSON, I’ve found that XML is much easier, since in a JSON request you must replace every newline with \n, which can be a pain.

3. Formatting the XML submission to enable SSL termination

For ease of use, I’ve included a general purpose template to enable SSL termination on port 443:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<sslTermination xmlns="http://docs.openstack.org/loadbalancers/api/v1.0"
enabled="true" securePort="443" secureTrafficOnly="false">
<privatekey>
</privatekey>
<certificate>
</certificate>
<intermediateCertificate>
</intermediateCertificate>
</sslTermination>

Copy this template and paste it into your favorite text editor. Paste your private key, certificate, and intermediate certificate into their respective fields as such:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<sslTermination xmlns="http://docs.openstack.org/loadbalancers/api/v1.0"
enabled="true" securePort="443" secureTrafficOnly="false">
<privatekey>-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----</privatekey>
<certificate>-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----</certificate>
<intermediateCertificate>-----BEGIN CERTIFICATE-----
MIIGNDCCBBygAwIBAgIBGDANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
dGlvbiBBdXRob3JpdHkwHhcNMDcxMDI0MjA1NDE3WhcNMTcxMDI0MjA1NDE3WjCB
jDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsT
IlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0
YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVyIENBMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtonGrO8JUngHrJJj0PREGBiE
gFYfka7hh/oyULTTRwbw5gdfcA4Q9x3AzhA2NIVaD5Ksg8asWFI/ujjo/OenJOJA
pgh2wJJuniptTT9uYSAK21ne0n1jsz5G/vohURjXzTCm7QduO3CHtPn66+6CPAVv
kvek3AowHpNz/gfK11+AnSJYUq4G2ouHI2mw5CrY6oPSvfNx23BaKA+vWjhwRRI/
ME3NO68X5Q/LoKldSKqxYVDLNM08XMML6BDAjJvwAwNi/rJsPnIO7hxDKslIDlc5
xDEhyBDBLIf+VJVSH1I8MRKbf+fAoKVZ1eKPPvDVqOHXcDGpxLPPr21TLwb0pwID
AQABo4IBrTCCAakwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD
VR0OBBYEFOtCNNCYsKuf9BtrCPfMZC7vDixFMB8GA1UdIwQYMBaAFE4L7xqkQFul
F2mHMMo0aEPQQa7yMGYGCCsGAQUFBwEBBFowWDAnBggrBgEFBQcwAYYbaHR0cDov
L29jc3Auc3RhcnRzc2wuY29tL2NhMC0GCCsGAQUFBzAChiFodHRwOi8vd3d3LnN0
YXJ0c3NsLmNvbS9zZnNjYS5jcnQwWwYDVR0fBFQwUjAnoCWgI4YhaHR0cDovL3d3
dy5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMCegJaAjhiFodHRwOi8vY3JsLnN0YXJ0
c3NsLmNvbS9zZnNjYS5jcmwwgYAGA1UdIAR5MHcwdQYLKwYBBAGBtTcBAgEwZjAu
BggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjA0
BggrBgEFBQcCARYoaHR0cDovL3d3dy5zdGFydHNzbC5jb20vaW50ZXJtZWRpYXRl
LnBkZjANBgkqhkiG9w0BAQUFAAOCAgEAIQlJPqWIbuALi0jaMU2P91ZXouHTYlfp
tVbzhUV1O+VQHwSL5qBaPucAroXQ+/8gA2TLrQLhxpFy+KNN1t7ozD+hiqLjfDen
xk+PNdb01m4Ge90h2c9W/8swIkn+iQTzheWq8ecf6HWQTd35RvdCNPdFWAwRDYSw
xtpdPvkBnufh2lWVvnQce/xNFE+sflVHfXv0pQ1JHpXo9xLBzP92piVH0PN1Nb6X
t1gW66pceG/sUzCv6gRNzKkC4/C2BBL2MLERPZBOVmTX3DxDX3M570uvh+v2/miI
RHLq0gfGabDBoYvvF0nXYbFFSF87ICHpW7LM9NfpMfULFWE7epTj69m8f5SuauNi
YpaoZHy4h/OZMn6SolK+u/hlz8nyMPyLwcKmltdfieFcNID1j0cHL7SRv7Gifl9L
WtBbnySGBVFaaQNlQ0lxxeBvlDRr9hvYqbBMflPrj0jfyjO1SPo2ShpTpjMM0InN
SRXNiTE8kMBy12VLUjWKRhFEuT2OKGWmPnmeXAhEKa2wNREuIU640ucQPl2Eg7PD
wuTSxv0JS3QJ3fGz0xk+gA2iCxnwOOfFwq/iI9th4p1cbiCJSS4jarJiwUW0n6+L
p/EiO/h94pDQehn7Skzj0n1fSoMD7SfWI55rjbRZotnvbIIp3XUZPD9MEI3vu3Un
0q6Dp6jOW6c=
-----END CERTIFICATE-----</intermediateCertificate>
</sslTermination>

Now save your changes. For this example, I saved the file as ssl-termination.xml. We can now move on to the next step of enabling SSL termination on the load balancer.
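Instead of pasting by hand, the file can be generated. This is an added example, not the author's code: the function names and placeholder PEM files are constructed, and it assumes the key uses the RSA PRIVATE KEY form shown above and that the intermediateCertificate element may be left out when no intermediate is supplied.

```shell
# Added example, not from the original post; function names are hypothetical.

# pem_is KIND FILE: succeed only if FILE's first and last non-blank lines are
# the "-----BEGIN KIND-----" / "-----END KIND-----" markers (CRLF tolerated).
pem_is() {
    awk -v kind="$1" '
        { sub(/\r$/, "") }
        NF { if (!first) first = $0; last = $0 }
        END { exit !(first == "-----BEGIN " kind "-----" &&
                     last == "-----END " kind "-----") }
    ' "$2"
}

# build_ssl_xml KEY CERT [INTERMEDIATE]: print the request body on stdout.
# Every input is checked before anything is printed, so a key/certificate
# mix-up cannot place the private key inside a certificate element.
build_ssl_xml() {
    key=$1 cert=$2 chain=${3:-}
    pem_is 'RSA PRIVATE KEY' "$key" || { echo "bad private key: $key" >&2; return 1; }
    pem_is CERTIFICATE "$cert" || { echo "bad certificate: $cert" >&2; return 1; }
    [ -z "$chain" ] || pem_is CERTIFICATE "$chain" ||
        { echo "bad intermediate: $chain" >&2; return 1; }
    printf '%s\n' '<?xml version="1.0" encoding="utf-8" standalone="yes"?>' \
        '<sslTermination xmlns="http://docs.openstack.org/loadbalancers/api/v1.0"' \
        'enabled="true" securePort="443" secureTrafficOnly="false">'
    printf '<privatekey>%s</privatekey>\n' "$(tr -d '\r' < "$key")"
    printf '<certificate>%s</certificate>\n' "$(tr -d '\r' < "$cert")"
    [ -z "$chain" ] || printf '<intermediateCertificate>%s</intermediateCertificate>\n' \
        "$(tr -d '\r' < "$chain")"
    echo '</sslTermination>'
}

# write_ssl_xml OUT KEY CERT [INTERMEDIATE]: create OUT readable by its owner
# only, since it holds the private key; leave no partial file on failure.
write_ssl_xml() {
    out=$1; shift
    rm -f "$out.tmp"
    if ( umask 077; build_ssl_xml "$@" > "$out.tmp" ); then mv "$out.tmp" "$out"
    else rm -f "$out.tmp"; return 1; fi
}

# fake_pem KIND: constructed placeholder PEM text (not real key material).
fake_pem() { printf '%s\n' "-----BEGIN $1-----" 'Q09OU1RSVUNURUQ=' "-----END $1-----"; }

demo=$(mktemp -d)
fake_pem 'RSA PRIVATE KEY' > "$demo/key.pem"; fake_pem CERTIFICATE > "$demo/cert.pem"
write_ssl_xml "$demo/ssl-termination.xml" "$demo/key.pem" "$demo/cert.pem" &&
    cat "$demo/ssl-termination.xml"
rm -rf "$demo"
```

The marker check catches swapped or truncated files; it does not prove that the key belongs to the certificate.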

4. Enabling SSL termination on the load balancer

Now that we have our Auth Token, load balancer ID, and our XML request in place, we can finally enable SSL termination on the load balancer. If you are changing over to SSL termination from a previous configuration that utilized SSL pass-through, you must first delete your HTTPS load balancer before enabling SSL termination on your HTTP load balancer. This is because the HTTPS load balancer will already be using port 443 on your shared IP, which will result in the API returning an error when it tries to configure your HTTP load balancer to use that port for SSL termination.

First we need the URL to issue the request to. Append loadbalancer_id/ssltermination to the end of the last URL we issued a curl request to, so for this example we will have https://ord.loadbalancers.api.rackspacecloud.com/v1.0/99999999/loadbalancers/12341234/ssltermination. To enable SSL termination, we need to issue a PUT request to this URL, with ssl-termination.xml as our payload. In my example, I appended .xml to the end of the request URL to ensure that the return data was in XML and not JSON:

$ curl -i -T ssl-termination.xml -H "X-Auth-Token: a9247b31-179d-49f1-be3c-c76bc9bbda2b" https://ord.loadbalancers.api.rackspacecloud.com/v1.0/99999999/loadbalancers/12341234/ssltermination.xml
HTTP/1.1 100 Continue

HTTP/1.1 202 Accepted
Server: Rackspace Cloud Load Balancer API v1.9.13
Date: Sun, 18 Mar 2012 21:57:02 GMT
Content-Type: application/xml
Transfer-Encoding: chunked

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><sslTermination xmlns="http://docs.openstack.org/loadbalancers/api/v1.0" enabled="true" securePort="443" secureTrafficOnly="false"><privatekey>-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----</privatekey><certificate>-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----</certificate><intermediateCertificate>-----BEGIN CERTIFICATE-----... -----END CERTIFICATE-----</intermediateCertificate></sslTermination>

If you get the 202 status like I did in the example, then congrats, you have successfully set up SSL termination on the load balancer. It will take five or so minutes for the configuration to update on your load balancer. Once it has, the SSL termination “shadow server” will use the same configuration as the load balancer you installed the SSL termination on (meaning same nodes, same session persistence settings, etc.). It will also start forwarding a new header to your server called “X-Forwarded-Proto,” which will have the value “http” or “https,” depending on the connection type. You can either have your scripts check this header directly to see whether the connection is secure, or configure your HTTP server to perform the check for your scripts. For example, here’s how to perform that check using nginx: http://daniel.hahler.de/handle-x-forwarded-proto-in-backend-nginx.

Happy hacking!
