Pragmatic Approach, Practical Designs, Secure Implementations

The question of how to properly configure SSL for web resources behind a network load balancer keeps coming up in recent projects, and it seems to be a source of some confusion. In this blog I will try to summarize the key points to consider when configuring SSL for resources behind a network load balancer.

 

[Diagram: SSL with load balancer]

The diagram above shows a typical scenario in which a client needs to connect to a web resource, www.app1.com, over HTTPS. The SSL tunnel is configured to terminate on the servers hosting the application behind the load balancer.

In our diagram these servers have the IP addresses 192.168.1.2-4. The client sees the name www.app1.com resolve to the IP address 1.1.1.2, which is the external virtual IP address (VIP) of the load balancer.

For SSL server certificate validation to succeed, the name of the system the client is connecting to (www.app1.com) must match the CN field of the X.509 SSL certificate on the server where the SSL tunnel terminates. If the client connects directly to the server where the tunnel terminates, this is straightforward. In our case, however, the client connects to the load balancer, which simply passes the SSL traffic to one of the servers hosting the application, and the SSL tunnel terminates there.

For the client to be able to properly validate the server SSL certificate, the following configuration is required:

  • On the client system, www.app1.com must resolve to the IP address of the load balancer VIP (1.1.1.2), either via DNS or the local hosts file
  • The load balancer should not terminate the SSL connection, but pass it through to one of the downstream servers hosting the application
  • All servers must have an SSL certificate installed with a CN value equal to www.app1.com

Of course, this approach is only necessary when the SSL tunnel needs to terminate on the application servers. If the tunnel terminates on the load balancer, only the load balancer needs an SSL certificate with a CN value equal to www.app1.com installed on it.
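
An added example (not part of the original post): a check that every server in the pool presents a certificate covering www.app1.com, so validation succeeds whichever backend the load balancer picks. It applies the standard client rule that subjectAltName DNS entries are compared first and the CN is used only when there are none; the sample certificates and internal node names are constructed.

```python
import socket
import ssl

HOSTNAME = "www.app1.com"  # name the client connects to (from the post)

def cert_names(cert):
    """DNS names a getpeercert()-style dict is valid for: SAN entries, else subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN DNS names exist, clients do not consult the CN
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """Simplified match: case-insensitive, '*' only as the whole leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])

def audit_pool(certs_by_backend, hostname=HOSTNAME):
    """Return {backend: names} for each backend whose certificate does not cover hostname."""
    return {ip: cert_names(c) for ip, c in certs_by_backend.items()
            if not any(name_matches(n, hostname) for n in cert_names(c))}

def probe(ip, hostname=HOSTNAME, port=443, timeout=5):
    """Live check: connect to the backend IP directly, validate the handshake for hostname."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return audit_pool({ip: tls.getpeercert()}, hostname) == {}
    except (ssl.SSLError, OSError):
        return False

# Constructed sample certificates (not captured from real servers).
SAMPLE = {
    "192.168.1.2": {"subject": ((("commonName", "www.app1.com"),),)},
    "192.168.1.3": {"subject": ((("commonName", "app-node3.internal"),),),
                    "subjectAltName": (("DNS", "www.app1.com"),)},
    "192.168.1.4": {"subject": ((("commonName", "www.app1.com"),),),
                    "subjectAltName": (("DNS", "app-node4.internal"),)},
}

if __name__ == "__main__":
    for ip, names in audit_pool(SAMPLE).items():
        print(f"{ip}: certificate names {names} do not cover {HOSTNAME}")
```

In the sample, 192.168.1.4 fails even though its CN is www.app1.com, because its SAN list omits that name. `probe()` needs network access to a backend and a CA that the local trust store accepts.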