How to set up SSL in a load balanced environment?

Here is our current infrastructure:

  1. 2 web servers behind a shared load balancer
  2. dns is pointing to the load balancer
  3. web app is done in asp.net, with wcf services

My question is how to set up the SSL certificate to support https connection.

Here are 2 ideas that I have:

  1. SSL certificate terminates at the load balancer. Secure/insecure communication behind the load balancer will be forwarded to 2 different ports.
    pro: only need 1 certificate as I scale horizontally
    cons: I have to check secure or not secure by checking which port the request is coming from. Doesn't quite feel right to me.

    WCF by design will not work when IIS is bound to 2 different ports
    (according to this)

  2. SSL certificate terminates on each of the servers?
    cons: need to add more certificates to scale horizontally

Thanks

ronaldwidha asked May 04 '09 05:05

2 Answers

Definitely terminate SSL at the load balancer!!! Anything behind that should NOT be visible outside. Why wouldn't two ports for secure/insecure work just fine?

Alex Martelli answered Oct 06 '22 02:10
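The question's first design (TLS terminated at the load balancer, HTTPS and HTTP forwarded to two different backend ports) leaves each web server to decide whether the client connection was secure. The following is an added example, not code from the question or either answer, showing that decision logic in a backend-neutral way. The port numbers (8443/8080), the `X-Forwarded-Proto` header convention and the load balancer's address range are assumptions; the security point is that a forwarded-scheme header is only meaningful when it arrives from the load balancer, since any peer that can reach the backend directly could set it.

```python
# Added example: deciding whether a request that reached a backend behind a
# TLS-terminating load balancer was originally HTTPS. All values are assumed.
from dataclasses import dataclass, field
import ipaddress

# Assumed load-balancer port mapping:
#   client :443 (TLS, terminated at LB) -> backend :8443
#   client :80  (plain HTTP)            -> backend :8080
SECURE_LOCAL_PORTS = {8443}
INSECURE_LOCAL_PORTS = {8080}

# Assumed address range the load balancer connects from. Only these peers are
# allowed to assert the client-facing scheme via a header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


@dataclass
class Request:
    """Minimal view of an inbound connection as the backend sees it (constructed)."""
    local_port: int            # backend port the LB connected to
    peer_ip: str               # address of the peer that opened the TCP connection
    headers: dict = field(default_factory=dict)


def is_trusted_proxy(peer_ip: str) -> bool:
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in TRUSTED_PROXIES)


def scheme_from_port(req: Request):
    """Port-based detection, as described in the question's first design."""
    if req.local_port in SECURE_LOCAL_PORTS:
        return "https"
    if req.local_port in INSECURE_LOCAL_PORTS:
        return "http"
    return None


def scheme_from_header(req: Request):
    """Header-based detection; honoured only when the LB itself is the peer."""
    if not is_trusted_proxy(req.peer_ip):
        return None
    raw = req.headers.get("X-Forwarded-Proto", "")
    value = raw.split(",")[0].strip().lower()   # first hop wins if chained
    return value if value in ("http", "https") else None


def client_scheme(req: Request) -> str:
    """Trusted header first, then port mapping; unknown means treat as plain HTTP."""
    return scheme_from_header(req) or scheme_from_port(req) or "http"


def https_redirect(req: Request, host: str, path: str):
    """Return a redirect target when the client used HTTP, or None when it was HTTPS."""
    if client_scheme(req) == "https":
        return None
    return f"https://{host}{path}"


if __name__ == "__main__":
    # Constructed sample connections.
    from_lb_tls = Request(8443, "10.0.0.5")
    from_lb_plain = Request(8080, "10.0.0.5")
    spoofed = Request(8080, "203.0.113.9", {"X-Forwarded-Proto": "https"})
    for r in (from_lb_tls, from_lb_plain, spoofed):
        print(r.local_port, r.peer_ip, "->", client_scheme(r))
```

With the port mapping in place the backend never needs a second certificate, which is the point of the answer above; the header path is there for load balancers that forward everything to one backend port and mark the original scheme instead. Either way, the backend should accept connections only from the load balancer's addresses, so a direct client cannot pick the "secure" port or forge the header.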


You don't actually need more certificates at all. Because the externally seen FQDN is the same, you use the same certificate on each machine.

This means that WCF (if you're using it) will work. WCF with the SSL terminating on the external load balancer is painful if you're signing/encrypting at a message level rather than a transport level.

blowdart answered Oct 06 '22 02:10