Loadbalancer SSL Termination & secure cookie

I need some clarity regarding load balancer ssl termination.

I have the following deployment overview:

CLIENT ->(https)-> [LB] ->(http)-> { app001 | app002 | appNNN }

I have a new requirement to access a secure cookie set by the client user agent in one of my back-end servers, which are located behind a load balancer.

I understand that the secure cookie must be transmitted over SSL, but if the load balancer terminates SSL, will the cookie be passed/visible to the backend servers?

Sam asked Feb 22 '16 20:02

1 Answer

Yes, it will be passed through to your web server even though the communication between your LB and Web server will be over HTTP. The client will not know that this is the case and believes it is communicating via HTTPS.

The secure cookie flag is observed by the browser and tells the browser to only send the cookie if the communication is via HTTPS. Since the client sets up its communication to the LB (which is over HTTPS), the client believes it is going via HTTPS and the cookie will be sent.

grandnasty answered Oct 20 '22 02:10
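A small model of the rule described in the answer, added here as an example (not code from the original post): the browser decides whether to attach a Secure cookie from the scheme of its own request, so once the load balancer terminates TLS the backend still receives the cookie, now over plain HTTP. The host name, cookie value and the X-Forwarded-Proto convention are assumptions for the example.

```python
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed Set-Cookie header, as an app server behind the LB would emit it.
SET_COOKIE = "session=abc123; Secure; HttpOnly; Path=/"


def browser_cookie_header(set_cookie: str, request_url: str) -> Optional[str]:
    """Model the user agent's rule: a cookie flagged Secure is attached only
    when the request the browser itself makes uses https. The browser never
    sees what happens behind the load balancer."""
    jar = SimpleCookie(set_cookie)
    scheme = urlsplit(request_url).scheme
    pairs = []
    for name, morsel in jar.items():
        if morsel["secure"] and scheme != "https":
            continue  # Secure cookie withheld on a plain-http request
        pairs.append(f"{name}={morsel.value}")
    return "; ".join(pairs) or None


def load_balancer_forward(client_headers: Dict[str, str], client_url: str) -> Dict[str, str]:
    """Terminate TLS and forward the request headers unchanged to a backend
    over plain http. X-Forwarded-Proto records the client-facing scheme
    (an assumed convention, not something the original post mentions)."""
    forwarded = dict(client_headers)
    forwarded["X-Forwarded-Proto"] = urlsplit(client_url).scheme
    return forwarded


def backend_session(headers: Dict[str, str]) -> Optional[str]:
    """What the backend sees: the Cookie header arrives over http as-is."""
    cookie = headers.get("Cookie")
    if not cookie:
        return None
    jar = SimpleCookie(cookie)
    return jar["session"].value if "session" in jar else None


def simulate(client_url: str) -> Tuple[Optional[str], str]:
    """Run one client request through browser -> LB -> backend and return
    (session value seen by the backend, scheme the LB reports)."""
    client_headers = {"Host": "example.test"}  # constructed
    cookie_header = browser_cookie_header(SET_COOKIE, client_url)
    if cookie_header:
        client_headers["Cookie"] = cookie_header
    backend_headers = load_balancer_forward(client_headers, client_url)
    return backend_session(backend_headers), backend_headers["X-Forwarded-Proto"]
```

Because the backend's own socket is plain HTTP, a framework that sets the Secure flag only when its socket is TLS will drop the flag on new cookies; configure it to trust the load balancer's X-Forwarded-Proto instead.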