
Setting up SSL Offloading via API

Reviewed on 09 May 2023 • Published on 26 May 2021

SSL offloading can be configured using the Load Balancers API.

Security & Identity (IAM):

You may need certain IAM permissions to carry out some actions described on this page. This means:

  • you are the Owner of the Scaleway Organization in which the actions will be carried out, or
  • you are an IAM user of the Organization, with a policy granting you the necessary permission sets

Requirements:

Before configuring the Load Balancer via the API, prepare your environment to simplify API usage. Retrieve the secret_key and the organization_id from the Scaleway console or the API and set them as environment variables. Also set the geographical location of your Load Balancer:

export SECRET_KEY="<secret_key>"
export REGION="<choose your location (nl-ams/fr-par)>"
export ORGANIZATION_ID="<your organization ID>"

  1. Create a new Load Balancer by running the following API call. Customize the name, description and tags:
    curl -X POST "https://api.scaleway.com/lb/v1/regions/$REGION/lbs" -H "accept: application/json" -H "X-Auth-Token: $SECRET_KEY" -H "Content-Type: application/json" \
    -d "{\"description\":\"YOUR DESCRIPTION\",\"name\":\"TEST\",\"organization_id\":\"$ORGANIZATION_ID\",\"tags\":[\"test\", \"step by step\"]}"

The API call returns JSON output similar to the example below, where:

  • The first line starting with id displays the ID of the newly created Load Balancer.
  • The line starting with ip_address displays the load balanced IP.

{
  "id": "6208ec73-2b0e-4b60-b449-7f6bd72fd522",
  "name": "TEST",
  "description": "YOUR DESCRIPTION",
  "status": "pending",
  "Instances": [],
  "organization_id": "ORGANIZATION_ID",
  "ip": [
    {
      "id": "7906bc2b-00cd-4548-8e06-ebfdf1e850be",
      "ip_address": "51.159.11.11",
      "organization_id": "6208ec73-2f0a-8e06-9ea1-e53b4f625527",
      "lb_id": "6208ec73-2b0e-4b60-b449-7f6bd72fd522",
      "reverse": "",
      "region": "fr-par"
    }
  ],
  "tags": [
    "test",
    "step by step"
  ],
  "frontend_count": 0,
  "backend_count": 0,
  "region": "fr-par"
}

  2. Copy the id field of the response for use in the next steps. For convenience, save the ID to a variable, which will be used in the following steps.
    export LB_ID="REPLACE-BY-ID-OF-YOUR-LOAD-BALANCER"
  3. Create a new backend. This tutorial assumes that a web application is running on port 80 of the backend machines. Make sure to replace REPLACE-BY-IP-OF-YOUR-SERVER1 and REPLACE-BY-IP-OF-YOUR-SERVER2 with the IPs of the backend servers:
    curl -s -X POST "https://api.scaleway.com/lb/v1/regions/$REGION/lbs/$LB_ID/backends" -H "accept: application/json" -H "X-Auth-Token: $SECRET_KEY" -H "Content-Type: application/json" \
    -d "{\"forward_port\":80,\"forward_port_algorithm\":\"roundrobin\",\"forward_protocol\":\"tcp\",\"health_check\":{\"check_delay\":2000,\"check_max_retries\":3,\"check_timeout\":1000,\"port\":80,\"tcp_config\":{}},\"name\":\"main backend\",\"send_proxy_v2\":false,\"server_ip\":[\"<REPLACE-BY-IP-OF-YOUR-SERVER1>\", \"<REPLACE-BY-IP-OF-YOUR-SERVER2>\"]}" | jq .

A JSON output similar to that of the first request displays.

  4. Copy the value of the first line of the output, starting with id, and set it as a variable:
    export BACKEND_ID="<REPLACE-BY-ID-OF-YOUR-BACKEND>"
  5. Create the certificate by calling the API endpoint, after replacing YOUR-CERTIFICATE-NAME with a friendly name for the certificate and REPLACE-BY-YOUR-DOMAIN-NAME with your domain name (e.g. lb.example.com):
    curl -X POST "https://api.scaleway.com/lb/v1/regions/$REGION/lbs/$LB_ID/certificates" -H "accept: application/json" -H "X-Auth-Token: $SECRET_KEY" -H "Content-Type: application/json" -d "{\"name\":\"<YOUR-CERTIFICATE-NAME>\",\"letsencrypt\":{\"common_name\":\"<REPLACE-BY-YOUR-DOMAIN-NAME>\"}}"

The certificate details are presented in the form of a JSON list.

  6. Copy the value of the first line of the list starting with id and set it as a variable:
    export CERT_ID="<REPLACE-BY-ID-OF-YOUR-CERTIFICATE>"
  7. Create a new frontend by specifying the IDs of the Load Balancer, an existing backend and the certificate. Also specify the inbound_port (443, the default HTTPS port) on which the frontend will listen for incoming connections.
    curl -X POST "https://api.scaleway.com/lb/v1/regions/$REGION/lbs/$LB_ID/frontends" -H "accept: application/json" -H "X-Auth-Token: $SECRET_KEY" -H "Content-Type: application/json" \
    -d "{\"backend_id\":\"$BACKEND_ID\",\"inbound_port\":443,\"name\":\"main frontend\",\"timeout_client\":5000,\"certificate_id\": \"$CERT_ID\"}"

The Load Balancer is now up, configured with a Let’s Encrypt SSL/TLS certificate, accepting HTTPS connections on port 443 and terminating the HTTPS sessions on the Load Balancer before connecting to the backends via a plain HTTP connection.
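
The steps above can also be chained so that each returned id feeds the next call without copy and paste. The following Python script is an added example, not Scaleway's own code: it sends the same four POST bodies as the curl calls, expects REGION, ORGANIZATION_ID and SECRET_KEY to be exported in the environment, and the function names, the injectable post parameter and the cert-<domain> certificate name are assumptions made here.

```python
import json
import os
import urllib.request

API = "https://api.scaleway.com/lb/v1/regions"


def post_json(url, payload, token):
    """POST a JSON body with the X-Auth-Token header and return the decoded reply."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"X-Auth-Token": token, "accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verified by default
        return json.load(resp)


def setup_ssl_offloading(region, org_id, token, domain, server_ips, post=post_json):
    """Run the four POST calls from the steps above, feeding each returned id forward."""
    lbs = f"{API}/{region}/lbs"
    lb = post(lbs, {"name": "TEST", "description": "YOUR DESCRIPTION",
                    "organization_id": org_id,
                    "tags": ["test", "step by step"]}, token)
    base = f"{lbs}/{lb['id']}"
    backend = post(f"{base}/backends", {
        "name": "main backend", "forward_port": 80,
        "forward_port_algorithm": "roundrobin", "forward_protocol": "tcp",
        "health_check": {"check_delay": 2000, "check_max_retries": 3,
                         "check_timeout": 1000, "port": 80, "tcp_config": {}},
        "send_proxy_v2": False, "server_ip": list(server_ips)}, token)
    cert = post(f"{base}/certificates", {
        "name": f"cert-{domain}",  # assumed friendly name, not from the page
        "letsencrypt": {"common_name": domain}}, token)
    frontend = post(f"{base}/frontends", {
        "name": "main frontend", "backend_id": backend["id"],
        "certificate_id": cert["id"], "inbound_port": 443,
        "timeout_client": 5000}, token)
    return {"lb_id": lb["id"], "ip_address": lb["ip"][0]["ip_address"],
            "backend_id": backend["id"], "cert_id": cert["id"],
            "frontend_id": frontend["id"]}


if __name__ == "__main__":
    # Same variable names as the curl calls above; domain and IPs are placeholders.
    ids = setup_ssl_offloading(
        os.environ["REGION"], os.environ["ORGANIZATION_ID"],
        os.environ["SECRET_KEY"], "lb.example.com",
        ["<REPLACE-BY-IP-OF-YOUR-SERVER1>", "<REPLACE-BY-IP-OF-YOUR-SERVER2>"])
    print(json.dumps(ids, indent=2))
```

Building the bodies with json.dumps avoids the hand-escaped quotes of the curl commands, and reading the secret key from the environment keeps it out of the script itself.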

For more information about the configuration of a Load Balancer via the API, refer to the API documentation.