Setting up SSL Offloading via API
SSL offloading can be configured using the Load Balancers API.
You may need certain IAM permissions to carry out some actions described on this page. This means:
- you are the Owner of the Scaleway Organization in which the actions will be carried out, or
- you are an IAM user of the Organization, with a policy granting you the necessary permission sets
- You have an account and are logged into the Scaleway console.
Before configuring the Load Balancer from the API, prepare your environment to facilitate the API usage. Recover the secret_key
and the organization_id
from the Scaleway console or the API and set them as environment variables.
Make sure you also have configured the geographical location of your Load Balancer:
export TOKEN="<secret_key>"REGION="<choose your location (nl-ams/fr-par)>"ORGANIZATION_ID="<your organization ID>"
- Create a new Load Balancer by running the following API call. Customize the
name
,description
andtags
:curl -X POST "https://api.scaleway.com/lb/v1/regions/$REGION/lbs" -H "accept: application/json" -H "X-Auth-Token: $SECRET_KEY" -H "Content-Type: application/json" \-d "{\"description\":\"YOUR DESCRIPTION\",\"name\":\"TEST\",\"organization_id\":\"$ORGANIZATION_ID\",\"tags\":[\"test\", \"step by step\"]}"
The output of the API call returns a json
output, similar to the example below where:
- The first line starting with
id
displays the ID of the newly created Load Balancer. - The line starting with
ip_address
displays the load balanced IP.
{ "id": "6208ec73-2b0e-4b60-b449-7f6bd72fd522", "name": "TEST", "description": "YOUR DESCRIPTION", "status": "pending", "Instances": [], "organization_id": "ORGANIZATION_ID", "ip": [ { "id": "7906bc2b-00cd-4548-8e06-ebfdf1e850be", "ip_address": "51.159.11.11", "organization_id": "6208ec73-2f0a-8e06-9ea1-e53b4f625527", "lb_id": "6208ec73-2b0e-4b60-b449-7f6bd72fd522", "reverse": "", "region": "fr-par" } ], "tags": [ "test", "step by step" ], "frontend_count": 0, "backend_count": 0, "region": "fr-par"}
- Copy the
id
field of the response to use during the next steps. To simplify the use, save the ID to a variable, which will be used in the following steps.export LB_ID="REPLACE-BY-ID-OF-YOUR-LOAD-BALANCER" - Create a new backend. This tutorial supposes that a web application is running on port
80
of the backend machines. Make sure to replaceREPLACE-BY-IP-OF-YOUR-SERVER1
andREPLACE-BY-IP-OF-YOUR-SERVER2
with the IPs of the backend servers:curl -s -X POST "https://api.scaleway.com/lb/v1/regions/$REGION/lbs/$LB_ID/backends" -H "accept: application/json" -H "X-Auth-Token: $SECRET_KEY" -H "Content-Type: application/json" \-d "{\"forward_port\":80,\"forward_port_algorithm\":\"roundrobin\",\"forward_protocol\":\"tcp\",\"health_check\":{\"check_delay\":2000,\"check_max_retries\":3,\"check_timeout\":1000,\"port\":80,\"tcp_config\":{}},\"name\":\"main backend\",\"send_proxy_v2\":false,\"server_ip\":[\"<REPLACE-BY-IP-OF-YOUR-SERVER1>\", \"<REPLACE-BY-IP-OF-YOUR-SERVER2>\"]} | jq ."
A json
output similar to the first request displays.
4. Copy the value of the first line of the output, starting with id, and set it as a variable:
export BACKEND_ID="<REPLACE-BY-ID-OF-YOUR-BACKEND>"
- Create the certificate by calling the API endpoint, after replacing
YOUR-CERTFICATE-NAME
with a friendly name for the certificate andREPLACE-BY-YOUR-DOMAIN-NAME
with your domain name (i.e.lb.example.com
):curl -X POST "https://api.scaleway.com/lb/v1/regions/$REGION/lbs/$LB_ID/certificates" -H "accept: application/json" -H "X-Auth-Token: $SECRET_KEY" -H "Content-Type: application/json" -d "{\"name\":\"<YOUR-CERTIFICATE-NAME>\",\"letsencrypt\":{\"common_name\":\"<REPLACE-BY-YOUR-DOMAIN-NAME>\"}}"
The certificate details are presented in the form of a json
list.
6. Copy the value of the first line of the list starting with id
and set it as a variable:
export CERT_ID="<REPLACE-BY-ID-OF-YOUR-CERTIFICATE>"
- Create a new frontend by specifying the IDs of the Load Balancer, an existing backend and the certificate. Specify also the
inbound_port
(Port443
for the defaultHTTPS
port), on which the frontend will listen for incoming connections.curl -X POST "https://api.scaleway.com/lb/v1/regions/$REGION/lbs/$LB_ID/frontends" -H "accept: application/json" -H "X-Auth-Token: $SECRET_KEY" -H "Content-Type: application/json" \-d "{\"backend_id\":\"$BACKEND_ID\",\"inbound_port\":443,\"name\":\"main frontend\",\"timeout_client\":5000,\"certificate_id\": \"$CERT_ID\"}"
The Load Balancer is now up, configured with a Let’s Encrypt SSL/TLS certificate, accepting HTTPS
connections on port 443
and terminating the HTTPS
sessions on the Load Balancer before connecting to the backends via a plain HTTP
connection.
For more information about the configuration of a Load Balancer via the API, refer to the API documentation.