HomeNetworkLoad BalancersHow to
Set up TLS/SSL offloading, passthrough or bridging

Jump toUpdate content

How to set up TLS/SSL passthrough, offloading or bridging

Published on 26 May 2021

Encrypted HTTPS traffic can be handled in various ways with Scaleway Load Balancers. You can choose to set up TLS/SSL passthrough, TLS/SSL offloading or TLS/SSL bridging. This page explains more about these three options and guides you through the setup process for each.

Requirements:

How to configure TLS/SSL passthrough

Passthrough is the simplest way to handle HTTPS traffic on a Load Balancer. As the name suggests, traffic is simply passed through the Load Balancer without being decrypted on it. Whilst this option generates very low overhead, no layer 7 actions can be carried out. This means that no cookie-based sticky sessions are possible with this method. In addition, if an application does not share sessions between servers, users’ sessions may get lost by being redirected to different servers of the group.

To configure SSL passthrough, create a frontend listening on port 443 and a backend listening on port 443 with the TCP protocol.

If you need help with creating and editing frontends and backends, refer to the documentation on how to manage frontends and backends.

How to configure TLS/SSL offloading

SSL offloading means that all HTTPS traffic is decrypted on the Load Balancer and passed to the backend servers in plain HTTP. Any layer 7 actions may therefore be applied to the traffic before passing it to the backend hosts. Traffic that has gone through the offloading process is marked with a new header, called X-Forwarded-Proto.

How to configure TLS/SSL offloading with Let’s Encrypt SSL certificates

Let’s Encrypt is a non-profit certificate authority (CA) that provides free domain-validated SSL certificates. These certificates are recognized by most modern web browsers as trustworthy. The goal of the project is to make TLS encrypted connections omnipresent on Internet servers. Therefore the solution is easy to install and to maintain and it is possible to generate SSL/TLS certificates directly from the Scaleway console.

  1. Click Load Balancers in the Network section of the Scaleway Console side menu. The Load Balancer dashboard displays.

  2. Click the Load Balancer you want to configure. The Load Balancer information page displays.

  3. Click the SSL Certificates tab.

  4. Click Create a SSL certificate.

  5. Enter the required details for the SSL certificate, which include:

    • SSL Certificate Name: A name of your choice, to faciliate certificate management.
    • SSL Certificate Type: The type of SSL certificate: select Let’s Encrypt from the drop-down list.
    • SSL Common Name: The common name which is the main domain name linked to the certificate.
    • SSL Subject Alternative Names: If the certificate should be valid for multiple domain names, enter all additional domain names.
  6. Click Create SSL certificate to request the certificate from the Let’s Encrypt authority.

    Note:

    Let’s Encrypt certificates have by default a validity of 90 days and are renewed automatically from our side before the expiry date. You do not have to worry about your certificate expiring and become invalid.

  7. Continue to the section How to configure frontends and backends for SSL offloading.

How to configure TLS/SSL offloading using a third party TLS/SSL certificate

Scaleway Load Balancers also support third party SSL certificates. These are certificates issued by a Certificate Authoriy (CA) other than Let’s Encrypt. Depending on the CA, they may offer extended validation certificates which require full verification of the requesting entity’s legal identity before issuing the certificate. These certificates can be useful for websites that require a high trust level, like e-commerce or government websites, and can be easily imported into the Load Balancer configuration from the management console.

See also our documentation on how to create a self-signed TLS certificate.

  1. Click Load Balancers in the Network section of the Scaleway Console side menu. The Load Balancer dashboard displays.

  2. Click the Load Balancer you want to configure. The Load Balancer information page displays.

  3. Click the SSL Certificates tab.

  4. Click Create a SSL certificate.

  5. Enter the required details for the SSL certificate, which include:

    • SSL Certificate Name: A name of your choice ,to facilitate certificate management.
    • SSL Certificate Type: The type of SSL certificate: select Import certificate from the drop-down list.
    • SSL Third Party Certificate: The full PEM-formatted certificate, including the entire certificate chain with public key, private key, and (optionally) certificate authorities. You may have received this information either in a combined file or in several separate files from your certificate authority (CA). Contact them for more details on how to combine the information if you received the chain divided into multiple files.
  6. Click Create SSL certificate to check and import your third party SSL certificate.

  7. Continue to the section How to configure frontends and backends for SSL offloading.

    Note:

    Third party certificates have a given validity set by your certificate authority. Unfortunately we can not automatically manage and renew them for you. Make sure to renew your certificate before expiration and upload the new certificate to avoid connection errors caused by experienced certificates.

How to configure frontends and backends for TLS/SSL offloading

You should now create or edit your frontend and backend with your SSL Certificate.

  1. Click Load Balancers in the Network section of the Scaleway Console side menu. The Load Balancer dashboard displays.

  2. Click the Load Balancer you want to configure. The Load Balancer information page displays.

  3. Click the Frontend tab.

  4. Click Add Frontend to create a new frontend, or click the «See more Icon» icon next to an existing frontend to edit it.

  5. Configure the frontend as follows:

    • Frontend name: A friendly name for the frontend
    • Port: The port number on which the frontend listens. Enter 443 to configure the Load Balancer to listen on the standard HTTPS port.
    • SSL Certificate: Choose the SSL Certificate to use from the drop-down list.
  6. If you are editing an existing frontend:

    • Save the configuration by clicking Edit frontend.
    • Click the Backends tab.
    • Click the «See more Icon» icon next to the backend to edit it.

    If you are creating a new frontend and backend, continue to the backend creation steps.

  7. Configure the backend as follows:

    • Backend name: A friendly name for the backend
    • Protocol: The protocol to use for the backend. Choose HTTP from the drop-down list.
    • Port: The port on which the backend application listens. Enter 80 to configure the Load Balancer to communicate with the backend on the standard HTTP port.
    • Proxy: Select the Proxyv2 protocol.
    • Health Check: Configure a HTTP health check to detect if the backend application is available.
    • Server IP(s): Enter the IP address of the server(s) running the backend application.
      • Configure advanced settings if required:
        • S3 failover: activate the feature and enter a Scaleway Object Storage URL. If none of your backend servers are available, users will be redirected to this page.
        • Sticky session: activate the feature and enter the name for a cookie that will bind users’ sessions to specific backend servers.
  8. Click the Edit or Create button as applicable to finish the process.

  9. Open a web browser and point it to https://common_name. Make sure to replace common_name with the main domain configured in the SSL certificate. The connection is now encrypted with SSL.

How to configure TLS/SSL bridging

SSL bridging removes SSL-based encryption from HTTPS traffic coming into the Load Balancer (as with SSL offloading), but then initiates a new SSL connection to re-encrypt traffic between the Load Balancer and the backend servers. To configure SSL bridging, you must configure your backend to listen on port 443 with TCP protocol, and add an SSL certificate to your frontend, as detailed below:

  1. Create a frontend listening on port 443 (although other ports can be used) and a backend listening on port 443 (mandatory for SSL bridging) with the TCP protocol.
  2. Create an SSL certificate as detailed above, using either Let’s Encrypt or a third party certificate.
  3. Edit your frontend and select the SSL certficate from the dropdown list.
See Also