HTTPS Load Balancing
HTTPS load balancing requires an SSL certificate and its private key. This page describes how to set it up.
Note that in https offload pools the load balancer terminates TLS: client-side traffic (client to balancer) uses https and server-side traffic (balancer to your instances) uses http. For additional information on https offload pools, please check the Load Balancing Pool Types page.
Note also that a pool's type can't be changed to https just by changing its port value via the manage-lb-pool modify command. You have to create a new pool with the type specified as https (refer to the manage-lb-pool man page for command option details).
1. Start an Instance
Reserve an available server and launch an instance as usual via the manage-server reserve and manage-instance launch commands (see the manage-server and manage-instance wiki man pages). When the instance status has changed from "starting" to "running", log in to the instance in the usual way:
(It is assumed here that you use key.pem as your private key file to log in to your instances.)
2. Install and Configure Your Web Server
Installing Apache (the package name is "httpd"):
Make Apache start automatically on reboot:
Let's create a dummy web page on the server to check that our installation works:
Now installing the SSL module for Apache (mod_ssl):
3. Configure SSL Using Self-signed Certificate
(For a certificate signed by a certificate authority, see Configure SSL Using Authorized Certificate and Certificate Chains below.)
We have to alter the SSL configuration by editing the /etc/httpd/conf.d/ssl.conf file (installed with the mod_ssl module) to make the web server aware of the certificate. We also need to generate a private key and a self-signed certificate for the server (no separate CA key is involved: the certificate request is signed with the server's own key).
Here are the basic steps to create a self-signed certificate:
1. Creating an RSA key and a certificate request:
After setting the passphrase and answering several questions, we have two files –
2. Removing the passphrase from the key (you need to enter the passphrase set in step 1):
3. Converting the request into a signed certificate:
(Use whatever number of days you need.)
4. Now we have a private key without a passphrase. Let's set the correct permissions for it, so that only its owner can read it:
5. Moving the certificate and key to the place they belong:
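The five steps above as one non-interactive script, as an added example (not the page's own commands). Assumptions that are not from the page: the output directory, common name, validity and the one-time passphrase are parameters, and the final copy into the CentOS 5 system paths (step 5) is left to the caller. The two helper checks at the end are the ones worth running before handing the files to httpd or the balancer: that the key really has no passphrase, and that the certificate was made from that key.

```shell
#!/bin/sh
# Added example, not the page's own commands: the five self-signed
# certificate steps as a non-interactive POSIX sh function.
# Assumptions (not from the page): output directory, CN, validity and the
# one-time passphrase are parameters; copying into /etc (step 5) is left
# to the caller.

# make_selfsigned_cert DIR CN DAYS PASSPHRASE
#   Leaves DIR/server.key (no passphrase, mode 0600) and DIR/server.crt.
make_selfsigned_cert() {
    dir=$1; cn=$2; days=$3; pass=$4
    mkdir -p "$dir" || return 1

    # Step 1: RSA key, protected by the passphrase, plus a certificate
    # request. -subj supplies the answers openssl would otherwise prompt for.
    openssl req -new -newkey rsa:2048 \
        -keyout "$dir/server.key.enc" -passout "pass:$pass" \
        -out "$dir/server.csr" \
        -subj "/C=US/ST=New York/L=New York/O=Example/CN=$cn" || return 1

    # Step 2: strip the passphrase so httpd can load the key unattended
    # (the load-balancer API also does not accept encrypted keys).
    openssl rsa -in "$dir/server.key.enc" -passin "pass:$pass" \
        -out "$dir/server.key" || return 1
    rm -f "$dir/server.key.enc"

    # Step 3: sign the request with its own key, giving a self-signed
    # certificate valid for DAYS days.
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" || return 1
    rm -f "$dir/server.csr"

    # Step 4: the key is now unencrypted, so only its owner may read it.
    chmod 600 "$dir/server.key"
}

# key_is_unencrypted KEYFILE -> exit 0 if no passphrase protects the key.
# Both PEM encodings of an encrypted key ("Proc-Type: 4,ENCRYPTED" and
# "BEGIN ENCRYPTED PRIVATE KEY") carry the word ENCRYPTED; a stripped key
# does not.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# cert_matches_key CERT KEY -> exit 0 if CERT's public key comes from KEY.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 1
    k=$(openssl rsa -noout -modulus -in "$2") || return 1
    [ "$c" = "$k" ]
}

# Usage: SELFSIGNED_DEMO=1 sh selfsigned.sh   (writes into ./tls-demo)
if [ -n "${SELFSIGNED_DEMO:-}" ]; then
    make_selfsigned_cert ./tls-demo lb.example.com 365 changeit || exit 1
    key_is_unencrypted ./tls-demo/server.key && echo "key: no passphrase"
    cert_matches_key ./tls-demo/server.crt ./tls-demo/server.key \
        && echo "certificate and key match"
fi
```

`openssl rsa -out` without `-passout` is what actually removes the passphrase; the script deletes the encrypted original, whereas the page's step 2 keeps it, so keep a copy if you want to re-encrypt later.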
Configuring the basics in ssl.conf:
(The path and filename /etc/httpd/conf.d/ssl.conf are correct for CentOS 5.)
Starting web server:
Next we need to temporarily open port 443 on our instance via
Let's query the instance via port 443 directly (no load balancing yet).
The -k option lets curl perform an "insecure" SSL connection, i.e. skip certificate verification, because our self-signed certificate is not trusted by curl's CA store. Use it only for this test; if the certificate's common name matches the host you query, --cacert server.crt lets curl verify the connection against our own certificate instead.
4. Configure SSL Using Authorized Certificate and Certificate Chains
This is not much different from the previous step, except that we already have a signed certificate (server.crt), a key (server.key), and a chain certificate (intermediate_bundle.crt) issued by some Certification Authority.
Let's check whether the passphrase has been removed from the key file (the API does not currently support passphrase-encrypted private keys):
If the key was created with a passphrase, a prompt to enter it will appear. In that case, remove the passphrase as follows:
Enter the existing passphrase when prompted. Now we have a new key file without a passphrase; the original key file remains unchanged.
Moving the certificates and key to the right place:
Configure the basics in ssl.conf on your instance:
(The path and filename /etc/httpd/conf.d/ssl.conf are correct for CentOS 5.)
Starting web server:
5. Load Balancing Instances
Load balancing an HTTPS pool is just like load balancing an HTTP pool, with two exceptions:
1) When you create the pool, you must use the --type parameter to select "https". Otherwise the default "http" pool type will be set, and the type cannot be modified later.
2) You must use port 443 instead of the standard HTTP port 80.
Adding instances to the pool:
Note: do not assign port 80 instead of 443 to an HTTPS load-balancing pool, as it won't work. If you don't specify a port number, port 443 is assigned automatically.
Next, repeat these steps for the other nodes that should be added to the pool.
Check that the load balancer is properly loading your instances by using the "manage-lb-pool status" command:
All set. Now we can check our HTTPS balancer from the outside.
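An added example (not the page's own commands) of checking the balancer from the outside. The point it adds to a single curl call: the balancer hands successive connections to different nodes, and each node carries its own copy of the certificate and key, so the check connects several times and requires that every node presents the certificate you installed. Assumptions that are not from the page: the balancer's hostname or VIP and the local copy of server.crt are parameters; nothing here uses the manage-lb-pool CLI, whose output format the page does not show.

```shell
#!/bin/sh
# Added example, not the page's own commands: verify that the balancer's
# public endpoint presents the certificate we installed, on every node it
# routes to. Assumptions (not from the page): balancer host/VIP and the
# local server.crt are parameters.

# cert_fingerprint CERTFILE -> SHA-256 fingerprint of a local PEM certificate
cert_fingerprint() {
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$1") || return 1
    printf '%s\n' "${fp#*=}"
}

# served_cert_fingerprint HOST PORT [SNI]
#   Fingerprint of the leaf certificate HOST:PORT presents. Fails (no
#   output, exit 1) when the connection or handshake fails, so a refused
#   port cannot be mistaken for a matching certificate.
served_cert_fingerprint() {
    host=$1; port=$2; sni=${3:-$1}
    pem=$(openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null \
          | openssl x509 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256) || return 1
    printf '%s\n' "${fp#*=}"
}

# lb_serves_expected_cert HOST PORT CERTFILE [TRIES]
#   A balancer may hand successive connections to different nodes, so
#   connect TRIES times and require the same certificate every time.
lb_serves_expected_cert() {
    want=$(cert_fingerprint "$3") || return 1
    tries=${4:-5}; i=0
    while [ "$i" -lt "$tries" ]; do
        i=$((i + 1))
        got=$(served_cert_fingerprint "$1" "$2") || {
            echo "connection $i: no certificate received from $1:$2" >&2
            return 1
        }
        if [ "$got" != "$want" ]; then
            echo "connection $i: node presents $got, expected $want" >&2
            return 1
        fi
    done
    echo "$tries connections to $1:$2 all presented $want"
}

# https_status HOST CERTFILE -> HTTP status code of GET https://HOST/,
#   verifying against our own certificate rather than disabling checks
#   with -k (for a CA-issued certificate drop --cacert and use the system
#   trust store).
https_status() {
    curl -sS -o /dev/null -w '%{http_code}' --cacert "$2" "https://$1/"
}

# Usage: sh lbcheck.sh lb.example.com server.crt
if [ $# -eq 2 ]; then
    lb_serves_expected_cert "$1" 443 "$2" 5 && echo "status: $(https_status "$1" "$2")"
fi
```

If one connection reports a different fingerprint, a node was added to the pool with an old or different certificate; if a connection reports no certificate at all, a node is in the pool but is not serving on port 443.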
If you have problems with your certificate, check the following page: SSL Certificate and HTTPS Load-Balancing Problems.
As always, please create a ticket at https://portal.xandr.com/ or contact us at email@example.com if you have any questions or concerns.