SSL Termination allows for the termination of secure traffic at the load balancer. When this feature is disabled (the default configuration for Load Balancers), secure traffic is decrypted only by the web server that holds the SSL certificate. With this feature enabled, you can load balance SSL traffic over multiple Cloud Servers. This increases performance significantly when dealing with high-volume SSL traffic.
Normally, secure traffic comes into your site over an encrypted SSL connection and must be decrypted by the web server that holds the SSL certificate. The Cloud Load Balancer passes all traffic directly to the Cloud Server with the corresponding SSL certificate, placing the burden of the decryption on that server alone. This is because each device (Cloud Server or Cloud Load Balancer) handling traffic through an SSL connection requires either its own SSL certificate or a Licensed Certificate Option.
The main benefit of SSL Termination is that traffic is decrypted at the Cloud Load Balancer and then distributed to one or more Cloud Servers to be processed. Other benefits of using SSL Termination include:
Yes, SSL Termination on Cloud Load Balancers is supported in the Cloud Control Panel and the API. SSL Termination stops secure traffic at the load balancer and provides centralized certificate management. Features of this service include:
Note: SSL Termination should not be used when transferring certain types of Personally Identifiable Information (PII).
You can quickly configure SSL termination for an existing Cloud Load Balancer using the Cloud Control Panel.
The SSL configuration popover appears where you can enter and save your SSL configuration.
After SSL Termination decrypts the data at the Cloud Load Balancer it passes the unencrypted data to any nodes that are configured for that device. If you have nodes that are not in the same datacenter as the SSL-enabled load balancer, that unencrypted data will be sent over the public internet to those nodes. Therefore we recommend you use an SSL-enabled load balancer only with nodes that reside in the same datacenter as the load balancer. Their proximity allows the load balancer to use the nodes’ private IP addresses on the Rackspace Network to limit unencrypted traffic to within the datacenter’s network, as illustrated below.
The Rackspace Network is an internal-only, multi-tenant network connection within each Rackspace datacenter. Rackspace Network IPs are not accessible from the public Internet and are local per data center.
Note: You can configure your account resources, such as Cloud Servers and Cloud Load Balancers, to use the Rackspace Network IP address instead of the public IP address. Any traffic that occurs between your cloud resources on the Rackspace Network does not incur bandwidth charges.
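The check a practitioner would want before enabling SSL Termination is the one implied above: every node behind an SSL-enabled load balancer should be reachable on a Rackspace Network (private) address, otherwise the decrypted traffic leaves the datacenter in the clear. The following Python audit is an added example, not Rackspace's own code or API client. It assumes a load balancer description in JSON whose field names (`loadBalancer`, `sslTermination`, `enabled`, `nodes`, `address`) are modeled on the Cloud Load Balancers API but should be treated as assumptions, and it assumes the private range is `10.0.0.0/8` (`PRIVATE_NETS`); adjust that to the allocation your datacenter actually uses. The sample load balancer is constructed for the example.

```python
import ipaddress
import json

# Assumption: the address range of the Rackspace Network (private network) for
# this datacenter. Replace with the range your account actually uses.
PRIVATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample load balancer description. The JSON shape imitates the
# Cloud Load Balancers API but the field names are assumptions for this example.
SAMPLE_LB = json.dumps({
    "loadBalancer": {
        "name": "web-lb",
        "sslTermination": {"enabled": True, "securePort": 443},
        "nodes": [
            {"address": "10.180.2.11", "port": 80, "condition": "ENABLED"},
            {"address": "10.180.2.12", "port": 80, "condition": "ENABLED"},
            # This node sits on a public address: after termination the load
            # balancer would forward plaintext to it over the public Internet.
            {"address": "203.0.113.10", "port": 80, "condition": "ENABLED"},
        ],
    }
})


def is_on_private_network(address, nets=PRIVATE_NETS):
    """True if the node address lies inside one of the configured private ranges.

    Membership is tested explicitly against PRIVATE_NETS rather than with
    ipaddress's is_private, which also treats documentation ranges such as
    203.0.113.0/24 as private and would hide exactly the case we want to catch.
    """
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in nets)


def audit_cleartext_paths(lb_json, nets=PRIVATE_NETS):
    """Return the addresses of nodes that would receive decrypted traffic
    over a non-private path when SSL Termination is enabled.

    An empty list means either termination is off (the load balancer passes
    the encrypted stream through untouched) or every node is on the private
    network, so plaintext stays inside the datacenter.
    """
    lb = json.loads(lb_json)["loadBalancer"]
    ssl = lb.get("sslTermination", {})
    if not ssl.get("enabled", False):
        return []
    return [
        node["address"]
        for node in lb.get("nodes", [])
        if not is_on_private_network(node["address"], nets)
    ]


if __name__ == "__main__":
    exposed = audit_cleartext_paths(SAMPLE_LB)
    if exposed:
        print("SSL Termination enabled; plaintext would leave the private network to:")
        for addr in exposed:
            print("  -", addr)
    else:
        print("All nodes are on the private network; plaintext stays in the datacenter.")
```

Run the audit against the load balancer's node list before enabling SSL Termination, and again whenever nodes are added; the fix for a flagged node is to re-add it using its Rackspace Network IP address, which also avoids bandwidth charges for the backend traffic.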
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License