
Using SSL Termination


What is SSL Termination?

SSL Termination allows for the termination of secure traffic at the load balancer. When this feature is disabled (the default configuration for Load Balancers), secure traffic is decrypted only by the web server that holds the SSL certificate. With this feature enabled, you can load balance SSL traffic over multiple Cloud Servers. This increases performance significantly when dealing with high-volume SSL traffic.

 

How is SSL traffic normally handled?

Normally, secure traffic comes into your site over an encrypted SSL connection and must be decrypted by the web server that holds the SSL certificate. The Cloud Load Balancer passes all traffic directly to the Cloud Server with the corresponding SSL certificate, placing the burden of the decryption on that server alone. This is because each device (Cloud Server or Cloud Load Balancer) handling traffic through an SSL connection requires either its own SSL certificate or a Licensed Certificate Option.  

 

What are the benefits of using SSL Termination on the Cloud Load Balancer?

The main benefit of SSL Termination is that traffic is decrypted at the Cloud Load Balancer and then distributed to one or more Cloud Servers to be processed. Other benefits of using SSL Termination include:

  • The ability to configure a load balancer that accepts both secure and unsecured traffic, or secure traffic only.
  • A less expensive option compared to a dedicated F5 load balancer solution.
  • An alternative to using HAProxy with Cloud Servers.

 

Do Cloud Load Balancers Support SSL Termination?  

Yes, SSL Termination on Cloud Load Balancers is supported in the Cloud Control Panel and the API. SSL Termination stops secure traffic at the load balancer, with centralized certificate management. Features of this service include:

  • SSL acceleration for improved throughput
  • Reduced CPU load at the application level for better performance
  • HTTP/HTTPS session persistence

 Note:  SSL Termination should not be used when transferring certain types of Personally Identifiable Information (PII).    

 

How do I configure SSL Termination using the Cloud Control Panel?

You can quickly configure SSL termination for an existing Cloud Load Balancer using the Cloud Control Panel.

  1. Click on an existing load balancer to open its Details Page.
  2. Scroll to the Optional Features section. 
  3. Click the Edit pencil to the right of the Secure Traffic (SSL) option:

[Figure: Configure SSL Termination for a Cloud Load Balancer Using the Cloud Control Panel]

The SSL configuration popover appears, where you can enter and save your SSL configuration.

What are the security concerns?

After SSL Termination decrypts the data at the Cloud Load Balancer, it passes the unencrypted data to any nodes that are configured for that device. If you have nodes that are not in the same datacenter as the SSL-enabled load balancer, that unencrypted data will be sent over the public internet to those nodes. Therefore, we recommend that you use an SSL-enabled load balancer only with nodes that reside in the same datacenter as the load balancer. Their proximity allows the load balancer to use the nodes’ private IP addresses on the Rackspace Network to limit unencrypted traffic to within the datacenter’s network, as illustrated below.

 

 

What is the Rackspace Network?

The Rackspace Network is an internal-only, multi-tenant network connection within each Rackspace datacenter. Rackspace Network IPs are not accessible from the public Internet and are local per data center.

Note: You can configure your account resources, such as Cloud Servers and Cloud Load Balancers,  to use the Rackspace Network IP address instead of the public IP address. Any traffic that occurs between your cloud resources on the Rackspace Network does not incur bandwidth charges. 
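The recommendation above (an SSL-terminating load balancer should reach its nodes only over private Rackspace Network addresses) can be checked against an inventory of load balancers. The following Python is an added example, not Rackspace code: the inventory layout, the sample addresses and the assumption that Rackspace Network addresses fall in the RFC 1918 private ranges are all illustrative.

```python
import ipaddress

# Assumption: internal (Rackspace Network) node addresses are RFC 1918 private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory; field names are hypothetical, not an API response.
SAMPLE_LBS = [
    {"name": "web-lb", "ssl_termination": True,
     "nodes": ["10.180.12.7", "203.0.113.25", "app.example.com"]},
    {"name": "passthrough-lb", "ssl_termination": False,
     "nodes": ["198.51.100.9"]},
]


def classify_node(address):
    """Return 'internal', 'public' or 'unverified' for one node address."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        # A hostname: where it resolves cannot be judged from the config alone.
        return "unverified"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "public"


def audit(load_balancers):
    """List (lb name, node address, status) for nodes that would receive
    decrypted traffic on a path not shown to be internal."""
    findings = []
    for lb in load_balancers:
        if not lb["ssl_termination"]:
            # Without termination the node decrypts, so the hop stays encrypted.
            continue
        for address in lb["nodes"]:
            status = classify_node(address)
            if status != "internal":
                findings.append((lb["name"], address, status))
    return findings


if __name__ == "__main__":
    for name, address, status in audit(SAMPLE_LBS):
        print(f"{name}: node {address} is {status}; plaintext may leave the datacenter")
```

A private address alone does not prove the node is in the same datacenter as the load balancer, so an "internal" result still needs the node's region confirmed.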

Requirements

  • Additional fees apply when SSL Termination is enabled.
  • SSL Termination is available to Rackspace Cloud Load Balancer customers in the US and UK with a valid SSL certificate/intermediate certificate and associated private key.
  • SSL Termination cannot be enabled when a Cloud Load Balancer is provisioned; it must be configured on existing Load Balancers by issuing a command through the API.

 



© 2011-2013 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License

