Configure load balanced sites with SSL offloading by using IIS
This article demonstrates how to configure load balanced sites with
Secure Sockets Layer (SSL) offloading by using Internet Information Services (IIS).
Create a web server to use a template
Create a web server, set up your site in IIS, and test the site to
make sure it is functioning correctly.
Create a load balancer
- In the Rackspace Cloud Portal, click the Servers tab, and then click Create Resources -> Load Balancers.
- In the Identification section, enter a Name and a Region.
- In the Configuration section, make sure to use the Protocol/Port values HTTP/80.
- Optionally, in the Add node section, click Add Cloud Servers and choose which servers to load balance, or if you prefer, click Add External Node and fill in the details. You can also add nodes after the load balancer is built.
- After it builds, click Actions -> Edit Protocol/Port to set SSL traffic. Make sure to allow both secure and insecure traffic and to use the default Hypertext Transfer Protocol Secure (HTTPS) port 443. Click Save Protocol/Port.
- In the Optional Features section, click the Edit pencil to the right of the Secure Traffic (SSL) option. In the pop-up dialog box, enter and save your SSL configuration.
Create a conditional redirect
- IIS version 7 does not support conditional redirects by default. To handle this, install an extension, such as Microsoft® URL Rewrite.
- The Rackspace Cloud Load Balancers service passes a header value that identifies the original protocol used by the request (HTTP or HTTPS). This header is labeled X_FORWARDED_PROTO. Its value is either http or https.
- You can set up a conditional redirect either by site or for the IIS instance. The following example uses rewrite on the site level. Insert the following XML into your web.config file in the system.webServer section:

  ```xml
  <rewrite>
    <!-- Site-level rules in web.config go in <rules>; <globalRules> is only valid in applicationHost.config. -->
    <rules>
      <rule name="HTTPS Redirect" enabled="true" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <!-- Skip requests that the load balancer already received over HTTPS. -->
          <add input="{HTTP_X_FORWARDED_PROTO}" pattern="https" negate="true" />
          <!-- Skip direct requests to the port 8080 binding. -->
          <add input="{SERVER_PORT}" pattern="8080" negate="true" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
      </rule>
    </rules>
  </rewrite>
  ```

- In addition to adding this rule, you need to add a binding to the site for port 8080. This enables monitoring services to test this server directly without binding a certificate to the site.
- Open a firewall port for direct testing. Depending on your security concerns, you can open port 8080 to all Internet Protocol (IP) addresses, or to a range of IPs used by your pollers. Opening this port allows the site to load without encryption from a remote IP address.
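To see which requests the redirect rule above applies to, the following added example (not part of the original article) evaluates the rule's conditions in Python. The `expand`, `evaluate` and `request` helpers and the host `www.example.com` are hypothetical, and the evaluator is a simplified model of URL Rewrite matching (conditions ANDed, case-insensitive patterns), not the module itself.

```python
import re
import xml.etree.ElementTree as ET

# The redirect rule from this article (rule element only).
RULE_XML = """
<rule name="HTTPS Redirect" enabled="true" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTP_X_FORWARDED_PROTO}" pattern="https" negate="true" />
    <add input="{SERVER_PORT}" pattern="8080" negate="true" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
</rule>
"""

def expand(template, variables, groups=()):
    """Substitute {NAME} server variables and {R:n} back-references."""
    def repl(m):
        token = m.group(1)
        if token.startswith("R:"):
            return groups[int(token[2:])]
        return variables.get(token, "")   # unset variables expand to ""
    return re.sub(r"\{([^}]+)\}", repl, template)

def evaluate(rule_xml, path, variables):
    """Return the redirect URL the rule would issue, or None if it does not fire."""
    rule = ET.fromstring(rule_xml)
    m = re.search(rule.find("match").get("url"), path, re.IGNORECASE)
    if m is None:
        return None
    groups = (m.group(0),) + m.groups()
    for cond in rule.iter("add"):         # all conditions must hold (assumed MatchAll)
        value = expand(cond.get("input"), variables)
        hit = re.search(cond.get("pattern"), value, re.IGNORECASE) is not None
        if cond.get("negate") == "true":
            hit = not hit
        if not hit:
            return None
    return expand(rule.find("action").get("url"), variables, groups)

def request(proto, port, host="www.example.com"):
    """Constructed server variables for one request (sample values)."""
    v = {"HTTP_HOST": host, "SERVER_PORT": str(port)}
    if proto is not None:
        v["HTTP_X_FORWARDED_PROTO"] = proto
    return v
```

Because the patterns match as substrings, a request on port 18080 also skips the redirect in this model; anchoring the pattern as `^8080$` restricts it to the exact port.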
Create a Monitoring Check
- In the Rackspace Cloud Portal Servers tab, click the server for which you want to create the monitor.
- In the Monitoring Checks section, click Create Check.
- Change the Check Type to HTTP Check (Website).
- In Check Name, enter a meaningful name.
- Enter the IP address of the server in URL, designating port 8080. The IP address is listed in the Networks section. If you are hosting multiple sites on the server, you need to give the server its own DNS name (for example, web1.customerdomain.com). Use this domain name instead of the IP address and make sure to designate port 8080.
- Click Create Check to confirm your entries.