Configuring SSL Termination on a Load Balancer

Adding SSL Certs and Cert Mappings to your Flex Load Balancer

Overview

SSL Termination allows a load balancer to handle SSL/TLS encryption and decryption, offloading the processing from backend instances. This guide provides steps to enable SSL Termination on Rackspace OpenStack Flex using the Skyline UI.

Prerequisites

Uploading Certificates

Before you can add the certificates to your Load Balancer, they need to exist within the Certificates section of Skyline. Here's how to add those:

  1. Log in to the Skyline UI.
  2. Go to Network > Certificates.
  3. Click Create Certificate
  4. In the fields provided, supply the following:
    1. Certificate Name
    2. Certificate Content
    3. Private Key
    4. Domain Name
    5. Expiration Date
  5. Click OK to complete the creation.
Example of Certificate Creation


Enabling SSL Termination

Navigate to Load Balancers

  1. Log in to Skyline UI.
  2. Go to Network > Load Balancers.
  3. Select the load balancer you want to configure.

Configure a Listener with a Primary SSL Certificate

  1. Under the Listeners tab, click Create Listener.
  2. Set the following values:
    • Protocol: HTTPS
    • Port: 443 (or another HTTPS port if applicable)
    • SSL Parsing Method is up to you.
  3. Select your certificate from the list of available certificates.
  4. Optional: Enable any of the following headers for additional information on the traffic arriving through your Load Balancer:
    1. X-Forwarded-For
    2. X-Forwarded-Port
    3. X-Forwarded-Proto
  5. Click Create
Example of a Listener with a Primary Cert


Verify Listener Configuration

  1. Once created, check that the listener is active.
  2. Ensure backend instances are configured to handle unencrypted traffic, because the load balancer decrypts requests before forwarding them.

Enabling SNI Mapping and Additional Certificates

Server Name Indication (SNI) allows hosting multiple SSL certificates on a single listener.

Add Additional Certificates

  1. Navigate to Network > Load Balancers and click the desired Load Balancer.
  2. In the Listeners pane for your Load Balancer, click Edit next to the Listener you're updating.
  3. Scroll down until you see SNI Enabled and toggle it On if it isn't already.
  4. Under the SNI Certificate section, select the certificate you want to add as an SNI mapped certificate.
  5. Click OK
Example of a Listener with a Primary Cert and SNI Mapped Cert


Validate SNI Configuration

  1. Ensure multiple domain names are correctly mapped.
  2. Test with curl or an SNI-supported browser:
    curl -v --resolve example.com:443:<LOAD_BALANCER_IP> https://example.com
    
  3. Verify that the correct certificate is served.
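
The curl test above checks one name at a time. As an added example (not part of the original guide), the script below requests the listener's certificate once per SNI name and reports any name that the served certificate's subjectAltName entries do not cover, which is what you see when a request falls back to the primary certificate. It assumes the openssl CLI (1.1.1 or later) is installed; the script name and the function names served_sans and san_matches are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): check the certificate a listener
# serves for each SNI name.
# Usage: sh sni_check.sh <LOAD_BALANCER_IP> name1 [name2 ...]

# served_sans IP NAME [PORT]: print the subjectAltName extension of the
# certificate the listener presents when NAME is sent as the SNI value.
served_sans() {
    openssl s_client -connect "$1:${3:-443}" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -ext subjectAltName 2>/dev/null
}

# san_matches NAME SAN_TEXT: succeed if a DNS entry in SAN_TEXT covers NAME.
# A wildcard entry covers exactly one left-most label.
san_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    sans=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr ',' '\n' | sed -n 's/^ *dns://p')
    while read -r san; do
        case "$san" in
            "$host") return 0 ;;
            \*.*)
                suffix=${san#\*}            # "*.example.org" -> ".example.org"
                label=${host%"$suffix"}     # what the wildcard has to stand for
                case "$label" in
                    "$host"|""|*.*) ;;      # suffix absent, or not a single label
                    *) return 0 ;;
                esac ;;
        esac
    done <<EOF
$sans
EOF
    return 1
}

# Run the check only when called with an IP and at least one name.
if [ "$#" -ge 2 ]; then
    ip=$1; shift
    rc=0
    for name in "$@"; do
        found=$(served_sans "$ip" "$name")
        if san_matches "$name" "$found"; then
            echo "OK       $name"
        else
            echo "MISMATCH $name: listener served [$(printf '%s' "$found" | tail -n 1)]"
            rc=1
        fi
    done
    exit "$rc"
fi
```

The script exits non-zero if any name is not covered, so it can run as a post-change check after editing a listener's SNI certificates.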

Conclusion

By following these steps, you can successfully enable SSL Termination and manage multiple certificates with SNI mapping using the OpenStack Skyline UI.