How to Configure SSL Termination

DigitalOcean Load Balancers are a fully-managed, highly available network load balancing service. Load balancers distribute traffic to groups of Droplets, which decouples the overall health of a backend service from the health of a single server to ensure that your services stay online.

When load balancing encrypted web traffic, there are two main configuration choices:

  • SSL termination, which decrypts SSL requests at the load balancer and sends them unencrypted to the backend via the Droplets' private IP addresses.

    SSL termination places the slower and more CPU-intensive work of decryption on the load balancer and simplifies certificate management. Traffic between the load balancer and its Droplets is secured by routing over the VPC network. However, if you host multiple customer applications in a single account or team, data could be readable by others on the private network. We recommend separating customers by team or using SSL passthrough instead.

  • SSL passthrough, which sends encrypted SSL requests directly to the backend, via the Droplets' private IP addresses. This secures the traffic between the load balancers and the backend servers.

    SSL passthrough distributes the decryption load across the backend servers, but every server must have the certificate information. You also can’t add or modify HTTP headers, so you may lose the client’s IP address, port, and other information contained in the X-forwarded-* headers.

To configure SSL termination, you need to add an SSL termination rule and choose or create an SSL certificate to use.

If you added your domain to DigitalOcean, you can use our Let’s Encrypt integration to create a fully managed SSL certificate. You can also manually upload a certificate if you don’t use DigitalOcean to manage your DNS, want to generate your own certificate, or have an existing certificate you want to upload.

DigitalOcean Load Balancers support only TLS 1.2 and TLS 1.3 for incoming connections, and do not support downgrading incoming connections to TLS 1.0 or 1.1. The same limits apply to connections from load balancers to Droplets.

Add the SSL Termination Rule

From the control panel, click Networking in the main navigation, then click Load Balancers. Click on the load balancer you want to modify, then click the Settings tab to go to its settings page.

Load Balancer Settings page

In the Forwarding Rules section, click Edit. You’ll see any existing forwarding rules and an option to add additional rules.

From the New rule drop-down, select HTTPS and/or HTTP2, which will open a new row of options. Fill in the fields to forward HTTPS and/or HTTP2 traffic on port 443 on the load balancers to HTTP port 80 on the Droplets.

Add an SSL Certificate

Next, you need to add an SSL certificate. In the Forwarding Rules section, where you’re filling in the new rule, the Certificate drop-down will display any SSL certificates already uploaded to your account.

The Certificate drop-down menu with two uploaded SSL certificates and the New Certificate option highlighted

If you want to use one of these certificates, select it from the menu and click Save. We’ll automatically create a new DNS A record for the apex domain pointing to the load balancer.

If you don’t have a certificate uploaded that you want to use, select the + New Certificate option. This will open a New Certificate window to guide you through either creating a new certificate with Let’s Encrypt and DigitalOcean DNS or uploading a certificate manually.

If you manage your domain with DigitalOcean DNS, you can choose the Use Let’s Encrypt tab to create a new, fully-managed SSL certificate. You can either use an existing domain you manage with DigitalOcean or add a new domain from here.

Use an Existing Domain

If you want to use a domain you already manage with DigitalOcean, select it from the menu. This will reveal the Select other subdomains to include option.

Creating a new Let's Encrypt SSL certificate with an existing domain on DigitalOcean

We’ll automatically create a new DNS A record for the apex domain pointing to the load balancer, but we won’t create or change DNS records for subdomains. If your subdomains don’t already point at the load balancer, you’ll need to add DNS records for that.

Enter a name for the certificate, then click Generate Certificate. You’ll see a pending status until the certificate has been issued, which typically takes a few seconds, after which you can click Save. As soon as the rule is saved, it’s active and you can begin testing.

Add a New Domain

If you want to start managing a new domain with DigitalOcean DNS to use, select the + Add new domain option to automatically import your domain to the control panel, add DNS records, and create the certificate.

When you do, an Additional steps required window will open to tell you that you need to update your nameserver records with your domain registrar.

We strongly recommend adding your domain to DigitalOcean before changing nameservers with your registrar. This minimizes service disruptions by creating matching records on DigitalOcean before you make the name server change, which can take up to 48 hours to take effect.

After you click Yes, continue, you’ll return to the New certificate window with the Add New Domain options.

Creating a new Let's Encrypt SSL certificate while adding a new domain to DigitalOcean

In the Add New Domain section, enter a domain you own. When you generate the certificate, this domain will be imported into the control panel. We’ll automatically create an A record pointing to the load balancer’s IP address.

Next, select any subdomains you want to use. We’ll automatically create CNAME records that reference the A record of the apex domain.

Enter a name for the certificate, then click Generate Certificate. You’ll see a pending status until the certificate has been issued, which typically takes a few seconds, after which you can click Save. As soon as the rule is saved, it’s active and you can begin testing.

In the Bring Your Own Certificate tab, you can manually enter the details of an existing certificate.

Uploading an existing SSL certificate

You need to fill in four fields:

  • Name. This is a name you choose to identify the certificate in the DigitalOcean interface. It can only contain letters, numbers, periods, and dashes.

  • Public key. This is the actual SSL public key or certificate file.

  • Private key. This is the secret key associated with the certificate.

  • Certificate Chain. This is the full trust chain between the trusted certificate authority’s certificate and your domain’s certificate.

Click the Save SSL Certificate button, then click Save to implement the new forwarding rule. As soon as the rule is saved, it’s active and you can begin testing.

Keep track of when manually-managed certificates expire to avoid service interruptions. You’ll need to update the certificate your load balancer uses when you generate a new certificate. Once you upload the renewed certificate to your account, you can edit the load balancer’s HTTPS rule and select the new certificate.

You can manage all of your account’s SSL certificates in the Account section of the main navigation, in the Security section. Learn more in our certificate management documentation.

Force SSL Traffic

If you would like to force visitors to connect over HTTPS for data integrity and security purposes, you can optionally redirect HTTP traffic to HTTPS. Any insecure connections made to the load balancer will be redirected to use the certificate you loaded.

To do this, click the Edit button associated with the SSL row in the settings. Inside, select the Redirect HTTP to HTTPS checkbox:

Load Balancer Settings SSL redirection open

Click Save to implement the change.