In my previous post, I talked about how to implement SSL certificate on shared hosting, Cloud/VPS server, Cloudflare, etc. and some of you asked how to do it on Load Balancer (LB).
It’s a good idea to terminate the SSL handshake at network edge device for many reasons.
- It’s faster
- You can make changes on the fly
- Easy maintenance
- SSL/TLS hardening managed by LB
Google Cloud Platform (GCP) is fantastic, and I use for Geek Flare and just love it. GCP offers many cloud solutions including the load balancer.
There are three types of load balancer available, and if you are hosting Web based applications, then HTTP(S) type is recommended.
Let’s take a look how to implement SSL certificate on Google Cloud HTTP(S) load balancer.
For this exercise, I will use my lab domain (techpostal.com) to forward traffic to compute engine VM (Nginx) through LB.
I assume you already have the following ready.
- Running web server
- HTTP(S) LB with port 80
Implementing Certificate on Google Cloud LB
- Login to Google Cloud >> Network services >> Load balancing (direct link)
- Click edit for the respective LB
- Go to frontend configuration >> Add Frontend IP and port
- Select the protocol as HTTPS
- I’ve left IP as ephemeral, but in a production system it’s recommended to have a static
- Drop-down Certificate and click “Create a new certificate.”
It will prompt an another window where you can enter private key, public and chain certificate.
- Let’s get the CSR (Certificate Signing Request) created using OpenSSL
openssl req -out techpostal.csr -newkey rsa:2048 -nodes -keyout techpostal.key
- Enter the necessary information as prompted
- You will notice key & CSR file created
[email protected]:~# ls -ltr -rw-r--r-- 1 root root 1704 Sep 2 06:56 techpostal.key -rw-r--r-- 1 root root 1017 Sep 2 06:56 techpostal.csr [email protected]:~#
Now you need to send this CSR to a certificate authority to sign it. I am using Let’s Encrypt to sign my certificate and have entered those details and click “create.”
There are more FREE SSL certificate provider if you want to explore.
- Click Done and then Update
Let’s get the frontend IP details by expanding the LB
Now, you got to update your domain A record to point the load balancer IP at the domain registrar. Once done, try to access your URL with https, and it should work.
This concludes SSL handshake for techpostal.com is getting terminated at the load balancer.
Google Cloud take care of necessary SSL/TLS hardening to ensure it’s not exposed to a known protocol, cipher vulnerabilities. I did a test at SSL Labs and got A rating.
I hope this quick guide helps you get SSL enabled on Google LB for your domain.
Hello Chandan,
I’ve been using let’s encrypt certificate on my websites. I’m having a hard time on figuring out on how to automate the certificate renewal on Google Load Balancer. Can you share your idea on this?
Thanks,
Nice tutorial Chandan, very helpful.
Here’s also a helpful post explaining how SSL impacts Google rankings, if someone’s interested: https://fourdots.com/blog/why-you-need-ssl-to-rank-better-in-2016-and-how-to-set-it-2169
How to forward 80 to 443 port?
Hello Vlad, you can configure LB to listen on 80 and 443 and get the redirection done through web server. I hope this helps.