
Consider a scenario where my service is using a keystore made of a self-signed certificate and the load balancer which is balancing traffic for the service is bound to a CA-approved certificate. I would like to know, when communication starts with the Client, who responds to the client with the certificate? Will the Service respond with the self-signed certificate or the Load balancer with the CA certificate?

I would like to know how communication will work between client-loadBalancer and loadBalancer-server? Which of them is secured?



Terminating HTTPS (presumably, you didn't state which protocol) on the load balancer has many advantages, a subset relevant here:

  • request inspection, protocol clean up/enforcement, URL restrictions and WAF capability
  • reply inspection, DLP capability
  • inspection of cookies/URLs for server assignment and session stickiness
  • (probably) common TLS session cache, hardware assisted RSA and symmetric cipher support

If you don't terminate TLS on the load-balancer, you will not have any inspection capability, and you will have limited session assignment options.

Using a certificate on the back-end (content/application) servers as well has some advantages:

  • the content/application back-end server uses the same protocol as the client, this can have an effect on the generation of absolute URLs, and change the behaviour of some protocol aware systems (e.g. OWA, but there are workarounds for this)
  • development and testing is usually easier if everything uses one protocol
  • you can keep everything in the front-end DMZ encrypted, which may be required by security policy
  • if there is no front-end DMZ (i.e. your load-balancer is outside your perimeter firewall) then this configuration is almost certainly required

and at least one disadvantage:

  • TLS overheads (mostly RSA key generation). On a trusted network it may be acceptable to use shorter RSA keys or quicker (less robust) symmetric ciphers, though. Persistent connections or longer session times also mitigate this.

In the general case, load-balancing or reverse-proxying is simplest when both the front-end and the back-end server use the same protocol (URI scheme), host name, port and URI path. This simplifies or eliminates the need for rewriting of headers, content, cookie paths, error messages etc.

The clients will (should) only see the public CA certificate on the front-end (load balancer). You can use a no-cost self-signed certificate on the back-end web server(s). There's usually no reason you cannot also use the same commercial CA certificates here too, though some CAs used to require a "licence" to use a certificate on more than one device.

All connections will be encrypted from client to load-balancer, and again from load-balancer to back-end server. See also: Should SSL be terminated at a load balancer?

mr.spuratic
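The two-hop setup the answer describes, written out as an added nginx configuration (not taken from the answer or from any particular load balancer product): the client is shown the CA-issued certificate on the front end, and the second hop is re-encrypted to back-end servers that present a self-signed certificate. Because a self-signed certificate cannot be validated against the system CA bundle, the proxy has to trust that specific certificate explicitly rather than switching verification off. All paths, addresses and host names below are assumed placeholders.

```nginx
# Added example (not from the answer): nginx acting as the TLS-terminating load balancer.
# Paths, addresses and names are hypothetical; replace them with your own.

upstream app_backend {
    server 10.0.1.10:443;   # back-end servers presenting a self-signed certificate (example addresses)
    server 10.0.1.11:443;
}

server {
    listen 443 ssl;
    server_name www.example.com;

    # Front-end hop: the publicly trusted, CA-issued certificate that clients see.
    ssl_certificate     /etc/nginx/tls/www.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Back-end hop: re-encrypt to the application servers (same scheme and port as the client used).
        proxy_pass https://app_backend;

        # Verify the back-end certificate against a trust store that contains only the
        # back-end's own self-signed certificate, not the system CA bundle.
        proxy_ssl_verify               on;
        proxy_ssl_verify_depth         1;
        proxy_ssl_trusted_certificate  /etc/nginx/tls/backend-selfsigned.pem;

        # Send SNI and check that the back-end certificate carries the expected name
        # (assumes the self-signed certificate was issued for app.internal.example).
        proxy_ssl_server_name on;
        proxy_ssl_name        app.internal.example;
        proxy_ssl_protocols   TLSv1.2 TLSv1.3;

        # Reuse back-end TLS sessions so the second handshake is not paid on every request.
        proxy_ssl_session_reuse on;

        # Pass the client-facing host and scheme so the application builds correct absolute URLs.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

When the back-end certificate is rotated, the file referenced by proxy_ssl_trusted_certificate must be updated at the same time, otherwise the load balancer will refuse the second hop.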