SSL termination with HAProxy
SSL (TLS) termination refers to decrypting the client's encrypted connection at the load balancer and carrying all traffic behind it in plaintext. Traffic between the load balancer and your internal services (and between the internal services themselves) is then unencrypted, so the network that carries it has to be one you actually control and trust. Owning the data center makes that easier but does not guarantee it: anyone with access to the internal network segment can read or modify the plaintext hop. If the backends sit on shared or untrusted infrastructure, put that traffic inside a VPN or have the load balancer re-encrypt to the backends (HAProxy can do this with `ssl` and `verify required` on the `server` lines) so it cannot be sniffed or tampered with.
Terminating SSL at the load balancer has a few advantages:
- A single place responsible for managing encryption and decryption of traffic, including cipher and protocol settings
- A centralized place to store certificates and private keys, instead of copying them to every backend
- The load balancer can inspect the decrypted traffic and route, filter or rate-limit based on what it sees
- The load balancer can modify the request and response if necessary
A somewhat common scenario in which you want the load balancer to modify the request is adding headers to HTTP requests. More specifically, it is common to have the load balancer add an X-Forwarded-For header containing the IP address the request originated from. Without this header, every request would appear to the backends to have originated at the load balancer. Two caveats apply. First, a client can send its own X-Forwarded-For header, so the load balancer should set (overwrite) the header rather than append to whatever the client supplied, and the backends should trust the header only when the request arrives from the load balancer. Second, if there are several proxies in the path the header becomes a comma-separated list, and the value you can trust is the one added by the last proxy you control.
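The following configuration is an added example, not taken from the original post or from the HAProxy project, that puts the two parts above together: TLS is terminated in the frontend, plain HTTP is redirected to HTTPS, X-Forwarded-For is overwritten (not appended) with the real client address, and the backend hop is plaintext, with a commented-out re-encrypted alternative. The certificate path, backend addresses, ports and names are assumptions chosen for illustration; the directives are HAProxy 2.x syntax.

```haproxy
global
    log /dev/log local0
    # Assumed TLS floor for the listening side; tune to your client base.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https_in
    # Terminate TLS here. The PEM file (assumed path) bundles the
    # certificate chain and the private key; HAProxy is the only host
    # that needs the key.
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem alpn h2,http/1.1
    bind *:80

    # Plain-HTTP clients are sent to HTTPS rather than served in the clear.
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Overwrite X-Forwarded-For with the TCP source address. Using
    # set-header (instead of "option forwardfor", which appends) means a
    # client-supplied X-Forwarded-For cannot be smuggled through to the
    # backends. X-Forwarded-Proto tells backends the original scheme.
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    default_backend app

backend app
    balance roundrobin
    # Plaintext hop to backends on an assumed private network segment
    # (10.0.1.0/24). Only the load balancer should be able to reach
    # these ports, so the backends can trust X-Forwarded-For.
    server app1 10.0.1.11:8080 check
    server app2 10.0.1.12:8080 check

    # Alternative if the internal network is not trusted: re-encrypt to
    # the backends and verify their certificates against an internal CA
    # (assumed path). Replace the two server lines above with:
    # server app1 10.0.1.11:8443 ssl verify required ca-file /etc/ssl/certs/internal-ca.pem check
    # server app2 10.0.1.12:8443 ssl verify required ca-file /etc/ssl/certs/internal-ca.pem check
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. On the backend side, read X-Forwarded-For only for connections that come from the load balancer's address; a service that is also reachable directly would otherwise accept a spoofed client IP from anyone.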