SSL Certificate Best Practices: Load Balancer vs Backend Servers for Wildcard HTTPS


9 views

When implementing HTTPS in a load-balanced environment, the certificate placement decision impacts:

  • Performance overhead (TLS handshake processing)
  • Certificate management complexity
  • Security boundary definitions
  • Protocol flexibility (TLS 1.3, cipher suites)
# AWS ALB example with ACM wildcard cert
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.main.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = "arn:aws:acm:region:account:certificate/id"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

Advantages:

  • Centralized certificate management (single rotation point)
  • Offloads CPU-intensive TLS operations from backend servers
  • Enables advanced features like SNI-based routing
  • Simplifies PCI DSS compliance scope
# Nginx configuration for backend SSL
server {
    listen 443 ssl;
    server_name *.example.com;
    
    ssl_certificate /etc/ssl/certs/wildcard.example.com.pem;
    ssl_certificate_key /etc/ssl/private/wildcard.example.com.key;
    
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    
    location / {
        proxy_pass http://localhost:8000;
    }
}

Use Cases:

  • When using client certificate authentication
  • Zero-trust architectures requiring end-to-end encryption
  • Legacy systems incompatible with LB termination

For maximum security in regulated environments:

  1. Terminate at LB with wildcard cert
  2. Re-encrypt with internal CA certificates between LB and backends
  • Automate renewals using ACME clients (Certbot, etc.)
  • Monitor expiration with tools like Prometheus SSL exporter
  • Enforce HSTS headers for all HTTPS responses
  • Rotate certificates at least annually (quarterly for PCI DSS)

When implementing HTTPS across a load-balanced infrastructure, architects face a critical decision point: whether to terminate SSL at the load balancer or maintain end-to-end encryption to origin servers. This choice impacts security, performance, and operational complexity.

Load Balancer Termination:

# Nginx configuration example for SSL termination
server {
    listen 443 ssl;
    server_name *.example.com;
    ssl_certificate /etc/ssl/certs/wildcard.example.com.crt;
    ssl_certificate_key /etc/ssl/private/wildcard.example.com.key;
    
    location / {
        proxy_pass http://backend_pool;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Pros:

  • Centralized certificate management
  • Reduced CPU overhead on origin servers
  • Simpler certificate rotation
  • Easier to implement advanced TLS features

End-to-End Encryption Approach:

# Apache configuration for origin server SSL
<VirtualHost *:443>
    ServerName app1.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
</VirtualHost>

Security Advantages:

  • Encrypted traffic throughout entire path
  • Protection against internal network snooping
  • Compliance with strict security policies

For high-security environments, consider this pattern:

# HAProxy configuration for double SSL
frontend https_in
    bind *:443 ssl crt /etc/haproxy/wildcard.pem
    mode http
    default_backend ssl_servers

backend ssl_servers
    mode http
    server srv1 10.0.1.1:443 ssl verify none
    server srv2 10.0.1.2:443 ssl verify none

Certificate management becomes more complex with multiple deployment points. Consider these factors:

  • Automated renewal processes (Certbot, ACME clients)
  • Consistency across environments
  • Monitoring expiration dates
  • Key rotation procedures

Based on AWS testing with 2048-bit RSA certificates:

Configuration Requests/sec CPU Utilization
LB Termination 12,500 35%
Origin SSL 8,200 72%
Double SSL 6,800 85%

For most web applications, we recommend SSL termination at the load balancer with these security enhancements:

# Modern TLS configuration for load balancer
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

Implementing Let's Encrypt with DNS challenge:

# Certbot command for wildcard certificates
certbot certonly \
  --manual \
  --preferred-challenges=dns \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos \
  -d *.example.com \
  -d example.com