If you have a site that is served over https only, you might be interested in a “hidden” feature of Rackspace Cloud Load Balancers. You can set up a Cloud Load Balancer to redirect to https in two different ways, but currently only one of them is exposed in the Rackspace Control Panel.
In certain situations (like my own), this “hidden” approach is more secure. In addition, since it’s a single API request to set up, it might save you a whole lot of time and money.
Option 1: http with SSL settings
The first way to set up https with a Cloud Load Balancer is to set up a normal http load balancer and set some settings in the “Optional Features” section. This, quite clearly, is exposed in the Control Panel. There is even a nice Knowledge Center article that describes the steps and the benefits of setting this up.
That same KC article also points out some of the security concerns. Taking the example in the article, if your servers live in a different datacenter from the load balancer, the load balancer will now be sending decrypted traffic to those servers across the public Internet.
Option 2: https… but a problem
So let’s pretend that we want to continue decrypting SSL traffic at the servers themselves. We know that setting up an http load balancer without the “Optional Features” settings won’t work because we ultimately want https traffic. Hitting the load balancer with https at this point simply doesn’t return anything. So we change the load balancer protocol to https and this appears to work at first: it successfully passes https traffic directly back to a server that is expecting https traffic.
But now we have the opposite problem: when someone tries to reach the server with a regular http request they get stuck at the load balancer because it no longer supports the http protocol. Even if you put an http to https redirect on the server, you never reach the server in the first place, so you never get redirected to https.
https with httpsRedirect
Rather than mess around with adding a second load balancer (and paying for it), sharing virtual IPs, the X-Forwarded-Proto header and whatever else, you can just set the “hidden” httpsRedirect option for the https load balancer. I call it hidden because it’s not exposed in the Control Panel, but it’s right here in the API docs:
Setting httpsRedirect to true will accept http requests but redirect them to https. Specifically, it appears to return a “301 Moved Permanently” response, which redirects to the same location, but with https as the protocol.
So, if you happen to want to continue to decrypt SSL at your servers rather than the load balancers, “httpsRedirect: true” is your friend.
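A way to confirm the redirect behaviour described above once httpsRedirect is enabled, as an added example that is not part of the original post or Rackspace's own code: the check takes the status and Location header returned for a plain http request and reports anything other than a 301 to the same location over https. The host www.example.com and the sample responses are constructed, and fetch_redirect is a hypothetical helper for running the check against your own load balancer.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def check_https_redirect(request_url, status, location):
    """Return a list of problems; empty means a 301 to the same location over https."""
    problems = []
    if status != 301:
        problems.append(f"expected 301, got {status}")
    if not location:
        problems.append("no Location header")
        return problems
    src = urlsplit(request_url)
    dst = urlsplit(urljoin(request_url, location))  # a relative Location inherits http
    if dst.scheme != "https":
        problems.append(f"redirect target uses {dst.scheme}, not https")
    if dst.hostname != src.hostname:
        problems.append(f"host changed: {src.hostname} -> {dst.hostname}")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("path or query changed")
    return problems

def fetch_redirect(request_url, timeout=5):
    """Hypothetical helper: one plain-http GET, redirects not followed."""
    u = urlsplit(request_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample responses (not captured from a real load balancer).
SAMPLES = [
    ("http://www.example.com/cart?id=7", 301, "https://www.example.com/cart?id=7"),
    ("http://www.example.com/cart?id=7", 302, "https://www.example.com/cart?id=7"),
    ("http://www.example.com/cart?id=7", 301, "/cart?id=7"),
    ("http://www.example.com/cart?id=7", 200, None),
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        print(url, status, location, "->", check_https_redirect(url, status, location) or "ok")
```

To test a live load balancer, pass the result of fetch_redirect(url) into check_https_redirect in place of a sample.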
In the future
I happen to be in the know about such things: the Control Panel team has an enhancement request open to add this setting as an option for an https protocol load balancer. That enhancement hasn’t been scheduled yet, but I’ll update this post when it becomes available (thereby eliminating the need for most of this article… shucks).