
Re-Encrypting to SSL in the Snapt One load balancer

In addition to SSL Offloading, the Load Balancer offers SSL re-encryption.

Re-encryption lets you decrypt traffic, make Layer 7 (application-level) alterations or decisions such as applying ACLs (X-Forwarded-For headers, etc.), and then encrypt it again before sending it to your HTTPS servers.

How to Re-Encrypt SSL

When working with re-encryption, and SSL in general, always make sure that you are dealing with port 443 (HTTPS) traffic.

Step 1: Terminate SSL

In order to be able to re-encrypt, make sure that you are terminating SSL on your Group, Frontend or Backend.

Navigate accordingly to:

Balancer > Group Management
Balancer > Frontend Management
Balancer > Backend Management

Under the View Group/Frontend/Backend tab, click on the Edit button for the Group, Frontend or Backend you want to edit.

Note: If you are using a Group, we advise using the wizard, or manually creating a Frontend and Backend pair for SSL termination instead.

Under the SSL Options sub-tab, set SSL Termination to On.

Select the Bind for SSL Termination.

Click the Save button.

You should be able to see a lock icon on your Group, Frontend or Backend listing, to show that the SSL Termination has been enabled for that particular Group, Frontend or Backend.

Step 2: Re-Encrypt SSL

Now you will re-encrypt SSL at a Server level for the Group, Frontend or Backend you have enabled SSL Termination for.

Navigate accordingly to:

Balancer > Group Management
Balancer > Frontend Management
Balancer > Backend Management

Under the View Group/Frontend/Backend tab, click on the Servers button for the Group, Frontend or Backend you want to edit. Note that it must show the lock icon, which indicates that SSL termination has been enabled.

For each individual Server that you want to enable re-encryption for, click on the Edit this server settings button.

Under the Standard Options sub-tab, set Re-encrypt [SSL] to On.

Optionally, you can set Server side SNI (Server Name Indication) to On. This evaluates the sample fetch expression, converts it to a string and uses the result as the hostname sent in the SNI TLS extension to the server. If you are not sure what that is, you can safely leave it Off.

Click the Save button.
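
What the two steps amount to, written as an HAProxy-style configuration. This is an added illustration, not configuration taken from Snapt One or from this article; it assumes HAProxy syntax because the Server side SNI description above matches HAProxy's `sni` server keyword, and all names, addresses and file paths are placeholders.

```haproxy
# Illustrative only: names, addresses and paths are placeholders.

frontend fe_https
    mode http
    # Step 1: SSL termination on the bind. Client traffic is decrypted here.
    bind :443 ssl crt /etc/ssl/private/example.pem
    # Layer 7 work is only possible between decryption and re-encryption,
    # e.g. adding an X-Forwarded-For header with the client address.
    option forwardfor
    default_backend be_https

backend be_https
    mode http
    # Step 2: re-encryption is set per server with the "ssl" keyword.
    # "sni" corresponds to Server side SNI = On: the sample fetch
    # req.hdr(host) is evaluated, converted to a string and sent as the
    # hostname in the SNI TLS extension.
    # "verify required" plus "ca-file" makes the balancer validate the
    # server certificate rather than accept any certificate it is shown.
    server web1 192.0.2.10:443 ssl sni req.hdr(host) verify required ca-file /etc/ssl/certs/backend-ca.pem check
    # The same server with Server side SNI = Off: no "sni" keyword.
    server web2 192.0.2.11:443 ssl verify required ca-file /etc/ssl/certs/backend-ca.pem check
```

This page does not say whether the balancer verifies the backend certificate when re-encryption is On, so confirm that setting for each server before relying on the re-encrypted leg.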

Find Out More

Read Hardening Your SSL Installation for general tips about SSL.

Updated on November 27, 2019

