
I have an HTTP backend server on Google Cloud behind an SSL Proxy Load Balancer.

If a client issues an HTTP request on port 80, the load balancer returns a 404. If possible, I'd like to redirect the port 80 request to port 443.

My first question is: can an SSL Proxy Load Balancer listen on both port 80 and port 443, but only terminate SSL on port 443?

If so, my second question is: can the backend somehow determine whether the load balancer terminated SSL or not?

If I use an HTTP(S) load balancer, all this is trivial and I can just look at the X-Forwarded-Proto, but in this case, we're using a TCP load balancer, without HTTP headers, so I'm wondering if the same thing is possible somehow. The PROXY Protocol does not seem to contain this information.

Perhaps the load balancer can forward traffic from port 80 to port 8080 on the backend and traffic from port 443 to port 8443 on the backend so we know where it came from. Does the SSL Proxy Load Balancer support anything like this?

I can't use an HTTP(S) load balancer in my situation because I need to disallow HTTP/2.

I could also just use a TCP Proxy and handle SSL termination in the backend, but I want to use the Google Managed Certificates.

John Hanley
Jesse Shieh
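
The question's remark about the PROXY protocol can be checked by parsing the header itself. This is an added example, not code from the post or from Google: a parser for the version 1 text header that returns every field the header carries, assuming the load balancer is configured to prepend a v1 header. The sample line and its addresses are constructed.

```python
import ipaddress

# Constructed sample: a PROXY protocol v1 line followed by the first bytes of
# the client's stream (addresses are documentation ranges, not real hosts).
SAMPLE = b"PROXY TCP4 203.0.113.7 198.51.100.10 51234 443\r\nGET / HTTP/1.1\r\n"

V1_MAX_LEN = 107  # longest possible v1 header line, including CRLF


def parse_proxy_v1(data: bytes):
    """Split a v1 header off the stream; return (fields, remaining_bytes).

    Raises ValueError on anything malformed so the caller can drop the
    connection instead of trusting a spoofed or truncated header.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("missing PROXY v1 signature")
    end = data.find(b"\r\n", 0, V1_MAX_LEN)
    if end == -1:
        raise ValueError("header not terminated within 107 bytes")
    parts = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if parts[1] == "UNKNOWN":
        # Sender could not describe the connection; no addresses to trust.
        return {"family": "UNKNOWN"}, rest
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ValueError("unsupported family or wrong field count")
    version = 4 if parts[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if src.version != version or dst.version != version:
        raise ValueError("address does not match declared family")
    if not all(p.isdigit() and int(p) <= 65535 for p in parts[4:6]):
        raise ValueError("port is not a number in 0-65535")
    # These five values are everything a v1 header conveys: addresses and
    # ports only, with no field describing TLS termination.
    return {
        "family": parts[1],
        "src_addr": str(src), "dst_addr": str(dst),
        "src_port": int(parts[4]), "dst_port": int(parts[5]),
    }, rest
```

The returned dictionary holds only the address family, two addresses and two ports, which matches the observation that the header has no field for whether SSL was terminated.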

1 Answer


> My first question is: can an SSL Proxy Load Balancer listen on both port 80 and port 443, but only terminate SSL on port 443?

No. The SSL Proxy Load Balancer does not understand Layer 7 traffic (HTTP/HTTPS).

If you want the load balancer to redirect users to HTTPS then you will need to use an HTTP(S) load balancer or another Layer 7 load balancer.

Since you want to prevent HTTP/2, you will need to create your own load balancer setup.

> Perhaps the load balancer can forward traffic from port 80 to port 8080 on the backend and traffic from port 443 to port 8443 on the backend so we know where it came from. Does the SSL Proxy Load Balancer support anything like this?

No. The SSL Proxy Load Balancer supports TLS encrypted traffic and does not support unencrypted traffic. Port 80 (HTTP) is usually unencrypted.

In addition, only these TCP ports are supported: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, and 5222.

John Hanley
  • Thanks John. I suspect this is the right answer, but to clarify, I meant that my backend HTTP server would be responsible for redirecting HTTP to HTTPS so the load balancer wouldn't need to understand layer 7. – Jesse Shieh Mar 23 '20 at 00:14
  • @JesseShieh Your backend server will never get frontend HTTP traffic on port 80 with an SSL Proxy load balancer. Double-check the supported port numbers in my answer - port 80 is not one of them. – John Hanley Mar 23 '20 at 01:42