We manage a number of sites with secure content. Installing SSL certificates and keys on multiple servers becomes a time-consuming annoyance.

To ease this pain we've made use of an SSL decryption module added to our load balancers. Using the module means we can install the SSL certificate on the load balancer, which decrypts SSL traffic and then passes it around internally using standard HTTP. This reduces the decryption load on the individual web servers, leaving the dedicated module on the load balancer to handle all SSL.

This does, however, raise a problem: if the internal servers see only HTTP traffic, how do they know which traffic should be secure? This is important so that our application can work securely in areas of the site like credit card payment. We could check ports, but checking ports isn't ideal. The answer is simple. All you need is a request header set in your Apache config and you're away:

For our Ruby on Rails applications:

RequestHeader set X_FORWARDED_PROTO "https"

For our ColdFusion applications:

RequestHeader set HTTPS "on"

This means with simple header checks we can switch the behaviour of the application easily.
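
The header check on the Rails side, as an added example that is not part of the original post: it honours X_FORWARDED_PROTO only when the request arrives from the load balancer, so a client that reaches an app server directly cannot claim HTTPS by sending the header itself. The proxy address range, host name and method names are assumptions made for illustration.

```ruby
require 'ipaddr'

# Assumptions (constructed values): internal addresses of the load balancer,
# and the site's public host name used when building the redirect.
TRUSTED_PROXIES = [IPAddr.new('10.0.0.0/8'), IPAddr.new('127.0.0.1')].freeze
CANONICAL_HOST  = 'www.example.com'

# True only when the directly connected peer is one of our own proxies.
def from_trusted_proxy?(env)
  addr = env['REMOTE_ADDR'].to_s
  return false if addr.empty?
  peer = IPAddr.new(addr)
  TRUSTED_PROXIES.any? { |net| net.include?(peer) }
rescue ArgumentError # IPAddr raises a subclass of this on malformed input
  false
end

# Rack exposes the X_FORWARDED_PROTO request header as HTTP_X_FORWARDED_PROTO.
# The header counts only when it arrived via a trusted proxy.
def secure_request?(env)
  return false unless from_trusted_proxy?(env)
  env['HTTP_X_FORWARDED_PROTO'].to_s.strip.downcase == 'https'
end

# Guard for sensitive areas such as payment pages: returns a Rack-style
# redirect to HTTPS, or nil when the request may proceed. The redirect uses
# the configured host name rather than the client-supplied Host header.
def require_https(env)
  return nil if secure_request?(env)
  [301, { 'Location' => "https://#{CANONICAL_HOST}#{env['PATH_INFO']}" }, []]
end
```

Because `RequestHeader set` replaces any value the client supplied, the application only ever sees the value written by the Apache front end, provided the app servers are not reachable by any other route.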

Originally published at dev.venntro.com