I provide a web-based set of services to multiple customers that they sell on to their customers. The service is provided via a URL that has my company domain and a set path for all my customers and then parameters that identify the specific customer, the specific service element, language, etc, so a single landing page can be displayed in a bespoke way. Several of the customers have asked if I can provide the functionality via their domain name (a Vanity URL).
It's seems relatively easy to set up virtual hostnames and listeners on a Public Load Balancer that would be sat behind a WAF. It also seems relatively easy to import/upload their SSL certificate for HTTPS connection and termination at the Load Balancer. Several blog posts about both.
My problem comes on the internal side of the Load Balancer. I need to have encryption on the internal side through to the web servers (company policy and security standards), without changing the URL that the end customer (the customer's customer) sees in their browser.
My understanding is that the change of SSL certificate (customers to mine) would be reflected in a change of URL visible in the address bar of the browser.
It is also my understanding that the Load Balancers are not capable of passing through HTTPS for termination at the back-end web server, so I would need to terminate the SSL certificate at both the Load Balancer and the back-end web servers, correct? Terminating the SSL certificate on the back-end webservers would require (basically) a site per customer, correct?
With the impending decreases in SSL certificate and domain validation lifetimes, the management of certificates is going to become a nightmare and with the potential for 100+ customers wanting to use their own domain name in the URL, it would be even worse.
Am I missing alternative solutions? If so, please suggest them.
Also, I need to be able to capture the source IP for all connections.