Load Balancer

Load Balancer

The Ingress Load Balancer gives internet access to your environment’s services via proxied HTTP(S) connections using TLS (1.0 to 1.2) protocol. Each load balancer has a static IP that you can use to set up custom domains.

You can configure your environment's load balancer with a custom domain.

Having a dedicated load balancer provides a myriad of enhanced features, such as port configuration, custom SSL certificates, and a CDN. These features can be configured in a service’s LCP.json file:

  "id": "webserver",
  "loadBalancer": {
    "cdn": true,
    "targetPort": 80,
    "customDomains": ["acme.liferay.cloud"],
    "ssl": {
      "key": "...",
      "crt": "..."


Liferay’s Content Delivery Network (CDN) is a built-in feature of Liferay Cloud. It acts as a proxy between the client and origin servers, caching and serving content from points-of-presence (POPs) closer to users, instead of sending them to back-end servers (instances).

In the event of a DDoS attack for cacheable content, the requests are sent to globally distributed POPs instead of the origin servers, thereby providing a larger set of locations to absorb the attack. Caching your global, static content also greatly enhances delivery speed.

By default, the CDN is enabled in all environments except dev environments. You can enable or disable the CDN for a service (in its LCP.json file) by setting the value of cdn within the loadbalancer object:

    "loadBalancer": {
        "cdn": true

The CDN's status is visible on the Network page.


The CDN is not currently supported for the Dubai/Northern UAE region.

Clearing the CDN Cache

The CDN improves performance by reducing latency for delivering static content to users. However, it is possible that some of this content is delivered to users before the cache is updated, when the content is no longer valid.

If it is necessary to clear the CDN cache to force the content to be retrieved again, then you can manually clear it from the Liferay Cloud console:

  1. Log into the Liferay Cloud console and navigate to the appropriate environment.

  2. Click Network from the menu on the left.

  3. Under the CDN section, click Clear CDN Cache…

    Click the Clear CDN Cache button on the Network page for your environment.

  4. On the Clear CDN cache page, select all the checkboxes to confirm that you understand the consequences of clearing the cache, and that it applies to all services with CDN enabled.

    The Clear CDN cache page.

  5. Click Request Cache Clearance.

The request is sent to clear the cache when you click the button. Allow up to 30 minutes for the cache to be cleared.


Clearing the CDN cache too frequently can negatively impact server performance, because it can cause a short-term spike in requests to your services that the cache would have served otherwise. Limit clearing the cache to exceptional circumstances to mitigate this impact.


You can set which internal port (targetPort) the load balancer’s service endpoint routes to. Liferay Cloud automatically configures the correct port for the services it provides.

"targetPort": 3000

The load balancer shows your port configurations.

Custom SSL

When you specify the load balancer attribute for a service, it adds a service endpoint using the following naming pattern:


Domains created by Liferay Cloud’s infrastructure at .lfr.cloud are covered by a wildcard certificate that is not displayed in the Network page’s SSL certificates section.

For all custom domains added through the console or LCP.json, Liferay Cloud reaches out to Let’s Encrypt for a certificate that renews automatically and covers all custom domains you create.

Adding Custom SSL Certificates

You can also add your own SSL certificate to cover any custom domains you create. You can either use the SSL certificate provided by Let’s Encrypt (for any custom domains added through the Liferay Cloud console), or you can define one or more custom certificates by referencing secret values in your webserver service’s LCP.json file. If certificates exist in both places, then any custom certificates defined in the LCP.json file take precedent.

When creating custom certificates, note that Liferay Cloud only accepts keys and certificates that are in the proper PEM format with Base64 encoding, which must include encapsulation boundaries.

To add a single SSL certificate to the LCP.json file:

  1. Add secret variables to your chosen environment for the certificate’s key and crt values.

  2. In your project repository’s webserver/LCP.json file, add an ssl object inside of the loadbalancer object, with key and crt values that reference the keys for the secrets you added:

    "loadbalancer": {
        "ssl": {
            "key": "@ssl-key-secret",
            "crt": "@ssl-crt-secret"

Using the ssl object in your LCP.json file creates a single custom SSL certificate that maps to all custom domains used in this environment.

Mapping Multiple SSL Certificates to Custom Domains

You can also map different SSL certificates to multiple custom domains by using the certs property instead of the ssl object.

Use the certs property in your web server’s LCP.json file to create a list of certificates that you can use. Group the key and crt values for each certificate together with the custom domains they will map to:

    "loadbalancer": {
        "certs": [
                "customDomains": ["acme.liferay.cloud"],
                "key": "...",
                "crt": "..."
                "customDomains": ["acme2.liferay.cloud"],
                "key": "...",
                "crt": "..."

Mapping multiple SSL certificates to your custom domains requires adding the certs property to the webserver service’s LCP.json file. Adding custom domains through the Liferay Cloud console instead maps all of the custom domains to a single certificate.

Generating an SSL Certificate

When generating a key, you must use either RSA-2048 or ECDSA P-256 encryption algorithms and avoid using passphrase protected keys.

Once custom certificates are made, users are responsible for managing them (e.g., updating them when new custom domains are added, renewing them when they expire).

If it has not already been encoded, then the certificate and key files may both contain text like the following snippet (with either CERTIFICATE or KEY in the begin/end tags, respectively):


To encode the contents of these files and use them, perform the following steps:

  1. Create a new file for both the key and cert contents:

    touch originalkeyfile.key
    touch originalcertfile.crt
  2. Open the key file and copy all of the contents between and including the begin and end key tags, and then copy them into the new file created for it (in this example, originalkeyfile.key). Save the file.

  3. Open the cert file and copy all of the contents between and including the begin and end cert tags, and then copy them into the new file created for it (in this example, originalcertfile.crt). Save the file.

  4. Run the following commands (or use any other preferred encoding method) to convert the files into new files with base64 encoding:

    openssl base64 -in originalkeyfile.key -out base64keyfile.key
    openssl base64 -in originalcertfile.crt -out base64certfile.crt
  5. Copy all of the contents from the new, encoded key file (in this example, base64keyfile.key) and paste them into the key variable in your webserver service’s LCP.json file.

  6. Copy all of the contents from the new, encoded cert file (in this example, base64certfile.crt) and paste them into the crt variable in your webserver service’s LCP.json file.

The key and cert values are now encoded and usable in your web server configuration.


It is possible to include multiple values for the cert by concatenating certificates together into a single string, and then encoding the result in base-64 for the crt field.

The Network page shows any custom certificates, with a maximum of one per service. For more information, see Custom Domains.

Liferay Cloud shows the status of SSL certificates that cover custom domains.

Environment Variables Reference

Name Value Description
cdn false CDN is disabled by default; can be enabled by setting to true
customDomains [“example.com”, “www.example.com”] Name of the custom domain; can list more than one
targetPort 3000 Port number for the load balancer
key SSL certificate’s key in Base64 format. Group this in an ssl object, or a certs object (to list multiple certificates).
crt SSL certificate’s crt in Base64 format. Group this in an ssl object, or a certs object (to list multiple certificates).