SSL Termination and Pass Through
In the infrastructure world we often come across the terms SSL Termination and SSL Pass Through. We will take a look at each of them below.
SSL Termination:
SSL Termination is a process wherein a server consumes the encrypted secure traffic (HTTPS), decrypts it, and then forwards the request unencrypted (HTTP) to other servers in the network. Those other servers are assumed to sit on a secure internal network and are not exposed to the internet.
Generally, a load balancer performs the task of SSL Termination.
SSL Pass Through:
SSL Pass Through, in contrast to termination, is a process wherein the encrypted secure traffic (HTTPS) is forwarded as is by the server to other servers in the network, without being decrypted on the way.
Load balancers can be configured to use SSL Pass Through. In this scenario, each individual server must be capable of decrypting the SSL traffic itself.
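As an added example that is not part of the original post, the HAProxy configuration below shows both modes side by side on one load balancer: the first frontend terminates TLS with a certificate held on the load balancer and forwards plain HTTP, while the second relays the encrypted stream untouched and only reads the unencrypted SNI to pick a backend. HAProxy itself, the addresses, ports, hostnames and certificate paths are assumptions chosen for illustration; the two frontends use different ports only so that both can live in one file, since a real deployment picks one mode per listener.

```haproxy
# --- Mode 1: SSL Termination ------------------------------------------------
# The load balancer holds the certificate, decrypts HTTPS and speaks plain
# HTTP to the backends on the internal network. (Paths/IPs are placeholders.)
frontend https_terminate
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem ssl-min-ver TLSv1.2
    mode http
    # Tell the backend that the client actually used HTTPS.
    http-request set-header X-Forwarded-Proto https
    default_backend app_plain

backend app_plain
    mode http
    balance roundrobin
    server app1 10.0.1.11:8080 check
    server app2 10.0.1.12:8080 check

# --- Mode 2: SSL Pass Through -----------------------------------------------
# The load balancer never decrypts: it runs in TCP mode and relays the TLS
# stream unchanged, so it cannot add headers or inspect HTTP content. It can
# still route on the Server Name Indication (SNI), because the ClientHello
# carrying the SNI is sent in the clear before encryption starts.
frontend https_passthrough
    bind *:8443
    mode tcp
    option tcplog
    # Wait (up to 5s) for the ClientHello so the SNI can be inspected.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend api_tls if { req.ssl_sni -i api.example.com }
    default_backend app_tls

backend app_tls
    mode tcp
    balance roundrobin
    # Each server terminates TLS itself, so each needs its own certificate.
    server app1 10.0.1.11:443 check
    server app2 10.0.1.12:443 check

backend api_tls
    mode tcp
    server api1 10.0.1.21:443 check
```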
SSL Termination vs SSL Pass Through:
- When SSL Pass Through is used, the SSL certificates need to be maintained on each individual server, whereas with SSL Termination they need to be maintained only on a centralized server (the load balancer). Maintaining certificates in a central place is generally easier to manage; it is also easier to apply security patches and to manage SSL security settings centrally than to do so on many different servers.
- SSL Pass Through is more secure in the sense that the traffic is encrypted end to end, whereas with SSL Termination the traffic travels in the clear after termination and could be vulnerable on the internal network.
- With SSL Termination it is easier to handle DDoS (Distributed Denial of Service) attacks over SSL, as most modern load balancers provide protection against such attacks.
Servers capable of performing SSL Termination or Pass Through:
- Apache HTTP Server