What Is SSL Passthrough? How Does SSL Passthrough Work?

3 votes, average: 5.00 out of 53 votes, average: 5.00 out of 53 votes, average: 5.00 out of 53 votes, average: 5.00 out of 53 votes, average: 5.00 out of 5 (3 votes, average: 5.00 out of 5, rated)
Loading...
What is SSL Passthrough

SSL certificates are not an unfamiliar idea in the world of online security. All client-server connections on the web are protected from cybercriminals by the encryption security provided by these SSL/TLS certificates.

In a nutshell, SSL certificates use encryption technology to protect HTTP (hypertext transfer protocol) communication on the web and transform it to HTTPS. Therefore, if the URL starts with HTTPS (hypertext transfer protocol secure), it shows that the online connection is effectively secured.

However, what is SSL Passthrough?

This article discusses SSL Passthrough, how it works, its advantages and disadvantages, how to install SSL Passthrough, what SSL Offloading is, its limitations, and how it differs from SSL Passthrough.

What exactly Is SSL Passthrough?

The Hypertext Transfer Protocol (HTTP) was utilized to control all online traffic when the Internet first started. HTTP was naturally vulnerable due to its lack of encryption. The issue was addressed by initiating HTTPS or Hypertext Transfer Protocol Secure.

All internet traffic is secured using HTTPS and SSL. SSL is still widely used today, as seen by the ideas of SSL passthrough and SSL offloading, even though the more secure Transport Layer Security (TLS) protocol has subsequently replaced it.

SSL Passthrough transfers encrypted HTTPS traffic from clients onto web servers, then back from web servers to clients without the requests being first decrypted at a load balancer/proxy server on their journey to and from the web server.

SSL passthrough is best suited for situations requiring stringent data security because requests are only decrypted on the web server in these instances.

In simple terms, “The process of sending data to a server through a load balancer without initially decrypting it is known as SSL passthrough. In most cases, the load balancer performs the SSL termination procedure or the decryption process before sending the data in the plain format to the web server.”

The communication between the load balancer and the server is less likely to be the target of man-in-the-middle attacks using SSL passthrough since it is secure during every stage the connection is made and is only decrypted after it has reached its destination. Also, load balancers have very little overhead since they don’t decrypt the communication between clients and servers. As a result, load balancers can more precisely direct traffic.

Regarding operational expenses, SSL passthrough is more expensive because it uses CPU cycles. You cannot utilize access rules, redirects, or cookie-based sticky sessions with SSL passthrough since it does not provide a review of requests or enable you to take any action on web traffic.

As a result, only small deployments can profit from SSL passthrough. There may be other options you need to consider if your websites have stricter usage restrictions.

Working Process of SSL Passthrough

The SSL passthrough procedure bypasses the load balancer, which is situated between the server and the client, and instead directs traffic to the web servers for decryption. This prevents the encrypted HTTPS traffic from being decrypted at the load balancer.

How SSL Passthrough Works

Therefore, this data transfer is secure since the network/load balancer cannot identify the contents of the communication.

This secure transmission maintains the traffic/data packets encrypted until it reach its destination, protecting it from hostile hackers.

Advantages of SSL Passthrough

Security: 

SSL communication offers a high level of security since it is completely encrypted from the client to the server. The communication is kept secure and protected from online intruders and cybercriminals since it is not decrypted at the load balancer and is routed directly to the server in the encrypted method.

Confidentiality: 

The web server receives the encrypted data in the same format since it is protected from all decryption levels. This guarantees the privacy and confidentiality of the data.

Integrity: 

This secure data transfer method is beneficial when sending sensitive and essential information.

Quick and Easy: 

Proxy SSL passthrough is the simplest method for configuring SSL in the load balancer.

Provides Minimal Optimization (If necessary): 

If you don’t decrypt the communication in any of the seven layers, implement access controls, block traffic, or utilize session cookies, you can use the SSL Passthrough.

Disadvantages of SSL Passthrough

  • SSL passthrough cannot be used with security technologies that require traffic monitoring.
  • Uses the server’s CPU to execute CPU-intensive encryption and decryption work, which might affect server performance.
  • Malicious code may be present in the communication that goes straight to the backend server. This scenario could be dangerous since the server could’ve been affected by the intruder’s encrypted codes.
  • In the SSL passthrough technique, server switches are not possible.
  • The SSL passthrough procedure does not allow the usage of an HTTP profile.
  • Traffic on layer seven cannot be optimized.

How is SSL Passthrough Configured?

TCP (Transmission Control Protocol) mode and HTTP mode must be configured in the front and back end.

The SSL passthrough uses the TCP mode as a passage to get the encrypted communication to the backend server.

Installation of an SSL certificate on the load balancer is not required for configuring the proxy SSL passthrough. Therefore, the backend server has these SSL/TLS certificates loaded.

The above configuration contains the server to manage SSL connections but leaves off the load balancer.

Configuring the Backend for SSL Passthrough

You will require the following before configuring SSL passthrough on your load balancer:

  • A domain name that you have registered. Any domain name registrar is acceptable.
  • Your domain’s DNS records should point to the load balancer. Use the free DNS hosting service from any provider of your choice.
  • One or more backend Droplets that are executing applications with SSL configuration. Depending on the software you wish to use, there are many ways to create an SSL certificate and set up the backend application to decode HTTPS or HTTP/2 queries.
  • The SSL certificate used by your load balancer must be the same for each Droplet you utilize. You can build an image of the first Droplet to create further instances when your configuration is tested with one backend server. Alternatively, you can replicate the certificate files across servers using scp or rsync.
  • You can add the passthrough forwarding rule to the load balancer once your domain, DNS records, SSL certificate, and backend Droplets are ready.

What is SSL Offloading?

An SSL offloading relieves a web server from data encryption and decryption by moving incoming secured and encrypted traffic from a client to a load balancer.

A load balancer separates the web server and the browser. They employ the SSL security protocol to conduct SSL termination or SSL bridging to take the operational burden off the server’s metaphorical shoulders. The load balancer gets the encrypted data. It eliminates this time-consuming procedure of performing decryption and sending the plaintext to the server.

HTTPS traffic is handled differently by SSL offloading, also known as SSL termination. The load balancers (located between the client and the server) are charged with decrypting the traffic that emerges between these two parties and encrypting it before it is sent from the server to the client during the SSL offloading procedure.

The web servers are relieved (offloaded) of this responsibility when the load balancers encrypt and decrypt the traffic. As a result, they can distribute the web pages more effectively in response to the concerned browsers’ requests. However, there are several substantial drawbacks to the SSL offloading process.

Disadvantages of SSL Offloading

  • When SSL is offloaded, the plain data (unencrypted traffic) that passes through load balancers and gets to the backend servers may make it easier for hackers to carry out man-in-the-middle attacks. They can effectively breach your networks, and they can steal data.
  • The issue is severe when the encryption and decryption keys are made available to the load balancer.
  • This process is restricted when there is susceptible traffic and a need for network security.
  • The internal network can fail to be secure if there is unencrypted traffic between the load balancer and servers.
  • Unsuitable for instances or applications where end-to-end encryption is essential.

SSL Passthrough Vs. SSL Offloading

These digital securities differ slightly even if they share certain characteristics. As follows:

 SSL PassthroughSSL Offloading
1In the SSL passthrough procedure, the encrypted (HTTPS) traffic does not need to be decrypted at the load balancer before it reaches the backend server.    The encrypted traffic is decrypted at the load balancer before being sent to the backend server during the SSL offloading procedure.
2Since the data is sent between the load balancer and the server in HTTPS format, data inspection is not allowed during the SSL passthrough procedure.Since the data is transferred in HTTP format between the load balancer and the server during the SSL offloading process, data inspection is available.
3  All layer seven tasks are prevented by the encryption used in the SSL passthrough mechanism for data.                The data sent to the server is in plain (HTTP) text since layer seven activities can be carried out during the SSL offloading procedure.
4Since encrypted data is exchanged between the load balancer and the server, SSL passthrough is a secure data transmission method. Essential online apps and other data can be stored there.                Since unencrypted data is sent from the load balancer to the server during the SSL offloading procedure, it is susceptible to MIM attacks and hackers. When top security is not necessary, it works well for smaller networks.
5Cookie tenacity is not possible while using SSL passthrough.The SSL offloading procedure can take advantage of cookie tenacity.

Wrap up!

Each approach has distinct use cases, and you should choose the one that best suits your requirements in terms of performance, security, manageability, and compliance with any applicable rules or policies.

Janki Mehta

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.