SSL Passthrough

<< Back to Technical Glossary

SSL Passthrough Definition

SSL passthrough happens when an incoming security sockets layer (SSL) request is not decrypted at the load balancer but passed along to a server for decryption.
SSL passthrough is used when web application security is a top concern.

Diagram depicts SSL passthrough allowing incoming security sockets layer (SSL) requests bypassing load balancers and passed along to a server for decryption.

What Is SSL Passthrough?

Secure Socket Layer (SSL), which more recently referred to as TLS (Transport Layer Security) is a security protocol for HTTP traffic on the Internet. SSL encrypts communications between client and server to safely send messages. When a website address says “HTTPS,” the “S” signifies that SSL is being used to encrypt data.

SSL passthrough is the action of passing data through a load balancer to a server without decrypting it. Usually, the decryption or SSL termination happens at the load balancer and data is passed along to a web server as plain HTTP. But SSL passthrough keeps the data encrypted as it travels through the load balancer. The web server does the decryption upon receipt. This process is used when security for data transfers within the local area network is especially important.

SSL passthrough is more costly because it uses more central processing unit (CPU) cycles. It also limits some functions of a load-balancing proxy. Proxy SSL passthrough does not inspect traffic or intercept SSL sessions on network devices before reaching the server since it merely passes along encrypted data. SSL passthrough is best suited for smaller deployments.

How to Configure SSL Passthrough?

Transmission control protocol (TCP) mode versus HTTP mode is required in front and backend configurations. SSL passthrough uses TCP mode to pass encrypted data to servers.

The configuration of proxy SSL passthrough does not require the installation of a SSL certificate on the load balancer. SSL certificates are installed on the backend server because they handle the SSL connection instead of the load balancer.

With SSL passthrough, requests are redirected to another server because the connection remains encrypted.

SSL Passthrough Vs SSL Offloading

SSL passthrough passes HTTPS traffic to a backend server without decrypting the traffic on the load balancer. The data passes through fully encrypted, which precludes any layer 7 actions. Proxy SSL passthrough is the simplest way to configure SSL in a load balancer but is suitable only for smaller deployments.

SSL offloading, also known as SSL termination, decrypts all HTTPS traffic on the load balancer. Layer 7 actions can be carried out and the data proceeds to the backend server as plain HTTP traffic. SSL offloading allows data to be inspected as it passes between the load balancer and server. It also reduces CPU demand on an application server by decrypting data in advance. SSL offloading is vulnerable to attack, however, as the data travels unencrypted between the load balancer and application server.

Does Avi Offer SSL Passthrough?

Yes. Avi fully supports SSL-encrypted HTTPS traffic by providing both SSL passthrough and SSL offloading as options. In general, Avi recommends SSL offloading or SSL termination, using Avi as the endpoint for SSL enables it to maintain full visibility into the traffic and also to apply advanced traffic steering, security, and acceleration features.

For more on the actual implementation of load balancing, security applications and web application firewalls check out our Application Delivery How-To Videos.

For more information see the following ssl passthrough resources: