SSL/TLS termination is the process of decrypting traffic when it enters the network and encrypting traffic when it leaves the network. SSL/TLS termination lets you bring SSL/TLS support to your applications by performing all encryption and decryption at the load balancer. The load balancer removes the encryption before passing the messages to your servers. SSL/TLS termination is also called "SSL/TLS offloading."

Ideally, this happens at the load balancer to avoid burdening backend servers with negotiating TLS session keys, a handshake that is fairly CPU intensive. Performing termination on each server instead consumes CPU that would otherwise serve client requests, which can degrade the performance of your web applications.

How does SSL/TLS termination work?

[Diagram: HAProxy SSL/TLS termination]

When SSL/TLS termination is in place, users attempting to access your website at a standard (HTTP) URL are automatically redirected to HTTPS. This redirect is important for enforcing encryption and is specified within your configuration. Unencrypted traffic arrives on HTTP port 80, while secure traffic arrives on HTTPS port 443.

The load balancer decrypts incoming traffic so that it can read each message's headers and contents (which determine routing behavior) before forwarding the requests to active servers. The servers' responses then travel back through the load balancer to the clients.

Certificate management also lies at the heart of SSL/TLS termination. Some load balancers let you restrict what TLS negotiates by carefully selecting the preferred encryption ciphers within your configuration. You can select which certificate is presented through mechanisms such as SNI, and you can even limit which clients can access your application by issuing them a certificate they must present. These checks happen when the connection is established.

While SSL/TLS can technically function without certificates, certificate validation is what lets clients authenticate the server, guarding against attackers who impersonate it while enabling complete HTTPS functionality.

TLS can also separately secure the connection between the load balancer and the servers, and connection reuse keeps this inexpensive. Bulk encryption and decryption use minimal CPU compared with establishing a new TLS connection, so you can encrypt traffic between the load balancer and servers (and optionally prevent clients from bypassing the load balancers) without paying the CPU cost of per-client key negotiation on the servers.
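As an added example that is not part of the original article, the following HAProxy configuration puts the pieces above together: an HTTP-to-HTTPS redirect, restricted protocol versions and ciphers, per-hostname certificates chosen via SNI, a client certificate requirement for one path, and re-encrypted connections to the servers. The hostnames, addresses and file paths are assumptions.

```haproxy
# Added example, not from the original article. All paths, IPs and hostnames are placeholders.
global
    # Restrict the protocol versions and cipher suites that client-facing binds will negotiate
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    # TLS 1.3 suites are configured separately (requires OpenSSL 1.1.1 or later)
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    # Port 80 exists only to redirect clients to HTTPS
    bind :80
    # Port 443: every PEM file in the directory is loaded, and HAProxy presents the
    # certificate matching the hostname the client sends in SNI.
    # 'verify optional' validates a client certificate against client-ca.pem when one is offered.
    bind :443 ssl crt /etc/haproxy/certs/ ca-file /etc/haproxy/client-ca.pem verify optional alpn h2,http/1.1
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Requests under /admin are refused unless the client presented a valid certificate
    http-request deny deny_status 403 if { path_beg /admin } !{ ssl_c_used }
    # The servers now see plain HTTP, so tell them the original request was encrypted
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend app

backend app
    option forwardfor
    # Re-encrypt to the servers and verify their certificates against an internal CA.
    # HAProxy caches TLS sessions to servers, so this costs far less than per-client handshakes.
    server web1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/internal-ca.pem sni str(app.internal) check
    server web2 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/internal-ca.pem sni str(app.internal) check
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading.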

What makes SSL/TLS termination useful?

SSL/TLS termination at the load balancer specifically has the following benefits: 

  • Reduced processing strain on servers

  • Improved application performance and security

  • Centralized certificate management and consolidation

Freeing up your servers lets them focus on serving requests and responses, boosting overall performance while cutting latency. Plus, it's much easier to manage certificates dynamically at the load balancer through an automated certificate authority than across the server pool itself.

Does HAProxy support SSL/TLS termination?

Yes! HAProxy Enterprise, HAProxy Enterprise Kubernetes Ingress Controller, and HAProxy ALOHA support SSL/TLS termination with simplified certificate management. To learn more, check out our guide to using SSL termination.