
SSL passthrough is where encrypted web traffic flows through a load balancer without being decrypted until it reaches the web server that holds the SSL (Secure Sockets Layer) certificate. This helps ensure sensitive data stays protected for the whole transfer. This guide explains what SSL passthrough is, how it works, its benefits and drawbacks, and when it is the best choice for managing secure connections to your website.
KEY TAKEAWAYS
- SSL Passthrough maintains end-to-end encryption by allowing the backend server to handle decryption, ensuring data stays secure during transfer.
- By routing encrypted data straight to the server, SSL passthrough enhances security and reduces load balancer overhead.
- Using SSL Passthrough provides encryption and a simpler intermediary setup, but it can lead to security blind spots.
- Implementing SSL passthrough involves adding certificates on the backend, configuring ingress resources to route TCP traffic, and enabling proper SSL profiles and ports.
- Use SSL passthrough when you need end-to-end encryption, client certificate control, and regulatory compliance, especially when intermediary decryption would compromise security.
What is SSL Passthrough?
SSL or TLS passthrough is a network configuration where SSL traffic remains encrypted as it passes through intermediaries, such as load balancers or Web Application Firewalls (WAFs).
Load balancers are hardware or software that evenly distribute incoming network traffic across multiple servers in a public or private network to ensure better resource (CPU, RAM) usage, prevent overload on any single server, and improve performance.
The data is decrypted only by the backend server, maintaining end-to-end encryption. This means that sensitive information in the HTTPS connection remains encrypted from the browser to the destination server, where the private key belonging to the server’s SSL/TLS (Transport Layer Security) certificate is used to decrypt the traffic, preventing eavesdropping and tampering in transit.
HTTPS (Hypertext Transfer Protocol Secure) is the standard for secure data transfer over the Internet. Your website needs an SSL certificate, also known as a TLS certificate, to encrypt data, authenticate websites, and ensure data is confidential.
Encrypted HTTPS traffic helps protect sensitive data, like login credentials, credit card numbers, or personal details, from eavesdropping, tampering, and Man-in-the-Middle (MITM) attacks. Without it in place, that data would be vulnerable to interception and exploitation.
Without an SSL connection, browsers flag web pages as unsecured and actively warn visitors not to access them. A valid certificate is therefore essential for establishing trust, enhancing user experience, complying with security policies like the General Data Protection Regulation (GDPR), and improving visibility in search engine rankings.

How Does SSL Passthrough Work?
As discussed above, SSL passthrough works by letting encrypted HTTPS traffic pass through the load balancer directly to the backend server without decryption. Before getting into the passthrough itself, it helps to understand the mechanics of SSL/TLS connections and how data is securely transmitted.
When a browser (client) sends a request to a web server (origin), it uses SSL/TLS security protocols to establish a secure connection. DNS (Domain Name System) records (A Record or CNAME) resolve the domain name to the public IP address of the load balancer.
This process begins with an SSL/TLS handshake, in which the browser verifies the server’s identity using its SSL certificate, and the two sides agree on the encryption protocol and cipher suite and exchange public key material to derive the session keys. The server’s private key never leaves the server.
The browser also sends the hostname it wants in the clear at the start of the handshake (the Server Name Indication, or SNI, extension) and checks that the certificate it receives matches that domain. A passthrough load balancer can read this SNI value to work out which backend server the incoming request is intended for, without decrypting anything.
Once the handshake is complete, all application data is encrypted before it is sent, making it unreadable to any intermediary. The load balancer sees the incoming connection but does not decrypt or inspect its contents. Instead, it forwards the encrypted traffic to the designated web server.
These encrypted data packets travel through the network, untouched by the load balancer, and arrive at the backend server, where they are decrypted.
With SSL passthrough, the load balancer operates at Layer 4 (the TCP level), forwarding traffic based on IP addresses, ports and the plaintext SNI hostname, without accessing or modifying the encrypted content. Decryption happens only on the server, which holds the private key for its SSL certificate.
This ensures end-to-end encryption from the client to the origin, enhancing security and performance by offloading the decryption process to backend servers.
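To make the Layer 4 behaviour concrete, here is a minimal SNI-routing passthrough proxy written as an added example for this article (it is not code from the original page or from Hosted.com). It reads only the unencrypted server name from the ClientHello, picks a backend from a constructed routing table (the hostnames and 10.0.0.x addresses are assumed), and then copies bytes in both directions without ever holding a key or decrypting anything. The backends answer the TLS handshake themselves, which is exactly why the proxy can see nothing beyond the SNI.

```python
import socket
import struct
import threading
from typing import Optional, Tuple

# Constructed routing table (assumed names and addresses): SNI hostname -> backend.
# The backends, not this proxy, hold the certificates and private keys.
ROUTES = {
    "shop.example.com": ("10.0.0.11", 443),
    "api.example.com": ("10.0.0.12", 443),
}


def parse_sni(data: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None.
    Only the handshake framing and the SNI extension are read."""
    try:
        if data[0] != 0x16:                                 # 0x16 = handshake record
            return None
        body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if body[0] != 0x01:                                 # 0x01 = ClientHello
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                        # client_version + random
        pos += 1 + hello[pos]                               # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                               # compression_methods
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == 0:                               # server_name extension
                ext = hello[pos:pos + ext_len]              # list len(2), type(1), len(2), name
                if ext[2] != 0:                             # only name_type host_name
                    return None
                name_len = struct.unpack("!H", ext[3:5])[0]
                return ext[5:5 + name_len].decode("ascii", errors="replace")
            pos += ext_len
    except (IndexError, struct.error):
        pass                                                # truncated or malformed
    return None


def choose_backend(sni: Optional[str]) -> Optional[Tuple[str, int]]:
    """Layer 4 routing decision: pick a backend from the hostname alone."""
    return ROUTES.get(sni) if sni else None


def build_client_hello(hostname: str) -> bytes:
    """Constructed, minimal ClientHello carrying only an SNI extension.
    Sample input for the demo; a real browser sends far more."""
    name = hostname.encode("ascii")
    sni = b"\x00" + struct.pack("!H", len(name)) + name     # name_type=0, length, name
    sni_ext = struct.pack("!HHH", 0, len(sni) + 2, len(sni)) + sni
    hello = (b"\x03\x03" + bytes(32)                        # version, random
             + b"\x00"                                      # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite
             + b"\x01\x00"                                  # null compression only
             + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way, untouched, and pass EOF along as a half-close."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client: socket.socket) -> None:
    # Peek without consuming: the ClientHello must reach the backend intact,
    # because the backend, not the proxy, answers the handshake.
    # (Production code loops until the whole record has been buffered.)
    backend = choose_backend(parse_sni(client.recv(16384, socket.MSG_PEEK)))
    if backend is None:
        client.close()                                      # unknown or missing SNI: drop
        return
    upstream = socket.create_connection(backend)
    threads = [threading.Thread(target=pump, args=pair)
               for pair in ((client, upstream), (upstream, client))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client.close()
    upstream.close()


def serve(listen: Tuple[str, int] = ("0.0.0.0", 8443)) -> None:
    """Accept connections on an assumed local port and hand each to a thread."""
    with socket.create_server(listen) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Because the routing decision rests on the SNI alone, this is also the reason a passthrough intermediary cannot apply URL, header or cookie based rules: the HTTP request arrives only after the handshake, inside records the proxy cannot read. Note that with TLS 1.3 Encrypted Client Hello the server name itself is encrypted, and SNI-based routing of this kind no longer works.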
Benefits & Drawbacks of SSL Passthrough
Pros
- The main benefit is end-to-end encryption for sensitive information. By not decrypting traffic at the intermediary level, SSL passthrough ensures that a browser and server establish a direct, fully encrypted SSL/TLS tunnel. This preserves the privacy and integrity of sensitive data throughout its entire journey.
- The intermediary also doesn’t need access to the backend server’s private key or SSL certificate. The backend server is responsible for managing its certificate and handling the TLS handshake with the browser. This simplifies certificate management on the load balancer or WAF (Web Application Firewall), as it doesn’t need to store or renew server SSL configurations or use a self-signed certificate.
- When performing SSL passthrough, many load balancers can forward the original browser’s IP address directly to the server without modification. This is beneficial for logging, analytics, location targeting, and security features that rely on knowing the origin of a request.
Cons
While using passthrough SSL for backend configurations has its benefits, it also includes several possible drawbacks regarding data security and traffic management.
- Security blind spots are the biggest disadvantage. Because the load balancer or WAF only ever sees ciphertext, it can’t detect or block application-layer attacks such as SQL injection and XSS (Cross-Site Scripting). Similarly, it can’t analyze HTTP request patterns to spot an application-level DDoS (Distributed Denial of Service) attack.
- Intrusion Detection Systems (IDSs) are also affected. They have a limited ability to identify harmful code or suspicious behavior in encrypted data packets, potentially allowing malware to reach the server without being detected.
- Since the intermediary (load balancer/WAF) can’t decrypt encrypted network traffic, it can’t inspect the actual content of the HTTP request or response. This means you can’t use features such as content-based access rules, HTTP profile redirects, or cookie-based sticky sessions. This can result in users being routed to different servers during their session, potentially causing issues like lost shopping carts and a poor user experience.

How to Implement SSL Passthrough
Implementing SSL passthrough is an advanced process that isn’t recommended for beginners, as it requires setting up your environment properly, from certificate management to secure ports and settings. For reference, we have included a brief overview, but please note that any errors can lead to security vulnerabilities and traffic issues when using load balancing.
Valid SSL certificates and private keys must stay on the backend server, not on the load balancer. If you’re using Kubernetes Ingress, many setups use Nginx Ingress Controllers, a specialized load balancer and reverse proxy that manages external access and acts as the entry point for HTTP and HTTPS traffic.
- Store your SSL certificate and private key in a Kubernetes secret, often called default-ssl-certificate.
- Reference it in your ingress controller or backend configuration.
- The server (e.g., NGINX, Apache) will use this certificate to complete the TLS handshake. This ensures that all HTTPS traffic remains encrypted until it reaches the backend.
To complete the setup:
- Your backend server must have SSL enabled with a proper SSL cert profile.
- Ensure you open port 443 and that it is accepting Transmission Control Protocol (TCP) traffic.
- Configure firewalls and load balancer rules to allow encrypted traffic on port 443 to reach the backend.
- Avoid opening port 80 (HTTP) unless you plan to redirect it to HTTPS.
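The checklist above is easy to get subtly wrong, so here is an added verification script (written for this article, not code from Hosted.com or the original page) that tests the finished setup from the outside. It assumes the load balancer address, a backend that you can reach directly (for example from inside the network) and the site hostname shown as constants. It confirms that port 443 accepts TCP at the load balancer, that a fully verified TLS handshake through the load balancer presents the same leaf certificate as the backend does directly (if the intermediary had terminated TLS with a certificate of its own, the fingerprints would differ), and that port 80 is either closed or only redirects to HTTPS.

```python
import hashlib
import socket
import ssl
from typing import Dict

# Assumed values for the demo run: the load balancer's public address, a backend
# reachable directly, and the hostname on the backend's certificate.
LOAD_BALANCER = "203.0.113.10"
BACKEND = "10.0.0.11"
HOSTNAME = "shop.example.com"


def leaf_fingerprint(host: str, sni: str, port: int = 443, timeout: float = 5.0) -> str:
    """Complete a fully verified TLS handshake with host:port, sending `sni` as the
    server name, and return the SHA-256 fingerprint of the leaf certificate.
    create_default_context() checks the chain and that the cert matches `sni`."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def tcp_port_state(host: str, port: int, timeout: float = 3.0) -> str:
    """'open' if a TCP connection completes, 'closed' on refusal, else 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                              # timeout, unreachable, etc.
        return "filtered"


def is_https_redirect(raw_response: bytes) -> bool:
    """True if a raw HTTP response is a 3xx redirect whose Location is https://."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] not in ("301", "302", "307", "308"):
        return False
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip().lower().startswith("https://")
    return False


def fetch_http_response(host: str, sni: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send one plain HTTP request and return the raw response (headers at least)."""
    request = f"GET / HTTP/1.1\r\nHost: {sni}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while (chunk := s.recv(4096)) and sum(map(len, chunks)) < 65536:
            chunks.append(chunk)
    return b"".join(chunks)


def evaluate(lb_fp: str, backend_fp: str, port443: str, port80: str,
             port80_redirects: bool) -> Dict[str, bool]:
    """Turn the raw observations into pass/fail findings for the checklist."""
    findings = {
        # port 443 must accept TCP at the load balancer
        "port_443_accepts_tcp": port443 == "open",
        # the certificate seen through the LB must be the backend's own; an LB that
        # terminated TLS with its own certificate would give a different fingerprint
        "backend_cert_seen_through_lb": lb_fp == backend_fp,
        # port 80 should be closed, or only ever answer with a redirect to HTTPS
        "port_80_closed_or_redirects": port80 != "open" or port80_redirects,
    }
    findings["passthrough_ok"] = all(findings.values())
    return findings


def run_checks() -> Dict[str, bool]:
    """Run the live checks against the assumed addresses above."""
    port443 = tcp_port_state(LOAD_BALANCER, 443)
    port80 = tcp_port_state(LOAD_BALANCER, 80)
    redirects = port80 == "open" and is_https_redirect(
        fetch_http_response(LOAD_BALANCER, HOSTNAME))
    lb_fp = leaf_fingerprint(LOAD_BALANCER, HOSTNAME) if port443 == "open" else ""
    return evaluate(lb_fp, leaf_fingerprint(BACKEND, HOSTNAME), port443, port80, redirects)


if __name__ == "__main__":
    for check, ok in run_checks().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Because the handshake is done with a verifying context, a failed run also tells you when the backend certificate does not match the hostname or has expired, which is the failure a passthrough setup exposes directly to visitors since nothing in front of the server can mask it.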
As you can see, this is best left to the experts. With Hosted.com®, we configure and install your SSL certificate on the server for you, ensuring your site and visitor data is encrypted from day one.
When to Use SSL Passthrough
SSL passthrough is ideal when you need maximum security and to comply with strict data privacy policies. Since the encrypted data is never decrypted until it reaches the backend server, it’s a good choice for businesses that handle extremely sensitive information.
However, if you need to inspect traffic, perform caching, compression, or URL-based routing at the load balancer, SSL passthrough won’t be suitable. These features require SSL offloading instead.
SSL Passthrough vs SSL Offloading
When configuring HTTPS traffic management, it’s essential to understand the difference between SSL passthrough, SSL offloading (termination), and SSL bridging, particularly in terms of security, performance, backend configuration, and data flow.
You now know that with SSL passthrough, encrypted traffic is passed through the load balancer untouched, and the server handles the SSL handshake. No decryption or inspection can happen at the load balancer.
With SSL offloading, the load balancer terminates the SSL session by decrypting the HTTPS traffic. The plain HTTP or re-encrypted traffic is then forwarded to the server. This allows for URL routing, content switching, maintaining cookie sessions, and traffic inspection.
SSL bridging is a hybrid method where the load balancer terminates the SSL session, inspects or processes the HTTP request, then re-encrypts the data before sending it to the server. This allows inspection at the intermediary while keeping the traffic encrypted on every network hop, although it is no longer end-to-end in the strict sense, since the load balancer briefly holds the plaintext.
Choosing between SSL passthrough, offloading, or bridging depends on your requirements. Passthrough ensures the highest level of security, offloading offers simplicity and improved performance, while bridging strikes a balance between the two.
FAQS
What is SSL passthrough?
SSL passthrough is a method where encrypted HTTPS traffic is forwarded directly to the backend server without being decrypted by the load balancer.
What is the difference between SSL offloading and passthrough?
SSL offloading decrypts traffic at the load balancer, while passthrough keeps it encrypted until it reaches the backend server.
Does SSL passthrough work?
Yes, SSL passthrough works effectively for maintaining end-to-end encryption, especially in security-focused or compliance-sensitive environments.
How to configure SSL passthrough?
Configure your load balancer to forward TCP traffic on port 443 without decryption, install SSL certificates on the backend server, and ensure secure server SSL settings are enabled.
