Why Architecture Matters
Termination vs. Passthrough

All other public/private proxies decrypt your traffic at the proxy to know where to route it.

Learn how Shield’s Passthrough architecture guarantees your data remains opaque end to end.

SSL and TLS

Secure Sockets Layer (SSL), also known as TLS (Transport Layer Security), is the most common security protocol for HTTP traffic traversing the Internet.

SSL/TLS encrypts the communications between a client and a server, which allows for secure bi-directional message exchanges.

QG Static: SSL Termination / SSL Offloading

QuotaGuard Static uses SSL Termination for routing requests between endpoints. SSL termination (a.k.a. SSL Offloading) decrypts all HTTPS traffic when it reaches the QuotaGuard proxy server.

At this point, routing is executed and the data proceeds to the destination server as plain HTTP traffic. If your QuotaGuard implementation uses an HTTPS URL for the forwarding URL (as most customers do), then the data between QuotaGuard and the final destination is encrypted as well.

However, QuotaGuard does have to decrypt the data, using your security keys, to determine the next hop and then re-encrypt the data before it is sent to the next point.

QG Shield: SSL Passthrough

QuotaGuard Shield uses SSL Passthrough for routing requests between endpoints.

SSL passthrough passes encrypted HTTPS traffic all the way to the backend server without decrypting the traffic on the proxy.

Therefore, traffic passes through the proxy encrypted, and the destination server (web application server, database server, etc.) performs the decryption to read the data.

Flowchart illustrating QG Static Outbound Requests via HTTP, HTTPS, and TCP, showing service call, proxy server processing, trusted IP allow list, and security risks of HTTPS on QG Static.

FAQs

Common questions about encryption, compliance, and security specifics.

How do I get SSL Passthrough to work for my QuotaGuard Shield Static IP proxy?

To get SSL Passthrough to work with QuotaGuard Shield, do the following:

1. Sign up for QuotaGuard Shield either at Heroku, our Direct site, on AWS, or Azure.

2. Use the QuotaGuard wizard to configure your domain name and forwarding URL.

3. Change your DNS to point to the CNAME record we provide in your account.

4. Allow up to an hour for the DNS settings to propagate and you’re done.

Note that you do not have to upload your certificates to QuotaGuard when using QuotaGuard Shield.

Why does QuotaGuard Static use SSL Termination and not SSL Passthrough?

QuotaGuard Static uses SSL Termination because it is generally faster and allows for actions to be performed based on the data (an important use-case for many customers).

If there are no concerns regarding the compromise of data passing from the proxy to the destination server, SSL Termination is likely a better solution because it is faster.

Is QuotaGuard Shield HIPAA and PCI compliant?

Yes.

Shield was explicitly developed for healthcare and FinTech customers who required a solution for routing HIPAA, Financial, and Personally Identifiable Information (PII).

Because Shield uses SSL Passthrough to guarantee full, end-to-end encryption without ever decrypting your traffic, it meets the strict security requirements for these regulated industries.

Does Shield encrypt my proxy authentication credentials?

Yes.

With many standard HTTP/SOCKS proxies, your username, password, host, and port are sent "in the clear" between your source and the proxy.

Shield’s outbound service uses HTTPS and Secure SOCKS to encrypt your credentials as well, ensuring they are never exposed during the connection, unlike standard proxies where credentials can be vulnerable.

Do I need to share my private SSL keys with Shield?

No.

To maximize security, you are not permitted to share your SSL certificates or private keys with QuotaGuard when using QG Shield.

By using Server Name Indication (SNI) to route your traffic, we eliminate the need to store your keys.

This prevents your data from being exposed even if our network were compromised, as we simply do not possess the keys required to decrypt and steal your traffic.

Does Shield protect my infrastructure metadata?

Yes.

Beyond just encrypting your data, Shield protects your network topology. It ensures you never expose your source/destination hostnames, open ports, or running services to the public internet.

This prevents malicious actors from mapping out your corporate network to find vulnerabilities, safeguarding your "Sensitive Infrastructure Metadata" alongside your actual application data.

Still have questions?

We don’t outsource Support to non-Engineers.

Reach out directly to the Engineers who built Shield to discuss your specific architecture, integration challenges, or compliance constraints.

🚀 Ready to Get Started? Choose Your QuotaGuard Path

QuotaGuard STATIC

Why: You need a rock-solid, fixed IP for general API access, AI workflows, or standard third-party integrations.
Best For: Developers, startups, and general application connectivity.
Key Feature: SOCKS5 support for secure database access.

QuotaGuard SHIELD

Why: You handle HIPAA, PCI, or sensitive PII data and require End-to-End Encryption (E2EE) for full compliance.
Best For: Regulated industries, financial services, and healthcare.
Key Feature: SSL Passthrough and key isolation.

QuotaGuard has amazing customer service. Some of the best I've interacted with for B2B companies.

Whenever there are snags or setup issues, their support answers emails quickly and hops on zooms to debug with us.

Even with very little notice, they'll hop on zooms to debug. That is absolutely incredible.

Gary L.
CEO

Before I found QuotaGuard, I had tried to use Fixie Socks.

However, I couldn't get it to work even after downloading a separate library that they recommend (fixie-wrench). So I was relieved to find QuotaGuard.

The QuotaGuard team clearly cares about their product and their customers. I enjoyed my interactions with them, and their product seems reliable so far.

Overall a solid choice for Heroku/MongoDB Atlas builds.

Gayle M.
Software Engineer - Health, Wellness and Fitness

Reliability Engineered for the Modern Cloud

For over a decade, QuotaGuard has provided reliable, high-performance static IP and proxy solutions for cloud environments like Heroku, Kubernetes, and AWS.

Get the fixed identity and security your application needs today.