What is the Difference Between SSL Termination (a.k.a. SSL Offloading) and SSL Passthrough
With the introduction of QuotaGuard Shield on Heroku and on our Direct Service, we’ve had a few questions about the differences between QuotaGuard Static, which uses SSL Termination, and QuotaGuard Shield, which uses SSL Passthrough.
Please use this handy little cheat sheet to learn the differences between the two types of security methods when using our QuotaGuard proxies for your traffic.
SSL and TLS
Secure Sockets Layer (SSL), now succeeded by TLS (Transport Layer Security), is the most common security protocol for HTTP traffic traversing the Internet.
SSL/TLS encrypts the communications between a client and a server, allowing for secure bi-directional message exchanges.
You can see SSL in action when you look at your browser's address bar and see the closed lock symbol. Also, when a website's URL begins with “HTTPS,” the “S” indicates that SSL is being used to secure the connection and encrypt the data. Google has been pushing website operators to use SSL for all their websites, even those that are non-financial or hold no sensitive material, to make the web more secure for everyone, so you will likely see this lock symbol on most sites today.
QuotaGuard Static: SSL Termination / SSL Offloading
QuotaGuard Static uses SSL Termination for routing requests between endpoints.
SSL termination (a.k.a. SSL Offloading) decrypts all HTTPS traffic when it reaches the QuotaGuard proxy server. At this point, routing is performed and the data proceeds to the destination server as plain HTTP traffic.
If your QuotaGuard implementation uses an HTTPS URL for the forwarding URL (as most customers do), then the data between QuotaGuard and the final destination is encrypted as well. However, QuotaGuard still has to decrypt the data, using the certificate and keys you upload, to determine the next hop, and then re-encrypt it before sending it on. In other words, the proxy holds your keys and handles the request in decrypted form.
QuotaGuard Shield: SSL Passthrough
QuotaGuard Shield uses SSL Passthrough for routing requests between endpoints.
SSL passthrough passes encrypted HTTPS traffic all the way to the backend server without decrypting the traffic on the proxy.
Therefore, traffic passes through the proxy still encrypted, and the destination server (web application server, database server, etc.) performs the decryption to read the data.
How do I get SSL Passthrough to work for my QuotaGuard Shield Static IP proxy?
To get SSL Passthrough to work with QuotaGuard Shield, do the following:
- Sign up for QuotaGuard Shield either at Heroku or on our Direct site.
- Use the QuotaGuard wizard to configure your domain name and forwarding URL.
- Change your DNS to point to the CNAME record we provide in your account.
- Allow up to an hour for the DNS settings to propagate and you’re done.
Note that you do not have to upload your certificates to QuotaGuard when using QuotaGuard Shield.
Why does QuotaGuard Static use SSL Termination and not SSL Passthrough?
QuotaGuard Static uses SSL Termination because it is generally faster and allows actions to be performed based on the content of the traffic.
If there are no concerns about the data being compromised on its way from the proxy to the destination server, SSL Termination is likely the better solution.