SSL Offloading - In this method the client traffic to the load balancer is sent encrypted. Instead of the server decrypting and re-encrypting the traffic, the load balancer handles that part: the client traffic is decrypted by the load balancer and the decrypted traffic is sent to the back-end server. The return communication from the back-end server to the client (browser) is encrypted by the load balancer and sent back to the client (browser), sparing the server the additional load of encryption and decryption. All the server resources can now be fully used to serve the application content or whatever else they are built to do.
Note -
- The communication between the load balancer and the back-end server is in clear text, plain HTTP.
- Servers are set up to listen on insecure ports, e.g. port 80.
- Since the load balancer decrypts the HTTP traffic, it now has the ability to read the content (headers, cookies etc.) and all the persistence options can be applied (source address, destination address, cookies).
- This is possible only at layer 7.
SSL Pass through - As the name suggests, the load balancer just passes the traffic from the client to the servers, absolving itself of any SSL-related workload. The SSL handshake and connection are established directly between the client and the server; the load balancer merely forwards the client traffic to the servers. This setup is usually used if the applications being served do not tolerate an SSL proxy in front of them or cannot consume decrypted traffic.
Note -
- Since it is just pass-through, the load balancer cannot read the headers, which introduces limitations on persistence. Only non-SSL information in the packet, such as the source IP address and destination IP address, can be used to maintain persistence.
- This option is possible only at layer 4.
SSL Full Proxy or SSL Bridging - This method goes by a few names, such as SSL Re-Encryption, SSL Bridging and SSL Termination. In this method the load balancer re-encrypts the traffic before sending it to the back-end servers: the client (browser) sends encrypted traffic to the LB, the LB decrypts it, and before sending it on to the back-end servers or pool members it re-encrypts it again. This method is generally used to satisfy the requirement that traffic also be encrypted between the LB and the back-end servers. Such a requirement might be put in place for additional security or to prevent intrusion from within the network. When this method is used the servers also have to decrypt and encrypt the traffic.
Note -
- The communication between the LB and the server is secure.
- Servers are set up to listen on secure ports, e.g. port 443.
- Since the LB initially decrypts the HTTP traffic, it still has the ability to read the content (headers, cookies etc.) and all the persistence options can be applied, the same as with SSL Offloading (source address, destination address, cookies, SSL).
- This is possible only at layer 7.
SapphireIMS typically recommends using the SSL offloading option. If security compliance requires SSL on the back-end servers, SSL bridging can be used.
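The three modes side by side as an HAProxy configuration, added here as an illustration; it is not the page's or SapphireIMS's own configuration, and the certificate paths, pool addresses and listening ports are assumed placeholders. It shows which persistence options each mode leaves available and, for bridging, that the LB should verify the back-end server certificates.

```haproxy
# --- SSL offloading (layer 7): TLS ends at the LB, plain HTTP to the pool ---
frontend fe_offload
    bind *:443 ssl crt /etc/haproxy/certs/app.pem      # placeholder cert+key bundle
    mode http
    # pool hop is clear text, so tell the application the client used HTTPS
    http-request set-header X-Forwarded-Proto https
    default_backend be_offload

backend be_offload
    mode http
    balance roundrobin
    # LB sees headers, so cookie persistence is available
    cookie SERVERID insert indirect nocache
    server web1 10.0.0.11:80 check cookie web1             # placeholder pool members
    server web2 10.0.0.12:80 check cookie web2

# --- SSL pass-through (layer 4): LB never decrypts, only source-IP persistence ---
frontend fe_passthrough
    bind *:8443
    mode tcp
    default_backend be_passthrough

backend be_passthrough
    mode tcp
    balance roundrobin
    # no headers or cookies visible; stick clients by source IP
    stick-table type ip size 100k expire 30m
    stick on src
    server web1 10.0.0.11:443 check
    server web2 10.0.0.12:443 check

# --- SSL bridging (layer 7): decrypt at the LB, re-encrypt to the pool ---
frontend fe_bridge
    bind *:9443 ssl crt /etc/haproxy/certs/app.pem
    mode http
    default_backend be_bridge

backend be_bridge
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache                # same persistence as offloading
    # verify the servers' certificates against the internal CA so the LB
    # does not blindly trust whatever answers on the pool's port 443
    server web1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check cookie web1
    server web2 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check cookie web2
```

Only one of the three frontends would normally be deployed for a given application; they are listed on separate ports here so the differences can be compared in one file.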