SSL passthrough vs SSL termination + HTTPS

Question

I understand that when configuring an HTTPS load balancer, SSL termination is generally more favored for speed and the ability to inspect the data and perform actions such as add headers, whereas SSL passthrough favors security but uses more processing power. From what I have read, during SSL termination the SSL connection is, as the name implies, terminated when it reaches the load balancer, and typically, from there the load balancer and worker server(s) communicate over plain HTTP. The current configuration I have is like this:

client --https-->x[load balancer]--https-->[server]

Here, the SSL connection is terminated at the load balancer, but from there the load balancer initiates a new HTTPS connection with the destination server.

My question is which solution is faster, SSL passthrough or SSL termination + an additional HTTPS connection?

Note: I am using haproxy + cheap 100Mbps virtual private servers with only 1 vCore per server

Answer 1

Never assume which one is faster. Using a load balancer means offloading some work to an external machine. This is usually faster because it allows more CPU for your application. But if your application is disk bound or idle, a modern CPU with SSL offloading (like AES-NI), could be faster than an old load balancer.

The advice is to always test with your specific traffic patterns. Check the load during the test. Ask yourself, where is the bottleneck? Then optimize if you have time and/or money.

Answer 2

Probably SSL temrination, but this could ultimately vary depending on which software is used on the load balancer, app server, workers, etc. To get an actual answer for the stack you're using you'd need to use a stress tester like locust.io, wrk, loader.io or one of many others.

You'd then test your stack in a 'passthrough' and 'termination' configuration, which would reveal your results.

There are too many unknown variables for a generic answer to this.