Why They Exist, Why Theyβre Used, and When Each Matters
TLS is not just βturning on HTTPS.β
Where TLS is terminated defines:
- ποΈ Who can see the traffic
- π‘οΈ What security controls are possible
- π How scalable your system is
- π Whether auditors will sign off
Thatβs why multiple TLS termination models exist.
π Why TLS Termination Models Exist
Because no single model can optimize all of these at once:
- π Security
- βοΈ Operability
- π Scalability
- π Traffic visibility
- π° Cost efficiency
Each TLS termination model trades one dimension for another.
Understanding these trade-offs prevents:
- Over-engineered designs
- Weak security assumptions
- βBest-practiceβ architectures that fail in production
1οΈβ£ SSL Passthrough (End-to-End TLS)
The proxy or load balancer does NOT decrypt TLS.
Encrypted traffic is forwarded directly to the backend.
Architecture Diagram
Client
|
| HTTPS (TLS)
v
Load Balancer (Layer 4 β no decryption)
|
| HTTPS (TLS)
v
Backend Application (TLS terminates here)
π― Why It Exists
- Maintain true end-to-end encryption
- Enforce zero-trust networking
- Keep TLS fully owned by the application
π§ͺ Examples
- gRPC services with mTLS
- Banking and healthcare backends
- Kubernetes Ingress with SSL Passthrough enabled
β Why It Matters
- No intermediate system can inspect or modify traffic
- Required for strict compliance environments
β οΈ Trade-offs
- β No path-based routing
- β No WAF, authentication, or rate limiting
- β Certificate management per backend
Best when: Security > operability
Avoid when: Traffic inspection is required
2οΈβ£ SSL Termination / SSL Offloading (Most Common)
TLS is terminated at the proxy or load balancer.
Backend traffic becomes plain HTTP.
Architecture Diagram
Client
|
| HTTPS
v
Load Balancer / Reverse Proxy (TLS ends here)
|
| HTTP
v
Backend Application
π― Why It Exists
- Centralized certificate management
- Simplified backend services
- Enables Layer-7 traffic handling
π§ͺ Examples
- AWS ALB / ELB
- Nginx Ingress Controller
- HAProxy, Envoy
β Why It Matters
TLS must be decrypted to enable:
- Path-based routing (
/api,/auth) - WAF and rate limiting
- Authentication and observability
β οΈ Trade-offs
- β Backend traffic is unencrypted
- β Internal network must be trusted
π‘ This model powers most production SaaS platforms today.
3οΈβ£ SSL Bridging / Re-Encryption (Best of Both, Costs More)
TLS terminates at the proxy, and a new TLS session is created to the backend.
Architecture Diagram
Client
|
| HTTPS
v
Proxy / Load Balancer (TLS #1 terminates)
|
| HTTPS (TLS #2 starts)
v
Backend Application\
π Key Characteristics
- Two TLS sessions
- Proxy can inspect traffic
- Backend still receives encrypted traffic
β Pros
- End-to-end encryption preserved
- Full Layer-7 features at the proxy
- Strong compliance posture
β Cons
- Extra CPU overhead (double TLS)
- Certificates required at both proxy and backend
- Harder debugging and troubleshooting
π§ When to Use
- Regulated environments (PCI-DSS, HIPAA)
- Kubernetes ingress with security mandates
- Zero-trust internal networks
β Common Misconceptions
SSL termination is insecure.
- False, if the internal network is controlled.
SSL passthrough is always better.
- False, if routing or inspection is required.
SSL bridging is free security.
- False β it costs CPU, latency, and operational effort.
π§ Practical Recommendation (No BS)
- Simple public apps / Maximum simplicity β SSL Termination
- Compliance-heavy systems / Security + control β SSL Bridging
- Strict zero-trust / mTLS / Maximum secrecy β SSL Passthrough
If you canβt clearly explain why you chose one,
you probably chose the wrong model.
π Comparison Table
| Feature | SSL Passthrough | SSL Termination | SSL Bridging |
|---|---|---|---|
| TLS decrypted at proxy | β | β | β |
| Backend traffic encrypted | β | β | β |
| HTTP routing / WAF | β | β | β |
| Certificate management | Backend | Centralized | Both |
| Operational complexity | High | Low | High |
| Security level | πππ | ππ | πππ |
π§ Final Takeaway
SSL/TLS termination models exist because:
Security, visibility, scalability, and cost cannot all be optimized at once.
There is no universal best practice β
only context-correct architectural decisions.
Top comments (0)