
    TLS/SSL Offloading

    Published Jan 17, 2025 [Network]

    TLS offloading (also called SSL offloading) is the process of moving the computational work of encrypting and decrypting TLS (Transport Layer Security) traffic from the main web server to a separate device or service, such as a load balancer, reverse proxy, or dedicated TLS terminator.

    Why TLS Offloading?

    TLS encryption is CPU-intensive, especially under high traffic. Offloading helps:

    • Reduce load on the application server
    • Improve performance and response times
    • Centralize certificate management

    How It Works

    1. The client connects to the public endpoint (e.g. a load balancer) over HTTPS/TLS.
    2. The load balancer terminates the TLS session, decrypting the request.
    3. The request is forwarded to the internal server, either in plaintext (HTTP) or re-encrypted (HTTPS).
    4. The server processes the request and returns the response.
    5. The load balancer re-encrypts the response (if needed) and sends it back to the client.

    Common Use Cases

    • Cloud services (e.g., AWS Elastic Load Balancer, Azure Application Gateway)
    • Hardware appliances (e.g., F5, Citrix ADC)
    • Reverse proxies (e.g., NGINX, HAProxy, Envoy)

    Variants

    • TLS Termination: TLS ends at the proxy/load balancer; backend gets plain HTTP.
    • TLS Passthrough: TLS traffic is not decrypted until it reaches the backend.
    • TLS Bridging: Decrypt TLS at the edge, inspect/modify, then re-encrypt and forward.
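
    As an added example that is not part of the original post, the TLS termination and TLS bridging variants described above (and the forwarding flow under "How It Works") expressed as NGINX reverse-proxy configuration; the hostnames, backend addresses and certificate paths are assumed placeholders. Passthrough is not shown because it is configured in the stream module rather than in an http server block.

```nginx
# --- TLS termination: TLS ends here, the backend receives plain HTTP ---
# Only acceptable when the proxy-to-backend hop is on a trusted private network.
server {
    listen 443 ssl;
    server_name app.example.com;                              # assumed hostname

    ssl_certificate     /etc/nginx/tls/app.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;                      # refuse legacy protocol versions

    location / {
        proxy_pass http://10.0.1.10:8080;                     # assumed internal backend, plain HTTP
        proxy_set_header Host              $host;
        # Tell the backend the client used HTTPS; the backend must only trust this
        # header when the request arrives from the proxy, never directly from clients.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

# --- TLS bridging: decrypt at the edge, inspect, then re-encrypt to the backend ---
server {
    listen 443 ssl;
    server_name api.example.com;                              # assumed hostname

    ssl_certificate     /etc/nginx/tls/api.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/api.example.com.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://backend.internal:8443;             # assumed internal backend, HTTPS
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        # Verify the backend's certificate against the internal CA; without this the
        # second hop is encrypted but the backend's identity is not authenticated.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;  # placeholder path
        proxy_ssl_server_name         on;                     # send SNI to the backend
        proxy_ssl_name                backend.internal;       # name checked against the backend cert
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

    Both server blocks listen on port 443 and are selected by the SNI hostname the client presents, so the same proxy can terminate for one application and bridge for another.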