Wednesday, July 27, 2016

SSL Offloading

SSL offloading means delegating the encryption and decryption of data sent over HTTPS or the Secure Sockets Layer (SSL) protocol from your web server to a separate device. This separate device is specially designed to perform SSL acceleration and termination.

Since the CPU-intensive task of encrypting/decrypting data is moved onto a separate device, the web server can dedicate its CPU resources to other application processing tasks, which can really boost the performance of your application. This optimization of CPU consumption can help save costs by maximizing the utilization of servers and eliminating the need to buy additional hardware.

Below is a pictorial representation of what SSL offloading looks like. (Image taken from the internet.)

Some benefits of SSL offloading:
  • Improved performance – The biggest performance hit when doing SSL decryption is the initial handshake. To improve performance, the server doing the decryption caches SSL session IDs and manages TLS session tickets. If this is done at the proxy, all requests from the same client can use the cached values. If it’s done on the backend servers, then each time the client’s requests go to a different server the client has to re-authenticate. The use of TLS tickets can help mitigate this issue, but they are not supported by all clients and can be difficult to configure and manage.
  • Better utilization of the backend servers – SSL/TLS processing is very CPU intensive, and is becoming more intensive as key sizes increase. Removing this work from the backend servers allows them to focus on what they are most efficient at, delivering content.
  • Intelligent routing – By decrypting the traffic, the proxy has access to the request content, such as headers, URI, and so on, and can use this data to route requests.
  • Certificate management – Certificates only need to be purchased and installed on the proxy servers and not all backend servers. This saves both time and money.
  • Security patches – If vulnerabilities arise in the SSL/TLS stack, the appropriate patches need to be applied only to the proxy servers.

SSL offloading can be implemented in two different ways, depending on the level of security you need. Each option has its own pros and cons.



Option 1:

Offload SSL to a separate device, such as a load balancer (LB), in front of your web servers and let the LB and the web servers communicate over HTTP. This is shown in the picture above.

Pros: better performance, and no overhead of installing and maintaining certificates on the web servers.
Cons: the traffic between the LB and the web servers travels over HTTP, making it vulnerable to attacks such as packet sniffing. The Secure cookies option doesn't work. I will come back to this again.

Option 2:
Offload SSL on your load balancer, but re-encrypt the data with a different certificate between the LB and the web servers. This keeps your communication secure end to end while still benefiting from intelligent routing, as the data is decrypted once on the LB.

Here is what it looks like:

This may look like more overhead, as we are doing encryption/decryption twice and maintaining more certificates, but this approach still performs better than not doing SSL offloading at all. Here is how.

  1. Use a different certificate between the LB and the web servers, for two reasons. First, this certificate could be self-signed with a long expiry time, which reduces the overhead of maintaining certificates. Second, use a certificate with a shorter private key for this, maybe 1024 or 2048 bit. A shorter key reduces the work of encryption/decryption compared to the keys used publicly, which are much larger.
  2. Another thing you can configure here is the right value of the Keep-Alive attribute. Please be careful with this setting, as Keep-Alive has implications both ways.

Finally, coming back to the Secure cookies I mentioned in Option 1. Marking cookies Secure means you are restricting the transmission of cookies over non-SSL traffic. Obviously this is a problem in Option 1, as the communication between your LB and web servers is over HTTP, so it doesn't work there. That is not the end of the world, and you can still implement some hacks to get Secure cookies working, but it is worth comparing both options if you require them.
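One such workaround, sketched as an added example that is not from the original post: a WSGI middleware on the web server that treats a request as HTTPS only when the LB says so, and then marks cookies Secure. It assumes the LB overwrites an `X-Forwarded-Proto` header on every request and connects from `10.0.0.0/24`; the subnet, class name and sample request are constructed for illustration.

```python
import ipaddress

# Assumption: subnet the load balancer connects from (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

def peer_is_trusted(environ):
    """True only when the TCP peer is one of our load balancers."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)

def add_secure(cookie):
    """Append the Secure attribute unless the cookie already carries it."""
    attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
    return cookie if "secure" in attrs else cookie + "; Secure"

class OffloadAwareMiddleware:
    """Restore the client's scheme and mark cookies Secure for HTTPS clients."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        # The header counts only when it arrives from the load balancer;
        # any other peer could set it to fake an HTTPS request.
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        client_https = peer_is_trusted(environ) and proto == "https"
        if client_https:
            environ["wsgi.url_scheme"] = "https"
        def patched_start(status, headers, exc_info=None):
            if client_https:
                headers = [(k, add_secure(v) if k.lower() == "set-cookie" else v)
                           for k, v in headers]
            return start_response(status, headers, exc_info)
        return self.app(environ, patched_start)

def demo(remote_addr, forwarded_proto):
    """Send one constructed request through the middleware."""
    seen = {}
    def app(environ, start_response):
        seen["scheme"] = environ["wsgi.url_scheme"]
        start_response("200 OK", [("Set-Cookie", "sid=abc123; HttpOnly")])
        return [b"ok"]
    def capture(status, headers, exc_info=None):
        seen["cookie"] = dict(headers)["Set-Cookie"]
    environ = {"REMOTE_ADDR": remote_addr, "wsgi.url_scheme": "http",
               "HTTP_X_FORWARDED_PROTO": forwarded_proto}
    OffloadAwareMiddleware(app)(environ, capture)
    return seen["scheme"], seen["cookie"]
```

The Secure flag is enforced by the browser on the HTTPS leg to the LB, so the cookie still crosses the LB-to-server hop in clear text under Option 1.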

Hence, always perform SSL offloading: as certificate key sizes increase, the encryption/decryption process becomes more and more CPU-intensive and can seriously hurt the performance of your web servers.