SSL – Proxy SSL from load balancer

Tags: f5-big-ip, https, load balancing, proxy, ssl

A server admin who is setting up a load balancer asked me if I wanted to:

  1. Host SSL certs directly on web servers
  2. or, Proxy SSL from the load balancer

I've only done the former implementation. Can someone compare these?

If I have a web application that requires HTTPS for certain pages, will it be impacted by this choice?

Best Answer

  1. Your web server has to do all the SSL/TLS processing. It means more load on the web server, but you have full control over the certificates and end-to-end security.

  2. Your web server can serve everything as normal web pages, offloading the SSL/TLS processing. Considerably lower load on the web server, but you don't control the certificates yourself any more and break end-to-end security.

In the end it comes down to whether you trust the security of the load balancer and the network between the load balancer and the web server. If not, don't bother. Note that if you are running credit card transactions or something similar there are some rather strict rules about when you may send the data unencrypted from the SSL/TLS offloading point to your server. Moving the certificate is not really a security advantage (somebody breaking into your web server is going to get all the data, regardless of whether they can steal your certs or not).

Do you have such an overhead from SSL/TLS that you really need to offload it to external hardware?

Typically you can set up the offloading system to only provide SSL/TLS security where it is really needed.
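An added example (not code from the question or the answer) showing how the choice affects an application that requires HTTPS for certain pages: with certificates on the web server (option 1) the app sees the TLS connection itself, while with offloading at the load balancer (option 2) it only receives plain HTTP and must rely on a header such as X-Forwarded-Proto, which it should trust only when the request actually came from the load balancer. The proxy addresses, protected paths and sample requests are all constructed for illustration.

```python
import ipaddress

# Hypothetical: load balancers that terminate TLS in front of this web server.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
# Hypothetical: paths the application requires to be served over HTTPS.
HTTPS_REQUIRED_PREFIXES = ("/login", "/checkout")


def request_is_https(peer_ip, connection_is_tls, headers):
    """Decide whether the request reached us over TLS.

    peer_ip:           TCP peer (the client, or the load balancer when offloading)
    connection_is_tls: True when the web server terminated TLS itself (option 1)
    headers:           request headers as a dict with lowercase keys
    """
    if connection_is_tls:
        return True
    peer = ipaddress.ip_address(peer_ip)
    # Only the load balancer may vouch that TLS was terminated upstream.
    if any(peer in net for net in TRUSTED_PROXIES):
        return headers.get("x-forwarded-proto", "").lower() == "https"
    # Direct plain-HTTP client: the header is client-controlled, ignore it.
    return False


def handle(path, peer_ip, connection_is_tls, headers):
    """Return (status, location): 301 to the https URL when a protected page
    is requested without TLS, otherwise 200 with no redirect."""
    host = headers.get("host", "example.invalid")
    if path.startswith(HTTPS_REQUIRED_PREFIXES) and not request_is_https(
        peer_ip, connection_is_tls, headers
    ):
        return 301, f"https://{host}{path}"
    return 200, None


# Constructed sample requests: (path, peer_ip, connection_is_tls, headers)
SAMPLE_REQUESTS = [
    ("/login", "203.0.113.5", True, {"host": "www.example.com"}),                 # option 1
    ("/login", "10.0.0.7", False, {"host": "www.example.com",
                                   "x-forwarded-proto": "https"}),               # option 2, LB
    ("/login", "203.0.113.5", False, {"host": "www.example.com",
                                      "x-forwarded-proto": "https"}),            # spoofed header
    ("/about", "203.0.113.5", False, {"host": "www.example.com"}),                # public page
]


def run_demo():
    """Evaluate the constructed requests and return the list of (status, location)."""
    return [handle(*req) for req in SAMPLE_REQUESTS]
```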