SSL passthrough vs SSL termination vs SSL Bridging

Before comparing them, let’s define what each one is.

Definitions

SSL passthrough passes encrypted HTTPS traffic directly to the backend servers without decrypting it on the load balancer (the proxy server). No intermediate node (neither the network nor the proxy server instances) can read the contents of the traffic; it passes through untouched all the way to the destination.

SSL termination (a.k.a. SSL offloading) decrypts all HTTPS traffic when it arrives at the load balancer (or proxy server), and the data is sent on to the destination server as plain HTTP traffic. By the time it is decrypted, the traffic has usually already reached the company network (or a virtual/private network), and it is forwarded over that private network (for example to an internal endpoint or private IP addresses).

SSL bridging exists to inspect the data and ensure that there is no malware in the traffic. Attackers wrap hacking tools or malicious code inside encrypted traffic; once it reaches the server, the malware is exposed there and begins to compromise it. SSL bridging therefore offloads (decrypts) the traffic for inspection, then re-encrypts it toward the backend, protecting the backend server from being compromised.

Drawbacks

  • SSL passthrough: the traffic may carry attack code and is passed straight to the backend server, because the attacker’s communications stay encrypted end to end.
  • SSL passthrough: switching (flip-flopping) a session between different servers in a server group is impossible.
  • SSL termination: the network stream is decrypted, so a security scanner can detect hostile content in it, but it is then vulnerable to data theft and man-in-the-middle attacks; an insider may already be positioned to attempt man-in-the-middle interception on the internal network.
  • SSL termination: the private key used to decrypt/encrypt the traffic must be shared with network instances (e.g. the load balancer).
  • SSL termination: once the traffic is exposed as plain HTTP, you must ensure every intermediate node (network instance) is well managed (confirm that you own each of them yourself).
  • SSL bridging: the load balancer encrypts the traffic again when it sends it to the backend, roughly doubling the cost compared with SSL offloading, because it encrypts again and the application server must decrypt again.
  • SSL bridging: you come to rely heavily on the load balancer to encrypt/decrypt the traffic, and other network instances (firewall, proxy, etc.) may produce false positives and drop important traffic without notifying you.

When do we need to use which one? (Advantages)

Use passthrough if you never need to decrypt the traffic at layer 7: no access rules, no blocking, no session cookies. If you need to decrypt the traffic to see what is inside for any purpose, it has to be offloaded once. In some cases the contents of the traffic are not very sensitive, and we want to lighten the load on the application server by terminating SSL at the load balancer and sending plain HTTP to the server. But SSL offloading is the least recommended way to ship the traffic, so we can add another step that encrypts the traffic again once it has been offloaded and confirmed to have (for example) no security issue; this is called SSL bridging.
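To make the three modes concrete, here is an added example (not part of the original post) of one HAProxy configuration with a passthrough, a termination and a bridging front end side by side; the listening ports, backend address 10.0.0.11 and the certificate and CA file paths are assumed placeholders.

```haproxy
# Added example, not from the original post. Ports, IPs and file paths are
# assumed placeholders; site.pem holds the certificate and private key.

global
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1) SSL passthrough: TCP mode, no certificate on the load balancer.
#    Only the SNI in the ClientHello is visible; nothing is decrypted,
#    so no layer-7 rules (paths, cookies, content scanning) are possible.
frontend fe_passthrough
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend be_passthrough

backend be_passthrough
    mode tcp
    server app1 10.0.0.11:443 check

# 2) SSL termination (offloading): the load balancer holds the private key,
#    decrypts, and forwards plain HTTP. Layer-7 rules now work, but every
#    hop between here and the backend carries cleartext.
frontend fe_termination
    bind *:8443 ssl crt /etc/haproxy/certs/site.pem
    mode http
    http-request deny if { path_beg /internal }
    default_backend be_plain_http

backend be_plain_http
    mode http
    server app1 10.0.0.11:80 check

# 3) SSL bridging: terminate and inspect as above, then re-encrypt to the
#    backend and verify its certificate against the internal CA (second handshake).
frontend fe_bridging
    bind *:9443 ssl crt /etc/haproxy/certs/site.pem
    mode http
    http-request deny if { path_beg /internal }
    default_backend be_reencrypt

backend be_reencrypt
    mode http
    server app1 10.0.0.11:443 ssl verify required ca-file /etc/ssl/certs/internal-ca.pem check
```

The `http-request deny` rule appears only in the two modes that decrypt, which is the practical difference the comparison above describes: passthrough cannot apply it at all.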