Networking Deep Dive
by Sergey Okinchuk
Algorithms and Health ChecksCDNs and Edge Caching
TLS Termination and Offload
Topic 58

TLS Termination and Offload

TLS

TLS termination is the point on the path where HTTPS gets decrypted. Put it at the load balancer or reverse proxy and the backends receive plaintext HTTP — the edge does the certificate handling and the crypto, and your application servers never touch a private key. That centralizes certificates onto one tier and offloads the CPU cost of the TLS handshake from every backend onto the edge. The catch is unavoidable: traffic behind the termination point is cleartext unless you do something about it.

That "something" is the real subject here. There are three ways to handle TLS at the edge — terminate, re-encrypt, and pass-through — and they trade performance, inspection, and visibility against end-to-end encryption. Termination is fastest and most capable but leaves an internal plaintext hop. Pass-through preserves end-to-end secrecy but blinds the edge. Re-encryption sits between them, paying twice the crypto to get both inspection and an encrypted backend leg. The choice is deliberate, and the wrong default leaks plaintext where your threat model said it shouldn't.

Three ways to handle HTTPS at the edge, from most visibility to most secrecy
terminate
decrypt at the edge, plaintext to the backend
re-encrypt
decrypt, inspect, then re-encrypt to the backend
pass-through
forward ciphertext, backend terminates
Most edge visibilityMost end-to-end secrecy

Termination — Decrypt at the Edge

In plain termination the edge holds the certificate for www.example.com, completes the TLS handshake with the client, decrypts the request, and forwards it to the backend over plaintext HTTP. This is the most common setup because it unlocks everything L7 needs — path routing, header rewriting, caching, WAF inspection — all of which require reading the request. It also means one place to install and renew certificates instead of a key on every backend.

The exposure is the internal hop. From the edge to the backend the traffic is cleartext, so anyone who can sniff that network segment reads it. On a trusted, isolated backend network that may be an acceptable tradeoff. In a zero-trust environment — where you assume the internal network is hostile — leaving that hop plaintext is exactly the gap an attacker pivots through, and you need re-encryption instead.

# nginx: terminate TLS at the edge, plaintext to the backend
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/example.crt;
    ssl_certificate_key /etc/ssl/example.key;
    location / {
        proxy_pass http://10.0.0.11:8080;   # cleartext hop
    }
}

Re-Encryption — TLS Bridging

Re-encryption (also called TLS bridging) decrypts at the edge, inspects and routes the request, then opens a new TLS connection to the backend and re-encrypts. You get the best of both: the edge can read the request to do L7 routing and inspection, and the hop to the backend is encrypted so no internal segment carries plaintext. This is the standard pattern in zero-trust and regulated environments where every hop must be encrypted but the edge still needs to route on content.

The cost is two TLS handshakes and two rounds of crypto per request — once with the client, once with the backend — roughly doubling the edge's TLS CPU. The backend leg often uses mTLS so the edge and backend authenticate each other, not just encrypt. You pay the performance to close the plaintext gap, which is the right trade whenever the internal network is part of your threat model.

Pass-Through — End-to-End TLS

In pass-through (TLS passthrough) the edge never decrypts. It forwards the encrypted TCP stream to the backend, and the backend terminates TLS itself — the client's TLS session runs end to end to the actual server. The edge sees only ciphertext, so it cannot route on path or headers, cannot cache, and cannot inspect; it can balance only on the connection, at L4. What you get in return is true end-to-end encryption where not even your own edge holds the plaintext.

Choose pass-through when the requirement is that no middle box ever sees the content — strict compliance, client-certificate authentication that must reach the backend, or a service you simply do not want your edge able to read. The constraint is the L7 functionality you give up: if you also needed path-based routing, you cannot have it on encrypted bytes, and you must fall back to SNI for any routing at all.

SNI Routing — Choosing Before Decryption

Server Name Indication is the one piece of the TLS handshake sent in cleartext: the ClientHello carries the hostname the client wants, www.example.com, before any encryption begins. That single field is what lets one IP serve hundreds of HTTPS sites — the edge reads the SNI, picks the matching certificate, and completes the handshake for the right host. Without SNI, one IP could present only one certificate.

SNI is also what makes routing possible in pass-through mode. Because the hostname is visible before decryption, a pass-through balancer can read the SNI and send api.example.com to one backend pool and app.example.com to another — all without ever decrypting the payload. That is the only routing dimension you get without termination: by host, never by path, because the path lives inside the encrypted body.

# HAProxy: route by SNI in pass-through, no decryption
frontend tls_in
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend api_pool if { req_ssl_sni -i api.example.com }
    default_backend app_pool
Termination vs Re-Encryption vs Pass-Through

Termination decrypts at the edge and forwards plaintext — fastest, centralizes certs, enables full L7. Choose it when the backend network is trusted and you want routing, caching, and offloaded crypto.

Re-encryption decrypts to inspect, then re-encrypts to the backend — full L7 plus an encrypted internal hop, at twice the crypto cost. Choose it in zero-trust or regulated networks where every hop must be encrypted but the edge still routes on content.

Pass-through never decrypts and routes only by SNI — true end-to-end encryption, no L7 visibility. Choose it when no middle box may see the content, accepting that path routing and caching are off the table.

Common Mistakes
  • Terminating at the edge and leaving the backend hop plaintext in a zero-trust network. Anyone who can sniff the internal segment reads every request — re-encrypt the hop instead of assuming the internal network is safe.
  • Choosing pass-through when you also needed path-based routing. The edge sees only ciphertext, so a rule like "send /api/ to pool B" is impossible — pass-through routes by SNI host only, never by path.
  • Scattering certificates across every backend instead of centralizing them. Cert sprawl means dozens of independent renewal deadlines, and the one you forget expires in production at 2 a.m.
  • Forgetting SNI when serving many certs from one IP. Without reading the SNI host the edge presents a single default certificate, and every other site fails validation with a name-mismatch error.
  • Assuming pass-through hides the destination hostname. SNI is sent in cleartext in the ClientHello, so the hostname is visible on the wire even though the payload is encrypted, unless Encrypted Client Hello is in use.
Best Practices
  • Re-encrypt the backend hop with mTLS in any zero-trust or regulated environment, so terminating at the edge for routing does not leave an internal plaintext segment.
  • Centralize certificates on the termination tier and automate renewal with ACME, so one place owns every cert and nothing expires because a backend was forgotten.
  • Use SNI routing to serve many HTTPS hosts from one IP and to route in pass-through mode, picking the cert and backend from the cleartext hostname before decrypting.
  • Reserve pass-through for traffic that genuinely must stay end-to-end encrypted, accepting the loss of L7 routing, caching, and inspection that comes with never decrypting.
  • Terminate at the edge for offload and L7 features whenever the backend network is trusted and isolated, taking the plaintext internal hop as a deliberate, documented tradeoff.
Comparable conceptsmTLS (the backend leg, Topic 48)Service mesh (sidecar TLS, Topic 73)

Knowledge Check

Your edge terminates TLS for L7 routing, but compliance requires every hop encrypted. Which mode fits?

  • Re-encryption, which decrypts to route then re-encrypts onward
  • Pass-through, so that the edge can still go on routing by URL path
  • Plain termination, since the backend network here is fully internal
  • An L4 balancer, which encrypts every single hop automatically

A pass-through balancer needs to send api.example.com and app.example.com to different backends without decrypting. What makes that possible?

  • SNI, the hostname in the ClientHello sent in cleartext
  • The URL path, which the balancer reads straight from the first packet
  • The Host header, which conveniently travels outside the TLS encryption
  • The destination IP address, which differs between the two hostnames

A backend network in a zero-trust model has the edge terminate TLS and forward plaintext. What is the risk?

  • The internal hop is cleartext, so anyone sniffing it reads every request
  • Certificates must now be installed and rotated on every single backend, multiplying the renewal work
  • The backends are overloaded by doing the entire TLS handshake themselves
  • The edge cannot route by path because the traffic stays encrypted to it

You got correct