SSL Offloading Vs Passthrough


#1

What are your thoughts on which is best? Offloading or Passthrough? Would it be wise to have traffic between the load balancer and servers be unencrypted?


#2

TCP mode is fairly dumb just proxying traffic through without caring about the application data, the only real benefit I can think of is scalability of ssl performance. Scalability on the backend is highly likely to be better as more servers will mean more CPU’s which in turn should offer better TPS. Also if better SSL performance is needed then simply add more servers to the backend.

That said, HTTP mode will offer more flexibility in the form or ACL’s, more persistence options, multiple HTTP pipeline modes and ease of SSL certificate management as it only needs to be managed in one place. I suspect HTTP mode will have other benefits on top of those I’ve mentioned which I’m not thinking of right now as well.

Unless you need lots of SSL performance, beyond what the host running HAproxy can handle I think I’d choose to offload and use HTTP mode. You can also optionally re-encrypt traffic to the backend if required so it’s not a problem if that’s a requirement.