SSL termination

When a client sends a request to the server on a secure website, the request is encrypted for security purposes. This process prevents attackers from stealing or tampering with data exchanged between a web browser and the server.

Since the data is now encrypted, there should be a way of decrypting it so that the server can access the data sent to it. The process of decrypting the encrypted traffic is what is referred to as SSL termination or SSL offloading.

Decrypting the traffic is usually computationally expensive, and as such, instead of relying on the server to decrypt the traffic, SSL termination is usually done on an external application such as a load balancer. This allows the server not to be overloaded and in return be able to do its major function (serve a lot of requests).

How can we secure data between LB and server?

Once SSL termination is complete, it is important to note that data is now transferred plain-text between the device used for SSL termination (load balancer) and the server.

However, it is possible to re-encrypt the traffic before sending to the servers. Most cloud providers provide automatic encryption between the load balancer and the application.

Here is a useful StackExchange resource with some details about re-encryption between load balancer and server.

Should SSL be terminated at a load balancer?

Some other useful articles for further reading:

Encryption from the load balancer to the backends | Load Balancing | Google Cloud

NGINX SSL Termination

Data protection in Elastic Load Balancing

Configuring end-to-end encryption in a load-balanced Elastic Beanstalk environment

End of blog.