
Understanding HTTP, HTTPS, SSL Passthrough, and SSL Termination


Overview of HTTP and SSL concepts

In this article, we will delve into the definitions and significance of HTTP, HTTPS, SSL Passthrough, and SSL Termination. These concepts are crucial for programmers as they lay the groundwork for client-server communication.

What is the HTTP Protocol?

Diagram of HTTP protocol steps

HTTP, or Hypertext Transfer Protocol, is the standard used for transmitting information in a client-server framework. It operates at layer 7 of the OSI model and uses port 80 by default. Whenever you use a web browser, you are indirectly engaging with HTTP(S), which runs as an application protocol over the internet's foundational TCP/IP stack. HTTP/1.1, introduced in 1997, and its successor HTTP/2, introduced in 2015, are both currently in use.

This protocol enables the exchange of various resources—ranging from text and images to videos—between clients and servers. Web browsers and mobile applications act as HTTP clients that send requests to a server's URL, which is then resolved to an IP address through DNS. On the server side, an HTTP daemon continuously processes incoming requests and sends responses back to the clients.

HTTP Requests and Responses

The communication between a client and server is termed a message, which can either be a request or a response.

HTTP Requests

An HTTP request is initiated by the client and contains the following components:

  • The HTTP version used: HTTP/1.1 or HTTP/2.
  • A URL: which directs to the desired resource online.
  • An HTTP method: specifying the action to be taken (such as GET, PUT, POST, DELETE, etc.).
  • HTTP request headers: containing details like browser type and the nature of the data being requested.
  • An HTTP body (optional): which may include additional information, such as user credentials for account creation. This body is often referred to as the payload.

HTTP Responses

The HTTP response is the information relayed by the server back to the client following a request. It typically includes:

  • HTTP status code: indicating the result of the request, with codes signifying success (200) or various errors (e.g., 400, 401, 404, 500).
  • HTTP response headers: providing information about the server and the resources requested.
  • An HTTP body (optional): if successful, this includes the requested data, formatted as HTML for rendering by the client browser. In the context of REST APIs, the response may include a JSON payload.
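The two message shapes just listed, as an added example that is not code from the article: a small Python parser that pulls the method, target URL, version, headers and Content-Length-delimited body out of a raw HTTP/1.1 request and response. The sample messages, hostnames and server names are constructed for the example.

```python
"""Parse raw HTTP/1.1 messages into the components listed above.

Added example; the sample messages below are constructed, not captured traffic.
"""
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    target: str                      # the URL path the client is asking for
    version: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""                # the optional payload


@dataclass
class HttpResponse:
    version: str
    status: int
    reason: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def _split(raw: bytes):
    """Split a message into its start line, a header dict and the body bytes."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: header block not terminated")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    # Only Content-Length bytes belong to this message; anything beyond that
    # would be the start of the next message on a kept-alive connection.
    length = int(headers.get("content-length", "0"))
    if length < 0 or len(rest) < length:
        raise ValueError("body does not match Content-Length")
    return lines[0], headers, rest[:length]


def parse_request(raw: bytes) -> HttpRequest:
    """Request line is: METHOD SP target SP HTTP-version."""
    start, headers, body = _split(raw)
    parts = start.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {start!r}")
    method, target, version = parts
    return HttpRequest(method, target, version, headers, body)


def parse_response(raw: bytes) -> HttpResponse:
    """Status line is: HTTP-version SP status-code SP reason-phrase."""
    start, headers, body = _split(raw)
    parts = start.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {start!r}")
    version, code = parts[0], int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    return HttpResponse(version, code, reason, headers, body)


def is_complete(raw: bytes) -> bool:
    """True when the bytes hold one whole, well-formed message."""
    try:
        _split(raw)
        return True
    except ValueError:
        return False


# Constructed sample messages (no real server or client was involved).
SAMPLE_REQUEST = (
    b"POST /api/accounts HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 16\r\n"
    b"\r\n"
    b'{"user":"alice"}'
)

SAMPLE_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: ExampleHTTPd\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 21\r\n"
    b"\r\n"
    b'{"error":"not found"}'
)

if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST))
    print(parse_response(SAMPLE_RESPONSE))
```

The parser stops reading the body at exactly Content-Length bytes and refuses a message whose header block or body is short, which is the behaviour a server-side HTTP daemon needs when several messages share one TCP connection.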

What is HTTPS?

HTTPS, short for Hypertext Transfer Protocol Secure, is an enhanced version of HTTP that ensures secure data transmission between clients and servers, utilizing port 443. By encrypting data, HTTPS is critical for safeguarding sensitive information like bank details and personal identification numbers during transmission.

Web browsers flag sites that do not use HTTPS as insecure, alerting users to potential risks.

Importance of HTTPS

SSL / TLS

SSL, or Secure Sockets Layer, employs encryption to secure data transmission. Its successor, Transport Layer Security (TLS), works in the same way but is the more advanced version. Although SSL and TLS are often used interchangeably, TLS is the current standard.

HTTP + TLS = HTTPS

When a URL displays "HTTPS," it signifies the use of TLS for securing the connection and encrypting data. Google advocates for all websites to adopt TLS for a safer web experience.

Websites requiring user authentication must implement HTTPS; a padlock icon next to the URL indicates a secure connection. This visual cue helps users recognize secure sites.

Visual representation of SSL in action

What is an SSL Handshake?

The establishment of an HTTPS connection involves an SSL handshake conducted over TCP. During this handshake, the client and server share essential information necessary for creating a secure connection.

There are two types of SSL handshakes:

  1. One-way SSL: Only the client authenticates the server's identity, commonly used in client-server communication (e.g., web browsers).
  2. Two-way SSL (Mutual SSL): Both the client and server verify each other's identities, typically employed in server-to-server interactions.

Diagram of SSL Handshake process

The above diagram illustrates the steps involved in client-server communication utilizing HTTPS. The handshake process includes:

  1. The client sends a “client hello” message outlining supported encryption algorithms. If none are supported by the server, it will respond with a failure alert and terminate the connection.
  2. The server replies with a “server hello,” indicating which of the offered algorithms it has chosen. The server also sends its SSL certificate, which contains the public key, hostname, expiration dates, etc. The client must validate this certificate.
  3. After validation, the client generates a session key, encrypts it with the server's public key, and sends it to the server. The server then decrypts the session key using its private key.
  4. Now both client and server possess the same session key, allowing secure bi-directional data transmission.
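The four steps above as a runnable model, added here as an example and not code from the article. It follows the article's description of the key exchange, in which the client encrypts a fresh session key to the server's public key (the RSA key-transport mode of TLS 1.2; TLS 1.3 instead derives the key from an ephemeral Diffie-Hellman exchange). The certificate, trusted-issuer list, clock and cipher-suite sets are constructed, and the RSA key pair is a toy with n = 3233 so the arithmetic stays readable; it is not usable as real cryptography.

```python
"""Model of the four handshake steps listed above.

Added example; nothing here comes from the article.  The certificate, the
trusted-issuer list and the clock are constructed, and the RSA key pair is a
toy (n = 3233) chosen for readability, not security.
"""
import random
from dataclasses import dataclass


class HandshakeFailure(Exception):
    """Raised where the article says a peer sends a failure alert and stops."""


@dataclass(frozen=True)
class Certificate:
    hostname: str
    issuer: str
    public_key: tuple     # (e, n) of the server's toy RSA key
    not_after: int        # expiry, as a day number on the constructed clock


# Toy RSA key pair: p = 61, q = 53, n = 3233, e = 17, d = 2753 (constructed).
SERVER_PUBLIC = (17, 3233)
SERVER_PRIVATE = (2753, 3233)
SERVER_CERT = Certificate("api.example.test", "Example Root CA",
                          SERVER_PUBLIC, not_after=20_000)
TRUSTED_ISSUERS = {"Example Root CA"}


def rsa_apply(key, value: int) -> int:
    """Textbook RSA: value ** exponent mod modulus (no padding, toy only)."""
    exponent, modulus = key
    return pow(value, exponent, modulus)


def server_hello(client_suites, server_suites) -> str:
    """Steps 1-2: the server picks the first client-offered suite it supports."""
    for suite in client_suites:
        if suite in server_suites:
            return suite
    raise HandshakeFailure("no cipher suite in common")


def validate_certificate(cert: Certificate, expected_host: str, today: int) -> None:
    """Step 2, client side: checks that must pass before the public key is trusted."""
    if cert.issuer not in TRUSTED_ISSUERS:
        raise HandshakeFailure(f"untrusted issuer {cert.issuer!r}")
    if cert.hostname != expected_host:
        raise HandshakeFailure(
            f"certificate is for {cert.hostname!r}, not {expected_host!r}")
    if today > cert.not_after:
        raise HandshakeFailure("certificate has expired")


def client_key_exchange(cert: Certificate, rng: random.Random):
    """Step 3: the client picks a session key and encrypts it to the server's key."""
    session_key = rng.randrange(2, cert.public_key[1])
    return session_key, rsa_apply(cert.public_key, session_key)


def server_recover_key(encrypted_key: int) -> int:
    """Step 3, server side: only the private key undoes the encryption."""
    return rsa_apply(SERVER_PRIVATE, encrypted_key)


def run_handshake(client_suites, server_suites, expected_host, today, rng=None) -> dict:
    """Run all four steps and describe the outcome instead of raising."""
    rng = rng or random.Random()
    try:
        suite = server_hello(client_suites, server_suites)
        validate_certificate(SERVER_CERT, expected_host, today)
    except HandshakeFailure as alert:
        return {"ok": False, "alert": str(alert)}
    session_key, encrypted = client_key_exchange(SERVER_CERT, rng)
    recovered = server_recover_key(encrypted)
    # Step 4: both ends now hold the same key; the wire only carried `encrypted`.
    return {"ok": True, "suite": suite, "on_the_wire": encrypted,
            "keys_match": session_key == recovered}


CLIENT_SUITES = ["TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384"]
SERVER_SUITES = {"TLS_RSA_WITH_AES_256_GCM_SHA384"}

if __name__ == "__main__":
    print(run_handshake(CLIENT_SUITES, SERVER_SUITES, "api.example.test", today=19_000))
    print(run_handshake(CLIENT_SUITES, SERVER_SUITES, "www.example.test", today=19_000))
```

Each failure path the article mentions shows up as an alert in the returned dict: no common suite, a certificate issued for a different hostname, or an expired one. A hostname mismatch is the case worth noticing from a defender's side, because a client that skips that check will happily encrypt its session key to whoever presented a certificate.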

What is SSL Passthrough?

SSL Passthrough concept

SSL passthrough refers to the process of sending encrypted HTTPS traffic directly to the backend server without decrypting it at an intermediary such as a proxy or load balancer. Only the destination server performs decryption, so the traffic stays encrypted all the way to the backend. This method is commonly used when only a few servers sit behind a load balancer and is important for web application security.

However, SSL passthrough can be resource-intensive, consuming significant CPU cycles on backend servers, and may limit some functionalities of the load-balancing proxy since it merely forwards traffic to the backend.
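An added example (not code from the article) of the limitation just described: a passthrough load balancer forwards the encrypted bytes untouched, so the only routing information it has is what the TLS ClientHello exposes in clear text, chiefly the Server Name Indication (SNI) hostname. It cannot see the URL, method or headers. The Python below builds a minimal ClientHello, extracts the SNI from it the way a passthrough balancer would, and maps it to a backend. The backend table, hostnames and addresses are constructed for the example.

```python
"""What a passthrough load balancer can route on: the SNI in the ClientHello.

Added example; not from the article.  build_client_hello constructs the
record bytes, and BACKENDS is a made-up routing table.
"""
import struct


def build_client_hello(server_name: str, suites=(0x002F, 0x0035), include_sni=True) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0
    extensions = sni_ext if include_sni else b""
    body = (
        b"\x03\x03"                                                 # client_version
        + bytes(32)                                                 # random (zeros here)
        + b"\x00"                                                   # empty session_id
        + struct.pack("!H", 2 * len(suites))
        + b"".join(struct.pack("!H", s) for s in suites)
        + b"\x01\x00"                                               # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _take(buf: bytes, pos: int, n: int):
    """Return buf[pos:pos+n] and the new position, refusing truncated input."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def _parse_server_name(data: bytes):
    """ServerNameList: 2-byte length, then entries of type(1) length(2) name."""
    hdr, pos = _take(data, 0, 2)
    entries, _ = _take(data, pos, struct.unpack("!H", hdr)[0])
    pos = 0
    while pos + 3 <= len(entries):
        name_type = entries[pos]
        name_len = struct.unpack("!H", entries[pos + 1:pos + 3])[0]
        name, pos = _take(entries, pos + 3, name_len)
        if name_type == 0:
            return name.decode("ascii")
    return None


def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if it has none."""
    hdr, pos = _take(record, 0, 5)
    if hdr[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs, _ = _take(record, pos, struct.unpack("!H", hdr[3:5])[0])
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body, _ = _take(hs, 4, int.from_bytes(hs[1:4], "big"))
    chunk, pos = _take(body, 2 + 32, 1)               # skip version + random
    _, pos = _take(body, pos, chunk[0])               # session_id
    chunk, pos = _take(body, pos, 2)
    _, pos = _take(body, pos, struct.unpack("!H", chunk)[0])   # cipher_suites
    chunk, pos = _take(body, pos, 1)
    _, pos = _take(body, pos, chunk[0])               # compression_methods
    if pos == len(body):
        return None                                   # no extensions block at all
    chunk, pos = _take(body, pos, 2)
    exts, _ = _take(body, pos, struct.unpack("!H", chunk)[0])
    pos = 0
    while pos + 4 <= len(exts):
        etype, elen = struct.unpack("!HH", exts[pos:pos + 4])
        data, pos = _take(exts, pos + 4, elen)
        if etype == 0x0000:
            return _parse_server_name(data)
    return None


# Constructed routing table: SNI hostname -> backend address.
BACKENDS = {
    "api.example.test": "10.0.0.11:443",
    "www.example.test": "10.0.0.12:443",
}


def route(record: bytes):
    """Pick a backend from the SNI alone; None means the balancer cannot decide."""
    host = extract_sni(record)
    if host is None:
        return None
    return BACKENDS.get(host)


if __name__ == "__main__":
    print(route(build_client_hello("api.example.test")))
```

A client that sends no SNI leaves a passthrough balancer with nothing to route on, and since the balancer never decrypts, it also cannot add headers such as X-Forwarded-For, inspect paths, or cache responses; that is the functional limit the paragraph above refers to. The backend should still check the Host header itself, because the SNI value is sent unauthenticated before the handshake completes.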

What Is SSL Termination / SSL Offloading?

SSL Termination process

SSL termination involves decrypting SSL-encrypted traffic at a reverse proxy server, such as a load balancer. This approach accelerates the decryption process and lessens the workload on backend servers, allowing them to focus on application tasks and enhancing overall performance. The security certificate can be stored and managed centrally at the load balancer, alleviating the administrative burden associated with deploying certificates on each backend server.

This method is akin to managing authentication and authorization for every request through an API Gateway, enabling microservices to concentrate on other application functions.

In this article, we explored the fundamentals of HTTP, requests, and responses, followed by an in-depth examination of the HTTPS communication steps between client and server. Lastly, we discussed SSL Passthrough and SSL Termination (also known as SSL Offloading).

Thank you for reading! I hope you found this article informative. Be sure to check out my subsequent articles for insights on Proxy Servers and the HTTP/2 protocol.
