In this article, let us see what HTTP, HTTPS, SSL passthrough, and SSL termination are. This is an important topic for all programmers, as it covers the basics of client-server communication.
HTTP, which stands for Hypertext Transfer Protocol, is a standard for passing information in a client-server architecture. HTTP operates at layer 7 of the OSI model and uses port 80. When you open a web browser, you are using HTTP(S) indirectly. It is an application protocol that runs on top of TCP/IP, which forms the foundation of the internet. HTTP/1.1 was introduced in 1997 and HTTP/2 was published in 2015. Both versions are in active use today.
This protocol facilitates the exchange of resources between client and server, and a resource can be anything: text, an image, a video, etc. Web browsers and mobile apps are HTTP clients that send HTTP requests to the server's URL, which is converted to an IP address by DNS resolution. On the web server, an HTTP daemon process runs continuously to handle HTTP requests as they arrive; it processes each request and returns the response to the client.
The unit of interaction between client and server is called a message, and a message is either a request or a response.
The HTTP request is sent by the client to the server with the desired information, and it contains the following:
- The version of HTTP followed: HTTP/1.1 or HTTP/2.
- A URL. This points to the resource on the web.
- An HTTP method. This indicates the specific action to be performed (GET, PUT, POST, DELETE, etc.).
- HTTP request headers. These include data such as what type of browser is being used and what data the request is seeking from the server.
- An HTTP body. This is optional information sent by the client, such as the details of a user to be created in the system. A login user name and password are encoded and sent in the HTTP body, which is also called the payload.
The HTTP response is the data sent by the server to the client in reply to a client's request, and it contains the following information:
- HTTP status code: This indicates the outcome of the request. Responses may indicate success or error, and each kind of error has its own code, such as 400, 401, 404, 500, etc. The success code is 200.
- HTTP response headers: These carry information about the server and the requested resource.
- An HTTP body (optional). If a request is successful, this contains the requested data, for example HTML code that the client browser renders as a web page. In the case of REST APIs, the response contains a JSON payload for the client to render the data in the front end.
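To make the request and response structure above concrete, here is an added example (not code from the original article) that parses raw HTTP/1.1 messages into the parts just listed: version, target URL, method, headers and body for a request; version, status code, reason, headers and body for a response. The two sample messages are constructed by hand; the function and class names are this example's own.

```python
"""Parse raw HTTP/1.1 request and response messages into their parts.

Added example (not code from the original article). The two messages
below are constructed by hand to show the fields listed in the text.
"""
from dataclasses import dataclass
from typing import Dict

# Constructed sample request: a client creating a user with a JSON payload.
SAMPLE_REQUEST = (
    b"POST /api/users HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b'{"name": "alice", "age": 30}'
)

# Constructed sample response: the server reports the created resource.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 201 Created\r\n"
    b"Server: ExampleServer/2.0\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 10\r\n"
    b"\r\n"
    b'{"id": 42}'
)


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: Dict[str, str]
    body: bytes


@dataclass
class HttpResponse:
    version: str
    status: int
    reason: str
    headers: Dict[str, str]
    body: bytes


def _split_message(raw: bytes):
    """Split a raw message into (start line, headers, body).

    Headers end at the first blank line. When Content-Length is present it
    bounds the body, and a body shorter than advertised is rejected rather
    than silently accepted as complete.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP message: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    start_line, header_lines = lines[0], lines[1:]
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    body = b""
    if "content-length" in headers:
        length = int(headers["content-length"])
        if len(rest) < length:
            raise ValueError("body shorter than Content-Length")
        body = rest[:length]
    return start_line, headers, body


def parse_request(raw: bytes) -> HttpRequest:
    """Parse a request: '<METHOD> <target> HTTP/<version>' then headers and body."""
    start_line, headers, body = _split_message(raw)
    parts = start_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {start_line!r}")
    method, target, version = parts
    return HttpRequest(method, target, version, headers, body)


def parse_response(raw: bytes) -> HttpResponse:
    """Parse a response: 'HTTP/<version> <status> <reason>' then headers and body."""
    start_line, headers, body = _split_message(raw)
    parts = start_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {start_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return HttpResponse(parts[0], int(parts[1]), reason, headers, body)


def status_class(status: int) -> str:
    """Map a status code to the class the article describes (2xx success, 4xx/5xx errors)."""
    if 200 <= status < 300:
        return "success"
    if 400 <= status < 500:
        return "client error"
    if 500 <= status < 600:
        return "server error"
    return "other"


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req.method, req.target, req.version, req.headers["host"], req.body)
    resp = parse_response(SAMPLE_RESPONSE)
    print(resp.status, resp.reason, status_class(resp.status), resp.body)
```

The parser lowercases header names because HTTP header names are case-insensitive, and it refuses a body shorter than the declared Content-Length instead of treating a truncated message as complete.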
HTTPS, short for Hypertext Transfer Protocol Secure, is HTTP with an added layer of security for the data transferred between client and server, and it uses port 443. HTTPS traffic is encrypted to protect the data, which is very important when sensitive information such as bank account details, passwords, social security numbers, etc. is transmitted over the network.
A website that does not use HTTPS is flagged as insecure by browsers to warn users.
SSL stands for Secure Sockets Layer, a protocol that uses encryption to protect the transfer of data and information. Transport Layer Security (TLS) is the successor to SSL: it works the same way and is an improved version of it. The terms SSL and TLS are used interchangeably, but it is TLS that is used today.
HTTP + TLS = HTTPS
When a website's URL says "HTTPS", it means TLS is in use. The "S" indicates that SSL/TLS is securing the connection and encrypting the data. Google has been pushing all websites to use TLS to make the web more secure for everyone.
Websites that have authentication and require the user to enter credentials must implement HTTPS. The padlock in front of the website URL shows that the site uses HTTPS and that the connection is secure, which helps users recognise that the site is protected.
The browser and the server create an HTTPS connection using an SSL handshake, which takes place over the TCP connection. During the SSL handshake, the server and client exchange the information required to establish a secure HTTPS connection.
There are two types of SSL handshake, described below:
1. One-way SSL
In one-way SSL, only the client validates the identity of the server. This is used in client-server communication (e.g., a browser talking to a website).
2. Two-way SSL (mutual SSL)
In two-way SSL, both the client and the server validate each other's identity. This is used in server-to-server communication, where both parties need to verify who they are talking to.
The diagram above shows the steps that take place during client-server communication over the HTTPS protocol.
The client (browser) performs the handshake with the server over a TCP connection.
1. The client sends a "client hello" to the server. This message contains the list of encryption algorithms supported by the client. If the server supports none of them, it sends a failure alert and closes the connection.
2. The server responds with a "server hello" so that the client knows which algorithm the server supports and will use. The server then sends its SSL certificate to the client; the certificate contains the public key, hostname, expiry dates, etc. The client validates the server's SSL certificate.
3. After validating the server's SSL certificate, the client generates a session key and encrypts it with the server's public key (taken from the certificate). The client then sends the encrypted session key to the server, and the server decrypts it with its private key.
4. Now that the client and the server hold the same session key (symmetric encryption), data is transmitted encrypted over a secure bi-directional channel.
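The following added example (not code from the original article) shows two things from the sections above in Python's standard ssl module: how a client context for one-way SSL and a server context for two-way (mutual) SSL differ, and the certificate checks the client performs in step 2, namely the validity dates and the hostname. SAMPLE_CERT is a hand-constructed dictionary in the shape that ssl.SSLSocket.getpeercert() returns; no network connection is made, and the hostnames and CA name in it are made up.

```python
"""One-way vs. two-way (mutual) TLS contexts, and the checks a client makes on
the server's certificate (validity period and hostname) before trusting it.

Added example, not code from the original article. SAMPLE_CERT is a hand-
constructed dictionary in the shape Python's ssl.SSLSocket.getpeercert()
returns; no network connection is made and no real certificate is used.
"""
import ssl
from typing import Dict, List

# Constructed sample: what getpeercert() might return for a site's certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
}


def cert_time(cert_time_str: str) -> float:
    """Convert a certificate date string (as found in the dict) to epoch seconds, UTC."""
    return ssl.cert_time_to_seconds(cert_time_str)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one subjectAltName DNS entry against the requested hostname.

    A wildcard may replace only the left-most label, so '*.api.example.test'
    matches 'v1.api.example.test' but not 'a.b.api.example.test' and not
    'api.example.test' itself.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # '.api.example.test'
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def validate_server_cert(cert: Dict, hostname: str, now: float) -> List[str]:
    """Return the problems found; an empty list means the certificate is acceptable.

    Chain-of-trust and signature checks are done by the TLS library itself
    (ssl.CERT_REQUIRED below); this function shows the two checks the article
    names explicitly: expiry dates and hostname.
    """
    problems: List[str] = []
    if now < cert_time(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > cert_time(cert["notAfter"]):
        problems.append("certificate expired")
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, hostname) for name in dns_names):
        problems.append(f"hostname {hostname!r} not covered by {dns_names}")
    return problems


def client_context() -> ssl.SSLContext:
    """One-way TLS, client side: verify the server's certificate and hostname."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True                 # already the default; stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED       # already the default; stated explicitly
    return ctx


def server_context(mutual: bool) -> ssl.SSLContext:
    """Server side. mutual=True makes this two-way TLS: a client certificate is demanded."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED if mutual else ssl.CERT_NONE
    # In a deployment you would also call ctx.load_cert_chain(certfile, keyfile)
    # and, for mutual TLS, ctx.load_verify_locations(cafile=<client CA bundle>).
    return ctx


if __name__ == "__main__":
    at = cert_time("Jun 01 00:00:00 2025 GMT")   # a moment inside the validity window
    for host in ("www.example.test", "v1.api.example.test", "api.example.test"):
        print(host, "->", validate_server_cert(SAMPLE_CERT, host, at) or "OK")
    print("one-way server:", server_context(False).verify_mode.name)
    print("two-way server:", server_context(True).verify_mode.name)
```

The difference between the two handshake types lives entirely in the server context's verify_mode: CERT_NONE means the server asks nothing of the client (one-way), CERT_REQUIRED means the server demands and verifies a client certificate (two-way). The hostname check matters because a certificate that is valid and correctly signed for one site must not be accepted for another.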
SSL passthrough sends the encrypted HTTPS traffic all the way to the backend server without decrypting it on the proxy or load balancer; only the destination decrypts the data. It is used in scenarios where there are only a few servers behind a load balancer. SSL passthrough is widely used for web application security.
SSL passthrough is an expensive operation: it uses more central processing unit (CPU) cycles on the backend servers. It also limits some functions of a load-balancing proxy, since the proxy just passes the traffic through to the backend server.
SSL termination is a process by which SSL-encrypted traffic is offloaded, i.e. decrypted, at a reverse proxy such as a load balancer. This speeds up decryption and reduces the burden on the backend servers. Moving the decryption burden to the load balancer lets the servers spend their processing power on application tasks, improving performance. The security certificate can then be installed only on the load balancer and maintained in a single place. This removes a lot of overhead in a microservices architecture, which has many backend servers. Imagine installing security certificates on every server and decrypting the data on each of those machines!
This is similar to performing authentication and authorization of every request at the API gateway, which allows the microservices to focus on their own application work.
In this article, we saw what HTTP is, along with its request and response. Then we saw what HTTPS is and went in depth into the steps of an HTTPS communication between client and server. Finally, we saw what SSL passthrough and SSL termination are.
Hope you have enjoyed this article, and thanks for reading!
I work as a freelance Architect at Ontoborn, who are experts in putting together a team needed for building your product. This article was originally published on my personal blog.