GH GambleHub

SSL termination and balancers

Brief summary

SSL/TLS termination removes crypto load from applications and opens the way to L7 routing, WAF, rate-limit, mTLS, canary releases. Key solutions: where to end TLS (edge/ingress/inside mesh), how to balance (L4 vs L7), which cipher profiles to use, how to update certificates without downtime, and how to keep p95 latency and errors in SLO.

Where to end TLS

Edge (CDN/Anycast/WAF): minimal user latency, global protection, cache/bot control. Further - re-encrypt to the backend.
On ingress L7 (Nginx/Envoy/HAProxy/ALB): fine URI/header routing, mTLS, JWT validation.
End-to-end TLS (passthrough L4): when end-to-end mTLS is needed before pod/service (e.g. strict compliance zone).
Service Mesh (Envoy/Istio/Linkerd): Automated intra-cluster mTLS, policy and telemetry.

Practice: more often - edge terminate → re-encrypt to ingress; for PII/payments - mTLS before service.

L4 vs L7 balancing

L4 (TCP/UDP): minimum delay, simple health-checks (port/TCP), passthrough TLS. Suitable for gRPC on TLS when there is a shortage of L7 features.
L7 (HTTP/HTTPS/HTTP3): host/path/header/cookie routing, WAF, rate-limits, canary releases, sticky sessions, retrays/timeouts.

TLS: versions, keys, ciphers

Versions: TLS 1. 3 everywhere, TLS 1. 2 as a fallback. Disable 1. 0/1. 1.
Keys/serts: ECDSA (P-256) - faster than RSA; you can double-stack (ECDSA + RSA) for antiquity.
ALPN: `h2` и `http/1. 1`; for HTTP/3 - 'h3' (QUIC/UDP).
OCSP Stapling: include; HSTS on public domains.
Key pools: stored in KMS/HSM; automatic renewal (ACME/trust tree).
0-RTT (TLS 1. 3): include point (GET/idempotent), take into account the risk of replay.

Basic cipher profile (TLS 1. 2): `ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305`

TLS performance

Resumption: session tickets/IDs - reduce handshake cost.
ECDSA + ChaCha20 help on mobile/non-AES-NI.
OCSP Stapling + short chains reduce p95.
HTTP/2/3: multiplexing, fewer connections → less than p95.
Offload: pin CPU cores for crypto, enable reuseport, tune socket buffers.

Safety

mTLS: require client-cert for admin/API statements; CRL/OCSP for revocation.
SNI/ECH: SNI - standard; ECH (Encr. ClientHello) hides the domain (if the edge provider supports it).
Strict Transport Security (HSTS): production domains, with caution at the start.
TLS between hops: re-encrypt to service, even inside DC (Zero-Trust).
Rate-limit/gray-oxen: on L7 protect api from bots/brute-force.

Observability and SLO

SLO (examples)

p95 TLS-handshake ≤ 80-120 ms (global), p95 TTFB ≤ 200-300 ms.
TLS (handshake/peer-verify) errors ≤ 0. 1%.
The proportion of resumes ≥ 70% for repeat visits.

Metrics

`handshake_time`, `tls_version`, `alpn`, `cert_expiry_days`, `ocsp_staple_status`.
L7: `p50/p95/p99`, `5xx`, `429`, `upstream_rq_time`, `retry_budget`.
Capacity: active connections, CPS (connections per second), RPS.

Typical configs

Nginx (L7 terminate + HTTP/2 + OCSP stapling)

nginx server {
listen 443 ssl http2 reuseport;
server_name api.example.com;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:...:ECDHE-RSA-CHACHA20-POLY1305';
ssl_ecdh_curve X25519:P-256;
ssl_certificate   /etc/ssl/cert.pem;    # полная цепочка ssl_certificate_key /etc/ssl/key.pem;
ssl_stapling on; ssl_stapling_verify on;
ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_pass https://upstream_pool;
}
}

upstream upstream_pool {
zone backends 64k;
server 10.0.1.10:8443 max_fails=3 fail_timeout=10s;
server 10.0.1.11:8443 max_fails=3 fail_timeout=10s;
keepalive 256;
}

HAProxy (L7 terminate + stickiness + mTLS to backend)

haproxy frontend fe_https bind:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1 mode http http-response set-header Strict-Transport-Security max-age=31536000 default_backend be_api

backend be_api mode http balance roundrobin cookie SRV insert indirect nocache option httpchk GET /healthz server s1 10.0.1.10:8443 check ssl verify required ca-file /etc/haproxy/ca.pem server s2 10.0.1.11:8443 check ssl verify required ca-file /etc/haproxy/ca.pem

Envoy (L7 terminate + mTLS from customer + canary)

yaml static_resources:
listeners:
- name: https address: { socket_address: { address: 0.0.0.0, port_value: 443 } }
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager stat_prefix: ingress route_config:
virtual_hosts:
- name: api domains: ["api.example.com"]
routes:
- match: { prefix: "/" }
route:
weighted_clusters:
clusters:
- name: api-stable weight: 95
- name: api-canary weight: 5 http_filters:
- name: envoy.filters.http.router transport_socket:
name: envoy.transport_sockets.tls typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext common_tls_context:
tls_certificates:
- certificate_chain: { filename: "/etc/tls/cert.pem" }
private_key:   { filename: "/etc/tls/key.pem" }
validation_context:       # mTLS (опционально)
trusted_ca: { filename: "/etc/tls/ca.pem" }
require_client_certificate: true

AWS ALB/NLB (concept)

ALB (L7 terminate): HTTPS listener 443 (TLS 1. 2/1. 3), target group HTTPs:8443, health-check `/healthz`, stickiness (cookie).
NLB (L4 passthrough): TLS listener 443, TCP health-checks, end-to-end SNI to pod.
CloudFront/Cloudflare: TLS edge + WAF + Bot management; origin — HTTPS only.

Updating certificates without downtime

ACME (Let's Encrypt/Private CA) with automatic update and hot reboot (Nginx 'reload', Envoy SDS).
Dual certificates (ECDSA + RSA) for migrations.
Chain monitoring: checking intermediate CAs; OCSP stapling after rotation.
Alerts: 'cert _ expiry _ days <21' and 'ocsp _ status! = good'.

Health-checks and routing

L4: TCP connect, TLS handshake.
L7: HTTP 200/JSON token version, gRPC health.
Politicians: failover, weighted, latency, consistent-hash (cookie/IP) for sticky.
Retrays/timeouts: balance between persistence and duplicate requests (idempotency!).

Kubernetes-patterns

Ingress Controller (Nginx/Envoy/HAProxy): ingress termination, 'ExternalDNS' for DNS records, 'cert-manager' for ACME.
Gateway API: declarative TLSRoute/HTTPRoute with canaries.
Service Mesh: automatic mTLS pod↔pod, policies at 'PeerAuthentication '/' DestinationRule' level.

Safety checklist

  • TLS 1. 3 included; 1. 0/1. 1 are off.
  • Modern ciphers; ECDSA serts where support allows.
  • OCSP stapling, complete chains, HSTS.
  • mTLS for admins/interconnects; revocation of client serts.
  • Rate-limit/bot filters at the edge; protection against slowloris/oversized headers.
  • Re-encrypt to backends (Zero-Trust).
  • Secrets/keys in KMS/HSM; rotation and issuance audit.

Observability and alerts

Метрики: TLS handshakes/sec, failure rate, session resumption rate, OCSP, p95/99, open conns, CPS, RPS.
Logs: SNI/ALPN/TLS version, cipher, client certificate (for mTLS), upstream codes, latency breakdown.
Alerts: growth '5xx/525', fall resumption, 'cert _ expiry _ days', 'ocsp _ failed', excess p95, spikes' 429 '.

Common mistakes

Terminating at the edge and plain HTTP inward without protection.
Excessively long CA chains → the growth of p95 handshake.
No OCSP stapling → blocking on clients/browsers.
Sticky sessions without taking into account failover → "sticking" on a degraded node.
0-RTT enabled for modifying requests → risk of resubmission.
Lack of hot-reload serts → second drops during rotation.

Specificity for iGaming/fintech

Peaks (tournaments/matches): warming up TLS sessions (pre-connect), short chains, high proportion of resumption, HTTP/2/3 for fronts.
Payment gateways/PSP: mTLS, strict ciphers/versions, pinned CA, individual domains/ALB with strict rules.
Antifraud/bot filters: L7-rate-limit by IP/ASN/device-fingerprint, canary gray oxen (challenge/captcha) on a separate domain.
Regulatory: HSTS, audited TLS logs, version reports, recall of client serts for incidents.

Mini playbooks

Canary release via L7 balancer

1. Add an 'api-canary' cluster weighing 5%; 2) watch for p95/errors; 3) 5→25→50→100%; 4) auto-shortening during degradation.

Emergency certificate rotation

1. Download the new cert/key; 2) 'reload' without dropping connections (SDS/hot swap); 3) OCSP check; 4) dashboard p95 handshake.

Turning on the HTTP/3

1. Open the UDP/443; 2) add ALPN 'h3'; 3) individual QUIC loss/RTT metrics; 4) A/B by customer share.

Result

Effective SSL termination is a modern TLS profile, the right termination location, smart L7 routing, observability and strong security (mTLS, HSTS, re-encrypt). Lock everything into IaC, automate rotations, measure p95/errors and use canaries - this way the front will survive the peaks and be predictably fast and safe.

Contact

Get in Touch

Reach out with any questions or support needs.We are always ready to help!

Start Integration

Email is required. Telegram or WhatsApp — optional.

Your Name optional
Email optional
Subject optional
Message optional
Telegram optional
@
If you include Telegram — we will reply there as well, in addition to Email.
WhatsApp optional
Format: +country code and number (e.g., +380XXXXXXXXX).

By clicking this button, you agree to data processing.