PREREQUISITES: SSL offloading sends the process of encoding and decoding SSL requests to a separate device. Therefore, you must: SSL offloading moves SSL encoding and decoding functions away from busy webservers to specialized devices that are better equipped to handle CPU-intensive SSL calculations. RECOMMENDATION:We recommend usingSSL offloading only in case you have a lot of HTTPS requests. NOTE: If you are using Network Load Balancing, the load balancer can perform this function. For more information, seeLoad balancing. The following chart illustrates a setup with an SSL offloader: Configure Sitefinity CMS to know that SSL requests will be offloaded: IMPORTANT: Your SSL offloading device must be set with the same HTTP header field name and HTTP value as the ones that you have entered in Sitefinity CMS. When the traffic must be encrypted between the reverse proxy and the client, before rerouting, the SSL offloading device must remove or replaceany headers with above field name. Otherwise, a client can imitate the header field name and value with the malicious intent to present encrypted traffic as nonencrypted.
This allows the webservers to dedicate important CPU resources to other application processing tasks, which can improve performance.
The reverse proxy (load balancer) communicates with a webserver usingonly unencrypted HTTP. Therefore, even if the request to the reverse proxy is encrypted HTTPS, you must specify the unencrypted HTTP header field name that will identifythe originating protocol of the HTTP request.
The default value isX-Forwarded-Proto, which is the most commonly used by SSL offloading devices.
The HTTPS header value indicates that the traffic from the client to the reverse proxy is encrypted. If you do not set this value or the abovementioned header, it will indicate that traffic from the client to the reverse proxy is not encrypted.
