Load Balancing Tutorial

How to enable SSL everywhere – the easy button

Staying up to date on new and changing cybersecurity threats poses an enormous challenge for enterprises due to the speed at which these ever-more sophisticated cyberattacks evolve and the increasing frequency at which they occur. SSL encryption is essential for protecting data communication, even for applications that don’t handle sensitive information like credit cards. It provides privacy, critical security, and data integrity for both your applications and users’ personal information. When installed on a server, it enables secure connections from a server to a browser. SSL was mostly used to secure sensitive data transfers like credit card transactions, authentication logins, and other confidential data communications. But here are five reasons why SSL should be the norm for any application.

1. SSL Protects Data

The core function of an SSL certificate is to protect server-client communication. On installing SSL, every bit of information is encrypted. In layman’s terms, the data is locked and can only be unlocked by the intended recipient (browser or server) as no one else can have the key to open it.

2. SSL Affirms Your Identity

The second primary task of an SSL certificate is to provide authentication to an application. Identity verification is one of the most important aspects as far as web security is concerned. Depending on the type of certificate, the CA verifies the identity of you and your organization. Once you have proven your identity, your website gets trust indicators vouching for your integrity.

3. SSL Helps You Satisfy PCI/DSS Requirements

If you accept online payments, you must know a thing or two about PCI/DSS requirements. To receive online payments, your website must be PCI compliant. Having an SSL certificate installed is one of the 12 primary requirements set by the payment card industry (PCI).

4. SSL Improves Customer Trust

SSL certificates are vital from a customer trust point of view. The easy-to-identify signs inform users that the data they send will be secured. And if you’ve installed an OV or EV SSL, they can see your organization’s details. Once they know that you’re a legitimate entity, they’re far more likely to do business with you or even revisit your site.

5. SSL Boosts Search Engine Ranking

Google made changes to its algorithm in order to give the upper hand to HTTPS-enabled websites. This has been evident in various studies conducted by SEO experts around the world. To give a safer web browsing experience, Google made SSL mandatory in 2018. Google has decided to flag websites which do not have an SSL/TLS certificate installed. If anyone fails to comply with this rule, all the popular web browsers used around the globe, like Google Chrome and Mozilla Firefox, will at a minimum give a warning message of ‘Not Secure’ or block them from loading altogether.

SSL Deployment Models

Avi fully supports termination of SSL- and TLS-encrypted HTTPS traffic. Using Avi as the endpoint for SSL enables you to maintain full visibility into the traffic and to apply advanced traffic steering, security, and acceleration features. Avi supports the following SSL deployment models:

None: SSL traffic is handled as pass-through (layer 4), flowing through Avi Service Engines without terminating the encrypted traffic.

Client-side: Traffic from the client to Avi Service Engines is encrypted, with unencrypted HTTP to the back-end servers.

Server-side: Traffic from the client to Avi Service Engines is unencrypted HTTP, with encrypted HTTPS to the back-end servers.

Both: Traffic from clients to Avi Service Engines is encrypted and terminated at the Avi Service Engines, which then re-encrypts traffic to the back-end server.

Intercept: Terminate client SSL traffic, send it unencrypted over the wire for taps to intercept, then encrypt to the destination server.

How to Enable SSL

The following videos, part of the Application Delivery How-to Video series, show you how to set up a secure virtual service for an HTTP app and how to enable all SSL features using Avi SSL Everywhere. Together they provide the recommended security for HTTP traffic.

How to Set Up a Secure Virtual Service for an HTTP App?

Learn how to mitigate man-in-the-middle attacks, secure cookies, and redirect HTTP traffic to HTTPS in application delivery in these demo videos.

SSL Everywhere

Avi offers six SSL configuration options, which provide a simple interface for enabling common HTTPS-related functionality.

HTTP to HTTPS Redirect

For a single virtual service configured with both an HTTP service port (SSL disabled) and an HTTPS service port (SSL enabled), this feature will automatically redirect clients from the insecure HTTP port to the secure HTTPS port.

Secure Cookies

Enabling secure cookies will mark any server cookies with the Secure flag, which tells clients to send this cookie to the virtual service only over HTTPS.

HTTP Strict Transport Security (HSTS)

Strict Transport Security uses a header to inform client browsers that this site should be accessed only over SSL/TLS. This feature is intended to mitigate man-in-the-middle attacks that can force a client’s secure SSL/TLS session to connect through insecure HTTP.

HTTP-Only Cookies

This marks server cookies as HTTP-Only, which means the cookies cannot be viewed or used by third parties, including JavaScript or other web sites.

Rewrite Server Redirects to HTTPS

If the server returns a redirect with HTTP in the location header, this feature will rewrite it to HTTPS.

X-Forwarded-Proto

Enabling this option makes Avi insert the X-Forwarded-Proto header into HTTP requests sent to the server, which informs the server whether the client connected to Avi over HTTP or HTTPS.
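To confirm the client-visible options above after enabling them, the following added example (not Avi's code or part of the original page) audits responses observed at a virtual service for the redirect, HSTS, cookie-flag and redirect-rewrite behaviors. The function names and the sample responses are constructed for illustration; X-Forwarded-Proto is not checked because it appears only on the request sent to the back-end server.

```python
import re
from urllib.parse import urlsplit

def values(headers, name):
    """All values of a (possibly repeated) header, matched case-insensitively."""
    return [v for k, v in headers if k.lower() == name]

def cookie_attrs(set_cookie):
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value."""
    first, *rest = set_cookie.split(";")
    return first.split("=", 1)[0].strip(), {p.split("=", 1)[0].strip().lower() for p in rest}

def audit(scheme, status, headers):
    """Return findings for one response observed at the virtual service."""
    findings, location = [], values(headers, "location")
    if scheme == "http":
        # HTTP to HTTPS Redirect: the plain port should only bounce clients to HTTPS.
        if not (status in (301, 302, 307, 308) and location
                and urlsplit(location[0]).scheme == "https"):
            findings.append("http port did not redirect to https")
        return findings
    # HSTS: header present with a non-zero max-age.
    hsts = values(headers, "strict-transport-security")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts[0], re.I) if hsts else None
    if not m or int(m.group(1)) == 0:
        findings.append("missing or zero-lifetime Strict-Transport-Security")
    # Secure Cookies and HTTP-Only Cookies: every server cookie carries both flags.
    for value in values(headers, "set-cookie"):
        name, attrs = cookie_attrs(value)
        findings += [f"cookie {name} lacks {flag}"
                     for flag in ("secure", "httponly") if flag not in attrs]
    # Rewrite Server Redirects to HTTPS: no Location may point back at http://.
    findings += [f"redirect downgrades to {loc}"
                 for loc in location if urlsplit(loc).scheme == "http"]
    return findings

# Constructed sample responses (not captured from a real deployment).
GOOD_HTTP = ("http", 302, [("Location", "https://app.example.com/")])
GOOD_HTTPS = ("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
])
WEAK_HTTPS = ("https", 302, [
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
    ("Location", "http://app.example.com/login"),
])

if __name__ == "__main__":
    for resp in (GOOD_HTTP, GOOD_HTTPS, WEAK_HTTPS):
        print(resp[0], resp[1], audit(*resp) or "ok")
```
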

How to Secure Applications with SSL Everywhere?

For more technical information, visit our Create a Virtual Service and SSL Everywhere documentation, and download the SSL Everywhere Solution Brief.
