TLS termination
The point in your infrastructure where the TLS handshake completes and the data is decrypted. Usually at the edge or load balancer, not the app servers.
TLS termination is the point in your request path where the encrypted TLS connection gets decrypted into plain HTTP. After termination, traffic between your edge and your app servers might be plain HTTP (internal network) or re-encrypted TLS (zero-trust setups).
browser ───TLS───► edge ───HTTP/TLS───► app server
                    ▲
             termination here
Where to terminate
At the load balancer / edge. Most common. ALB, Caddy, nginx, Cloudflare all do TLS termination. Pros: certs live in one place, app servers don't need to know about TLS. Cons: traffic between edge and app is unencrypted (mitigated if it's a private VPC).
At each app server. "TLS passthrough." Edge just routes by SNI; each app server does its own handshake. Pros: end-to-end encryption. Cons: every app server needs the cert; harder to rotate.
At a sidecar. Service mesh pattern. Envoy or Linkerd sidecar terminates TLS on behalf of the app process. Pros: app doesn't touch TLS. Cons: complexity.
Why this matters for SaaS custom domains
The TLS termination point is where customer certs live. If you terminate at a CDN (Cloudflare, Fastly), they hold the certs. If you terminate at your own edge, you do.
For a custom-domain SaaS, the termination point also runs the SNI lookup: "request came in for acme.com, which cert do I serve?" That lookup needs to be fast (sub-millisecond) because it happens on every connection.
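An added example (not from the original page) of what that lookup looks like in Go, the language of Caddy: a certificate table keyed by normalized hostname, plugged into the `GetCertificate` hook that the terminating server calls during the ClientHello. The store, the wildcard fallback and the hostnames are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"errors"
	"strings"
)

// certStore is the per-customer certificate table consulted on every handshake.
// Keys are lowercase hostnames without a trailing dot, so a lookup is a single
// map read, which keeps the SNI step well under a millisecond.
type certStore map[string]*tls.Certificate

func normalizeHost(h string) string {
	return strings.ToLower(strings.TrimSuffix(h, "."))
}

// Add installs (or rotates) the cert for a hostname or a "*.domain" wildcard.
func (s certStore) Add(host string, c *tls.Certificate) {
	s[normalizeHost(host)] = c
}

// lookup tries an exact match, then a one-label wildcard (RFC 6125 style):
// "app.tenants.example" falls back to "*.tenants.example", never deeper.
func (s certStore) lookup(host string) (*tls.Certificate, bool) {
	if c, ok := s[host]; ok {
		return c, true
	}
	if i := strings.IndexByte(host, '.'); i > 0 {
		c, ok := s["*"+host[i:]]
		return c, ok
	}
	return nil, false
}

// GetCertificate is the tls.Config hook the terminating server calls while
// handling ClientHello, before any application data exists to decrypt.
// Returning an error aborts the handshake for unknown hostnames instead of
// serving some other customer's certificate.
func (s certStore) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	name := normalizeHost(hello.ServerName)
	if name == "" {
		return nil, errors.New("client sent no SNI; cannot choose a customer cert")
	}
	if c, ok := s.lookup(name); ok {
		return c, nil
	}
	return nil, errors.New("no certificate for " + name)
}
```

Wire it in with `&tls.Config{GetCertificate: store.GetCertificate}` on an `http.Server` and call `ListenAndServeTLS("", "")`; that listener is the termination point. The bare map is fine for a read-only table, but a store that rotates certs at runtime needs a `sync.RWMutex` around it.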
Inside the AWS world
- ALB. Terminates TLS, supports up to 25 certs per listener natively (more via SNI). Common for small-scale custom domains.
- CloudFront + AWS Certificate Manager. Anycast edge with custom certs. Better for global SaaS.
- API Gateway. Has its own cert management for custom domains.