December 2024

🔐 TLS Termination Over CDN / Proxy / Load Balancer

🧭 Problem Statement

You have a public-facing domain (e.g., example.com) and want to enable HTTPS. Instead of connecting users directly to your backend servers, you place a CDN, reverse proxy, or load balancer (LB) in front of your origin infrastructure.

This raises important architectural questions:

Where is the TLS connection terminated?

What does the client see and verify?

How is traffic secured between the client, proxy, and origin?

This article clarifies the mechanics and trust boundaries when TLS is used with CDNs, proxies, or load balancers.