SSL Gateway: HTTPS for all

Secure connections to your website

Why SSL Gateway?

SSL Gateway combines security and simplicity. OVH configures and deploys your solution in a few minutes and a matter of clicks. Your certificate is renewed automatically to ensure it is always valid. You don't have to do a thing! OVH's website security expertise guarantees you the best level of security at all times, adapted to your needs and based on the current standards.

Simplicity

OVH takes care of everything: management, deployment, automatic certificate renewal and security updates.

Visibility

HTTPS has become the web standard, it has a positive impact on your SEO, guarantees the authenticity of your site, and inspires visitors' trust in your website.

Security

Get the best security for your website, protect yourself from attacks thanks to OVH anti-DDOS and help build a safer web.

Our SSL Gateway product offers

Free SSL Gateway
For sites with low traffic: blogs, associations, forums

  • Anti-DDoS
  • Metrics included (24h)
  • -
  • -
  • -
  • -
  • -


 Free
 

Advanced SSL Gateway
For professional websites with moderate traffic: e‑commerce, SMEs/startups, web agencies

  • Anti-DDoS
  • Metrics included (1 month)
  • Load Balancing
  • Dedicated IP
  • EV certificate available as an option
  • -
  • -


 $30.00
/month

Enterprise SSL Gateway
For a high-visibility website: e‑commerce, international optimisation

  • L7 Anti-DDoS
  • Metrics (1 year)
  • Load Balancing
  • dedicated IP
  • EV certificate in option
  • CDN
  • Anycast DNS


 $300.00
/month

Features

SSL
Default DV Let's Encrypt certificate
Optional: Sectigo EV certificate (from the Advanced solution upwards)
Up to 1000 domains and sub domains from the Advanced solution upwards
Support
Free solution: OVHcloud Community
Advanced solution: Via email or OVHcloud Community
Anti-DDos
Anti-DDos level: Advanced L4
Blocked attack:
  • ICMP Echo Request Flood
  • IP Packet Fragment Attack
  • SMURF
  • IGMP Flood
  • Ping of Death
  • TCP SYN Flood
  • TCP Spoofed SYN Flood
  • TCP SYN ACK Reflection Flood
  • TCP ACK Flood
  • TCP Fragmented Attack
Load Balancing
Free Solution: not available
Advanced solution: up to different IPs so you can distribute traffic among your servers.

Anti-DDoS Pro

Defend yourself from L3-L4 attacks thanks to our anti-ddos solution and our network capacity (10.3 TB). It has already proven itself against SYNFLOOD, REPLAY and several other attacks. Developed internally, the OVH solution is based on FPGA chips specialised in filtering internet traffic, combining speed and real-time response. Our developers are currently working on new security algorithms for this platform.

Management

Take advantage of OVH's expertise when deploying your infrastructure. Activation is simple, renewal is automatic and without any downtime. A global network is at your disposal for your worldwide deployments with anycast (companies only). Our automation process gives you the freedom to scale up your services based on your needs as well as autorepair mechanisms.

Encryption

Our preset configurations can be tailored to your needs and to various web browsers (HSTS, OCSP, ALPN pour HTTP2). Our experts work closely with crytopgraphy specialists and this is why we are using TLS 1.1 and TLS 1.2 with various security levels, as well as managing your 4096-bit keys on encrypted partitions.

Dedicated Infrastructure

Based on its solid experience with internet traffic, OVH has selected hardware especially designed for SSL termination, web filtering and fault tolerance. The infrastructure is scalable (multi-master) and redundant: your instances are distributed over several server racks powered by a minimum of 2 electrical outlets and connected to different network components.

Your questions answered

Is the SSL Gateway offer compatible with my domain and sub-domains?
Free service offer:
You are entitled to the main domain, one www subdomain, and another sub-domain of your choice:
  • Domain: example.com
  • Sub-domain www: www.example.com
  • Sub-domain of your choice: blog.example.com
Advanced and Enterprise offers:
You are free to use any domain or sub-domain of your choice, subject to a limit of 1000.

Can I use the SSL Gateway with level 4 domains and higher?
Free solution:
No. Only domains up to level 3 are authorized (www.example.org).

Advanced and Enterprise offers:
Yes. Level 4 domains and higher (blog.france.example.org) are authorized starting from the “Advanced” offer only.

Do I need a pre-existing domain and sub-domain to order the SSL Gateway offer?
You need a pre-existing domain since you must modify an A record in your DNS zone - within 72 hours of placing your order - in order to validate the creation of your SSL/TLS certificate.

What is an A record?
This record is used to point your domain or sub-domain to the IPv4 address of a server.

What is an AAAA record?
This record is used to point your domain or sub-domain to the IPv6 address of a server.

What happens if I make a mistake and enter an invalid IP address when placing an order for my domain or sub-domain?
You need to wait for your order to expire (72h after its creation) before placing a new order.

What is an SSL/TLS certificate?
An SSL certificate is used to authenticate a web server and to secure communications with web browers.

What type of hosting service is the SSL Gateway offer designed for?
This offer is for people who own a non-secured hosting service, either with OVH or any other provider. This offer is not compatible OVH shared hosting services which are already providing security tools.

What happens during the installation of the SSL Gateway service?
Once the order has been saved, an email will inform you about the modifications you must make to your DNS zone in order to have your domain point to your the OVH infrastructure.
Once the modification has been made, we'll be able to finalize the installation of your service. A new email will inform you that your service has been activated.

Is HSTS available with SSL Gateway?
Free solution: No
Advanced and Enterprise offers: Yes

What is a Cipher?
A Cipher is a cryptographic algorithm used to secure a connection to a website.

Can I choose a particular list of Ciphers?
Free solution: We provide a single level of security, giving you a happy medium between security and compatibility.
Advanced and Enterprise offers: Multiple levels of Ciphers are offered depending on whether you want to maximise security or compatibility.

What happens to my website during the SSL Gateway activation phase?
Scenario No. 1 – My website isn't using any SSL/TLS certificate at the time of ordering:
Uncrypted traffic (http,80) will be taken over by the SSL Gateway with no downtime during the entire DNS propagation phase.
Once the cerficate has been installed, you will be able to switch the internal links of your website over to HTTPS.

Scenario No.2 – My website is already using any SSL/TLS certificate at the time of ordering:
Uncrypted traffic(https,443) will be functional only after the DNS propagation phase is over and the SSL Gateway certificate of the offer has been activated.
During the certificate creation phase (usually 15 minutes), a details page will be displayed instead of your website.

Where can I manage my service?
In your customer Sunrise control panel section.

What is the level of guarantee provided by the SSL Gateway?
We are in the midst of finalizing this service offer, and so we cannot provide any level of guarantee yet.
However, we are very confident in our technology, which is currently being used by several millions of websites hosted at OVH.

Free solution: No SLA.
Advanced and Entreprise offers: 99.95% SLA

What happens when I change the A record for my domain or sub-domain in my DNS zone before installing my SSL certificate?
Before sending you the first email asking you to modify your DNS zone, we will preconfigure your service in order to take control of the unencrypted stream until your certificate is generated.
You can make changes to your DNS zone without fearing any downtime on your website, so long as it doesn't carry out any outgoing https requests to your server.
Once the SSL certificate has been installed, you will be able to start sending https requests again.

Can the SSL Gateway be used to distribute traffic across several servers?
Free solution: No
Advanced service offers: Yes, up to 3 servers.

Can I specify a port for my servers' IPs?
Yes. Each IP can be associated to a specific port.

Puis-je attribuer des IPs spécifiques pour certains domaines ou sous-domaines ?
No. All your domains and sub-domains will necessarily point to all IP addresses registered for your servers.

Can I specify an SSL/TLS IP for my servers?
Yes. End-to-end encryption can be acheived by activating this option in your customer control panel.

How is the Let’s Encrypt SSL certificate renewed?
OVH takes care of everything but your domain or sub-domain must point to the SSL Gateway's IP address.
  • If that's not the case and our robots report this 7 days ahead of the SSL certificate's renewal date, an email will be sent to give a 3-day grace period.
  • If the operation still hasn't been performed after 3 days, the certificate will not be renewed and you will need to generate it again manually in your customer control panel.


Can I have several SSL Gateway offers one a single main domain?
Yes, it is possible with the Advanced offer, so long as the sub-domain is different.

How can I migrate my SSL Gateway offer to a superior version?
Switching can be done directly from the Sunrise sectin of your Control Panel.
  • When going from the "Free" to the "Advanced" offer, you will be requested to change an IP in your DNS zone, just like you did during the initial order.
  • When going from the "Advanced" to the "Enterprise" offer, no additional action will be necessary on your part.


Can I use an IPv6 between SSL Gateway and my servers?
No. This feature isn't available yet. However, IPv6 requests coming to SSL Gateway are converted and redirected to your servers' IPv4 addresses.

What is Load Balancing?
Available only with the Advanced solution , SSL Gateway can distribute traffic through your various servers (maximum 3 IPs). Servers must host the same website(s). The load balancing policy uses a Round-Robin algorithm (fair distribution among all destination servers).