SSL Gateway: HTTPS for all

Secure connections to your website

Why SSL Gateway?

SSL Gateway combines security and simplicity. OVH configures and deploys your solution in a few minutes and a matter of clicks. Your certificate is renewed automatically to ensure it is always valid. You don't have to do a thing! OVH's website security expertise guarantees you the best level of security at all times, adapted to your needs and based on the current standards.

Simplicity

OVH takes care of everything: management, deployment, automatic certificate renewal and security updates.

Visibility

HTTPS has become the web standard, it has a positive impact on your SEO, guarantees the authenticity of your site, and inspires visitors' trust in your website.

Security

Get the best security for your website, protect yourself from attacks thanks to OVH anti-DDOS and help build a safer web.

Our SSL Gateway solutions

Free SSL Gateway
For sites with low traffic: blogs, associations, forums

Anti-DDoS
Metrics included (24 hours)
-
-
-
-
-

Free

Activate now

Advanced SSL Gateway
For professional websites with moderate traffic: e‑commerce, SMEs/startups, web agencies

Anti-DDoS
Metrics included (1 month)
Load Balancing
Dedicated IP
EV certificate available as an option
-
-

€20.00
ex. VAT/month

Buy now

Enterprise SSL Gateway
For a high-visibility website: e‑commerce, international optimisation

L7 - anti-DDoS
Metrics (1 year)
Load Balancing
Dedicated IP
EV certificate as an option
CDN
Anycast DNS

€200.00
ex. VAT/month

Coming soon

Features

SSL

Default DV Let's Encrypt certificate
Optional: Sectigo EV certificate (from the Advanced solution upwards)
Up to 1000 domains and sub domains from the Advanced solution upwards

Support

Free solution: OVHcloud Community
Advanced solution: Via email or OVHcloud Community

Anti-DDos

Anti-DDos level: Advanced L4
Attacks blocked:

ICMP Echo Request Flood
IP Packet Fragment Attack
SMURF
IGMP Flood
Ping of Death
TCP SYN Flood
TCP Spoofed SYN Flood
TCP SYN ACK Reflection Flood
TCP ACK Flood
TCP Fragmented Attack

Load Balancing

Free Package: not available
Advanced Package: up to 3 different IPs distributing traffic between your servers

Activate now

Anti-DDoS Pro

Defend yourself from L3-L4 attacks thanks to our anti-ddos solution and our network capacity (10.3 TB). It has already proven itself against SYNFLOOD, REPLAY and several other attacks. Developed internally, the OVH solution is based on FPGA chips specialised in filtering internet traffic, combining speed and real-time response. Our developers are currently working on new security algorithms for this platform.

Management

Take advantage of OVH's know-how to implement your infrastructure: activation is simple, renewal is automatic and there is zero service disruption. Exploit our worldwide network for your international growth thanks to the opportunities offered by Anycast (only with SSL Gateway Enterprise). Our auto-repair mechanisms ensure the availability of your services and our automation process analyses your usage and offers you an upgrade depending on your needs.

Encryption

Our preset configurations can be tailored to your needs and to various web browsers (HSTS, OCSP, ALPN for HTTP2). Our experts work closely with cryptography specialists which is why we are using TLS 1.1 and TLS 1.2 with various security levels, as well as managing your 4096-bit keys on encrypted partitions.

Dedicated Infrastructure

Based on our solid experience with internet traffic, we have selected hardware especially designed for SSL termination, web filtering and fault tolerance. The infrastructure is scalable (multi-master) and redundant: your instances are distributed over several server racks powered by a minimum of 2 electrical outlets and connected to different network components.

Your questions answered

Is the SSL Gateway offer compatible with my domain and subdomains?

Free solution:
You are entitled to the main domain, one www subdomain, and another subdomain of your choice:

Domain: example.com
www subdomain: www.example.com
Subdomain of your choice: blog.example.com

Advanced and Enterprise solutions:
You are free to use any domain or subdomain of your choice, subject to a limit of 1000.

Can I use the SSL Gateway with level 4 domains and higher?

Free solution:
No. Only domains up to level 3 are authorised (www.example.org).

Advanced and Enterprise solutions:
Yes. Level 4 domains and higher (blog.france.example.org) are authorised starting from the “Advanced” solution only.

Do I need a pre-existing domain and subdomain to order the SSL Gateway offer?

The domain must exist because you have to change the A record in your DNS zone within 72 hours of your order, in order to generate your SSL/TLS certificate.

What is an A record?

This record points your domain or subdomain to a server's IPv4 address.

What is an AAAA record?

This record points your domain or subdomain to a server's IPv6 address.

What happens if I make a mistake and place an order for my domain or subdomain, stating an invalid IP address?

You have to wait for your order to expire (72 hrs following creation) and then place a new order.

What is an SSL/TLS certificate?

SSL certificates authenticate web servers and establish secure connections with browsers.

Which type of hosting is the SSL Gateway solution for?

This solution is designed for owners who have a non-secured web hosting plan with OVH or another provider. This solution is not compatible with OVH shared web hosting plans as these are already secure.

How is SSL Gateway installed?

Once the order has been registered, you will get an email explaining how you need to edit your DNS zone, in order to point your domain to the OVH infrastructure.
After these modifications have been made, we can finish installing your service. We will email you again when your service is active.

Is HSTS available with SSL Gateway?

Free solution: No
Advanced and Enterprise solutions: Yes

What is a Cipher?

A Cipher is a cryptographic algorithm used to secure a connection to a website.

Can I choose a particular list of Ciphers?

Free solution: We offer you one level which is a compromise between security and compatibility.
Advanced and Enterprise solutions: Multiple levels of Ciphers are offered depending on whether you want to maximise security or compatibility.

What happens to my website during the SSL Gateway activation phase?

Scenario No. 1 – My website isn't using an SSL/TLS certificate at the time of ordering:
During the entire DNS propagation phase, the SSL Gateway will handle unencrypted traffic (http,80) with zero downtime.
Once the certificate has been installed, you will be able to switch your website's internal links over to HTTPS.

Scenario No.2 – My website is already using an SSL/TLS certificate at the time of ordering:
Encrypted traffic (https,443) will only work after the DNS propagation phase is over and the SSL Gateway certificate has been activated.
While the certificate is being created (usually takes 15 minutes), a details page will be displayed instead of your website.

Where can I manage my service?

In your customer Sunrise control panel section.

What level of guarantee is provided by the SSL Gateway?

We are in the midst of finalising this service offer, and so we cannot provide any level of guarantee yet.
However, we are very confident in our technology, which is currently being used by several millions of websites hosted at OVH.

Free solution: No SLA.
Advanced and Entreprise offers: 99.95% SLA

What happens when I change the A record for my domain or sub-domain in my DNS zone before installing my SSL certificate?

Before sending you the first email asking you to modify your DNS zone, we will preconfigure your service in order to take control of the unencrypted stream of data until your certificate is generated.
You can make changes to your DNS zone with zero downtime on your website, so long as it isn't sending any outgoing https requests to your server.
Once the SSL certificate has been installed, you will be able to start sending https requests again.

Can the SSL Gateway be used to distribute traffic across several servers?

Free solution: No
Advanced solutions: Yes, up to 3 servers.

Can I specify a port for my servers' IPs?

Yes. Each IP can be associated to a specific port.

Can I assign specific IPs for certain domains or subdomains?

No. All your domains and subdomains will point to all IP addresses registered for your servers.

Can I specify an SSL/TLS IP for my servers?

Yes. End-to-end encryption can be achieved by activating this option in your customer control panel.

How is the Let’s Encrypt SSL certificate renewed?

OVH takes care of everything but your domain or subdomain must point to the SSL Gateway's IP address.

If that's not the case and our robots report this 7 days ahead of the SSL certificate's renewal date, an email will be sent to give a 3-day grace period.
If the operation still hasn't been performed after 3 days, the certificate will not be renewed and you will need to generate it again manually in your customer control panel.

Can I have multiple SSL Gateway solutions on a single main domain?

Yes, it is possible with the Advanced offer, so long as the subdomain is different.

How can I migrate my SSL Gateway solution to a superior version?

You can switch directly from the Sunrise section of your OVHcloud Control Panel.

When going from the "Free" to the "Advanced" solution, you will be asked to change an IP in your DNS zone, just like you did during the initial order.
When going from the "Advanced" to the "Enterprise" solution, you do not have to take any additional action.

Can I use IPv6 between the SSL Gateway and my servers?

This function is no longer available. However, IPv6 requests sent to the SSL Gateway are converted and redirected to your servers' IPv4s.

What is Load Balancing?

Only available as part of the Advanced package, the SSL Gateway distributes traffic across your various servers (maximum 3 IPs). The servers must host the same website(s). The load-balancing policy uses a Round-Robin algorithm (equal distribution across each of the target servers).