[Standards] LAST CALL: XEP-0368 (SRV records for XMPP over TLS)

Ruslan N. Marchenko me at ruff.mobi
Tue Feb 14 21:18:40 UTC 2017

On 14.02.2017 20:36, Evgeny Khramtsov wrote:
> There is yet another use case: letting load balancers (haproxy, nginx,
> etc) support tls themselves and route decrypted traffic to an XMPP
> backend. Currently, haproxy and nginx don't support XMPP STARTTLS
> (although a patch for nginx exists with unknown quality). So this
> removes some burden from server admins.
Correct me if I'm wrong, but I think you're speaking about SSL offload,
not load-balancing. Load-balancing of unencrypted traffic always allows
finer precision in persistence and load distribution.
SSL offload, on the other hand, decreases the security (encryption) domain:
it's not end-to-end anymore, rather end-to-LB. And the LB-to-server airgap
allows eavesdropping by any network support personnel.
Of course, if we're speaking of nginx/haproxy, the management domain would
probably overlap the security domain (same person managing network, server,
application, etc.), but then why load-balance at all?
