[Standards] LAST CALL: XEP-0368 (SRV records for XMPP over TLS)
Ruslan N. Marchenko
me at ruff.mobi
Tue Feb 14 21:18:40 UTC 2017
On 14.02.2017 20:36, Evgeny Khramtsov wrote:
> There is yet another use case: letting load balancers (haproxy, nginx,
> etc) support tls themselves and route decrypted traffic to an XMPP
> backend. Currently, haproxy and nginx don't support XMPP STARTTLS
> (although a patch for nginx exists with unknown quality). So this
> removes some burden from server admins.
Correct me if I'm wrong, but I think you're speaking about SSL offload,
not load-balancing. Load-balancing of unencrypted traffic always allows
finer precision in persistence and load distribution.
SSL offload, on the other hand, decreases the security (encryption) domain:
it's not end-to-end anymore, rather end-to-LB. And the LB-to-server air gap
allows eavesdropping by any network support personnel.
Of course, if we're speaking of nginx/haproxy, the management domain would
probably overlap the security domain (same person managing network, server,
application, etc.), but then why load-balance at all?
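To make the distinction in this exchange concrete, here is an added haproxy configuration (not from the thread, nor from any XMPP project) that shows the two deployment shapes side by side for XEP-0368 direct TLS on port 5223: variant A terminates TLS at the load balancer and forwards plaintext XMPP, so the encryption domain ends at the LB; variant B only inspects the ClientHello for SNI and passes the encrypted bytes through, so the TLS session stays end-to-end. Hostnames, IP addresses and certificate paths are placeholders; only one of the two frontends can bind 5223 in a real deployment.

```haproxy
# Added example, not from the mailing-list thread.
# Hostnames, addresses and file paths below are placeholders.

global
    log stdout format raw local0

defaults
    mode tcp
    log global
    timeout connect 5s
    timeout client 300s
    timeout server 300s

# Variant A: TLS offload. haproxy holds the certificate and terminates TLS;
# the hop to the backend is plaintext XMPP (no STARTTLS on 5222 here), so
# anyone who can see the LB-to-server network sees stanzas in the clear.
frontend xmpp_c2s_offload
    bind *:5223 ssl crt /etc/haproxy/certs/example.com.pem alpn xmpp-client
    default_backend xmpp_plain

backend xmpp_plain
    balance leastconn                 # full view of connections allows finer balancing
    server xmpp1 10.0.0.11:5222 check # backend must accept plaintext c2s

# Variant B: TLS passthrough. haproxy waits for the ClientHello, reads SNI to
# choose a backend, and forwards the encrypted stream unchanged. The LB never
# holds a private key and never sees decrypted traffic, so the encryption
# domain stays client-to-XMPP-server. Only one frontend may bind 5223;
# comment out variant A if you use this one.
frontend xmpp_c2s_passthrough
    bind *:5223
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend xmpp_example if { req.ssl_sni -i example.com }
    default_backend xmpp_tls

backend xmpp_example
    balance source                    # persistence limited to what is visible pre-decryption
    server xmpp1 10.0.0.11:5223 check
    server xmpp2 10.0.0.12:5223 check

backend xmpp_tls
    balance source
    server xmpp3 10.0.0.13:5223 check
```

The trade-off is the one stated above: with passthrough the balancer can only route on SNI and client address, because the XMPP stream itself is opaque to it, whereas offload gives the balancer full visibility at the cost of a plaintext hop that has to be trusted and monitored.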