I have a question about running Openfire behind a load balancer. AFAIK, there are two ways to connect and authenticate users with XMPP. The “old-style” where TLS is negotiated before connecting the stream and the new way where clients connect via plain TCP and negotiate TLS via the stream.
However, nowadays, it’s too easy to terminate TLS at a load balancer sitting in front of the actual services and communicate in plain text after it.
My question is how that translates to XMPP. What works for sure is to configure the load balancer to route the TCP traffic without manipulating it. However, it would be more convenient to terminate TLS before ever reaching Openfire. It would make the certificate management easier.
This naturally doesn’t work with XMPP’s new TLS negotiation schema. Is there anyone who knows how to hand over TLS to a load balancer or if that’s at all recommended by the XMPP/Openfire team? Maybe I can switch to a plain-text authentication schema?
Any thoughts would be appreciated!
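As an added illustration (not part of the original post, and not Openfire code): on a plain-TCP XMPP connection the server's first `<stream:features/>` tells the client whether STARTTLS is offered, whether it is required, and whether SASL mechanisms are already exposed in cleartext. The small parser below classifies such a feature block; the three sample blocks are constructed for the example, not captured from a real server.

```python
"""Classify what an XMPP server advertises before TLS on a STARTTLS-style
(plain TCP) connection. Sample feature blocks below are constructed."""
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Typical secure setting: only STARTTLS is offered, and it is mandatory.
SAMPLE_TLS_REQUIRED = f"""<stream:features xmlns:stream="{NS_STREAM}">
  <starttls xmlns="{NS_TLS}"><required/></starttls>
</stream:features>"""

# What a listener looks like when TLS is terminated in front of it:
# STARTTLS may still be advertised, but authentication is possible in clear.
SAMPLE_LB_TERMINATED = f"""<stream:features xmlns:stream="{NS_STREAM}">
  <starttls xmlns="{NS_TLS}"/>
  <mechanisms xmlns="{NS_SASL}">
    <mechanism>PLAIN</mechanism><mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>"""

def classify_features(features_xml: str) -> dict:
    """Parse one <stream:features/> element and report whether STARTTLS is
    offered, whether it is marked <required/>, and which SASL mechanisms the
    server exposes before any TLS has been negotiated."""
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    required = starttls is not None and \
        starttls.find(f"{{{NS_TLS}}}required") is not None
    mechs = [m.text for m in root.iter(f"{{{NS_SASL}}}mechanism")]
    return {"starttls_offered": starttls is not None,
            "starttls_required": required,
            "cleartext_mechanisms": mechs}

def verdict(features_xml: str) -> str:
    """Short risk label for the listener that sent this feature block."""
    f = classify_features(features_xml)
    if f["starttls_required"]:
        return "tls-required"
    if f["cleartext_mechanisms"]:
        # Credentials can be sent before TLS: acceptable only if this
        # listener is reachable exclusively through the TLS-terminating
        # load balancer, never directly from untrusted networks.
        return "cleartext-auth-possible"
    return "tls-optional"

if __name__ == "__main__":
    for name, xml in [("required", SAMPLE_TLS_REQUIRED),
                      ("lb-terminated", SAMPLE_LB_TERMINATED)]:
        print(name, verdict(xml), classify_features(xml))
```

Running the same check against the Openfire port the load balancer forwards to (and from a network segment that should not be able to reach it) is a quick way to see whether plaintext authentication has become reachable.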