Recommended way to authenticate users when using a load balancer

Hi, guys!

I have a question about running Openfire behind a load balancer. AFAIK, there are two ways to connect and authenticate users with XMPP. The “old-style” where TLS is negotiated before connecting the stream and the new way where clients connect via plain TCP and negotiate TLS via the stream.

However, nowadays, it’s too easy to terminate TLS at a load balancer sitting in front of the actual services and communicate in plain text after it.

My question is how that translates to XMPP. What works for sure is to configure the load balancer to route the TCP traffic without manipulating it. However, it would be more convenient to terminate TLS before ever reaching Openfire. It would make the certificate management easier.

This naturally doesn’t work with XMPP’s new TLS negotiation schema. Is there anyone who knows how to hand over TLS to a load balancer or if that’s at all recommended by the XMPP/Openfire team? Maybe I can switch to a plain-text authentication schema?

Any thoughts would be appreciated!
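The two negotiation styles the post describes (direct TLS on the socket versus STARTTLS inside the stream) are visible in the first thing an XMPP server sends: its stream features. Below is an added example, not code from the original thread or from the Openfire project, that a defender can use to verify what a client actually sees on a given hop after a load balancer is put in front of Openfire, e.g. whether STARTTLS is still advertised and still required, or whether the hop has silently become plaintext-only. The sample stream features are constructed; `probe()`, its `domain` parameter and the default timeout are assumptions of this example.

```python
"""Check how an XMPP c2s endpoint negotiates TLS by inspecting its stream features."""
import socket
import ssl
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed samples of what a server sends right after the client opens the stream.
_OPEN = ("<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
         f"xmlns:stream='{STREAM_NS}' from='example.org' id='constructed' version='1.0'>")
SAMPLE_STARTTLS_REQUIRED = (_OPEN + "<stream:features>"
    f"<starttls xmlns='{TLS_NS}'><required/></starttls>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>")
SAMPLE_STARTTLS_OPTIONAL = (_OPEN + "<stream:features>"
    f"<starttls xmlns='{TLS_NS}'/>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>")
SAMPLE_PLAINTEXT_ONLY = (_OPEN + "<stream:features>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>")


def parse_stream_features(data: str) -> dict:
    """Report whether STARTTLS is offered/required in the <stream:features/> within `data`.

    The server's <stream:stream> opener is never closed on the wire, so the features
    element is cut out and wrapped in a throwaway root before parsing.
    """
    result = {"features_seen": False, "starttls_offered": False, "starttls_required": False}
    start = data.find("<stream:features")
    end = data.find("</stream:features>")
    if start == -1 or end == -1:
        return result
    fragment = data[start:end + len("</stream:features>")]
    root = ET.fromstring(f'<wrap xmlns:stream="{STREAM_NS}">{fragment}</wrap>')
    result["features_seen"] = True
    starttls = root.find(f"{{{STREAM_NS}}}features/{{{TLS_NS}}}starttls")
    if starttls is not None:
        result["starttls_offered"] = True
        result["starttls_required"] = starttls.find(f"{{{TLS_NS}}}required") is not None
    return result


def describe(result: dict) -> str:
    """One-line verdict on what a client can do on this hop."""
    if not result["features_seen"]:
        return "no stream features received"
    if result["starttls_required"]:
        return "STARTTLS required: clients cannot authenticate in plaintext on this hop"
    if result["starttls_offered"]:
        return "STARTTLS optional: a client may authenticate in plaintext on this hop"
    return "STARTTLS not offered: this hop is plaintext unless TLS was terminated in front of it"


def probe(host: str, port: int, domain: str, direct_tls: bool = False, timeout: float = 5.0) -> dict:
    """Open a c2s stream to host:port and return the parsed TLS features.

    direct_tls=True wraps the socket in TLS before the stream opens (the "old-style"
    port, conventionally 5223); False opens the plain stream (conventionally 5222).
    Pointing this at the load balancer and at the backend separately shows whether
    the two hops differ.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    if direct_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    sock.sendall((f"<?xml version='1.0'?><stream:stream to='{domain}' xmlns='jabber:client' "
                  f"xmlns:stream='{STREAM_NS}' version='1.0'>").encode())
    buf = b""
    while b"</stream:features>" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    sock.close()
    result = parse_stream_features(buf.decode(errors="replace"))
    result["direct_tls"] = direct_tls
    return result


if __name__ == "__main__":
    for name, sample in (("required", SAMPLE_STARTTLS_REQUIRED),
                         ("optional", SAMPLE_STARTTLS_OPTIONAL),
                         ("plaintext-only", SAMPLE_PLAINTEXT_ONLY)):
        print(f"{name:15s} {describe(parse_stream_features(sample))}")
    # Live use, e.g. probe("lb.example.org", 5222, "example.org") or
    # probe("lb.example.org", 5223, "example.org", direct_tls=True).
```

Run against the load balancer and then against Openfire directly: if the balancer terminates TLS on a direct-TLS port and forwards plaintext, the backend answer should no longer require STARTTLS (otherwise clients end up negotiating a second TLS layer against Openfire's own certificate), and the plain backend port must then only be reachable from the balancer's network.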

I am interested in this topic and a solution as well.

We use nginx before Openfire and afaik we only terminate the HTTPS connections (BOSH). Eventually we have two places to configure certificates: nginx and Openfire.

Probably there needs to be an XMPP plugin for the loadbalancer, so that it can negotiate TLS, right?!

I know that this is a fairly old topic, but as it might pop up in search queries, I wanted to comment regardless.

While I was working on load balancing documentation for Openfire, I came across a third-party proxy implementation that seems to support at least partially what you’re after. Check out moparisthebest/xmpp-proxy on GitHub (XMPP reverse proxy and outgoing proxy) for details.