
Recommended way to authenticate users when using a load balancer

Hi, guys!

I have a question about running Openfire behind a load balancer. AFAIK, there are two ways to connect and authenticate users with XMPP. The “old-style” where TLS is negotiated before connecting the stream and the new way where clients connect via plain TCP and negotiate TLS via the stream.

However, nowadays, it’s too easy to terminate TLS at a load balancer sitting in front of the actual services and communicate in plain text after it.

My question is how that translates to XMPP. What works for sure is to configure the load balancer to route the TCP traffic without manipulating it. However, it would be more convenient to terminate TLS before ever reaching Openfire. It would make the certificate management easier.

This naturally doesn’t work with XMPP’s new TLS negotiation schema. Is there anyone who knows how to hand over TLS to a load balancer or if that’s at all recommended by the XMPP/Openfire team? Maybe I can switch to a plain-text authentication schema?

Any thoughts would be appreciated!
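As an added illustration (not code from the thread, from Openfire or from the XMPP project), the following Python model shows the two connection styles named in the question: the direct-TLS style, where the socket is already encrypted before the stream opens, and the STARTTLS style, where the client opens a plain stream and negotiates TLS inside it. The stream-feature XML fragments are constructed samples shaped like RFC 6120 features, not captures from a real server; the function names are hypothetical. The `next_client_step` decision is the part a defender cares about: credentials are only sent once the client's own socket carries TLS, and STARTTLS is negotiated on that same socket, which is why a proxy that merely terminates TLS in front of port 5222 would have to parse XMPP to take part.

```python
# Added example (not from the thread or from Openfire): a small model of the two
# XMPP connection styles the question describes, using only the standard library.
# The XML fragments are constructed samples shaped like RFC 6120 stream features.
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed: features a server sends on a plain-TCP stream (STARTTLS style).
PLAIN_TCP_FEATURES = (
    f'<stream:features xmlns:stream="{STREAM_NS}">'
    f'<starttls xmlns="{TLS_NS}"><required/></starttls>'
    '</stream:features>'
)

# Constructed: features once the transport already is TLS (direct-TLS style);
# no STARTTLS is offered and SASL mechanisms are advertised right away.
DIRECT_TLS_FEATURES = (
    f'<stream:features xmlns:stream="{STREAM_NS}">'
    f'<mechanisms xmlns="{SASL_NS}">'
    '<mechanism>SCRAM-SHA-1</mechanism><mechanism>PLAIN</mechanism>'
    '</mechanisms></stream:features>'
)


def parse_features(xml_text):
    """Extract the STARTTLS offer/requirement and SASL mechanisms from <stream:features/>."""
    root = ET.fromstring(xml_text)
    starttls = root.find(f"{{{TLS_NS}}}starttls")
    return {
        "starttls_offered": starttls is not None,
        "starttls_required": starttls is not None
        and starttls.find(f"{{{TLS_NS}}}required") is not None,
        "mechanisms": [m.text for m in root.iter(f"{{{SASL_NS}}}mechanism")],
    }


def next_client_step(features_xml, socket_is_tls):
    """What a careful client does after reading the server's stream features.

    socket_is_tls: whether the client's own socket already carries TLS
    (True on a direct-TLS port, False on a plain-TCP connection).
    """
    f = parse_features(features_xml)
    if f["starttls_offered"]:
        # STARTTLS runs inside the stream, on this very socket. A proxy that only
        # terminates TLS in front of the server never sees this step unless it
        # parses XMPP itself, which is the gap the question is about.
        return "starttls"
    if not socket_is_tls:
        # No STARTTLS offered and the socket is plaintext: never send credentials.
        return "abort"
    if "SCRAM-SHA-1" in f["mechanisms"]:
        return "sasl:SCRAM-SHA-1"
    if "PLAIN" in f["mechanisms"]:
        return "sasl:PLAIN"  # acceptable only because the socket is already TLS
    return "abort"


def starttls_exchange(server_features=PLAIN_TCP_FEATURES):
    """Wire-level sequence of the STARTTLS style as (side, message) pairs."""
    steps = [
        ("client", f'<stream:stream xmlns="jabber:client" xmlns:stream="{STREAM_NS}" version="1.0">'),
        ("server", server_features),
    ]
    if next_client_step(server_features, socket_is_tls=False) == "starttls":
        steps += [
            ("client", f'<starttls xmlns="{TLS_NS}"/>'),
            ("server", f'<proceed xmlns="{TLS_NS}"/>'),
            ("both", "TLS handshake on the same TCP socket"),
            ("client", "new <stream:stream> header, then SASL over TLS"),
        ]
    return steps


if __name__ == "__main__":
    for side, message in starttls_exchange():
        print(f"{side:>6}: {message}")
    print("direct-TLS port:", next_client_step(DIRECT_TLS_FEATURES, socket_is_tls=True))
```

Running the block prints the STARTTLS sequence step by step; the direct-TLS case skips straight to SASL because the socket is already encrypted. A load balancer doing plain TCP passthrough leaves both flows intact, since the end-to-end bytes, handshake included, reach the server unchanged.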

I am interested in this topic and a solution as well.

We use nginx before Openfire and afaik we only terminate the HTTPS connections (BOSH). Eventually we have two places to configure certificates: nginx and Openfire.

Probably there needs to be an XMPP plugin for the loadbalancer, so that it can negotiate TLS, right?!