On 14.02.2017 20:36, Evgeny Khramtsov wrote:
> There is yet another use case: letting load balancers (haproxy, nginx,
> etc) support tls themselves and route decrypted traffic to an XMPP
> backend. Currently, haproxy and nginx don't support XMPP STARTTLS
> (although a patch for nginx exists with unknown quality). So this
> removes some burden from server admins.

Correct me if I'm wrong, but I think you're speaking about SSL offload, not load-balancing. Load-balancing of unencrypted traffic always allows finer precision in persistence and load distribution. SSL offload, on the other hand, decreases the security (encryption) domain: it's not end-to-end anymore, rather end-to-lb. And the lb-to-server airgap allows eavesdropping by any network support personnel. Of course, if we're speaking of nginx/haproxy, the management domain would probably overlap the security domain (same person managing network, server, application, etc.), but then why load-balance at all?

--RR