We’re using X.509 client certificates to authenticate to EMQX. This page in the docs recommends terminating the SSL at the LB. Sounds great. We already do that for a number of other services that are behind an ELB in AWS. However, in the case of EMQX we’re using X.509 certificates for authentication, and I don’t see how we can terminate the SSL connection at the LB and still be authenticated by EMQX.
Perhaps I’m missing something?
UPDATE: this AWS document reads:
Network Load Balancers do not support TLS renegotiation or mutual TLS authentication (mTLS). For mTLS support, create a TCP listener instead of a TLS listener. The load balancer passes the request through as is, so you can implement mTLS on the target.
So it seems to me then that the guidance in the EMQX documentation to terminate the SSL at the LB only applies if you’re not doing certificate authentication.