From cc9433fbd42260832c2b0a6618702cc51323ad89 Mon Sep 17 00:00:00 2001
From: Chance Harrison <7481945+ChanceHarrison@users.noreply.github.com>
Date: Sun, 28 Apr 2024 22:58:00 -0700
Subject: [PATCH] docs(faq): Discuss options for TLS between LB and kanidm

---
 book/src/frequently_asked_questions.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/book/src/frequently_asked_questions.md b/book/src/frequently_asked_questions.md
index 072bb2ec6..e1c9b1fea 100644
--- a/book/src/frequently_asked_questions.md
+++ b/book/src/frequently_asked_questions.md
@@ -37,6 +37,19 @@ practice. This can allow account hijacking, privilege escalation, credential dis
 information leaks and more. The entire path between a client and the server must be protected at all
 times.
 
+There are a variety of ways that you can configure TLS between your load balancer and Kanidm.
+Ultimately, any option that maintains the confidentiality and integrity of the communication will
+suffice. Some options include, but are not limited to:
+
+- Generating a self-signed certificate
+  - Utilize certificate pinning to ensure that the load balancer only trusts connections made with
+  that particular certificate
+- Not terminating TLS / TLS passthrough / TCP proxy
+- Running your own certificate authority (CA)
+
+The "best" option for you will depend on a number of factors, including your threat model and the
+specifc load balancer you are using.
+
 ## OAuth2
 
 [RFC6819 - OAuth2 Threat Model and Security Considerations](https://www.rfc-editor.org/rfc/rfc6819)
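Review bot: The added paragraph's last line has a typo, "specifc" should be "specific". Two smaller points in the same hunk: the continuation of the nested bullet ("that particular certificate") is indented two spaces while the bullet it continues starts at four, so some markdown renderers will break it out of the sub-list; indenting it to match the bullet fixes that. And since the list is explicitly non-exhaustive, it would help operators if the self-signed bullet mentioned that pinning ties the load balancer's trust to that one certificate, so rotating or renewing it means updating the pin on the load balancer as well; otherwise the first renewal silently breaks the path the preceding paragraph says must be protected at all times.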