Hi Stefano
This is not so easy with load balancing; it would be interesting to hear how people are doing this.
With AWS this is dead easy :) - you can use the ELB to connect the TLS clients on SSL, say port 8883, and terminate this to a clear text TCP port, say 1883.
So Amazon's ELB takes care of your security side - you just load the certificate on the ELB and run your brokers behind the ELB on clear text, without having to set up the broker with SSL connections etc. - Not sure about HAProxy or NGinx, but surely other load balancing systems should be able to do this as well - SSL termination.
If you do use TLS with clients, you can take advantage of the username+password in MQTT to do even more security things - on one side you keep the man in the middle out with SSL, while with user+pass you verify the device to be the real deal. This also helps keep your connection from being dropped by somebody trying to hijack your session. What I mean by this is - if you connect with say ID:ABC and I also connect with the same ID:ABC, you will be thrown off and I will become device:ABC - with TLS+username+password you secure the line and keep people from dropping you off.
Hope this helps or provides some options
Warm
Izak Smit
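
The client-ID takeover described in the message above, as an added example that is not part of the original post: a toy model of a broker's CONNECT handling, showing the same duplicate-ID connection with and without a credential check. The `Broker` class, its per-client-ID credential table, the connection labels and all sample values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Broker:
    """Toy model of MQTT CONNECT handling (hypothetical, not a real broker)."""

    def __init__(self, require_auth: bool):
        self.require_auth = require_auth
        self.credentials = {}  # client_id -> (username, salt, password_hash)
        self.sessions = {}     # client_id -> label of the connection that owns it
        self.events = []       # audit trail a defender would log and alert on

    def add_device(self, client_id, username, password, salt=b"constructed-salt"):
        self.credentials[client_id] = (username, salt, _hash(password, salt))

    def _authenticated(self, client_id, username, password):
        record = self.credentials.get(client_id)
        if record is None or username is None or password is None:
            return False
        user, salt, digest = record
        ok_user = hmac.compare_digest(user.encode(), username.encode())
        ok_pass = hmac.compare_digest(digest, _hash(password, salt))
        return ok_user and ok_pass

    def connect(self, conn, client_id, username=None, password=None):
        # Credentials are checked before the session table is touched, so a
        # refused CONNECT can never evict the existing session.
        if self.require_auth and not self._authenticated(client_id, username, password):
            self.events.append(f"{conn}: CONNECT refused for client ID {client_id}")
            return False
        old = self.sessions.get(client_id)
        if old is not None and old != conn:
            # A second CONNECT with the same client ID replaces the first one.
            self.events.append(f"{old}: dropped, {client_id} taken over by {conn}")
        self.sessions[client_id] = conn
        return True

def demo(require_auth: bool) -> str:
    """Return the connection that owns client ID 'ABC' after a duplicate CONNECT."""
    broker = Broker(require_auth)
    broker.add_device("ABC", "device-abc", "constructed-password")
    broker.connect("conn-1", "ABC", "device-abc", "constructed-password")
    broker.connect("conn-2", "ABC")  # same ID from another connection, no credentials
    return broker.sessions["ABC"]

if __name__ == "__main__":
    print("no auth:", demo(False), "| with auth:", demo(True))
```

The model binds each client ID to one username, which is an assumption of this example; a connection presenting valid credentials for the same ID still replaces the earlier session, as a legitimate reconnect would.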