Hi list! The symptom is as follows: when logging the Host: header I receive
`myapp.io` while in the same request the SNI extension says `anotherapp.com`.
This happens in very few requests (about 0.5%), but this is enough to make
some noise regarding the server certificate used in the handshake, and also the
ca-file used in handshakes with client certs. When they differ, the header is
right and the SNI is wrong.
I can confirm that every "myapp.io" or "anotherapp.com" resolves to the same
haproxy cluster. I can also confirm that all agents are browsers (Chrome and
Firefox) running in Linux and, based on the "myapp.io" and "anotherapp.com"
samples I saw together in the logs, the user is using both applications at the
same time, probably from the same instance of the browser.
Is there something the browser and/or HAProxy is or isn't doing here that
messes up the Host header and SNI?
Some config snippets; any change suggestions? (besides upgrading HAProxy)
HAProxy 1.8.19

global
    daemon
    nbthread 3
    cpu-map auto:1/1-3 0-2
    stats socket /var/run/haproxy-stats.sock level admin expose-fd listeners
    maxconn 12000
    hard-stop-after 6m
    log 127.0.0.1:5140 format rfc5424 local0
    log-tag ingress
    lua-load /usr/local/etc/haproxy/lua/send-response.lua
    lua-load /usr/local/etc/haproxy/lua/auth-request.lua
    ssl-dh-param-file /ingress-controller/ssl/dhparam.pem
    ssl-default-bind-ciphers ...
    ssl-default-bind-options ssl-max-ver TLSv1.2 ssl-min-ver TLSv1.0
    tune.bufsize 65536

defaults
    log global
    option redispatch
    option dontlognull
    option http-server-close
    option http-keep-alive
    timeout http-request 5s
    timeout connect 5s
    timeout client 300s
    timeout client-fin 70s
    timeout queue 5s
    timeout server 300s
    timeout server-fin 70s
    timeout tunnel 1h
    timeout http-keep-alive 70s
~jm
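An added example, not part of the post above: a small Python checker that measures the Host/SNI disagreement the poster describes by reading HAProxy access logs. It assumes a custom `log-format` (shown in the comment, constructed for this example) that emits `host=` and `sni=` fields, and runs over constructed sample lines.

```python
import re
from collections import Counter
from typing import Optional

# Assumed frontend config (constructed for this example, not the poster's):
#   capture request header Host len 64
#   log-format "%ci:%cp [%t] %ft host=%[capture.req.hdr(0)] sni=%[ssl_fc_sni] %ST %r"
# HAProxy logs an empty sample (no SNI sent) as "-".
LINE_RE = re.compile(r"host=(?P<host>\S*) sni=(?P<sni>\S*)")

def normalize_host(raw: str) -> Optional[str]:
    """Lower-case a Host/SNI value and strip any port; None when absent."""
    h = raw.strip().lower()
    if h in ("", "-"):
        return None
    if h.startswith("["):  # IPv6 literal such as [2001:db8::1]:443
        end = h.find("]")
        return h[: end + 1] if end != -1 else h
    return h.split(":", 1)[0]

def classify(line: str) -> str:
    """'match', 'mismatch', 'incomparable' (Host or SNI absent) or 'unparsed'."""
    m = LINE_RE.search(line)
    if not m:
        return "unparsed"
    host, sni = normalize_host(m.group("host")), normalize_host(m.group("sni"))
    if host is None or sni is None:
        return "incomparable"
    return "match" if host == sni else "mismatch"

def summarize(lines):
    """Count outcomes, collect (host, sni) mismatch pairs, compute mismatch rate."""
    counts, pairs = Counter(), Counter()
    for line in lines:
        outcome = classify(line)
        counts[outcome] += 1
        if outcome == "mismatch":
            m = LINE_RE.search(line)
            pairs[(normalize_host(m.group("host")), normalize_host(m.group("sni")))] += 1
    compared = counts["match"] + counts["mismatch"]
    return counts, pairs, (counts["mismatch"] / compared if compared else 0.0)

# Constructed sample lines in the assumed format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5:41200 [25/Mar/2019:10:00:01.123] https-in host=myapp.io sni=myapp.io 200 "GET / HTTP/1.1"',
    '10.0.0.5:41200 [25/Mar/2019:10:00:02.456] https-in host=myapp.io sni=anotherapp.com 200 "GET /api HTTP/1.1"',
    '10.0.0.7:51310 [25/Mar/2019:10:00:03.789] https-in host=AnotherApp.com:443 sni=anotherapp.com 200 "GET / HTTP/1.1"',
    '10.0.0.9:33001 [25/Mar/2019:10:00:04.000] https-in host=myapp.io sni=- 200 "GET / HTTP/1.1"',
]
```

The `pairs` counter tells you which (Host, SNI) combinations are affected, so you can check whether each mismatched request was served with a certificate or ca-file meant for the other name.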