On 16.05.2019 at 16:37, Joao Morais wrote:
>
> Hi list! The symptom is as follows: when logging the Host: header I receive
> `myapp.io` while in the same request the SNI extension says `anotherapp.com`.
>
> This happens in a very few requests (about 0.5%) but this is enough to make
> some noise - regarding server certificate used in the handshake, and also the
> ca-file used in handshakes with client certs. When they differ, the header is
> right and the sni is wrong.
>
> I can confirm that every "myapp.io" or "anotherapp.com" resolves to the same
> haproxy cluster. I can also confirm that all agents are browsers (Chrome and
> Firefox) running in Linux and, based on the "myapp.io" and "anotherapp.com"
> samples I saw together in the logs, the user is using both applications at
> the same time, probably from the same instance of the browser.
That's strange.
> Is there something the browser and/or HAProxy is or isn't doing here in order
> to mess up the Host header and SNI?
It would help to see some good and some bad log lines with sni information.
> Some config snippets, any change suggestion? (besides upgrade HAProxy)
At least a frontend config from your haproxy config should be added.
Maybe you can add these lines to get some more information in the logs.
```
# the log-format must be one single line in the config; it is only wrapped here for the mail
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq ssl_fc_has_sni '%[ssl_fc_has_sni]' sni:'%[capture.req.hdr(0)]' ssl_fc_sni '%[ssl_fc_sni]' ssl_fc_protocol '%[ssl_fc_protocol]' ssl_bc '%[ssl_bc]' ssl_bc_alpn '%[ssl_bc_alpn]' ssl_bc_protocol '%[ssl_bc_protocol]' ssl_c_i_dn '%[ssl_c_i_dn()]' ssl_c_s_dn '%[ssl_c_s_dn()]' ssl_f_i_dn '%[ssl_f_i_dn()]' ssl_f_s_dn '%[ssl_f_s_dn]' ssl_fc_cipher '%[ssl_fc_cipher]'"
tcp-request inspect-delay 5s
# req.ssl_sni only parses a raw (not yet decrypted) ClientHello in the request buffer;
# on a "bind ... ssl" line that terminates TLS it stays empty, and ssl_fc_sni above
# is the value to compare against the Host header
tcp-request content capture req.ssl_sni len 25
# maybe you can also check if in general the sni field is available
# untested
# tcp-request content accept if ssl_fc_has_sni
tcp-request content accept if { req_ssl_hello_type 1 }
```
> HAProxy 1.8.19
Maybe an update would be good, but at first view I don't see any fix that would
affect you.
http://www.haproxy.org/bugs/bugs-1.8.19.html
Any chance to use 1.9 ;-)
> global
>     daemon
>     nbthread 3
>     cpu-map auto:1/1-3 0-2
>     stats socket /var/run/haproxy-stats.sock level admin expose-fd listeners
>     maxconn 12000
>     hard-stop-after 6m
>     log 127.0.0.1:5140 format rfc5424 local0
>     log-tag ingress
>     lua-load /usr/local/etc/haproxy/lua/send-response.lua
>     lua-load /usr/local/etc/haproxy/lua/auth-request.lua
>     ssl-dh-param-file /ingress-controller/ssl/dhparam.pem
>     ssl-default-bind-ciphers ...
>     ssl-default-bind-options ssl-max-ver TLSv1.2 ssl-min-ver TLSv1.0
>     tune.bufsize 65536
> defaults
>     log global
>     option redispatch
>     option dontlognull
>     option http-server-close
>     option http-keep-alive
>     timeout http-request 5s
>     timeout connect 5s
>     timeout client 300s
>     timeout client-fin 70s
>     timeout queue 5s
>     timeout server 300s
>     timeout server-fin 70s
>     timeout tunnel 1h
>     timeout http-keep-alive 70s
>
> ~jm
Regards
Aleks
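As an added example (not part of the thread above), a small Python checker that parses lines written in the log-format suggested in the reply, extended with an assumed extra field `host:'%[req.hdr(host)]'` that the original format does not carry, and reports the requests where the client sent a SNI that differs from the Host header. It skips requests without SNI and normalises case and a trailing :port so only real mismatches such as the 0.5% described by Joao are counted; the sample lines are constructed.

```python
import re

# Constructed sample lines in the shape of the suggested log-format (shortened),
# plus the assumed host:'%[req.hdr(host)]' field (not in the original format).
SAMPLE_LOG = """\
192.0.2.10:51234 [16/May/2019:16:37:01.123] https-in app1/srv1 0/0/12 512 -- 10/5/2/1/0 0/0 ssl_fc_has_sni '1' sni:'myapp.io' ssl_fc_sni 'myapp.io' host:'myapp.io' ssl_fc_protocol 'TLSv1.2'
192.0.2.10:51240 [16/May/2019:16:37:02.456] https-in app2/srv3 0/0/9 733 -- 10/5/2/1/0 0/0 ssl_fc_has_sni '1' sni:'anotherapp.com' ssl_fc_sni 'anotherapp.com' host:'MyApp.io:443' ssl_fc_protocol 'TLSv1.2'
198.51.100.7:40022 [16/May/2019:16:37:03.789] https-in app1/srv2 0/0/15 410 -- 10/5/2/1/0 0/0 ssl_fc_has_sni '0' sni:'' ssl_fc_sni '' host:'myapp.io' ssl_fc_protocol 'TLSv1.0'
"""

# key 'value' pairs as emitted by the log-format; "sni:'...'" uses a colon instead of a space
FIELD_RE = re.compile(r"([A-Za-z_]\w*):?\s*'([^']*)'")


def parse_fields(line):
    """Return the quoted key/value pairs of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def normalize(name):
    """Lower-case a host name and strip a trailing :port so 'MyApp.io:443' equals 'myapp.io'."""
    return re.sub(r":\d+$", "", name.strip().lower())


def find_mismatches(log_text):
    """Return (client, host, sni) for requests that sent a SNI differing from the Host header."""
    found = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_fields(line)
        if fields.get("ssl_fc_has_sni") != "1":
            continue  # no SNI sent at all: not the mismatch we are hunting
        host = normalize(fields.get("host", ""))
        sni = normalize(fields.get("ssl_fc_sni", ""))
        if host and sni and host != sni:
            found.append((line.split(" ", 1)[0], host, sni))
    return found


def mismatch_rate(log_text):
    """Fraction of logged requests that show a Host/SNI mismatch."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return len(find_mismatches(log_text)) / len(lines) if lines else 0.0


if __name__ == "__main__":
    for client, host, sni in find_mismatches(SAMPLE_LOG):
        print(f"{client}: Host={host} but SNI={sni}")
    print(f"mismatch rate: {mismatch_rate(SAMPLE_LOG):.1%}")
```

Comparing the `sni:` capture slot with `ssl_fc_sni` in the same lines also shows whether the `req.ssl_sni` capture returns anything on a TLS-terminating bind.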