Jarno, Joao,

On 16.05.19 at 17:49, Jarno Huuskonen wrote:
> Do myapp.io and anotherapp.com share the same certificate (i.e. the
> certificate has both myapp.io and anotherapp.com as SANs)?
>
> AFAIK the browser can reuse the same TLS connection if the certificate
> covers both names. When the host/SNI differ, do you have an earlier
> connection (for example from the same ip/port) using a matching SNI/host in
> your logs?
>

This is correct to the best of my knowledge, especially when HTTP/2 is used.

@Joao See this mailing list thread, it might be of interest to you:
https://www.mail-archive.com/[email protected]/msg29926.html

Also, specifically this email:
https://www.mail-archive.com/[email protected]/msg29789.html

With HAProxy 1.9 you should be able to use the strcmp converter I contributed like this:

    # Remember the Host header the client sent for this transaction.
    http-request set-var(txn.host) hdr(host)
    # Check whether the client is attempting domain fronting:
    # the TLS SNI must match the HTTP Host header byte for byte.
    acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0
    # Deny at request time, before anything is forwarded to a backend.
    http-request deny deny_status 421 unless ssl_sni_http_host_match

This sends the proper HTTP/2 status code 421, indicating that the browser should use a new connection. But please make sure to actually test this to ensure nothing legitimate breaks.

Best regards
Tim Düsterhus
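The rule above compares the TLS SNI and the HTTP Host header byte for byte, and the mail closes by asking that it be tested against legitimate traffic. The following is an added example, not part of the thread and not HAProxy code: a small Python model of that comparison run over constructed (SNI, Host) pairs, next to a normalized comparison (drop an explicit port, fold case) so the cases a strict strcmp would also turn away with 421 become visible. The normalization, the sample pairs and all function names are assumptions made here for illustration.

```python
# Added example (not from the thread and not HAProxy code): a plain-Python model
# of the SNI-vs-Host domain-fronting check, run over constructed (SNI, Host) pairs
# to show which legitimate-looking requests the strict byte-for-byte comparison
# would also turn away with 421.
from typing import List, Optional, Tuple

MISDIRECTED_REQUEST = 421


def strict_check(sni: str, host: str) -> Optional[int]:
    """Model of the posted HAProxy rule: ssl_fc_sni,strcmp(txn.host) eq 0.

    Returns 421 when the two strings differ byte for byte, None when the
    request is allowed through.
    """
    return None if sni == host else MISDIRECTED_REQUEST


def normalize_host(host: str) -> str:
    """Reduce a Host header value to a comparable hostname.

    Assumption: this normalization (drop an explicit :port, fold case) is our
    own suggestion for testing; the HAProxy rule in the thread does not do it.
    """
    value = host.strip()
    if value.startswith("["):
        # IPv6 literal such as "[2001:db8::1]:8443": keep the bracketed part only.
        end = value.find("]")
        return value[: end + 1].lower() if end != -1 else value.lower()
    # "myapp.io:8443" -> "myapp.io"; a bare name has no colon and is kept whole.
    name, _, _port = value.partition(":")
    return name.lower()


def relaxed_check(sni: str, host: str) -> Optional[int]:
    """Same policy as strict_check, but compared after normalize_host().

    SNI never carries a port and hostnames are case-insensitive, so a Host
    header that only adds ":8443" or differs in case is treated as the same
    origin. An empty SNI or Host still fails: there is nothing to prove a match.
    """
    if not sni or not host:
        return MISDIRECTED_REQUEST
    return None if sni.lower() == normalize_host(host) else MISDIRECTED_REQUEST


# Constructed sample input: (TLS SNI, HTTP Host header, what the case represents).
CASES: List[Tuple[str, str, str]] = [
    ("myapp.io", "myapp.io", "same name"),
    ("myapp.io", "anotherapp.com", "fronting: Host names another site on a shared cert"),
    ("myapp.io", "myapp.io:8443", "legitimate: Host carries an explicit port"),
    ("myapp.io", "MyApp.IO", "legitimate: Host differs only in case"),
    ("myapp.io", "", "HTTP/1.0 client without a Host header"),
]


def evaluate(
    cases: List[Tuple[str, str, str]] = CASES,
) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """Run both checks over the cases; returns (description, strict, relaxed)."""
    return [(desc, strict_check(sni, host), relaxed_check(sni, host)) for sni, host, desc in cases]


def false_positives(cases: List[Tuple[str, str, str]] = CASES) -> List[str]:
    """Cases the strict rule rejects but the normalized comparison accepts.

    These are the requests to look for in logs before deploying the rule:
    they would break under the strict rule although the client is talking to
    the very site its TLS handshake named.
    """
    return [
        desc
        for desc, strict, relaxed in evaluate(cases)
        if strict == MISDIRECTED_REQUEST and relaxed is None
    ]


if __name__ == "__main__":
    for desc, strict, relaxed in evaluate():
        print(f"{desc:55s} strict={strict or 'pass':5} relaxed={relaxed or 'pass'}")
    print("would break under the strict rule:", false_positives())
```

Run it as a script to see both columns; the two "legitimate" rows are the ones that pass the normalized comparison but are denied by a byte-for-byte strcmp, which is exactly the kind of breakage the mail asks you to test for before enabling the rule.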

