Julien,

On 6/24/21 3:40 PM, Julien Pivotto wrote:
> > use_backend bob if { hdr(host) -m dom bob.com }
> > use_backend alice if { hdr(host) -m dom alice.com }
>
> Thanks for taking the time to write this report. SNI and host header are
> indeed different. You should consider using req.ssl_sni instead of
> hdr(host).
NO! Using req.ssl_sni for request routing is unsafe and it will break more setups than it fixes.
Browsers can and will open a single TCP / TLS connection for multiple unrelated hosts if the certificate presented on the first connection is valid for the other host. This is especially true for HTTP/2.
To prevent the follow-up requests from being routed to the wrong backend you must use the 'host' header for routing -- or your certificates need to be non-overlapping.
In fact HTTP 421 Misdirected Request was invented for the specific case of a web browser reusing an existing TCP connection for an unrelated domain.
Best regards
Tim Düsterhus
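The routing rule Tim describes, written out as an HAProxy configuration. This is an added example, not a config from the thread or from the HAProxy project; the backend names, the certificate directory, the listen port and the server addresses are assumptions. It assumes HAProxy terminates TLS itself (http mode), where the SNI fetch is ssl_fc_sni; in a tcp-mode passthrough frontend the same coalescing problem applies to req.ssl_sni, but there is no Host header to route on at all, so the only fixes there are terminating TLS or issuing non-overlapping certificates.

```haproxy
# /etc/haproxy/haproxy.cfg (excerpt, constructed for this example)

frontend https-in
    mode http
    # Terminate TLS here. Once h2 is negotiated, a browser already holding a
    # connection whose certificate also covers alice.com will reuse it for
    # alice.com requests without a new handshake, so no new SNI is ever sent.
    bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1

    # http-request rules are evaluated before use_backend regardless of their
    # position in the file. If no Host we serve is present, the client coalesced
    # a request for some other host onto this connection: answer 421 so a
    # conforming browser retries on a fresh connection instead of falling
    # through to an arbitrary backend.
    http-request deny deny_status 421 unless { hdr(host) -m dom bob.com } || { hdr(host) -m dom alice.com }

    # UNSAFE (shown only for contrast): the SNI is fixed for the lifetime of
    # the connection, so every coalesced request would follow the first one
    # to the wrong backend.
    #   use_backend bob   if { ssl_fc_sni -i bob.com }
    #   use_backend alice if { ssl_fc_sni -i alice.com }

    # SAFE: route on the Host header, which is present on every request.
    use_backend bob   if { hdr(host) -m dom bob.com }
    use_backend alice if { hdr(host) -m dom alice.com }

backend bob
    server bob1 127.0.0.1:8081

backend alice
    server alice1 127.0.0.1:8082
```

A quick way to check the behaviour is to issue two requests over one connection with different Host headers (for example with curl's --next, or an HTTP/2 client that reuses the connection) and confirm that each lands on the backend named by its Host header, while a Host covered by neither rule gets a 421 rather than a response from whichever backend the first request selected.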

