On Thu, Jun 24, 2021 at 04:07:33PM +0200, Tim Düsterhus wrote:
> Julien,
>
> On 6/24/21 3:40 PM, Julien Pivotto wrote:
> > > use_backend bob if { hdr(host) -m dom bob.com }
> > > use_backend alice if { hdr(host) -m dom alice.com }
> >
> > Thanks for taking the time to write this report.
> >
> > SNI and host header are indeed different.
> >
> > You should consider using req.ssl_sni instead of hdr(host).
> >
>
> NO! Using req.ssl_sni for request routing is unsafe and it will break more
> setups than it fixes.
>
> Browsers can and will open a single TCP / TLS connection for multiple
> unrelated hosts if the certificate presented on the first connection is
> valid for the other host. This is especially true for HTTP/2.
>
> To prevent the follow-up requests from being routed to the wrong backend you
> must use the 'host' header for routing -- or your certificates need to be
> non-overlapping.
>
> In fact HTTP 421 Misdirected Request was invented for the specific case of a
> web browser reusing an existing TCP connection for an unrelated domain.
FWIW I entirely second all that Tim said.

Willy
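A small model of the failure Tim describes, added here as an illustration and not code from the thread or from HAProxy: a browser coalesces a second host onto an existing connection whenever the presented certificate also covers that host, so a proxy that picks its backend from the handshake SNI sends the coalesced request to the wrong place, while Host-based routing gets it right and can answer 421 for a host it does not serve. The backend map, certificate names and the simplified `-m dom` matcher are constructed for the example.

```python
from dataclasses import dataclass

# Constructed backend map, mirroring the two use_backend rules quoted in the thread.
BACKENDS = {"bob.com": "bob", "alice.com": "alice"}


@dataclass(frozen=True)
class TlsConnection:
    sni: str               # name from the ClientHello; fixed for the connection's lifetime
    cert_names: frozenset  # subjectAltNames of the certificate the server presented


def cert_covers(cert_names, host):
    """Certificate is valid for host: exact SAN or a one-label wildcard SAN."""
    parent = host.partition(".")[2]
    return host in cert_names or (parent != "" and "*." + parent in cert_names)


def browser_may_reuse(conn, host):
    """Simplified RFC 7540 9.1.1 rule: reuse the connection if its cert covers host."""
    return cert_covers(conn.cert_names, host)


def domain_match(value, pattern):
    """Simplified stand-in for HAProxy '-m dom': whole name or dot-delimited suffix."""
    return value == pattern or value.endswith("." + pattern)


def route_by_sni(conn, host):
    """Unsafe: backend chosen from the handshake SNI, the per-request Host is ignored."""
    return next((b for name, b in BACKENDS.items() if domain_match(conn.sni, name)), None)


def route_by_host(conn, host):
    """Safe: backend chosen from each request's Host header (H2 :authority)."""
    return next((b for name, b in BACKENDS.items() if domain_match(host, name)), None)


def handle_request(conn, host, router):
    """Return (status, backend), or None if a conforming client would open a new connection."""
    if not browser_may_reuse(conn, host):
        return None  # no coalescing possible: fresh handshake, fresh SNI, no misrouting
    backend = router(conn, host)
    return (200, backend) if backend else (421, None)  # 421 Misdirected Request


def demo():
    # One certificate covering three names: the browser will coalesce alice.com and carol.com onto it.
    shared = TlsConnection("bob.com", frozenset({"bob.com", "alice.com", "carol.com"}))
    separate = TlsConnection("bob.com", frozenset({"bob.com"}))  # non-overlapping certs
    return {
        "sni_misroutes": handle_request(shared, "alice.com", route_by_sni),    # (200, 'bob')
        "host_routes": handle_request(shared, "alice.com", route_by_host),     # (200, 'alice')
        "unserved_host": handle_request(shared, "carol.com", route_by_host),   # (421, None)
        "no_overlap": handle_request(separate, "alice.com", route_by_sni),     # None
    }
```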