On Thu, Jun 24, 2021 at 04:07:33PM +0200, Tim Düsterhus wrote:
> Julien,
> 
> On 6/24/21 3:40 PM, Julien Pivotto wrote:
> > >    use_backend bob if { hdr(host) -m dom bob.com }
> > >    use_backend alice if { hdr(host) -m dom alice.com }
> > 
> > Thanks for taking the time to write this report.
> > 
> > SNI and host header are indeed different.
> > 
> > You should consider using req.ssl_sni instead of hdr(host).
> > 
> 
> NO! Using req.ssl_sni for request routing is unsafe and it will break more
> setups than it fixes.
> 
> Browsers can and will open a single TCP / TLS connection for multiple
> unrelated hosts if the certificate presented on the first connection is
> valid for the other host. This is especially true for HTTP/2.
> 
> To prevent the follow-up requests from being routed to the wrong backend you
> must use the 'host' header for routing -- or your certificates need to be
> non-overlapping.
> 
> In fact HTTP 421 Misdirected Request was invented for the specific case of a
> web browser reusing an existing TCP connection for an unrelated domain.

FWIW I entirely second everything Tim said.

Willy
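Tim's argument as a constructed Python model (added here, not part of the thread or of HAProxy): a browser that coalesces HTTP/2 requests onto an existing TLS connection keeps the first host's SNI, so routing on `req.ssl_sni` sends the second host to the wrong backend, routing on the Host header does not, and a 421 retry only repairs the SNI case at the price of an extra connection. The certificate layouts, `Browser`, `simulate` and the `-m dom` emulation are assumptions of this example.

```python
from dataclasses import dataclass

# Routing table mirroring the quoted use_backend rules (hostnames from the thread).
BACKENDS = {"bob.com": "bob", "alice.com": "alice"}
# Constructed certificate deployments: SNI -> names the presented certificate covers.
SHARED_CERT = {"bob.com": {"bob.com", "alice.com"}, "alice.com": {"bob.com", "alice.com"}}
SEPARATE_CERTS = {"bob.com": {"bob.com"}, "alice.com": {"alice.com"}}

@dataclass
class Connection:
    sni: str               # sent once, in the TLS ClientHello that opened this connection
    cert_sans: frozenset   # names the certificate presented on it is valid for

def dom_match(hostname, domain):
    """Emulate HAProxy '-m dom': equal to the domain or a dot-delimited suffix of it."""
    host = hostname.split(":")[0].lower()
    return host == domain or host.endswith("." + domain)

def backend_for(name):
    return next((b for d, b in BACKENDS.items() if dom_match(name, d)), None)

def route_by_sni(conn, host):
    return backend_for(conn.sni)   # what routing on req.ssl_sni would do
def route_by_host(conn, host):
    return backend_for(host)       # what routing on hdr(host) does

class Browser:
    """HTTP/2-style coalescing: reuse an open connection whose certificate covers the host."""
    def __init__(self, certs):
        self.certs, self.conns = certs, []
    def connection_for(self, host):
        for c in sorted(self.conns, key=lambda c: c.sni != host):  # exact SNI match first
            if c.sni == host or host in c.cert_sans:
                return c           # a reused connection keeps the FIRST host's SNI
        c = Connection(host, frozenset(self.certs[host]))
        self.conns.append(c)
        return c

def simulate(router, hosts, certs, origin_sends_421=False):
    """One request per host via a coalescing browser; returns served backends and connection count."""
    browser, served = Browser(certs), []
    for host in hosts:
        backend = router(browser.connection_for(host), host)
        if origin_sends_421 and backend != backend_for(host):
            # Backend is not authoritative for this Host and answers 421 Misdirected
            # Request (RFC 7540 s9.1.2); the browser retries on a fresh connection.
            fresh = Connection(host, frozenset(certs[host]))
            browser.conns.append(fresh)
            backend = router(fresh, host)
        served.append((host, backend))
    return served, len(browser.conns)
```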
