Re: (possibly off topic) how to handle Chrome on SSL mass hosting ?

2021-02-03 Thread Lukas Tribus
On Wed, 3 Feb 2021 at 18:47, Илья Шипицин wrote:
>> while I do not mind to have such optimization, but when "a.example.com"
>> responds with http2 GOAWAY, that affects also "b.example.com" and
>> "c.example.com". Chrome is not clever enough to open new connections instead
>> of abandoned one.
>
> above approach works for Chrome (and does not work for Safari)
> unfortunately we found Safari is using connection reuse just like Chrome, and 
> Safari does not handle 421 properly

In which exact case is GOAWAY sent to the browser and how does that
impact the browser behavior exactly?

You are probably doing routing based on the host header, not the SNI
value, so you wouldn't have a routing problem. I'm unsure what the
actual problem is that you are trying to solve.



Lukas



Re: (possibly off topic) how to handle Chrome on SSL mass hosting ?

2021-02-03 Thread Илья Шипицин
Tue, 1 Dec 2020 at 00:37, Tim Düsterhus:

> Ilya,
>
> On 30.11.20 at 20:21, Илья Шипицин wrote:
> > I guess here are people running similar high density SSL hosting, do you
> > have some approaches to please Chrome ? I would be happy if I can tell him
> > to open separate connections for the domains that I wish.
> >
>
> Use HTTP 421 Misdirected Request:
>
> >   http-request   set-var(txn.host) hdr(host)
> >   http-request   deny deny_status 400 unless { req.hdr_cnt(host) eq 1 }
> >   http-request   deny deny_status 421 unless { ssl_fc_sni,strcmp(txn.host) eq 0 }
>


above approach works for Chrome (and does not work for Safari)
unfortunately we found Safari is using connection reuse just like Chrome,
and Safari does not handle 421 properly

looks like "something on Safari side"



>
> Or just use a dedicated certificate or IPv6 address per customer.
>
> Best regards
> Tim Düsterhus
>


Re: (possibly off topic) how to handle Chrome on SSL mass hosting ?

2020-11-30 Thread Tim Düsterhus
Ilya,

On 30.11.20 at 20:21, Илья Шипицин wrote:
> I guess here are people running similar high density SSL hosting, do you
> have some approaches to please Chrome ? I would be happy if I can tell him
> to open separate connections for the domains that I wish.
> 

Use HTTP 421 Misdirected Request:

>   http-request   set-var(txn.host) hdr(host)
>   http-request   deny deny_status 400 unless { req.hdr_cnt(host) eq 1 }
>   http-request   deny deny_status 421 unless { ssl_fc_sni,strcmp(txn.host) eq 0 }

Or just use a dedicated certificate or IPv6 address per customer.

Best regards
Tim Düsterhus
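
The three rules from the message above, placed in a full frontend, as an added example that is not part of the original thread. The frontend and backend names and the certificate path are placeholders, and the Host/SNI normalization (port stripping, lowercasing) is an added assumption for clients that send `Host: a.example.com:443` or mixed-case names, since `strcmp` is an exact, case-sensitive comparison.

```haproxy
frontend fe_https                      # name is a placeholder
    mode http
    # Wildcard certificate shared by a/b/c.example.com (path is a placeholder).
    bind :443 ssl crt /etc/haproxy/certs/wildcard.example.com.pem alpn h2,http/1.1

    # Exactly one Host header, otherwise the comparison below is ambiguous.
    http-request deny deny_status 400 unless { req.hdr_cnt(host) eq 1 }

    # Rule as posted in the thread (exact comparison of the raw header):
    #   http-request set-var(txn.host) hdr(host)
    #
    # Added variant: drop an optional ":port" suffix and lowercase the name,
    # so "A.example.com:443" still matches an SNI of "a.example.com".
    # field(1,:) assumes hostnames, not bracketed IPv6 literals.
    http-request set-var(txn.host) req.hdr(host),field(1,:),lower

    # The SNI is fixed when the TLS connection is opened; the Host header
    # arrives per request. A mismatch means the client reused a connection
    # opened for another name covered by the same certificate. 421 tells
    # it to retry the request on a different connection.
    # A connection without SNI yields no sample, so the condition is false
    # and the request is also answered with 421.
    http-request deny deny_status 421 unless { ssl_fc_sni,lower,strcmp(txn.host) eq 0 }

    default_backend be_app             # name is a placeholder

backend be_app
    mode http
    server app1 127.0.0.1:8080         # address is a placeholder
```

The same comparison also rejects requests whose Host header names a different site than the one negotiated in the TLS handshake, which keeps per-tenant routing and logging consistent with the certificate name the client asked for.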



(possibly off topic) how to handle Chrome on SSL mass hosting ?

2020-11-30 Thread Илья Шипицин
Hello,

I'm looking for best practices related to pleasing Chrome on mass SSL hosting.


let us consider 3 websites

a.example.com
b.example.com
c.example.com

they share wildcard *.example.com certificate and they share single IP
address.

in such case Chrome decides to open a single http2 connection instead of 3
separate connections.
while I do not mind to have such optimization, but when "a.example.com"
responds with http2 GOAWAY, that affects also "b.example.com" and
"c.example.com". Chrome is not clever enough to open new connections instead
of abandoned one.

I guess here are people running similar high density SSL hosting, do you
have some approaches to please Chrome ? I would be happy if I can tell him
to open separate connections for the domains that I wish.

Ilya