Re: (possibly off topic) how to handle Chrome on SSL mass hosting ?
On Wed, 3 Feb 2021 at 18:47, Илья Шипицин wrote:
>> while I do not mind to have such optimization, but when "a.example.com"
>> responds with http2 GOAWAY, that affects also "b.example.com" and
>> "c.example.com". Chrome is not clever enough to open new connections instead
>> of abandoned one.
>
> above approach works for Chrome (and does not work for Safari)
> unfortunately we found Safari is using connection reuse just like Chrome, and
> Safari does not handle 421 properly

In which exact case is GOAWAY sent to the browser and how does that impact the browser behavior exactly?

You are probably doing routing based on the host header, not the SNI value, so you wouldn't have a routing problem.

I'm unsure what the actual problem is that you are trying to solve.

Lukas
Re: (possibly off topic) how to handle Chrome on SSL mass hosting ?
On Tue, 1 Dec 2020 at 00:37, Tim Düsterhus wrote:

> Ilya,
>
> On 30.11.20 at 20:21, Илья Шипицин wrote:
> > I guess here are people running similar high density SSL hosting, do you
> > have some approaches to please Chrome ? I would be happy if I can tell him
> > to open separate connections for the domains that I wish.
> >
>
> Use HTTP 421 Misdirected Request:
>
> > http-request set-var(txn.host) hdr(host)
> > http-request deny deny_status 400 unless { req.hdr_cnt(host) eq 1 }
> > http-request deny deny_status 421 unless { ssl_fc_sni,strcmp(txn.host) eq 0 }
>

above approach works for Chrome (and does not work for Safari)
unfortunately we found Safari is using connection reuse just like Chrome, and Safari does not handle 421 properly
looks like "something on Safari side"

> Or just use a dedicated certificate or IPv6 address per customer.
>
> Best regards
> Tim Düsterhus
>
Re: (possibly off topic) how to handle Chrome on SSL mass hosting ?
Ilya,

On 30.11.20 at 20:21, Илья Шипицин wrote:
> I guess here are people running similar high density SSL hosting, do you
> have some approaches to please Chrome ? I would be happy if I can tell him
> to open separate connections for the domains that I wish.
>

Use HTTP 421 Misdirected Request:

> http-request set-var(txn.host) hdr(host)
> http-request deny deny_status 400 unless { req.hdr_cnt(host) eq 1 }
> http-request deny deny_status 421 unless { ssl_fc_sni,strcmp(txn.host) eq 0 }

Or just use a dedicated certificate or IPv6 address per customer.

Best regards
Tim Düsterhus
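
The decision made by the three http-request rules quoted above, modelled in Python as an added example (not part of the original post and not HAProxy code). The function name, the sample requests, and the treatment of a missing SNI as "no match" are assumptions; the model shows which requests other than connection reuse would also receive 400 or 421.

```python
# Python model of the three http-request rules (added example, not HAProxy code).

def decide(sni, host_headers):
    """Return the deny status the rules produce, or None if the request passes.

    sni          -- SNI from the TLS handshake, or None if the client sent none
                    (assumption: a missing ssl_fc_sni sample means no match)
    host_headers -- list of Host header values in the request
    """
    # deny_status 400 unless { req.hdr_cnt(host) eq 1 }
    if len(host_headers) != 1:
        return 400
    host = host_headers[0]  # set-var(txn.host) hdr(host)
    # deny_status 421 unless { ssl_fc_sni,strcmp(txn.host) eq 0 }
    # strcmp compares bytes, so letter case and an explicit ":port" both count.
    if sni is None or sni != host:
        return 421
    return None

# Constructed sample requests: (description, SNI, Host headers)
CASES = [
    ("own connection", "a.example.com", ["a.example.com"]),
    ("reused connection, other site", "a.example.com", ["b.example.com"]),
    ("Host carries a port", "a.example.com", ["a.example.com:443"]),
    ("Host in mixed case", "a.example.com", ["A.Example.com"]),
    ("client sent no SNI", None, ["a.example.com"]),
    ("two Host headers", "a.example.com", ["a.example.com", "b.example.com"]),
    ("no Host header", "a.example.com", []),
]

def run_cases():
    """Evaluate every constructed case and return (description, status) pairs."""
    return [(name, decide(sni, hosts)) for name, sni, hosts in CASES]

if __name__ == "__main__":
    for name, status in run_cases():
        print(f"{name:32} -> {status or 'pass'}")
```
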
(possibly off topic) how to handle Chrome on SSL mass hosting ?
Hello,

I'm looking for best practices related to please Chrome on mass SSL hosting.

let us consider 3 websites

a.example.com
b.example.com
c.example.com

they share wildcard *.example.com certificate and they share single IP address.

in such case Chrome decides to open a single http2 connection instead of 3 separate connections.

while I do not mind to have such optimization, but when "a.example.com" responds with http2 GOAWAY, that affects also "b.example.com" and "c.example.com". Chrome is not clever enough to open new connections instead of abandoned one.

I guess here are people running similar high density SSL hosting, do you have some approaches to please Chrome ? I would be happy if I can tell him to open separate connections for the domains that I wish.

Ilya