Just something I thought the rest of the interwebs might find
useful.
If you can get your users to first connect to an http:// address,
and then have that URL redirect them to https://, you can work
around a lack of SNI support on the client end like so:
# content switching based on host name
use_backend dvs-staging.cytobank.org-http if { hdr(host) -i
dvs-staging.cytobank.org }
backend dvs-staging.cytobank.org-http
cookie SITE insert
server server_1 2607:f700:2bff:bb:225:90ff:fe6c:3308:82 cookie
dvs-staging.cytobank.org check inter 3000 rise 1 fall 1 error-limit 1 on-error
mark-down
[snip]
# content switching based on cookie, having had them set in previous sessions
use_backend dvs-staging.cytobank.org-https-apache if { hdr_sub(cookie)
SITE=dvs-staging.cytobank.org }
# content switching based on SNI
use_backend dvs-staging.cytobank.org-https-apache if { ssl_fc_sni -i
dvs-staging.cytobank.org }
backend dvs-staging.cytobank.org-https-apache
cookie SITE insert
server server_1 2607:f700:2bff:bb:225:90ff:fe6c:3308:83 cookie
dvs-staging.cytobank.org check inter 3000 rise 1 fall 1 error-limit 1 on-error
mark-down
So whenever dvs-staging is reached, the cookie is set, and we fall
back to SNI if we don't have that cookie. If the same user might be
going to more than one host, then you'd want to prefer SNI to the
cookie, but that isn't the case for use, so we prefer the cookie for
speed (I'm assuming a cookie check is faster than SNI, based on zero
research; I could certainly be wrong).
-Robin
