Disable frontend cache

Hi, I have a frontend mode http:

use_backend panel-h2-backend if { ssl_fc_sni_reg -i ^app…* }
use_backend stores-h2-backend if { ssl_fc_alpn -i h2 }
default_backend store-backend

It works fine if I have a store called, for example, vanessa.com.br, because panel redirects to app.domain.com (domain is an example for my company’s domain).
But if I have vanessa.domain.com and I access vanessa.domain.com and later app.domain.com in two tabs, app.domain.com redirects to store-backend (the correct behavior is to redirect to stores-h2-backend). If I wait 5 seconds (timeout from session global), it works, but the clients are not happy to wait this long.

defaults
timeout connect 10s
timeout client 5s
timeout server 10s

Does anyone have some ideas to help me?
Thanks.

Hello,

there is no frontend cache.

However, using SNI based routing between backends is problematic for the exact issue you are facing: you have overlapping backend certificates (panel and store SSL certificates have overlapping or same certificate SANs), so the browser is trying to reuse existing SSL sessions, which lands the browser in the wrong backend, since the SNI routing decision happens only once per SSL session (as SNI is available in the client_hello when the SSL handshake is started).

The fix can be to not use overlapping certificates, or to not use SNI based routing. If you share your entire configuration we can make suggestions. Based on what you actually need, SNI based routing may not even be necessary.
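An added configuration sketch of the second option (not posted by anyone in this thread): the routing decision moves from the TLS handshake to the per-request Host header. The backend names come from the question; the frontend name, bind line, certificate path and the `app.` prefix match are assumptions, and the backend sections are expected to be defined elsewhere.

```haproxy
# Added example. Backend names are from the thread; everything else is assumed.
frontend fe_https
    mode http
    # Assumed listener and certificate directory (not shown in the thread).
    bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1

    # Before: ssl_fc_sni is set once, at the TLS handshake, so it keeps the
    # first hostname's value for every later request on the same connection.
    # use_backend panel-h2-backend if { ssl_fc_sni -m beg -i app. }

    # After: the Host header (":authority" in HTTP/2) is evaluated per request,
    # so two hostnames sharing one certificate and one connection still route
    # independently. Hypothetical rule: hosts beginning with "app." are panel.
    acl host_is_panel req.hdr(host) -m beg -i app.
    use_backend panel-h2-backend if host_is_panel

    # Remaining rules kept as in the original post.
    use_backend stores-h2-backend if { ssl_fc_alpn -i h2 }
    default_backend store-backend
```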

Thank you for your help.

I did it using an ACL:

acl acl_panel_h2 hdr(host) -m reg -i ^app.[^.].com.br$ ^app-[^.].[^.].com.br$ !^api.[^.].com.br$ !^api-[^.].[^.].com.br$

Thanks again :)