mikem
November 30, 2018, 2:46pm
1
hi,
we enabled http2 with
frontend thef
    bind *:443 ssl crt /mnt/certs alpn h2,http/1.1
and are now facing the problem of https://http2.github.io/http2-spec/#reuse when using wildcard certs on the same IP
We tried
frontend thef
    bind *:443 ssl crt /mnt/certs alpn h2,http/1.1
    bind *:443 ssl crt /mnt/certs/example.pem
but it seems this just makes a random use of the binds. Is there a way to do it? Btw, we have no influence on the apps' configuration like httpd.conf
cheers,
mike
1 Like
mikem
November 30, 2018, 2:48pm
2
Our environment makes it possible for devs to deploy apps with domains with that cert (*.example.com). Now with h2 when you open a.example.com any other domain let’s say b.example.com …
mikem
November 30, 2018, 2:51pm
3
… will show the content of a.example.com. We understand the reason but are looking for a way to tell haproxy to not use h2 for this specific wildcard cert.
Sorry for splitting that post, but I am not allowed to post more than 2 links in one post?!
I assume you are using http mode. In that case, it is only a problem if you are using context switching based on SNI, instead of the Host header.
Use the host header and the problem will be gone.
Provide the full configuration if you want a more specific suggestion.
I bumped your privileges, new users are heavily restricted by default.
1 Like
mikem
December 3, 2018, 10:34am
5
it was
frontend marathon_https_in
    bind *:443 ssl crt /mnt/certs alpn h2,http/1.1
    mode http
    errorfile 503 /errorfiles/503.http
    use_backend %[ssl_fc_sni,lower,map(/marathon-lb/domain2backend.map)]
now changed to
frontend marathon_https_in
    bind *:443 ssl crt /mnt/certs alpn h2,http/1.1
    mode http
    errorfile 503 /errorfiles/503.http
    use_backend %[req.hdr(host),lower,map_str(/marathon-lb/domain2backend.map)]
seems to work.
cheers,
mike
1 Like
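A config check for the pattern discussed in this thread, as an added example that is not part of the original posts: it flags HTTP-mode frontends that offer `h2` and route on `ssl_fc_sni`, the combination that sends a reused HTTP/2 connection to the wrong backend. The function name `find_sni_routing` and the second sample frontend are constructed for illustration, and the check assumes `mode http` is written in the section itself rather than inherited from `defaults`.

```python
import re

# Constructed sample: the "before" frontend from the thread plus a Host-routed one.
SAMPLE_CFG = """\
frontend marathon_https_in
    bind *:443 ssl crt /mnt/certs alpn h2,http/1.1
    mode http
    errorfile 503 /errorfiles/503.http
    use_backend %[ssl_fc_sni,lower,map(/marathon-lb/domain2backend.map)]

frontend fixed_https_in
    bind *:443 ssl crt /mnt/certs alpn h2,http/1.1
    mode http
    use_backend %[req.hdr(host),lower,map_str(/marathon-lb/domain2backend.map)]
"""

SECTION = re.compile(r"^(frontend|listen|backend|defaults|global)\b\s*(\S*)")
ROUTING = ("use_backend", "acl", "http-request", "default_backend")

def find_sni_routing(cfg_text):
    """Return [(section, line_no, line)] for HTTP-mode proxies that offer h2
    and make a routing decision on ssl_fc_sni (hypothetical helper)."""
    sections, current = [], None
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = SECTION.match(line)
        if m:                                  # a new section starts here
            current = {"kind": m.group(1), "name": m.group(2),
                       "h2": False, "http": False, "hits": []}
            sections.append(current)
            continue
        if current is None or current["kind"] not in ("frontend", "listen"):
            continue
        words = line.split()
        if words[0] == "bind" and "alpn" in words[:-1]:
            protos = words[words.index("alpn") + 1].split(",")
            current["h2"] = current["h2"] or "h2" in protos
        elif words[:2] == ["mode", "http"]:    # assumption: mode set explicitly
            current["http"] = True
        elif words[0] in ROUTING and "ssl_fc_sni" in line:
            current["hits"].append((no, line))
    return [(s["name"], no, line) for s in sections
            if s["h2"] and s["http"] for no, line in s["hits"]]

if __name__ == "__main__":
    for name, no, line in find_sni_routing(SAMPLE_CFG):
        print(f"{name}: line {no}: routes on SNI while offering h2: {line}")
```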