HAProxy community

HTTP/2 reuse problem


#1

hi,

we enabled http2 with

frontend thef
   bind *:443 ssl crt /mnt/certs alpn h2,http/1.1

and are now facing the problem described at https://http2.github.io/http2-spec/#reuse when using wildcard certs on the same IP.

We tried

frontend thef
   bind *:443 ssl crt /mnt/certs alpn h2,http/1.1
   bind *:443 ssl crt /mnt/certs/example.pem

but it seems this just uses the binds at random. Is there a way to do it? By the way, we have no influence on the apps' configuration, like httpd.conf.

cheers,

mike


#2

Our environment makes it possible for devs to deploy apps with domains covered by that cert (*.example.com). Now, with h2, when you open a.example.com, any other domain, let's say b.example.com,


#3

… will show the content of a.example.com. We understand the reason but are looking for a way to tell HAProxy not to use h2 for this specific wildcard cert.

Sorry for splitting that post, but I am not allowed to post more than 2 links in one post?!


#4

I assume you are using http mode. In that case, it is only a problem if you are using context switching based on SNI, instead of the Host header.

Use the host header and the problem will be gone.

Provide the full configuration if you want a more specific suggestion.

I bumped your privileges, new users are heavily restricted by default.


#5

It was

frontend marathon_https_in
   bind *:443 ssl crt /mnt/certs alpn h2,http/1.1
   mode http
   errorfile 503 /errorfiles/503.http
   use_backend %[ssl_fc_sni,lower,map(/marathon-lb/domain2backend.map)]

now changed to

frontend marathon_https_in
   bind *:443 ssl crt /mnt/certs alpn h2,http/1.1
   mode http
   errorfile 503 /errorfiles/503.http
   use_backend %[req.hdr(host),lower,map_str(/marathon-lb/domain2backend.map)]

Seems to work.

cheers,

mike
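To make the failure mode in posts #2 to #5 concrete, here is an added simulation (not code from the thread or from HAProxy) of HTTP/2 connection coalescing (RFC 7540 section 9.1.1) run against both routing rules from post #5: the original `ssl_fc_sni` lookup and the `req.hdr(host)` lookup. The hostnames, the backend names, the single shared IP, the DNS table, the certificate store and the contents of the map file are all constructed for the example; `DEFAULT_BACKEND` and the 421 response are additions that are not in the posted configuration.

```python
"""Added example, not from the thread: simulate HTTP/2 connection coalescing
(RFC 7540 section 9.1.1) against an SNI-based versus a Host-based backend
lookup. All names, IPs and map contents below are constructed."""

# Constructed stand-in for /marathon-lb/domain2backend.map (exact match on
# lowercase keys, which is what map/map_str does in HAProxy).
DOMAIN2BACKEND = {
    "a.example.com": "backend_a",
    "b.example.com": "backend_b",
    "www.example.org": "backend_org",
}

# Constructed stand-in for the certificates under /mnt/certs (their SANs).
CERT_STORE = [
    ["*.example.com"],
    ["www.example.org"],
]

# Constructed DNS: every name resolves to the one shared IP from the thread.
DNS = {name: "203.0.113.10" for name in DOMAIN2BACKEND}

DEFAULT_BACKEND = "backend_default"  # hypothetical fallback backend


def cert_covers(san_names, host):
    """Does one of the SANs cover host? '*' matches exactly one left-most
    label (RFC 6125 section 6.4.3): '*.example.com' covers b.example.com but
    neither x.y.example.com nor example.com."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False


def select_cert(sni):
    """Server side: pick the first certificate covering the SNI, as a
    directory-of-certs bind does."""
    for san_names in CERT_STORE:
        if cert_covers(san_names, sni):
            return san_names
    raise ValueError(f"no certificate for {sni}")


class H2Connection:
    def __init__(self, ip, sni):
        self.ip = ip
        self.sni = sni  # fixed for the life of the TLS session
        self.cert = select_cert(sni)


class Browser:
    """Client side of RFC 7540 section 9.1.1: reuse an open h2 connection for
    a new origin when it resolves to the same IP and the certificate already
    presented on that connection covers the new name."""

    def __init__(self):
        self.conns = []

    def request(self, host):
        ip = DNS[host]
        for conn in self.conns:
            if conn.ip == ip and cert_covers(conn.cert, host):
                return conn, {"host": host}  # coalesced: conn.sni is unchanged
        conn = H2Connection(ip, host)
        self.conns.append(conn)
        return conn, {"host": host}


def route_by_sni(conn, request):
    """use_backend %[ssl_fc_sni,lower,map(...)] from post #5 (the original)."""
    return DOMAIN2BACKEND.get(conn.sni.lower(), DEFAULT_BACKEND)


def route_by_host(conn, request):
    """use_backend %[req.hdr(host),lower,map_str(...)] from post #5 (the fix),
    plus the RFC 7540 section 9.1.2 server-side check: a Host that the
    connection's certificate does not cover gets 421 Misdirected Request
    instead of being routed, because a conforming client never coalesces it."""
    host = request["host"].lower()
    if not cert_covers(conn.cert, host):
        return "421 Misdirected Request"
    return DOMAIN2BACKEND.get(host, DEFAULT_BACKEND)


def simulate(router, hosts):
    """One browser requests each host in order; return the chosen backends."""
    browser = Browser()
    return [router(*browser.request(h)) for h in hosts]


if __name__ == "__main__":
    hosts = ["a.example.com", "b.example.com", "www.example.org"]
    print("SNI-based :", simulate(route_by_sni, hosts))
    print("Host-based:", simulate(route_by_host, hosts))
```

The SNI-based run sends the request for b.example.com to backend_a, which is exactly the symptom in post #3: the browser reused the connection it had opened to a.example.com because the wildcard certificate also covers b.example.com, so the SNI seen by HAProxy is still a.example.com. The Host-based run routes each request correctly, and the extra check answers a Host the certificate does not cover with 421 rather than trusting a client-supplied header. In HAProxy the `map` converter is an alias of `map_str`, so the change from `map` to `map_str` in post #5 is cosmetic; the fix is the switch from `ssl_fc_sni` to `req.hdr(host)`, which HAProxy also populates from the h2 `:authority` pseudo-header.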