Hi,

On Thu, May 16, Joao Morais wrote:
>
> Hi list! The symptom is as follows: when logging Host: header I receive
> `myapp.io` while in the same request the sni extension says `anotherapp.com`.
>
> This happens in a very few requests (about 0.5%) but this is enough to make
> some noise - regarding server certificate used in the handshake, and also the
> ca-file used in handshakes with client certs. When they differ, the header is
> right and the sni is wrong.
>
> I can confirm that every "myapp.io" or "anotherapp.com" resolves to the same
> haproxy cluster. I can also confirm that all agents are browsers (Chrome and
> Firefox) running in Linux and, based on the "myapp.io" and "anotherapp.com"
> samples I saw together in the logs, the user is using both applications at
> the same time, probably from the same instance of the browser.

Do myapp.io and anotherapp.com share the same certificate (i.e. the certificate
has both myapp.io and anotherapp.com SAN)? AFAIK a browser can reuse the same
TLS connection if the certificate covers both names.

When the host/sni differ, do you have an earlier connection (for example from
the same ip/port) using a matching sni/host in your logs?

-Jarno

-- 
Jarno Huuskonen
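
The log check suggested in the reply above, as an added example that is not part of the original message: it flags requests whose SNI and Host differ and checks whether the same client ip:port was seen earlier with a matching SNI/Host. The log layout, the sample lines, the function names and the 300-second window are assumptions made for illustration.

```python
# Constructed sample; assumed layout per line: "<epoch> <client_ip:port> <sni> <host>"
SAMPLE_LOG = """\
1000 203.0.113.7:51000 anotherapp.com anotherapp.com
1001 203.0.113.7:51000 anotherapp.com anotherapp.com
1002 203.0.113.7:51000 anotherapp.com myapp.io
1003 198.51.100.9:40022 myapp.io myapp.io
1004 192.0.2.44:33810 anotherapp.com MyApp.io:443
2000 203.0.113.7:51000 anotherapp.com myapp.io
"""


def parse(line):
    """Return (timestamp, client, sni, host) with names normalised for comparison."""
    ts, client, sni, host = line.split()
    # Host may carry a port and mixed case; SNI never carries a port.
    return int(ts), client, sni.lower(), host.lower().split(":")[0]


def classify_mismatches(log_text, window=300):
    """List requests whose SNI and Host differ, in log order.

    A mismatch is labelled "reused-connection" when the same client ip:port
    sent a request with Host equal to this SNI at most `window` seconds
    earlier. Anything else is "unexplained" and needs a manual look.
    Assumes the log lines are in chronological order.
    """
    last_match = {}  # (client, name) -> time of last request with SNI == Host == name
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, sni, host = parse(line)
        if sni == host:
            last_match[(client, sni)] = ts
            continue
        earlier = last_match.get((client, sni))
        # Ephemeral ports get recycled, so an old match is weak evidence.
        reused = earlier is not None and ts - earlier <= window
        verdict = "reused-connection" if reused else "unexplained"
        findings.append((ts, client, sni, host, verdict))
    return findings


if __name__ == "__main__":
    for finding in classify_mismatches(SAMPLE_LOG):
        print(*finding)
```

A long-lived connection can legitimately outlast the window, so "unexplained" marks entries to inspect by hand rather than a confirmed fault.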

