On Fri, 17 May 2019 at 21:44, Aleksandar Lazic <[email protected]> wrote:
>  > Here you need to use req.ssl_sni as you don't terminate SSL in that
>  > frontend, and need to look at SNI to be able to route it
>  > appropriately. That's the use-case for SNI and is fine (unless you
>  > have overlapping certificates).
>
> What's the problem with this?
>  What should be used when I want to use SAN (Subject Alternative Name) for
> routing?

It's not really about SAN, it's just about how routing based on SNI
works (and is the reason for the issue in the other thread). SNI is
extracted from the first client hello before the TLS session is even
established.

When you have 2 certificates:
one is a wildcard *.example.org
one is a specific one like www1.example.org

When the browser connects to mail.example.org, haproxy will pick the
wildcard certificate. When the browser then opens www1 it already has
a TLS session established and got a wildcard certificate which covers
www1.example.org also; so it will send the request there. If you made
the routing decision based on SNI, the browser will then be in the wrong
backend.

That's why routing should be based on the host header and not SNI, and if
you must use SNI (like in your case, because you are not terminating
TLS there), then use single-hostname certificates, so browsers don't
appear in unexpected backends.


The other thread and those linked within will contain more
information about this, but this is the gist of it.



Lukas
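
The two routing styles discussed above, as an added configuration example that is not part of the thread (hostnames, certificate paths, backend addresses and ports are hypothetical). Option A is the passthrough case where only SNI is available, so the certificates must be single-hostname ones; Option B terminates TLS and routes on the Host header, which is present on every request rather than only in the first ClientHello. Both options bind :443, so they are alternatives for separate haproxy.cfg files, not one combined config.

```haproxy
# Added example; not from the original thread. All names are hypothetical.

# ---- Option A: TLS passthrough, route on SNI (req.ssl_sni) ----
# SNI is only seen in the ClientHello. If a wildcard cert covered both
# hosts, a browser would reuse the mail.example.org connection for
# www1.example.org and those requests would land in be_wildcard_tcp.
# Mitigation: issue single-hostname certificates on the backends so the
# browser cannot reuse one connection for the other name.
frontend tls_passthrough
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_www1_tcp     if { req.ssl_sni -i www1.example.org }
    default_backend be_wildcard_tcp

backend be_www1_tcp
    mode tcp
    server www1 10.0.0.11:443

backend be_wildcard_tcp
    mode tcp
    server wild 10.0.0.10:443

# ---- Option B: terminate TLS here, route on the Host header ----
# The Host header travels with every request, so connection reuse by
# the browser no longer affects which backend a request reaches.
frontend tls_terminate
    bind *:443 ssl crt /etc/haproxy/certs/
    mode http
    use_backend be_www1_http     if { req.hdr(host) -i www1.example.org }
    default_backend be_wildcard_http

backend be_www1_http
    mode http
    server www1 10.0.0.11:8080

backend be_wildcard_http
    mode http
    server wild 10.0.0.10:8080
```

Validate either file with `haproxy -c -f haproxy.cfg` before reloading.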
