On 17.05.2019 at 22:19, Lukas Tribus wrote:
> On Fri, 17 May 2019 at 21:44, Aleksandar Lazic <[email protected]> wrote:
>> > Here you need to use req.ssl_sni as you don't terminate SSL in that
>> > frontend, and need to look at SNI to be able to route it
>> > appropriately. That's the use-case for SNI and is fine (unless you
>> > have overlapping certificates).
>>
>> What's the problem with this?
>> What should be used when I want to use SAN (Subject Alternative Name) for
>> routing?
>
> It's not really about SAN, it's just about how routing based on SNI
> works (and is the reason for the issue in the other thread). SNI is
> extracted from the first client hello before the TLS session is even
> established.
>
> When you have 2 certificates:
> one is a wildcard *.example.org
> one is a specific one like www1.example.org
>
> When the browser connects to mail.example.org, haproxy will pick the
> wildcard certificate. When the browser then opens www1 it already has
> a TLS session established and got a wildcard certificate which covers
> www1.example.org also; so it will send the request there. If you made
> the routing decision based on SNI, the browser will then be in the wrong
> backend.
>
> That's why routing should be based on the host header and not SNI, and if
> you must use SNI (like in your case, because you are not terminating
> TLS there), then use single hostname certificates, so browsers don't
> appear in unexpected backends.
>
>
> The other thread and those linked within will contain more
> information about this, but this is the gist of it.
Thank you very much for your detailed explanation.

> Lukas

Aleks
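The two routing models Lukas contrasts, written out as an added HAProxy configuration example that is not part of this thread: option A passes TLS through and routes on `req.ssl_sni`, which is only safe when every certificate covers exactly one hostname (a reused TLS session can then never carry a request for a host that belongs to another backend); option B terminates TLS and routes per request on the Host header, so a wildcard certificate does no harm. The hostnames, backend names, server addresses, certificate paths and the port used for option B are assumptions chosen for the example.

```haproxy
# Added example (not from the thread). Pick ONE of the two frontends; they are
# bound to different ports here only so the file loads as a whole.

# Option A: TLS passthrough, routing on SNI.
# Safe only with single-hostname certificates on the backends: with a
# wildcard cert, a browser that opened a session for mail.example.org may
# reuse it for www1.example.org and land in bk_mail_tcp.
frontend fe_tls_passthrough
    bind *:443
    mode tcp
    # wait for the ClientHello so req.ssl_sni is populated
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend bk_www1_tcp if { req.ssl_sni -i www1.example.org }
    use_backend bk_mail_tcp if { req.ssl_sni -i mail.example.org }
    default_backend bk_default_tcp

backend bk_www1_tcp
    mode tcp
    server www1 10.0.0.11:443   # assumed address

backend bk_mail_tcp
    mode tcp
    server mail 10.0.0.12:443   # assumed address

backend bk_default_tcp
    mode tcp
    server fallback 10.0.0.10:443   # assumed address

# Option B: terminate TLS on HAProxy and route on the Host header.
# The decision is made per HTTP request, so session reuse across hostnames
# covered by the wildcard certificate cannot misroute a request.
frontend fe_tls_terminate
    bind *:8443 ssl crt /etc/haproxy/certs/wildcard.example.org.pem crt /etc/haproxy/certs/www1.example.org.pem
    mode http
    use_backend bk_www1_http if { req.hdr(host) -i www1.example.org }
    use_backend bk_mail_http if { req.hdr(host) -i mail.example.org }
    default_backend bk_default_http

backend bk_www1_http
    mode http
    server www1 10.0.0.11:80   # assumed address

backend bk_mail_http
    mode http
    server mail 10.0.0.12:80   # assumed address

backend bk_default_http
    mode http
    server fallback 10.0.0.10:80   # assumed address
```

Before relying on option A, check the certificates actually served by each backend (for example with `openssl s_client -servername <host>` against each server) and confirm that no two backends present certificates whose names overlap; that overlap, not SAN as such, is what makes SNI routing unreliable.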

