On 2018-12-22, Aham Brahmasmi <aham.brahma...@gmx.com> wrote:
>> On Sat, Dec 22, 2018 at 12:28:46PM +0100, Aham Brahmasmi wrote:
>> > Hi,
>> >
>> > > On Sat, Dec 22, 2018 at 07:07:58AM +0100, Flipchan wrote:
>> > > > Hello,
>> > > > Does anyone know how to get this working with multiple letsencrypt
>> > > > certs?
>> > > >
>> > >
>> > > You need individual IP:port settings for each of the certs. Also don't
>> > > forward to different hosts based on match rules unless you really know
>> > > what you are doing. The backend system is only evaluated at the start of
>> > > the connection and so keepalive sessions will not route correctly.
>> > >
>> > > --
>> > > :wq Claudio
>> >
>> > Would having a single SAN certificate help in this case [1]?
>> >
>>
>> Yes and no. It would make listening on one port possible but it does not
>> solve the issue of 'match forward to' being sticky for a connection.
>>
>> --
>> :wq Claudio
>
> Danke Claudio for your response.
>
> Would it be possible for you to please elaborate on the 'match forward
> to' being sticky for a connection? I presume that there is some problem
> which might occur due to this.

A request comes in with some Host header, relayd decides the destination based on this and proxies the request. Client does keepalive and holds on to the connection for use with another request to the same destination IP. Client then sends a second request - different Host: header on the same IP. relayd already picked a backend with the first request and sends it there rather than doing a fresh lookup based on the second Host header.
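
The behaviour described in the reply above, as an added example that is not part of the original thread and is not relayd code: a simplified model comparing a backend chosen once per connection with one looked up for every request. The hostnames, backend addresses and request stream are constructed assumptions.

```python
# Simplified model of the behaviour described in the thread; not relayd code.
# ROUTES and the backend addresses are constructed sample values.
ROUTES = {"a.example.org": "10.0.0.1", "b.example.org": "10.0.0.2"}

# Constructed keepalive stream: two requests on one client connection.
STREAM = (b"GET / HTTP/1.1\r\nHost: a.example.org\r\n\r\n"
          b"GET /status HTTP/1.1\r\nHost: b.example.org\r\n\r\n")


def parse_requests(stream):
    """Split a stream of body-less HTTP/1.1 requests into (path, host) pairs."""
    requests = []
    for raw in stream.split(b"\r\n\r\n"):
        if not raw:
            continue
        lines = raw.decode("ascii").split("\r\n")
        _method, path, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append((path, headers.get("host", "").lower()))
    return requests


def route_sticky(requests):
    """Backend chosen once, from the first request, then reused for the connection."""
    backend = ROUTES[requests[0][1]]
    return [(host, path, backend) for path, host in requests]


def route_per_request(requests):
    """Backend looked up again for every request on the connection."""
    return [(host, path, ROUTES[host]) for path, host in requests]


def misrouted(requests):
    """Requests the sticky model sends to a backend other than the Host's own."""
    return [(host, path, got) for host, path, got in route_sticky(requests)
            if ROUTES[host] != got]


if __name__ == "__main__":
    reqs = parse_requests(STREAM)
    for host, path, backend in route_sticky(reqs):
        print(f"sticky      {host}{path} -> {backend}")
    for host, path, backend in route_per_request(reqs):
        print(f"per-request {host}{path} -> {backend}")
    print("misrouted:", misrouted(reqs))
```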