Hell Chris,
2017-12-11 20:04 GMT+01:00 Christian Bönning <christian.boenn...@noerdisch.de>: > Hi, > > I recently switched from nginx to haproxy 1.8 for SSL termination and load > balancing in front of my application but saw an odd behaviour with "alpn > h2,http/1.1" enabled on my frontend. > > I'm running a single haproxy instance in front of my applications switching > between them based on "ssl_fc_sni" or HTTP host. > [...] > use_backend backend_app_jira if { ssl_fc_sni -i jira.example.com || hdr(host) > -i jira.example.com } > use_backend backend_app_confluence if { ssl_fc_sni -i confluence.example.com > || hdr(host) -i confluence.example.com } That's whats wrong. You can't route based on ssl_fc_sni or HTTP Host. This will lead to the this exact behavior. You have to route based on HTTP Host header *only*. The SNI value will be "jira.example.com" for the entire H2 (or H1) session, even when you request something on confluence - that is if your certificate handles both domains. SNI is for certificate selection only, you need to look at host header (*only*), for deciding with backend to choose for a specific HTTP transaction. The difference between h2 and http/1.1 is that h2 keeps the SSL session alive for a longer time (timeout server or timeout client) than http/1.1 (timeout http-keep-alive). You browser may also not reuse the SSL session for a different domain in http/1.1, while it does soin h2. So that's why you may see different behavior in h2, depending on your browser. Regards, Lukas