We are looking for a way to use http2, one proxy with SSL termination and multiple different backends for different subdomains.
I found this explanation of the problem and I am looking for solutions that would work for haproxy, which would probably work for other proxies as well.
The problem you ran into is caused by "Connection coalescing".
For example, if a browser (Chrome/Firefox) connects to an http2 server "a.example.org" which resolves to 192.168.2.1 and later connects to "b.example.org", it checks 2 things:
1. Do DNS entries match? This will always be the case since our proxy only has one IP.
2. Has a.example.org provided a certificate that also matches b.example.org. (e.g. wildcard or multidomain cert).
If both are the case it will not initiate a second connection but instead reuse the existing connection to host a.example.org.
This is fine in theory but due to the use of sniproxy a.example.org is unable to handle b.example.org because they are in reality, two different hosts.
One way to solve this should be the use of different certs that only cover a single domain (e.g. no wildcard).
I have not tested it but I think it might work.
Is there a way to force our proxy 'haproxy' to check existing connections and confirm that domain, subdomain are correct for the backend that the connection is actually being sent to.
We have tried changing timeout values and using:
option http-server-close
option forceclose
Nothing works the way we would like. Connecting to subA.domain.com and then connecting to subB.domain.com fails as they are set up on two different backends. The browser reuses the same connection for two different backends.
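The following is an added example, not configuration from the question or from any answer on this page. It shows the two ways of picking a backend on an HTTP/2, TLS-terminating haproxy frontend, and why one of them breaks under connection coalescing. The hostnames a.example.org and b.example.org come from the explanation quoted above; the backend names, the certificate directory, the server addresses and the HAProxy version (2.x assumed, for `http-request deny deny_status` and HTX-mode HTTP/2) are assumptions for the example.

```haproxy
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # TLS is terminated here; haproxy picks the cert per SNI from the
    # directory. If a wildcard or multi-SAN cert in that directory covers
    # both names, a browser will coalesce b.example.org onto an existing
    # a.example.org HTTP/2 connection.
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1

    # BROKEN under coalescing: ssl_fc_sni is a property of the TLS
    # connection, not of the request. A coalesced connection keeps
    # SNI "a.example.org" while carrying requests for b.example.org,
    # so every request on it is sent to backend_a.
    #use_backend backend_a if { ssl_fc_sni -i a.example.org }
    #use_backend backend_b if { ssl_fc_sni -i b.example.org }

    # CORRECT: route on the per-request Host header. For HTTP/2 haproxy
    # fills Host from the :authority pseudo-header, so each stream on a
    # coalesced connection is routed on its own.
    use_backend backend_a if { req.hdr(host),lower -m str a.example.org }
    use_backend backend_b if { req.hdr(host),lower -m str b.example.org }

    # Any other Host on this listener gets 421 Misdirected Request, which
    # tells a coalescing client to retry on a new connection instead of
    # being silently served by the wrong origin.
    http-request deny deny_status 421 unless { req.hdr(host),lower -m str a.example.org b.example.org }

backend backend_a
    server a1 192.168.2.11:8080 check

backend backend_b
    server b1 192.168.2.12:8080 check
```

The key point is that with SSL termination at haproxy the proxy sees every request, so routing must key on something that exists per request (Host / :authority), not on something fixed for the whole connection (SNI, or the client IP plus port). The `ssl_fc_sni` lines are exactly the sniproxy situation described in the quoted explanation. If the backends must instead receive the raw TLS stream (`mode tcp` routed by `req.ssl_sni`), haproxy cannot fix coalescing for you: at that point the options are per-hostname certificates that do not overlap, or having each backend answer 421 for a Host it does not serve.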
Not the answer, just a workaround. Had to disable HTTP/2 on the web server. Then everything works again. Sometimes a new standard just breaks old things.