Channel: HAProxy community - Latest topics

Need help with HAPROXY https when apps share the SSL cert


Here is my setup -

    frontend HTTPS
        bind *:443
        mode tcp
        option tcplog
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }

        acl HTTPS1 req.ssl_sni -i app1.domain1.com
        acl HTTPS2 req.ssl_sni -i app2.domain1.com

        use_backend server1 if HTTPS1
        use_backend server2 if HTTPS2

    backend server1
        mode tcp
        option tcplog
        server appserver1 x1.x1.x1.x1:443 check

    backend server2
        mode tcp
        option tcplog
        server appserver2 x2.x2.x2.x2:443 check

My problem is that both app1.domain1.com and app2.domain1.com share the same SSL cert, and it appears that SNI is only triggered once per SSL session, so when I open two tabs in the browser, one with app1.domain1.com and another with app2.domain1.com, I get the same application served up in both tabs.

I don't think there is any frontend or backend caching issue. I have attempted using ssl_fc_sni instead, but that does not work - I get an insecure website warning from the browser and no access to the app. Is there any way I can get by without using SNI?

3 posts - 2 participants
