我们正在寻找一种使用 http2 的方法,一个带有 SSL 终止的代理和用于不同子域的多个不同的后端。
我发现对这个问题的解释我正在寻找适用于 haproxy 的解决方案。 这可能也适用于其他代理。
The problem you ran into is caused by "Connection coalescing".
For example, if a browser (Chrome/Firefox) connects to an http2 server "a.example.org" which resolves to 192.168.2.1 and later connects to "b.example.org", it checks 2 things:
1. Do DNS entries match? This will always be the case since our proxy only has one IP.
2. Has a.example.org provided a certificate that also matches b.example.org. (e.g. wildcard or multidomain cert).
If both are the case it will not initiate a second connection but instead reuse the existing connection to host a.example.org.
This is fine in theory but due to the use of sniproxy a.example.org is unable to handle b.example.org because they are in reality, two different hosts.
One way the solve this should be the use of different certs that only cover a single domain (e.g. no wildcard).
I have not tested it but I think it might work.
有没有办法强制我们的代理“haproxy”检查现有连接并确认域,子域对于实际发送连接的后端是正确的。
我们尝试过改变超时值,使用强制
option http-server-close
option forceclose
一切都不如我们所愿。连接到 subA.domain.com 并连接到 subB.domain.com 失败,因为它们是在两个不同的后端上设置的。浏览器重新使用相同的连接,但用于两个不同的后端。
答案1
这不是答案,只是一种解决方法。必须在 Web 服务器上禁用 HTTP2。然后一切又恢复正常。有时新标准会破坏旧的东西。