mesosphere / marathon-lb

Marathon-lb is a service discovery & load balancing tool for DC/OS
Apache License 2.0

SNI and routing #401

Open vixns opened 7 years ago

vixns commented 7 years ago

I have 503 responses with NOSRV in haproxy logs, all about SNI and crawlers.

It seems some crawlers are still wrong with SNI http://searchengineland.com/drop-bing-moving-https-sni-caused-224105 https://www.ssllabs.com/ssltest/clients.html

The HAProxy author does not recommend using SNI for routing: http://marc.info/?l=haproxy&m=144490809910124&w=2

Changing HAPROXY_HTTPS_FRONTEND_ACL to

acl host_{cleanedUpHostname} hdr(host) -i {hostname}
use_backend {backend} if host_{cleanedUpHostname}

fixes this for standard cases (no map, no path, no auth).

When using acme certs, you often rely on SNI for certificate validation, so I don't know if we should ignore outdated crawlers/clients and accept this "503 noise" in the logs, or follow haproxy's author advice and only rely on the host header for routing.

IMO, we should use the host header.
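Before choosing between SNI and Host-header routing, it helps to measure the "503 noise" the comment above refers to. The following is an added example, not code from this issue or from marathon-lb: it triages constructed HAProxy log lines and separates NOSRV misses for hostnames the HTTPS frontend otherwise serves (consistent with an SNI-less client) from misses for hostnames it never serves. It assumes the HTTPS frontend is named `https_frontend` and that `capture request header Host len 64` is configured so the Host header appears in the log.

```python
import re
from collections import Counter

# Constructed sample lines in HAProxy's default HTTP log format. Assumes the
# frontend has `capture request header Host len 64`, so the Host header appears
# in the first {...} field; the trailing `~` marks an SSL frontend.
SAMPLE_LOG = """\
Mar  1 10:00:01 lb1 haproxy[2231]: 203.0.113.10:51234 [01/Mar/2017:10:00:01.123] https_frontend~ https_frontend/<NOSRV> -1/-1/-1/-1/0 503 212 - - SC-- 1/1/0/0/0 0/0 {www.example.com} {} "GET /robots.txt HTTP/1.1"
Mar  1 10:00:02 lb1 haproxy[2231]: 198.51.100.7:44010 [01/Mar/2017:10:00:02.456] https_frontend~ www_example_com_10000/web-1 0/0/1/12/13 200 5120 - - ---- 2/2/1/1/0 0/0 {www.example.com} {} "GET / HTTP/1.1"
Mar  1 10:00:03 lb1 haproxy[2231]: 203.0.113.11:51300 [01/Mar/2017:10:00:03.789] https_frontend~ https_frontend/<NOSRV> -1/-1/-1/-1/0 503 212 - - SC-- 1/1/0/0/0 0/0 {api.example.com} {} "GET /v1/health HTTP/1.1"
Mar  1 10:00:04 lb1 haproxy[2231]: 192.0.2.5:40001 [01/Mar/2017:10:00:04.000] http_frontend http_frontend/<NOSRV> -1/-1/-1/-1/0 503 212 - - SC-- 1/1/0/0/0 0/0 {unknown.example.net} {} "GET / HTTP/1.1"
"""

LOG_RE = re.compile(
    r"haproxy\[\d+\]: (?P<client>[\d.]+):\d+ \[(?P<ts>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/ ]+)/(?P<server>\S+) \S+ (?P<status>\d{3}) \d+ "
    r"\S+ \S+ (?P<term>\S{4}) \S+ \S+ (?:\{(?P<host>[^}]*)\} )?(?:\{[^}]*\} )?"
    r'"(?P<request>[^"]*)"'
)

def parse_line(line):
    """Parse one HAProxy HTTP log line into a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def https_entries(log_text, frontend="https_frontend"):
    """Entries that arrived on the HTTPS frontend (with or without the SSL `~`)."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries if e and e["frontend"].rstrip("~") == frontend]

def nosrv_503s(log_text):
    """Requests on the HTTPS frontend that matched no use_backend rule at all."""
    return [e for e in https_entries(log_text)
            if e["server"] == "<NOSRV>" and e["status"] == "503"]

def classify(log_text):
    """Bucket NOSRV misses by Host: a miss for a hostname the same frontend does
    route elsewhere means Host matched but the SNI key did not (an SNI-less
    client); a hostname never served here is simply unknown."""
    served = {e["host"] for e in https_entries(log_text) if e["server"] != "<NOSRV>"}
    misses = Counter(e["host"] or "(no Host header)" for e in nosrv_503s(log_text))
    return {
        "suspected_sni_miss": {h: n for h, n in misses.items() if h in served},
        "unknown_host": {h: n for h, n in misses.items() if h not in served},
    }

if __name__ == "__main__":
    for bucket, hosts in classify(SAMPLE_LOG).items():
        print(bucket, hosts)
```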

geekifier commented 7 years ago

Is there any way to disable the SNI routing behavior when using maps? I believe we are seeing a problem based on this behavior when using an AWS ELB in HTTPS mode in front of Marathon-LB.