Disable HTTP2 connection coalescing for different virtual hosts/domains

Hello,

I just found out the hard way that HTTP2 has a great new feature that intentionally misdirects requests to the wrong domain. I'm using Apache on Ubuntu 20.04 with Virtual Hosts, a single shared IPv4 address (what else can you do these days), HTTP2 and HTTPS. Some of these domains use the same wildcard certificate for the main domain and subdomains. Some of these virtual hosts also use a reverse proxy to a backend application server.

When I open both these sites one after the other in Firefox, I always get the same content, even redirecting the second called domain back to the first. So that HTTP2 connection coalescing thing is clearly a critical bug in the spec or somewhere else that is expected to be worked around by each and every webserver admin. How sad. They did say they wanted to make it quicker. No word on safer or more reliable. Every optimisation is a tradeoff; this time it broke things.

How should I do this now? I have the option to disable HTTP2 and deny the progress. It immediately resolves the issue. Or I could somehow somewhere make Apache respond with that 421 status code that teaches the browsers that this feature is bad and they should not use it. How could this be done? I wasn't able to find any resources about that. All sites' config files look similar to this:


Listen [...IPv6...]:80
<VirtualHost ...SharedIPv4...:80 [...IPv6...]:80>
	ServerName example.com
	ServerAlias www.example.com
	DocumentRoot /var/www/example/path
	RewriteEngine on

	# Redirection
	RewriteRule ^/(.*) https://example.com/$1 [L,R=301]
	<Directory "/var/www/example/path">
		Options +IncludesNOEXEC
	</Directory>

	# CGI/PHP (optional)
	SuexecUserGroup example webusers
	FcgidWrapper /var/www/php-bin/example/php-fcgi .php
	AddHandler fcgid-script .php

	# ASP.NET app (optional)
	ProxyPass "/" "http://127.0.0.1:7001/" retry=5
	ProxyPassReverse "/" "http://127.0.0.1:7001/"
	ProxyPreserveHost on
	RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
	RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
	RewriteRule .* ws://127.0.0.1:7001%{REQUEST_URI} [P]

	RequestHeader set X-Forwarded-Proto "http"
</VirtualHost>

Listen [...IPv6...]:443
<VirtualHost ...SharedIPv4...:443 [...IPv6...]:443>
	ServerName example.com
	ServerAlias www.example.com
	DocumentRoot /var/www/example/path
	RewriteEngine on

	# Redirection
	RewriteCond %{HTTP_HOST} !^example\.com(:443)?$ [NC]
	RewriteCond %{HTTP_HOST} !=""
	RewriteRule ^/(.*) https://example.com/$1 [L,R=301]
	<Directory "/var/www/example/path">
		Options +IncludesNOEXEC
	</Directory>

	# CGI/PHP (optional)
	SuexecUserGroup example webusers
	FcgidWrapper /var/www/php-bin/example/php-fcgi .php
	AddHandler fcgid-script .php

	# ASP.NET app (optional)
	ProxyPass "/" "http://127.0.0.1:7001/" retry=5
	ProxyPassReverse "/" "http://127.0.0.1:7001/"
	ProxyPreserveHost on
	RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
	RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
	RewriteRule .* ws://127.0.0.1:7001%{REQUEST_URI} [P]

	RequestHeader set X-Forwarded-Proto "https"

	SSLEngine on
	SSLCertificateFile /etc/ssl/private/example.com
	SSLCertificateKeyFile /etc/ssl/private/example.com
</VirtualHost>


-Yves
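
An added example, not part of the original post: a Python audit of which virtual hosts a browser may coalesce onto one HTTP/2 connection. It assumes the usual client conditions (both hosts negotiate HTTP/2, they resolve to an overlapping address, and the certificate served for one host is also valid for the other); the host names, the address and the inventory layout are constructed for illustration.

```python
"""Audit which virtual hosts a browser may coalesce onto one HTTP/2 connection."""
from itertools import combinations

def san_covers(san, host):
    """Certificate name match; a wildcard covers exactly one leftmost label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    first, _, parent = host.partition(".")
    return bool(first) and parent == san[2:]

def cert_covers(sans, host):
    return any(san_covers(s, host) for s in sans)

def coalescable_pairs(vhosts):
    """Return sorted (a, b) pairs where a connection opened for one host
    could be reused for the other: both speak h2, their addresses overlap,
    and the certificate served for one is also valid for the other."""
    pairs = []
    for a, b in combinations(sorted(vhosts), 2):
        va, vb = vhosts[a], vhosts[b]
        if not (va["h2"] and vb["h2"]):
            continue  # coalescing only exists on HTTP/2 connections
        if not (va["ips"] & vb["ips"]):
            continue  # assumed client rule: a shared resolved address
        if cert_covers(va["sans"], b) or cert_covers(vb["sans"], a):
            pairs.append((a, b))
    return pairs

# Constructed inventory (hypothetical names, documentation address).
SHARED = {"192.0.2.10"}
WILDCARD = ["example.com", "*.example.com"]
VHOSTS = {
    "example.com":        {"ips": SHARED, "sans": WILDCARD, "h2": True},
    "app.example.com":    {"ips": SHARED, "sans": WILDCARD, "h2": True},
    "a.b.example.com":    {"ips": SHARED, "sans": ["a.b.example.com"], "h2": True},
    "example.org":        {"ips": SHARED, "sans": ["example.org"], "h2": True},
    "legacy.example.com": {"ips": SHARED, "sans": WILDCARD, "h2": False},
}

if __name__ == "__main__":
    for a, b in coalescable_pairs(VHOSTS):
        print(f"coalescable: {a} <-> {b}")
```

Each pair it reports is a place where a request can arrive on a connection whose SNI names the other host, so those are the virtual hosts to check for 421 handling or to separate by certificate or address.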
