Incosistent forwarding of HTTP/2 connections with layered virtual
Hi,
I'm using a layered virtual configuration:
- Tier1: Virtual applying SNI-Routing (only SSL persistence profile and LTM policy as described in https://www.devcentral.f5.com/kb/technicalarticles/sni-routing-with-big-ip/282018)
- Tier2: Virtual applies SSL termination and delivering the actual application, with the required profiles, iRules, .... If the required, an additional LTM policy is applied for URI-based routing and forwards to Tier3 VS.
- Tier3 (optional, if required): Virtual delivers specific applications, like microservices, usually no monolithical apps.
This configuration is very robust and I'm working with it successfully since years. Important: The tier1 uses one single IP address and a single port. So all tier2 and tier3 virtuals MUST be externally available through the same IP address and port.
Now I have to publish the first HTTP/2 applications over this concept and see strange behavior of the BIG-IP.
- User requests www.example.com. IP and port point to tier1 virtual.
- Tier1 LTM policy forwards the requests, based on the SNI, to tier2 virtuals "vs-int_www.example.com".
- Within www.example.com there are references to piwik.example.com, which is another tier2 virtual, behind my tier1 virtual.
- User requests piwik.example.com. IP and port point to tier1 virtual.
- Tier1 LTM policy forwards the requests to "vs-int_www.example.com" instead of "vs-int_piwik.example.com". Probably not based on SNI, but on the existing TCP connection.
I'm afraid, that this bahvior is a result of HTTP/2, especially because of the persistent TCP connection. I assume that, because the connection ID (gathered from browser devtools) for requests to www.example.com and piwik.example.com is identical. From the perspective of the browser I wouldn't expect such a behavior, because the target hostname differs.
I didn't configure HTTP/2 in full-proxy mode, as described in several articles. I've just enabled it on the client-side.
I would be very happy for any input on that. Thanks in advance!