When OpenID Connect is used with multiple OpenID Connect issuers on different subdomains that resolve to the same IP address, APIcast reuses the same keepalive HTTPS connection for all of them. The TLS session was negotiated with the SNI of the first subdomain, so subsequent requests to another subdomain are sent with an HTTP Host header that does not match the SNI hostname, and the issuer's SNI check fails.
The logs in APIcast look as follows:
```
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for sudomain-one.example.com finished with 1 answers
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:328: lookup(): resolver query: 213.214.215.216
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:333: lookup(): host is ip address: 213.214.215.216
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:348: lookup(): resolver query: 213.214.215.216 finished with 1 answers
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for 213.214.215.216 finished with 1 answers
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] http.lua:50: connect(): connected to ip:213.214.215.216 host: 213.214.215.216 port: 443 ok: 1 err: nil
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] proxy.lua:24: new(): connection to sudomain-one.example.com:443 established, reused times: 0
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] http.lua:633: send_request(): GET /auth/realms/realm-name/.well-known/openid-configuration HTTP/1.1 >>> Request successful
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for sudomain-one.example.com finished with 1 answers
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:328: lookup(): resolver query: 213.214.215.216
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:333: lookup(): host is ip address: 213.214.215.216
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:348: lookup(): resolver query: 213.214.215.216 finished with 1 answers
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for 213.214.215.216 finished with 1 answers
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] http.lua:50: connect(): connected to ip:213.214.215.216 host: 213.214.215.216 port: 443 ok: 1 err: nil
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] proxy.lua:24: new(): connection to sudomain-one.example.com:443 established, reused times: 1
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] http.lua:633: send_request(): GET /auth/realms/realm-name/protocol/openid-connect/certs HTTP/1.1 >>> Request successful
2019/03/29 12:22:35 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for sudomain-two.example.com finished with 1 answers
2019/03/29 12:22:35 [debug] 27#27: *2 [lua] resolver.lua:328: lookup(): resolver query: 213.214.215.216
2019/03/29 12:22:35 [debug] 27#27: *2 [lua] resolver.lua:333: lookup(): host is ip address: 213.214.215.216
2019/03/29 12:22:35 [debug] 27#27: *2 [lua] resolver.lua:348: lookup(): resolver query: 213.214.215.216 finished with 1 answers
2019/03/29 12:22:35 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for 213.214.215.216 finished with 1 answers
2019/03/29 12:22:35 [debug] 27#27: *2 [lua] http.lua:50: connect(): connected to ip:213.214.215.216 host: 213.214.215.216 port: 443 ok: 1 err: nil
2019/03/29 12:22:35 [debug] 27#27: *2 [lua] proxy.lua:24: new(): connection to sudomain-two.example.com:443 established, reused times: 2
2019/03/29 12:22:35 [debug] 27#27: *2 [lua] http.lua:633: send_request(): GET /auth/realms/realm-name/.well-known/openid-configuration HTTP/1.1 >>> Request successful
```
Note that the third request, to sudomain-two.example.com, reuses the connection that was opened for sudomain-one.example.com (reused times: 2): the socket is pooled by the resolved IP and port alone, so the TLS session still carries the first subdomain's SNI.
This reproduces in APIcast v3.3 and v3.4.
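To confirm the pattern in a larger debug log without reading it by hand, here is an added example (not part of this issue or of APIcast itself) that scans the two log lines that matter: the `http.lua connect()` line, which gives the IP and port the socket went to, and the `proxy.lua new()` line, which names the hostname the request is for and the reuse count. A reused socket whose first hostname differs from the current request's hostname is exactly the SNI/Host mismatch described above. The sample log is condensed from the output quoted in this issue; the `pool_key` helper is an assumption illustrating why keying the keepalive pool by hostname as well as IP and port avoids the problem.

```python
import re

# APIcast debug line for the TCP-level connect: reveals the real IP:port the socket used.
CONNECT_RE = re.compile(
    r"http\.lua:\d+: connect\(\): connected to ip:(?P<ip>[\d.]+) "
    r"host: (?P<host>\S+) port: (?P<port>\d+) ok: 1"
)
# APIcast debug line for the logical connection: the hostname the request is for
# and how many times the underlying keepalive socket has already been reused.
ESTABLISHED_RE = re.compile(
    r"proxy\.lua:\d+: new\(\): connection to (?P<host>[^:\s]+):(?P<port>\d+) "
    r"established, reused times: (?P<reused>\d+)"
)

# Constructed sample: the three requests from this issue's log, resolver lines omitted.
SAMPLE_LOG = """\
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] http.lua:50: connect(): connected to ip:213.214.215.216 host: 213.214.215.216 port: 443 ok: 1 err: nil
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] proxy.lua:24: new(): connection to sudomain-one.example.com:443 established, reused times: 0
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] http.lua:633: send_request(): GET /auth/realms/realm-name/.well-known/openid-configuration HTTP/1.1 >>> Request successful
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] http.lua:50: connect(): connected to ip:213.214.215.216 host: 213.214.215.216 port: 443 ok: 1 err: nil
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] proxy.lua:24: new(): connection to sudomain-one.example.com:443 established, reused times: 1
2019/03/29 12:22:32 [debug] 27#27: *2 [lua] http.lua:633: send_request(): GET /auth/realms/realm-name/protocol/openid-connect/certs HTTP/1.1 >>> Request successful
2019/03/29 12:22:35 [debug] 27#27: *2 [lua] http.lua:50: connect(): connected to ip:213.214.215.216 host: 213.214.215.216 port: 443 ok: 1 err: nil
2019/03/29 12:22:35 [debug] 27#27: *2 [lua] proxy.lua:24: new(): connection to sudomain-two.example.com:443 established, reused times: 2
2019/03/29 12:22:35 [debug] 27#27: *2 [lua] http.lua:633: send_request(): GET /auth/realms/realm-name/.well-known/openid-configuration HTTP/1.1 >>> Request successful
"""


def find_sni_mismatches(log_lines):
    """Walk the log in order and return (ip, port, sni_host, request_host, reused)
    for every reused socket whose original hostname (the one the TLS handshake,
    and therefore the SNI, was done for) differs from the current request's host."""
    last_connect = None          # (ip, port) of the most recent connect() line
    sni_host_for = {}            # (ip, port) -> hostname the socket was first opened for
    mismatches = []
    for line in log_lines:
        m = CONNECT_RE.search(line)
        if m:
            last_connect = (m.group("ip"), m.group("port"))
            continue
        m = ESTABLISHED_RE.search(line)
        if m and last_connect is not None:
            host, reused = m.group("host"), int(m.group("reused"))
            if reused == 0 or last_connect not in sni_host_for:
                # Fresh socket: a new TLS handshake was done with SNI == this host.
                sni_host_for[last_connect] = host
            elif sni_host_for[last_connect] != host:
                # Reused socket carrying another hostname's SNI: Host header will not match.
                mismatches.append((last_connect[0], last_connect[1],
                                   sni_host_for[last_connect], host, reused))
    return mismatches


def pool_key(host, ip, port, per_hostname=True):
    """Hypothetical keepalive pool key. Keying by (ip, port) alone is the behaviour
    the log shows; including the hostname gives each SNI its own pool so two
    subdomains on one IP can never share a TLS session."""
    return (host, ip, port) if per_hostname else (ip, port)


def simulate_pool(requests, per_hostname):
    """Replay (host, ip, port) requests against a pool and return, per request,
    (requested_host, host_whose_tls_session_was_actually_used)."""
    pool, used = {}, []
    for host, ip, port in requests:
        sni = pool.setdefault(pool_key(host, ip, port, per_hostname), host)
        used.append((host, sni))
    return used


if __name__ == "__main__":
    for ip, port, sni, host, reused in find_sni_mismatches(SAMPLE_LOG.splitlines()):
        print(f"{ip}:{port} reused {reused}x: SNI={sni} but Host={host}")
```

Run against a real APIcast debug log, any non-empty result is the bug in action. The simulation helper shows the general remedy: in OpenResty the keepalive pool name passed to the socket connect is what decides which sockets are interchangeable, so it has to include the hostname (the SNI), not just the resolved address.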