id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,uname,nginx_version
1252,Multiplexing different hosts into one HTTP/2 connection leads to 421,Oleg Davydov,,"Quote from https://tools.ietf.org/html/rfc7540:
{{{
An origin server might offer a certificate with multiple ""subjectAltName"" attributes or names with wildcards, one of which is valid for the authority in the URI. For example, a certificate with a ""subjectAltName"" of ""*.example.com"" might permit the use of the same connection for requests to URIs starting with ""https://a.example.com/"" and ""https://b.example.com/""
}}}
That means that clients (for example, Google Chrome) reuse connections aggressively:
- make a TLS connection to a.example.com
- receive certificate to *.example.com
- next query, to b.example.com, send to this connection, because a.example.com and b.example.com have the same IP and both are covered with certificate.

Nginx will reject second query with 421 Misdirected Request, logging «client attempted to request the server name different from that one was negotiated while reading client request headers», that is misbehavior with RFC7540 (HTTP/2).",defect,closed,minor,,other,1.11.x,invalid,,,Linux server 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux,"nginx version: nginx/1.11.6
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.2j 26 Sep 2016
TLS SNI support enabled
configure arguments: --with-http_ssl_module --user=www-data --group=www-data --with-cc-opt=-O4 --with-http_gzip_static_module --with-http_flv_module --with-http_mp4_module --with-file-aio --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --http-client-body-temp-path=/tmp/nginx.client_body_temp --http-proxy-temp-path=/tmp/nginx.proxy_temp --with-zlib-asm=pentiumpro --http-fastcgi-temp-path=/tmp/nginx.fastcgi_temp --add-module=/root/ngx_http_bytes_filter_module --with-ld-opt=-static --with-cc-opt='-static -static-libgcc' --with-http_secure_link_module --with-http_addition_module --with-http_realip_module --with-threads --with-debug --with-http_sub_module --add-module=../nginx-rtmp-module --with-stream --with-stream --with-http_v2_module --add-module=../ngx_http_enhanced_memcached_module --with-http_slice_module"