Deprecation of SNI routes with HTTP backends

Reviewed on 14 November 2024

This page documents the deprecation of SNI routes with HTTP backends on Scaleway Load Balancers

We removed the ability to create SNI based routes to HTTP backends in Scaleway Load Balancer. This feature was deprecated on March 1st 2023, and removed on June 1st 2023.

SNI routes are still available and supported for TCP backends.
SNI routes with HTTP backends are no longer available.
SNI routes to an HTTP backend were automatically converted to new HTTP Host header-based routes.

Why did we deprecate this feature?

SNI routes were originally introduced to enable routing with TCP backends when connections were encrypted with TLS. This enabled the forwarding of traffic to different backend server pools based on the “host” the client wanted to connect to.

Since HTTPS relies on TLS, this feature also worked with HTTP backends, providing the SNI closely matched the HTTP Host header value. But with newer HTTP versions such as HTTP/2, clients started establishing long-living connections and connection reuse, which frequently happened with newer HTTP versions such as HTTP/2. SNI is only sent when initiating the TCP connection to the host (in our case, the Load Balancer). This is the moment when we identify the backend we need to forward the traffic to. As long as the TCP connection to the Load Balancer remains open, the SNI is not sent again and all subsequent requests will then follow the route that was established when the connection was initiated.

While this proves to be efficient since it avoids all the overhead related to TCP and TLS handshakes, it can be a problem when a client reuses the connection to send requests to a different host resolving to the same IP address. With the Load Balancer being a reverse proxy, this happens frequently. In such cases, the SNI (for the new host) is not sent again since the connection to the Load Balancer is already established, and the request gets forwarded to the original host based on the original SNI. This results in a request which arrives at a backend server that doesn’t know how to process it.

When using HTTP protocol to the backend servers, the best solution is then to terminate TLS at the Load Balancer, decrypt traffic, look at the HTTP host header value to select the appropriate backend, and then forward the request to selected backend with or without encryption based on your use case. Since the protocol to the backend is HTTP, the Load Balancer has access to all the HTTP protocol metadata. There is then no point to limiting it to TCP/TLS layer metadata.

This is why we decided to remove the ability to create SNI based routes when the backend protocol is HTTP, and are now instead proposing HTTP Host header routes.

See the console screenshots below as examples:

Backend lbb-hungry-napier uses TCP protocol, and supports SNI routes:

Backend lbb-king-volhard uses HTTP protocol, and supports HTTP Host header routes:

What was the impact?

There was no impact on your applications or services using Scaleway Load Balancer, since HTTP Host header routes provided more accurate routing than SNI with HTTP backends.

Sample configurations

Find below some sample configurations for HTTP Host header routes to HTTP backends. These can be used to guide you in creating HTTP Host header routes if you were previously used to SNI routes:

Route creation

You are sending a POST request to /lb/v1/zones/{zone}/routes

Old payload code (assuming your backend protocol is HTTP):

{
  "frontend_id": "your-frontend-id",
  "backend_id": "your-backend-http-id",
  "match": {
    "sni": "www.company.com",
  },
}

Replacement payload code:

{
  "frontend_id": "your-frontend-id",
  "backend_id": "your-backend-http-id",
  "match": {
    "host_header": "www.company.com",
  },
}

Route update:

You are sending a PUT request to /lb/v1/zones/{zone}/routes/{route_id}:

Old payload code (assuming your backend protocol is HTTP):

{
  "match": {
    "sni": "www.company.com",
  },
}

Replacement payload code:

{
  "match": {
    "host_header": "www.company.com",
  },
}

Route creation

Assuming you are creating a route to an HTTP backend and you used the following command:

scw lb route create frontend-id=<your-frontend-id> backend-id=<your-http-backend-id> match.sni="www.company.com" zone=<your-lb-zone>

…you should replace that command with the following one:

scw lb route create frontend-id=<your-frontend-id> backend-id=<your-http-backend-id> match.host-header="www.company.com" zone=<your-lb-zone>

Route update:

Assuming you are updating a route to an HTTP backend and you used the following command:

scw lb route update route-id=<your-route-id> match.sni="www.company.com" zone=<your-lb-zone>

…you should replace that command with the following one:

scw lb route update route-id=<your-route-id> match.host-header="www.company.com" zone=<your-lb-zone>

Assuming you are managing a route resource to a backend using HTTP protocol with the following resource definition:

resource "scaleway_lb_route" "rt01" {
  frontend_id = <your-frontend-id>
  backend_id  = <your-http-backend-id>
  match_sni   = "www.company.com"
}

…you should declare your resource in the following way:

resource "scaleway_lb_route" "rt01" {
  frontend_id = <your-frontend-id>
  backend_id  = <your-http-backend-id>
 match_host_header   = "www.company.com"
}