Avi Enhanced Virtual Hosting incorrectly matches with wildcard domain in EVH rule

Article ID: 390141


Products

VMware Avi Load Balancer

Issue/Introduction

Parent/child EVH configurations in which an HTTP request should be routed by longest match across wildcard domains may be processed incorrectly.

Documentation: Wildcard SNI Matching for Virtual Hosting

Example configuration:

Child-VS-A

  • wildcard domain: *.example.com

RULE

{
  "host": "*.example.com",
  "rules": [
    {
      "matches": {
        "path": {
          "match_case": "INSENSITIVE",
          "match_criteria": "BEGINS_WITH",
          "match_decoded_string": true,
          "match_str": [
            "/"
          ]
        }
      },
      "name": "Example-Rule"
    }
  ]
}

Child-VS-B

  • wildcard domain: *.test.example.com

RULE

{
  "host": "*.test.example.com",
  "rules": [
    {
      "matches": {
        "path": {
          "match_case": "INSENSITIVE",
          "match_criteria": "BEGINS_WITH",
          "match_decoded_string": true,
          "match_str": [
            "/"
          ]
        }
      },
      "name": "Example-Rule"
    }
  ]
}

An HTTP request with SNI domain "foo.test.example.com" can be sent incorrectly to Child-VS-A instead of Child-VS-B, so it does not follow the expected longest-match domain selection.
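As an added illustration (not Avi's own matching code), the following Python models the two child virtual services above and contrasts a naive first-match selection, which reproduces the misrouting described, with the expected selection that prefers an exact domain and then the longest wildcard domain. The child names, the wildcard semantics and the extra exact-match child used in the usage section are constructed assumptions.

```python
# Added example: models EVH child selection by SNI host. It is not Avi's
# implementation; the dictionaries below are constructed from the article's
# two child configurations plus one hypothetical exact-match child.

# Constructed child EVH rules, mirroring Child-VS-A and Child-VS-B above.
EVH_CHILDREN = {
    "Child-VS-A": "*.example.com",
    "Child-VS-B": "*.test.example.com",
}

# Constructed variant with a hypothetical exact-match child added.
EVH_CHILDREN_WITH_EXACT = dict(EVH_CHILDREN, **{"Child-VS-Exact": "www.example.com"})


def host_matches(pattern: str, host: str) -> bool:
    """Return True if an EVH host pattern matches the SNI host.

    Assumed semantics: a leading "*." matches one or more leading labels,
    and any other pattern must equal the host exactly. Hostnames are
    compared case-insensitively and without a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.example.com" -> ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def select_child_first_match(children: dict, host: str):
    """Naive selection: the first child whose pattern matches wins.

    With Child-VS-A listed first this reproduces the misrouting described
    in the article: foo.test.example.com lands on the shorter wildcard.
    """
    for name, pattern in children.items():
        if host_matches(pattern, host):
            return name
    return None


def select_child_longest_match(children: dict, host: str):
    """Expected selection: an exact domain wins over any wildcard, and among
    wildcards the longest pattern wins."""
    best_name = None
    best_key = None
    for name, pattern in children.items():
        if not host_matches(pattern, host):
            continue
        is_exact = not pattern.startswith("*.")
        key = (is_exact, len(pattern))  # exact first, then longest pattern
        if best_key is None or key > best_key:
            best_name, best_key = name, key
    return best_name


if __name__ == "__main__":
    for host in ("foo.test.example.com", "bar.example.com", "www.example.com"):
        print(host,
              "first-match ->", select_child_first_match(EVH_CHILDREN_WITH_EXACT, host),
              "| longest-match ->", select_child_longest_match(EVH_CHILDREN_WITH_EXACT, host))
```

Running the block shows "foo.test.example.com" going to Child-VS-A under first-match selection and to Child-VS-B under longest-match selection; "www.example.com" is routed to the exact-match child even though "*.example.com" also matches it, which is the precedence the Cause section describes.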

Environment

Affects Versions:

22.1.1 - 22.1.6

30.1.x

Cause

This is a day-one issue in the EVH feature. A virtual service with an exact-match EVH domain takes precedence over one with a wildcard domain.

Resolution

This issue has been addressed in later GA releases of VMware Avi Load Balancer. Please upgrade to one of the fix versions.

AV-201304: Requests are potentially being sent to the EVH virtual service with a wildcard domain instead of being processed by the EVH virtual service with a matching exact domain.

Fix Versions: 22.1.7, 30.2.1, 32.2.2