### Summary
Our Kong has several separate services that route to a Red Hat Kubernetes re-skin called OpenShift Origin (OSO).
In OSO, edge routes are defined for the separate services hosted on it, and all of those routes resolve to the same IP (the OSO router). The router decides which pod to send traffic to based on the HTTP Host header.
So:
```
curl https://myapp.oso.company.com - routes to myapp pod
curl https://theirapp.oso.company.com - routes to theirapp pod
```
But
```
nslookup myapp.oso.company.com = 10.0.0.1
nslookup theirapp.oso.company.com = 10.0.0.1
```
so if I wanted to use the IP to make the call, I’d do this:
```
curl https://10.0.0.1/ -H "Host: myapp.oso.company.com"
curl https://10.0.0.1/ -H "Host: theirapp.oso.company.com"
```
The problem is this: **When the proxy for myapp.oso has >5tps, Kong will sometimes send traffic for the theirapp proxy to the myapp.oso upstream**. That is, a request addressed to theirapp can be answered by myapp. When we disable nginx upstream keepalives, the issue is resolved.
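My theory is that, because keepalive connections are pooled by IP:PORT pair and we send to the same IP:PORT for both myapp and theirapp, Kong is re-using a socket that was opened for myapp to carry theirapp's traffic. (This would explain the misrouting only if the OSO router picks the pod once per connection rather than re-reading the Host header on every request; that is an assumption to confirm.)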
Nothing appears in the logs when this occurs, even at the most detailed log level.
### Steps To Reproduce
1. Create two services on Kubernetes with SSL edge routes and create proxies for them on Kong
2. Send >5tps traffic to one of them
3. Test calls against the other, from the same kong cluster
### Additional Details & Logs
- Kong version: 0.14.1
- Kong debug-level startup logs (`$ kong start --vv`) - DEBUG LOGS DO NOT SHOW ANYTHING
- Kong error logs (`<KONG_PREFIX>/logs/error.log`) - ERROR LOGS DO NOT SHOW ANYTHING
- Kong configuration (the output of a GET request to Kong's Admin API):
```json
{
"plugins": {
"enabled_in_cluster": [
"acl",
"request-size-limiting",
"oauth2",
"kong-path-based-routing",
"cors",
"kong-oidc-auth",
"rate-limiting",
"kong-upstream-jwt",
"kong-oidc-multi-idp",
"kong-spec-expose",
"jwt",
"request-termination",
"kong-cluster-drain",
"statsd",
"correlation-id",
"kong-splunk-log"
],
"available_on_server": {
"kong-path-based-routing": true,
"kong-spec-expose": true,
"kong-cluster-drain": true,
"correlation-id": true,
"kong-splunk-log": true,
"jwt": true,
"cors": true,
"rate-limiting": true,
"kong-oidc-auth": true,
"kong-upstream-jwt": true,
"request-size-limiting": true,
"request-termination": true,
"kong-oidc-multi-idp": true,
"kong-service-virtualization": true,
"request-transformer": true,
"acl": true,
"statsd": true,
"oauth2": true
}
},
"tagline": "Welcome to kong",
"configuration": {
"plugins": [
"request-transformer",
"kong-service-virtualization",
"kong-cluster-drain",
"kong-upstream-jwt",
"kong-splunk-log",
"kong-spec-expose",
"kong-oidc-auth",
"kong-path-based-routing",
"kong-oidc-multi-idp",
"correlation-id",
"oauth2",
"statsd",
"jwt",
"rate-limiting",
"acl",
"request-size-limiting",
"request-termination",
"cors"
],
"admin_ssl_enabled": false,
"lua_ssl_verify_depth": 3,
"trusted_ips": {
},
"lua_ssl_trusted_certificate": "\/usr\/local\/kong\/ssl\/kongcert.pem",
"loaded_plugins": {
"kong-path-based-routing": true,
"kong-spec-expose": true,
"kong-cluster-drain": true,
"correlation-id": true,
"kong-splunk-log": true,
"jwt": true,
"cors": true,
"kong-oidc-multi-idp": true,
"kong-oidc-auth": true,
"kong-upstream-jwt": true,
"acl": true,
"oauth2": true,
"statsd": true,
"kong-service-virtualization": true,
"request-transformer": true,
"request-size-limiting": true,
"rate-limiting": true,
"request-termination": true
},
"cassandra_username": "xxx",
"admin_ssl_cert_csr_default": "\/usr\/local\/kong\/ssl\/admin-kong-default.csr",
"ssl_cert_key": "\/usr\/local\/kong\/ssl\/kongprivatekey.key",
"dns_resolver": {
},
"pg_user": "kong",
"mem_cache_size": "1024m",
"cassandra_data_centers": [
"dc1:2",
"dc2:3"
],
"nginx_admin_directives": {
},
"cassandra_password": "******",
"custom_plugins": {
},
"pg_host": "127.0.0.1",
"nginx_acc_logs": "\/usr\/local\/kong\/logs\/access.log",
"proxy_listen": [
"0.0.0.0:8000",
"0.0.0.0:8443 ssl http2"
],
"client_ssl_cert_default": "\/usr\/local\/kong\/ssl\/kong-default.crt",
"ssl_cert_key_default": "\/usr\/local\/kong\/ssl\/kong-default.key",
"dns_no_sync": false,
"db_update_propagation": 5,
"nginx_err_logs": "\/usr\/local\/kong\/logs\/error.log",
"cassandra_port": 9042,
"dns_order": [
"LAST",
"SRV",
"A",
"CNAME"
],
"dns_error_ttl": 1,
"headers": [
"latency_tokens"
],
"dns_stale_ttl": 4,
"nginx_optimizations": true,
"database": "cassandra",
"pg_database": "kong",
"nginx_worker_processes": "auto",
"lua_package_cpath": "",
"admin_acc_logs": "\/usr\/local\/kong\/logs\/admin_access.log",
"lua_package_path": ".\/?.lua;.\/?\/init.lua;",
"nginx_pid": "\/usr\/local\/kong\/pids\/nginx.pid",
"upstream_keepalive": 120,
"cassandra_contact_points": [
"xxx",
"xxx",
"xxx",
"xxx",
"xxx",
"xxx"
],
"admin_access_log": "off",
"client_ssl_cert_csr_default": "\/usr\/local\/kong\/ssl\/kong-default.csr",
"proxy_listeners": [
{
"ssl": false,
"ip": "0.0.0.0",
"proxy_protocol": false,
"port": 8000,
"http2": false,
"listener": "0.0.0.0:8000"
},
{
"ssl": true,
"ip": "0.0.0.0",
"proxy_protocol": false,
"port": 8443,
"http2": true,
"listener": "0.0.0.0:8443 ssl http2"
}
],
"proxy_ssl_enabled": true,
"proxy_access_log": "off",
"ssl_cert_csr_default": "\/usr\/local\/kong\/ssl\/kong-default.csr",
"enabled_headers": {
"latency_tokens": true,
"X-Upstream-Status": false,
"X-Proxy-Latency": true,
"server_tokens": false,
"Server": false,
"Via": false,
"X-Upstream-Latency": true
},
"cassandra_ssl": true,
"cassandra_local_datacenter": "ELR",
"db_resurrect_ttl": 30,
"db_update_frequency": 5,
"cassandra_consistency": "LOCAL_QUORUM",
"client_max_body_size": "1000m",
"admin_error_log": "\/dev\/stderr",
"pg_ssl_verify": false,
"dns_not_found_ttl": 30,
"pg_ssl": false,
"cassandra_repl_factor": 1,
"cassandra_lb_policy": "RequestDCAwareRoundRobin",
"cassandra_repl_strategy": "SimpleStrategy",
"nginx_kong_conf": "\/usr\/local\/kong\/nginx-kong.conf",
"error_default_type": "text\/plain",
"nginx_http_directives": {
},
"real_ip_header": "X-Real-IP",
"kong_env": "\/usr\/local\/kong\/.kong_env",
"cassandra_schema_consensus_timeout": 10000,
"dns_hostsfile": "\/etc\/hosts",
"admin_listeners": [
{
"ssl": false,
"ip": "0.0.0.0",
"proxy_protocol": false,
"port": 8001,
"http2": false,
"listener": "0.0.0.0:8001"
}
],
"ssl_ciphers": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256",
"ssl_cert": "\/usr\/local\/kong\/ssl\/kongcert.crt",
"prefix": "\/usr\/local\/kong",
"admin_ssl_cert_key_default": "\/usr\/local\/kong\/ssl\/admin-kong-default.key",
"cassandra_ssl_verify": true,
"db_cache_ttl": 0,
"ssl_cipher_suite": "modern",
"real_ip_recursive": "off",
"proxy_error_log": "\/dev\/stderr",
"client_ssl_cert_key_default": "\/usr\/local\/kong\/ssl\/kong-default.key",
"nginx_daemon": "off",
"anonymous_reports": false,
"cassandra_timeout": 5000,
"nginx_proxy_directives": {
},
"pg_port": 5432,
"log_level": "notice",
"client_body_buffer_size": "20m",
"client_ssl": false,
"lua_socket_pool_size": 30,
"admin_ssl_cert_default": "\/usr\/local\/kong\/ssl\/admin-kong-default.crt",
"cassandra_keyspace": "kong_stage",
"ssl_cert_default": "\/usr\/local\/kong\/ssl\/kong-default.crt",
"nginx_conf": "\/usr\/local\/kong\/nginx.conf",
"admin_listen": [
"0.0.0.0:8001"
]
},
"version": "0.14.1",
"node_id": "3a7824e4-2971-4daa-9351-c05293b26f04",
"lua_version": "LuaJIT 2.1.0-beta3",
"prng_seeds": {
"pid: 30": 121842322351,
"pid: 37": 205914716415,
"pid: 36": 619910823160,
"pid: 35": 158818822910,
"pid: 33": 106581771972,
"pid: 34": 119182521233,
"pid: 31": 230127232253,
"pid: 32": 194211052318
},
"timers": {
"pending": 4,
"running": 0
},
"hostname": "kong-186-txzsv"
}
```
- Operating system: Alpine Linux kong-186-txzsv 3.10.0-693.el7.x86_64