I have basic haproxy knowledge and know how to handle the selection of TCP backends depending on the SNI server name.
The relevant lines are:
acl is_myhost req.ssl_sni -i my.host.com
acl is_otherhost req.ssl_sni -i other.host.com
use_backend mybackend if is_myhost
use_backend otherbackend if is_otherhost
Now I'd like to change them to something that allows me to choose the backend also depending on the source IP, but I don't know the exact syntax for the pseudo configuration below, or whether this is possible at all:
acl is_myhost_for_specific req.ssl_sni -i my.host.com <and source ip = 1.2.3.4>
acl is_myhost_for_others req.ssl_sni -i my.host.com <and source ip != 1.2.3.4>
acl is_otherhost req.ssl_sni -i other.host.com
use_backend mybackend1 if is_myhost_for_specific
use_backend mybackend2 if is_myhost_for_others
use_backend otherbackend if is_otherhost
Your pseudo-code for ACLs is incorrect, because an ACL declaration has no syntax for AND/OR logic. Move that to the place where you use the ACL, like in the example below.
For the source IP there is `src` (https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#7.3.3-src), e.g.:
Please note that the syntax for matching two conditions in an if statement is not
use_backend mybackend if condition1 and condition2
but just
use_backend mybackend if condition1 condition2
The order of `use_backend` lines is important, so IPs from `test_network` go to `mybackend1` and others go to `mybackend2` if the SNI matches. Declaring the `test_network` ACL twice here means "src_ip matches 192.168.10.0/24 OR 192.168.20.0/24".
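An added example, not part of the answer above, of a complete TCP-mode frontend that puts these rules together; the frontend name, bind port and backend server addresses are assumptions:

```haproxy
frontend tls_in
    mode tcp
    bind *:443
    # Hold the connection until the TLS ClientHello has arrived,
    # otherwise req.ssl_sni is empty when the routing rules run.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # SNI ACLs (values from the question)
    acl is_myhost    req.ssl_sni -i my.host.com
    acl is_otherhost req.ssl_sni -i other.host.com

    # Source-IP ACL. Declaring the same ACL name twice ORs the values:
    # test_network matches 192.168.10.0/24 OR 192.168.20.0/24.
    acl test_network src 192.168.10.0/24
    acl test_network src 192.168.20.0/24

    # AND is expressed by listing ACLs after "if"; "!" negates one.
    # The first matching use_backend wins, so order matters.
    use_backend mybackend1  if is_myhost test_network
    use_backend mybackend2  if is_myhost !test_network
    use_backend otherbackend if is_otherhost

backend mybackend1
    mode tcp
    server s1 10.0.0.1:443   # assumed address

backend mybackend2
    mode tcp
    server s2 10.0.0.2:443   # assumed address

backend otherbackend
    mode tcp
    server s3 10.0.0.3:443   # assumed address
```

Run `haproxy -c -f <file>` to check the syntax before reloading; a connection with SNI my.host.com from an address outside both test networks should land on mybackend2.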