HAProxy v.1.5.18, 1.7.11, listening on a single IP address with a wildcard SSL certificate, I need to specify several backends with SNI lookup. There's a ton of config-files that all say req_ssl_sni -i hostname.example.com as ACL to use when redirecting to a certain backend. My best attempt was querying req_ssl_sni -m found and finding out SNI is inaccessible in the frontend. How to make SNI lookup work with a single HTTPS certificate?
The required haproxy.cfg is the following:
    frontend https
        bind *:443 ssl interface eth1 crt /etc/haproxy/allstar.company.com.pem
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        acl to_webcam req.ssl_sni -i webcam.company.com
        acl to_jira req.ssl_sni -i jira.company.com
        use_backend webcam if to_webcam
        use_backend jira if to_jira
        default_backend no_sni

    backend webcam
        acl webcam_auth (hidden)
        http-request auth realm webcam if !webcam_auth
        server ws01 10.x.x.x:8080

    backend no_sni
        acl webcam_auth2 (hidden)
        http-request auth realm webcam-no-sni if !webcam_auth2
        server ws01 10.x.x.x:8080

    backend drop403
        http-request deny

    backend jira
        server jira-test 10.x.x.y:8080
Global and defaults are unaltered. With this config the only backend I'm hitting is no-sni that asks for HTTP auth. WTF?!
Just in case someone would stumble. This site said literally: "All you need to do to enable SNI is to be give HAProxy multiple SSL certificates". Thus, in order to have SNI headers enabled in the frontend one needs to have several PEM files with different certificates. We here have a single PEM file with a wildcard certificate, so SNI ends up disabled in haproxy. Therefore, the filtering and ACL redirection should be done via hdr(host) ACLs, as if your backend is plain HTTP.
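A frontend that routes on the Host header the way the answer describes, written here as an added example rather than the asker's or answerer's own config. It assumes the backend names, server addresses and certificate path from the question and a `mode http` in the unaltered defaults section; the `tcp-request` lines are dropped because they only apply to inspecting the raw ClientHello in TCP mode, and the question's drop403 backend is used as the catch-all so that any other name covered by the wildcard certificate is refused instead of landing in the authenticated webcam backend.

```haproxy
# Added example (not the original poster's config): HTTP-mode frontend
# that terminates TLS with the single wildcard certificate and then routes
# on the decrypted Host header. 'mode http' is assumed from defaults.
frontend https
    bind *:443 ssl crt /etc/haproxy/allstar.company.com.pem

    # Host is a client-supplied header, so match whole names only:
    # -i is a case-insensitive exact match, not a substring match.
    acl to_webcam hdr(host) -i webcam.company.com
    acl to_jira   hdr(host) -i jira.company.com

    # Alternative on a TLS-terminating bind: ssl_fc_sni returns the SNI
    # name the client actually sent in its ClientHello (HAProxy 1.5+).
    # acl to_webcam ssl_fc_sni -i webcam.company.com

    use_backend webcam if to_webcam
    use_backend jira   if to_jira

    # Every other hostname the wildcard answers for gets a 403 rather
    # than falling into a backend that only asks for HTTP auth.
    default_backend drop403

backend drop403
    http-request deny

backend webcam
    # the question's webcam_auth ACL (its body is not shown there) goes here
    server ws01 10.x.x.x:8080

backend jira
    server jira-test 10.x.x.y:8080
```

Validate the result with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, and confirm the catch-all by requesting the IP with a Host value outside the two ACLs and checking for the 403.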