ACL filters when using mode tcp?

Those ACLs would access HTTP headers. This is possible when a) the content is not encrypted or it is decrypted by haproxy and b) the frontend is in http mode (this implies decryption).

In this case though the entire HTTP transaction is encrypted and you cannot access it.

What you can do is parse the SNI value in the SSL client_hello.

tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
use_backend abc.com if { req.ssl_sni -i abc.com }

Two important notes:

  • you need to wait for the complete SSL client_hello to be in the buffers (first two lines)
  • this will not work for overlapping certificates (one certificate that covers both ACL'ed as well as fallback domains), because the SNI decision will be made once per SSL session (during the handshake, based on the client_hello packet) and the browser will reuse an existing SSL session for different domains when the certificate allows that.
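To show concretely what `req.ssl_sni` reads and why the first two config lines have to wait for the whole client_hello, here is an added example (not from the post above and not HAProxy's own code) that parses the SNI extension out of a TLS ClientHello record and routes on it the way `use_backend abc.com if { req.ssl_sni -i abc.com }` does, with a fallback backend. The ClientHello bytes are constructed inline for the demonstration, not captured from a browser, and the parser assumes the hello fits in one TLS record.

```python
"""Extract the SNI host name from a TLS ClientHello the way HAProxy's
req.ssl_sni fetch does in tcp mode, and route on it.
Added example; not part of the original post or of HAProxy itself."""
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 1          # handshake type (what req.ssl_hello_type 1 tests)
EXT_SERVER_NAME = 0       # extension type for SNI
SNI_HOST_NAME = 0         # name_type host_name inside the SNI list


def build_client_hello(hostname=None) -> bytes:
    """Constructed test data: a minimal TLS 1.2 ClientHello record with an
    optional SNI extension. Not a capture from a real client."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                     # client_version: TLS 1.2
        + b"\x11" * 32                  # random (filler bytes)
        + b"\x00"                       # session_id: empty
        + b"\x00\x02\xc0\x2f"           # one cipher suite
        + b"\x01\x00"                   # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


class _Cursor:
    """Bounds-checked reader; raises EOFError when the buffer runs short."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise EOFError
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")

    def done(self) -> bool:
        return self.pos == len(self.data)


def extract_sni(buf: bytes):
    """Return (status, hostname). status is 'incomplete' while the record is
    still arriving (this is why the config needs 'tcp-request inspect-delay'),
    'not_client_hello' for other traffic, 'no_sni' for a complete hello
    without the extension, 'malformed' for bad lengths, or 'ok' with the name."""
    outer = _Cursor(buf)
    try:
        if outer.u8() != TLS_HANDSHAKE:
            return "not_client_hello", None
        outer.u16()                             # record-layer version
        record = _Cursor(outer.take(outer.u16()))
    except EOFError:
        return "incomplete", None               # wait for more bytes
    try:
        if record.u8() != CLIENT_HELLO:
            return "not_client_hello", None
        hs = _Cursor(record.take(record.u24()))
        hs.take(2 + 32)                         # client_version + random
        hs.take(hs.u8())                        # session_id
        hs.take(hs.u16())                       # cipher_suites
        hs.take(hs.u8())                        # compression_methods
        if hs.done():
            return "no_sni", None               # no extensions block at all
        ext = _Cursor(hs.take(hs.u16()))
        while not ext.done():
            ext_type, ext_len = ext.u16(), ext.u16()
            payload = _Cursor(ext.take(ext_len))
            if ext_type != EXT_SERVER_NAME:
                continue
            names = _Cursor(payload.take(payload.u16()))
            while not names.done():
                name_type, name_len = names.u8(), names.u16()
                name = names.take(name_len)
                if name_type == SNI_HOST_NAME:
                    return "ok", name.decode("ascii")
        return "no_sni", None
    except EOFError:
        return "malformed", None


def choose_backend(buf: bytes, routes: dict, fallback: str):
    """Mirror of 'use_backend X if { req.ssl_sni -i X }' plus a default
    backend. '-i' is a case-insensitive match, so route keys are lowercase.
    Returns None while the hello is incomplete (keep buffering)."""
    status, host = extract_sni(buf)
    if status == "incomplete":
        return None
    if status == "ok":
        return routes.get(host.lower(), fallback)
    return fallback


if __name__ == "__main__":
    hello = build_client_hello("abc.com")
    print(extract_sni(hello))
    print(choose_backend(hello, {"abc.com": "abc.com"}, "fallback"))
```

The `incomplete` status is the whole reason for `tcp-request inspect-delay` and the `req.ssl_hello_type 1` guard: a routing decision made on a partial record has no SNI to look at. The second caveat from the post, session reuse across domains covered by one certificate, is invisible to this parser by construction, since a resumed session carries no new ClientHello for a different name.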