ACL HTTP always returns false


I’m having an issue using the HTTP pre-defined ACL within a use_backend statement. If I say, for example

frontend ssl-firehose bind :443 ssl crt /etc/letsencrypt/certs/chained.cert.pem no-sslv3 alpn http/1.1 # delay for inspection a maximum of 5 seconds before passing it along. tcp-request inspect-delay 5s # since SNI is used as the sole means of determining the client's # target domain, it is required. tcp-request content reject unless { ssl_fc_has_sni } # check to see if this is one of our proxied hosts. acl allowed_host ssl_fc_sni -i tcp-request content reject unless allowed_host # try to identify SSH payloads by the first 7 bytes. acl ssh_v2_sig req.payload(0,7) -m bin 5353482d322e30 use_backend ssh_be if !HTTP || ssh_v2_sig use_backend http_be

inside of a frontend, using the ssl option to the bind command, this check is always false and the SSH server’s version string appears in the browser. I’ve added tcp-request inspect-delay 5s to the frontend, which is in TCP mode, but that doesn’t seem to make a difference. Any ideas?