Balance based on SNI


#1

Hello all,

I want to do load-balancing with SSL passthrough (mode tcp).

I have multiple backend servers and the load balancing algorithm should choose the server by hashing the provided SSL SNI Hostname.
It is important that requests are always routed to the same backend server and that the server is chosen by examining the SNI Hostname field.

I am looking for something like

backend test1
  mode tcp
  ...
  balance req_ssl_sni # <-- balance by SNI Hostname, but req_ssl_sni is not allowed here
  ...
  server ....
  server ....

Or can I do this in the frontend?

frontend test1
  mode tcp
  ...
  use_backend server1 if(hash(req_ssl_sni) modulo 2) == 0
  use_backend server2 if(hash(req_ssl_sni) modulo 2) == 1
  ...

(How) can I do this?

Best regards
MasterSlave


#2

No, that’s not supported.

I can certainly see how this would be useful, but we currently only support balancing on http header (and source IP, etc).

Maybe you can do something with LUA.
People already used LUA to select the backend when using HTTP:
https://dx13.co.uk/articles/2016/5/27/selecting-a-haproxy-backend-using-lua.html

And you do have access to TCP options within LUA:
https://www.arpalert.org/src/haproxy-lua-api/1.8dev/index.html#applettcp-class

But I’m unsure whether this can be combined and used to satisfy your use-case.
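As an added example (not code from either post), here is the SNI-hashing step the question describes, in Python: it extracts server_name from a raw TLS ClientHello, the same bytes a TCP-mode inspection or Lua applet sees before any decryption, and maps the hostname deterministically onto a backend list so that a given hostname always reaches the same server. The ClientHello builder, hostnames and backend names are constructed for the example.

```python
import struct
import zlib

def extract_sni(client_hello: bytes):
    """server_name from a raw TLS ClientHello record, or None if absent/malformed.
    Layout: record hdr 5 | handshake hdr 4 | version 2 | random 32 | session_id |
    cipher_suites | compression_methods | extensions (all length-prefixed)."""
    try:
        if client_hello[0] != 0x16 or client_hello[5] != 0x01:
            return None                        # not a handshake record carrying a ClientHello
        pos = 43                               # skip headers, client_version and random
        pos += 1 + client_hello[pos]           # session_id
        pos += 2 + struct.unpack_from("!H", client_hello, pos)[0]   # cipher_suites
        pos += 1 + client_hello[pos]           # compression_methods
        ext_end = pos + 2 + struct.unpack_from("!H", client_hello, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", client_hello, pos)
            pos += 4
            if ext_type == 0:                  # server_name extension (RFC 6066)
                name_type = client_hello[pos + 2]          # after the 2-byte list length
                name_len = struct.unpack_from("!H", client_hello, pos + 3)[0]
                if name_type == 0 and pos + 5 + name_len <= len(client_hello):
                    return client_hello[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
                return None                    # unknown name type or truncated name
            pos += ext_len
    except (IndexError, struct.error):
        pass                                   # truncated or malformed hello
    return None

def pick_backend(sni, backends):
    """Deterministic choice: same hostname (case-insensitive) -> same backend."""
    key = (sni or "").lower().encode()
    return backends[zlib.crc32(key) % len(backends)]

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with only a server_name extension."""
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)   # version, random, sid, ciphers, compression, exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

BACKENDS = ["srv1", "srv2", "srv3"]            # constructed backend names
if __name__ == "__main__":
    for host in ("a.example.com", "A.Example.COM", "b.example.com"):
        sni = extract_sni(build_client_hello(host))
        print(host, "->", sni, "->", pick_backend(sni, BACKENDS))
```

A hello with no SNI (or a non-TLS first packet) yields None and is hashed as the empty string, so such clients all land on one fixed backend instead of failing; handle that case explicitly if that is not the behaviour you want.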