Balance based on SNI

MasterSlave · January 12, 2018, 9:53pm

Hello all,

I want to to load-balancing with SSL passthrough (mode tcp).

I have multiple backend servers and the load balancing algorithm should choose the server by hashing the provided SSL SNI Hostname.
It is important that requests are always routed to the same backend server and that the server is chosen by examining the SNI Hostname field.

I am looking for something like

backend test1
  mode tcp
  ...
  balance req_ssl_sni # <-- balance by SNI Hostname, but req_ssl_sni is not allowed here
  ...
  server ....
  server ....

Or can I to this in the frontend ?

frontend test1
  mode tcp
  ...
  use_backend server1 if(hash(req_ssl_sni) modulo 2) == 0
  use_backend server2 if(hash(req_ssl_sni) modulo 2) == 0
  ...

(How) can I do this ?

Best regards
MasterSlave

lukastribus · January 13, 2018, 9:49am

No, that’s not supported.

I can certainly see how this would be useful, but we currently only support balancing on http header (and source IP, etc).

Maybe you can do something with LUA.
People already used LUA to select the backend when using HTTP:
https://dx13.co.uk/articles/2016/5/27/selecting-a-haproxy-backend-using-lua.html

And you do have access to TCP options within LUA:
https://www.arpalert.org/src/haproxy-lua-api/1.8dev/index.html#applettcp-class

But I’m unsure whether this can be combined and used to satisfy your use-case.

Topic		Replies	Views
Set SNI based on the Host header on the outgoing TLS connections Help!	6	1970	August 7, 2023
Custom load balancing Help!	2	1851	February 21, 2020
SNI switching with haproxy kubernetes controller Help!	0	445	August 3, 2020
Mixing mode tcp and http - SSL termination and Passthrough Help!	17	38184	December 7, 2023
How to get HAProxy to route TCP based on SNI (using openssl s_client to test)? Help!	2	1690	December 13, 2019

Balance based on SNI

Related topics