Can I sampe data in ACL and use it - in an Action?

Can i sample (store in an variable) more specifically: ssl_fc_sni and then use that in an dynamic action?

Yes, ssl_fc_sni is a sample fetch, that’s means you can use it, in ACL’s and elsewhere.

You most likely DON’T WANT to use it, because you should look at the Host header instead in almost every single case; but that’s another story:

Thanks @lukastribus - I need to use ssl_fc_sni since there is not always a host header available (this is DDP traffic), that part is working fine - in production since a year back

  • it’s how a make a dynamic reference to a backend that I can’t seem to figure out.

any examples of a dynamic addressing to a backend would be appreciated ! - Thanks in advance.

Dynamic backend reference via a map file would probably look like this:

use_backend %[ssl_fc_sni,lower,map_dom(/etc/haproxy/]

Thx, i would like to avoid map, since then I still need to restart HA for every added server/change, that’s one of the things i want to avoid, since it interrupts production. i want to use it directly/dynamic in use_backend

Not true, via the admin socket you can update maps or acl at runtime, no reloads are involved with that.

I don’t know what that means specifically, you will have to elaborate.

Interesting ! – I will investigate (I’am on pfSense integrated HA 1.8.25 so

that feature might not exist to me yet but def. something I will look into.

This is supported since at least haproxy 1.6 so 1.8.25 is fine.

this is what i want to acheive in a “one-liner”


subdom1 IF ssl_fc_sni -i []
subdom2 IF ssl_fc_sni -i []
subdom3 IF ssl_fc_sni -i []
…this is repeated >100 times.

subdom1 USE backend bk_subdom1
subdom2 USE backend bk_subdom2
subdom3 USE backend bk_subdom3
… repeat…
default use bk_default


ACL IF ssl_fc subdomX (or something generic just to kick-off an action)

subdomX USE bk_%[ssl_fc_sni]
default use bk_default

however i have not been able to get something like this to work.

Did you try the suggestion in post 4, and if yes, how does the configuration look like exactly (not pseudo-config) and what is the content of the map file?

Waiting for weekend to test that, don’t have the balls to test in production :blush:

1 Like

tried the mapfile scenario and it gives same result (503) as trying to do it inline.

use_backend %[ssl_fc_sni,lower,map(/custom/haproxy/]

I verified I do have correct ssl_fc_sni “at hand” by adding it in to the header.