Choose backend based on api call response

I currently have a single docker host with traefik running behind an haproxy instance that routes HTTPS SNI and HTTP hostnames to various destinations, mostly docker.

I’m currently building out a 3 node docker host cluster and want to be able to use the letsencrypt functionality of traefik, which a cursory search indicates is difficult.

The angle I want to attempt is polling the traefik API on each host for active applications and selecting the backend if it matches the SNI or http host of the incoming connection. Is there a way in HAProxy to perform logic on the response of an HTTP check response?

If you have an easy example that’s great, otherwise please point me in the right direction. Is this a Lua script? Out of my wheelhouse, but I can learn.

What do you want to achieve? Route based on different SNI names? Does each docker host have different SNI names / letsencrypt certs (at least domain names)?

Sorry I thought I was more clear, but re-reading my post it’s not.

Here’s a sample state

               /       \
traefik HOST A          traefik HOST B

When a TLS request comes into HAProxy, I want to take the SNI value and query Traefik A and B for a list of registered applications. In an example if the SNI is, query both traefik api, and if “” is in the response array, route the connection to traefik B.

When an HTTP request comes into HAProxy, and matches the .well-known url, also perform the same action. This way a lets-encrypt challenge for will be routed to traefik A

Currently I have all the basics working when only HOST A is behind HAPROXY, such as SNI routing, .well-known challenge routing, but currently the only routing I do is if the app is docker hosted, select traefik backend, if it’s a VM hosted app, route to the VM’s IP backend

I don’t need a fully formed script/config, I just need to know where to start looking on performing logic on the connection beyond simple rules

You could use ACLs like:

frontend http
    bind ....

    capture request header Host len 32
    capture request header User-Agent len 64

    # Pass TLS session and client-certificate details to the backend as request headers
    http-request set-header X-SSL                       %[ssl_fc]
    http-request set-header X-SSL-HOST                  %[ssl_fc_sni]
    http-request set-header X-SSL-Client-Verify         %[ssl_c_verify]
    http-request set-header X-SSL-Client-SHA1           %{+Q}[ssl_c_sha1]
    http-request set-header X-SSL-Client-DN             %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN             %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Issuer                %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-Client-Not-Before     %{+Q}[ssl_c_notbefore]
    http-request set-header X-SSL-Client-Not-After      %{+Q}[ssl_c_notafter]

    # http-request add-header X-Forwarded-Proto:\ https
    http-request set-header X-Forwarded-Proto https

    use_backend HOST_A if { hdr(host) -i }
    use_backend HOST_A if { hdr(host) -i }
    use_backend HOST_B if { hdr(host) -i }
    use_backend HOST_B if { hdr(host) -i }

    # all other "domains" not matching above acls
    default_backend HOST_A
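
One way to approach the question in this thread, as an added example that is not part of any post: poll each Traefik API out of band and build an HAProxy map file from the results, instead of querying per connection. It assumes the Traefik v2 `/api/http/routers` response shape (the thread does not state a version); the sample payloads, hostnames and function names are constructed for illustration.

```python
import json
import re

# Constructed sample payloads shaped like Traefik v2 GET /api/http/routers
# output (assumption: the thread does not say which Traefik version is used).
SAMPLE_API = {
    "HOST_A": json.dumps([
        {"name": "blog@docker", "rule": "Host(`blog.example.test`)"},
        {"name": "wiki@docker", "rule": "Host(`wiki.example.test`) && PathPrefix(`/w`)"},
    ]),
    "HOST_B": json.dumps([
        {"name": "git@docker", "rule": "Host(`git.example.test`, `code.example.test`)"},
        {"name": "dup@docker", "rule": "Host(`blog.example.test`)"},
        {"name": "bad@docker", "rule": "Host(`evil.test HOST_B\nx`)"},
    ]),
}

HOST_CALL = re.compile(r"Host\(([^)]*)\)")
BACKTICKED = re.compile(r"`([^`]*)`")
# Strict hostname check so API data cannot inject spaces or newlines into the map.
VALID_HOST = re.compile(r"(?=.{1,253}\Z)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\Z")

def hosts_from_routers(payload):
    """Return the set of valid lowercase hostnames named in Host(...) rules."""
    found = set()
    for router in json.loads(payload):
        for args in HOST_CALL.findall(router.get("rule", "")):
            for name in BACKTICKED.findall(args):
                name = name.lower()
                if VALID_HOST.match(name):
                    found.add(name)
    return found

def build_map(api_payloads):
    """Map hostname -> backend; the first backend to claim a host keeps it."""
    mapping, conflicts = {}, []
    for backend in sorted(api_payloads):
        for host in sorted(hosts_from_routers(api_payloads[backend])):
            if host in mapping:
                conflicts.append((host, mapping[host], backend))
            else:
                mapping[host] = backend
    return mapping, conflicts

def render_map(mapping):
    """Render HAProxy map-file text: one 'key value' pair per line."""
    return "".join(f"{h} {b}\n" for h, b in sorted(mapping.items()))
```

HAProxy can read the rendered text as a map file, for example `use_backend %[req.hdr(host),lower,map(/etc/haproxy/traefik.map,HOST_A)]`, with `req.ssl_sni` in place of `req.hdr(host)` for SNI routing in TCP mode; the map path is a placeholder. Hostnames claimed by more than one Traefik host come back in the conflict list so they can be reviewed before the map is reloaded.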