Configuring dynamic backends based on SNI

Help!
1

Hello,

Is it possible to configure HAProxy to resolve hostnames and forward to a certain IP based on the SNI value? I want to configure something like the following:

Client → HAProxy (resolve SNI value) → Forward to resolved IP

The nginx equivalent configuration would be:

stream {
    resolver 169.254.169.253 ipv6=off;

    server {
        listen 443;
        proxy_pass $ssl_preread_server_name:$server_port;

        ssl_preread on;
    }

}

I have searched the documentation and forums but it seems that the HAProxy configuration requires one to specify a specific backend with either DNS or IP, but this would not work for my use case as I do not know the backend IP and need to resolve the SNI header to get it.

2

It seems here you’re searching for a forward proxy functionality, while HAproxy is designed as a reverse proxy: it’s really based on frontend / backend cooperation.
There is also a listen shortcut allowing to specify frontend and backend in one go, but you still need to define the destination of your requests.

However, HAproxy supports multiple SSL certificates, variables and regexes, so if you want to redirect multiple SNIs using only one frontend and multiple backends, you can. Typical scenario:

www.example1.com \             / container_hostname
www.example2.com  ---> HAproxy ---> IP address 
www.example3.com /             \ domain

If this answer is unsatisfactory, please provide a few examples of what you want to achieve.

3

Hi,

This is not the case, HAProxy would work as a reverse proxy in this instance, but I need it to resolve a DNS name in order to find the backend address.

For what I understand of the configuration documentation, backends can be configured using a static DNS name + a resolver configuration, but what I am looking for is a way to dynamically configure the DNS name that HAProxy will resolve to find the backend IP addresses.

Basically:

Client -> https//proxy.example.com (1.2.3.4) -> HAProxy -> Resolve 'proxy.example.com' (5.6.7.8) -> TCP Forward to 5.6.7.8

That is what the NGINX configuration above reads, HAProxy uses a different resolver than the client.

4

Hi there,

Yes, what you’re aiming to do—dynamically resolving the SNI value to an IP and forwarding traffic accordingly—is conceptually possible, but HAProxy doesn’t natively support real-time DNS resolution based directly on the SNI value during connection handling, unlike NGINX stream blocks where $ssl_preread_server_name can be used with proxy_pass.

HAProxy requires predefined backends with static IPs or resolvable hostnames at configuration time. That means you can’t resolve arbitrary SNI values to IPs dynamically without external logic.

Workarounds include:

  • HAProxy + Lua scripting: You can use Lua to extract the SNI, perform a DNS lookup (e.g., via socket.dns.toip), and redirect traffic accordingly. This allows you to emulate dynamic resolution for SNI values.
  • If you’re trying to build a forward proxy that routes TLS traffic based on SNI, NGINX (stream block) or Envoy are more suitable, as they natively support this behavior.