Configuring dynamic backends based on SNI

Hello,

Is it possible to configure HAProxy to resolve hostnames and forward to a certain IP based on the SNI value? I want to configure something like the following:

Client → HAProxy (resolve SNI value) → Forward to resolved IP

The nginx equivalent configuration would be:

stream {
    resolver 169.254.169.253 ipv6=off;

    server {
        listen 443;
        proxy_pass $ssl_preread_server_name:$server_port;

        ssl_preread on;
    }

}

I have searched the documentation and forums but it seems that the HAProxy configuration requires one to specify a specific backend with either DNS or IP, but this would not work for my use case as I do not know the backend IP and need to resolve the SNI header to get it.

It seems here you’re searching for forward proxy functionality, while HAProxy is designed as a reverse proxy: it’s really based on frontend / backend cooperation.
There is also a listen shortcut that allows you to specify frontend and backend in one go, but you still need to define the destination of your requests.

However, HAProxy supports multiple SSL certificates, variables and regexes, so if you want to redirect multiple SNIs using only one frontend and multiple backends, you can. Typical scenario:

www.example1.com \             / container_hostname
www.example2.com  ---> HAProxy ---> IP address
www.example3.com /             \ domain

If this answer is unsatisfactory, please provide a few examples of what you want to achieve.

Hi,

This is not the case; HAProxy would work as a reverse proxy in this instance, but I need it to resolve a DNS name in order to find the backend address.

From what I understand of the configuration documentation, backends can be configured using a static DNS name + a resolver configuration, but what I am looking for is a way to dynamically configure the DNS name that HAProxy will resolve to find the backend IP addresses.

Basically:

Client -> https://proxy.example.com (1.2.3.4) -> HAProxy -> Resolve 'proxy.example.com' (5.6.7.8) -> TCP Forward to 5.6.7.8

That is what the NGINX configuration above reads; HAProxy uses a different resolver than the client.
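
The flow described in this thread (read the SNI without terminating TLS, resolve it through HAProxy's own resolver, forward the TCP stream to the result) can be sketched with HAProxy's `do-resolve` and `set-dst` actions. This is an added example, not a configuration posted by anyone in the thread; it assumes an HAProxy version that provides `do-resolve`, and the section names `mydns`, `fe_sni`, `be_dynamic` and the variable `txn.dstip` are made up for illustration.

```haproxy
# Added example. Resolver address taken from the nginx snippet in the question.
resolvers mydns
    nameserver dns1 169.254.169.253:53

frontend fe_sni
    mode tcp
    bind :443
    # Buffer the start of the connection so the TLS ClientHello can be inspected.
    tcp-request inspect-delay 5s
    # Resolve the SNI name (IPv4 only, like "ipv6=off") into txn.dstip.
    # The condition makes rule evaluation wait until a ClientHello has arrived.
    tcp-request content do-resolve(txn.dstip,mydns,ipv4) req.ssl_sni,lower if { req.ssl_hello_type 1 }
    # No ClientHello, no SNI, or a failed lookup: nothing to forward to.
    tcp-request content reject unless { var(txn.dstip) -m found }
    default_backend be_dynamic

backend be_dynamic
    mode tcp
    # The SNI is client-controlled, so the resolved address is too. Refuse
    # loopback and link-local targets; extend this list (or restrict the
    # accepted SNI names) to match what the proxy is meant to reach.
    tcp-request content reject if { var(txn.dstip) -m ip 127.0.0.0/8 169.254.0.0/16 }
    # Override the connection's destination address with the resolved IP.
    tcp-request content set-dst var(txn.dstip)
    # 0.0.0.0:0 = no fixed server address; reuse the destination set above
    # and the port the client originally connected to.
    server clear 0.0.0.0:0
```

Because the destination is derived entirely from a client-supplied name, the reject rules are what keep this from acting as an open relay into whatever the resolver can see.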