HAproxy not routing to backend if different domain is used

I have a number of backend servers as well as different domain names available.
Let’s say for my frontend I have three backends configured:
server1 domain1.com
server2 two.domain1.com
server3 three.domain1.com
When I have it set up like this, everything works.
However, if I change server3 to go to domain2.com instead (of three.domain1.com), it then decides to serve up the default 503 error for haproxy. (I’ve also set up a specific error page for the server3 backend, and it still serves up the default backend 503 error instead.)

DNS is all set up correctly; I can verify that the correct IP gets resolved and returned both for me (the client) and for the router/haproxy.

What am I missing? Why is haproxy not serving up server3 when I try to go to domain2.com?
I’ve looked through the logging and I’m not seeing any sort of error or info as to why/how it’s serving up a given backend per URL/domain request it receives.

One thing that may be messing with it is the certificate config, but I’d hope to at least get a certificate error if that were the case (and still return the desired server3 backend). No cert error though.

HAproxy version: 2.2.29-c5b927c
pfsense 2.7.0 Release.

# Automaticaly generated, dont edit manually.
# Generated on: 2023-08-06 13:27
global
	maxconn			50000
	log			/var/run/log	local0	info
	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
	uid			80
	gid			80
	nbproc			1
	nbthread			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend frontend
	bind			<redacted>:443 name <redacted>:443   ssl crt-list /var/etc/haproxy/frontend.crt_list  
	bind			<redacted>:80 name <redacted>:80   
	mode			http
	log			global
	option			log-separate-errors
	option			http-keep-alive
	timeout client		30000
	errorfile			503 /var/etc/haproxy/errorfile_frontend_503_Error1
	acl			server1	var(txn.txnhost) -m str -i <redacted>.com
	acl			server2	var(txn.txnhost) -m str -i <redacted>.<redacted>.com
	acl			server3	var(txn.txnhost) -m str -i <redactedTwo>.com
	acl			server4	var(txn.txnhost) -m str -i <redacted>.<redacted>.com
	acl			aclcrt_frontend	var(txn.txnhost) -m reg -i ^CloudFlare Origin Certificate(:([0-9]){1,5})?$
	acl			aclcrt_frontend	var(txn.txnhost) -m reg -i ^([^\.]*)\.<redacted>\.com(:([0-9]){1,5})?$
	acl			aclcrt_frontend	var(txn.txnhost) -m reg -i ^<redacted>\.com(:([0-9]){1,5})?$
	http-request set-var(txn.txnhost) hdr(host)
	use_backend server1_ipvANY  if  server1 aclcrt_frontend
	use_backend server2_ipvANY  if  server2 aclcrt_frontend
	use_backend server3_ipvANY  if  server3 aclcrt_frontend
	use_backend server4_ipvANY  if  server4 aclcrt_frontend

backend server1_ipvANY
	mode			http
	id			102
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			server1 <redacted>:443 id 103 ssl  verify none 

backend server2_ipvANY
	mode			http
	id			100
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			server2 <redacted>:80 id 101  

backend server3_ipvANY
	mode			http
	id			104
	log			global
	errorfile			503 /var/etc/haproxy/errorfile_server3_ipvANY_503_Error2
	timeout connect		30000
	timeout server		30000
	retries			3
	server			server3 <redacted>:80 id 105  

backend server4_ipvANY
	mode			http
	id			107
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			server4 <redacted>:80 id 101  

You have combined multiple ACLs and you want to know why the following statement:

use_backend server3_ipvANY  if  server3 aclcrt_frontend

does not work when the hostname is domain2.com.

First of all, drop the aclcrt_frontend ACL statement. If it works, then you know that is the part that needs checking.

So I just need to make it read:
use_backend server3_ipvANY if server3
instead? Since this is the pfsense version of haproxy I can’t edit the file directly.

Would I need to add an SNI filter? As well as setup additional certificates? Wish I could find a similar example / setup to compare to.

I don’t know what you need and what the pfsense UI is forcing into the configuration here.

To route based on the Host header, you need one single line:

use_backend <backend> if hdr(host) www.example.org

That’s it.

Pfsense has lots of abstractions that will complicate your configuration by an order of magnitude.
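To make the two answers above concrete, here is an added example (not code from this thread, from HAProxy or from pfSense) that re-implements, in Python, the frontend's ACL chain from the posted config: the `-m str -i` and `-m reg -i` matching methods, the OR-ing of same-named `acl` lines, the AND-ing of names on one `use_backend` line, and first-match selection with no `default_backend`. The redacted hostnames are replaced by the constructed placeholders `domain1.com` and `domain2.com`. Running it shows why `domain2.com` ends in a 503 (the `server3` ACL holds, but none of the `aclcrt_frontend` patterns covers the second domain, so the AND fails and no backend is selected), reproduces the first answer's test of dropping `aclcrt_frontend`, and, as a hypothetical alternative that keeps the certificate check, adds a pattern for the second domain. It also goes one step beyond the thread by feeding a `Host` value with a port suffix, which the page's own regexes tolerate but an exact `-m str` comparison does not.

```python
"""Added example: a small simulator of the frontend's ACL chain from the posted
pfSense-generated HAProxy config. It is not HAProxy code; it re-implements only
the two matching methods used on the page ('-m str -i' and '-m reg -i') and the
first-match semantics of use_backend, so the routing decision for a given Host
header can be reproduced offline."""
import re
import copy

# Constructed placeholders for the redacted hostnames in the thread:
#   <redacted>.com     -> domain1.com
#   <redactedTwo>.com  -> domain2.com  (the one that gets the 503)
ACLS = {
    "server1": [("str", "domain1.com")],
    "server2": [("str", "two.domain1.com")],
    "server3": [("str", "domain2.com")],
    "server4": [("str", "four.domain1.com")],
    # Several acl lines with the same name are OR-ed together, as in HAProxy.
    "aclcrt_frontend": [
        ("reg", r"^CloudFlare Origin Certificate(:([0-9]){1,5})?$"),
        ("reg", r"^([^\.]*)\.domain1\.com(:([0-9]){1,5})?$"),
        ("reg", r"^domain1\.com(:([0-9]){1,5})?$"),
    ],
}

# use_backend lines in file order; the acl names on one line are AND-ed.
USE_BACKEND = [
    ("server1_ipvANY", ["server1", "aclcrt_frontend"]),
    ("server2_ipvANY", ["server2", "aclcrt_frontend"]),
    ("server3_ipvANY", ["server3", "aclcrt_frontend"]),
    ("server4_ipvANY", ["server4", "aclcrt_frontend"]),
]


def acl_matches(name, host, acls=ACLS):
    """True if any pattern of the named ACL matches the raw Host header value."""
    for method, pattern in acls[name]:
        if method == "str" and host.lower() == pattern.lower():
            return True
        if method == "reg" and re.search(pattern, host, re.IGNORECASE):
            return True
    return False


def choose_backend(host, rules=USE_BACKEND, acls=ACLS):
    """First use_backend whose condition holds; None means no backend was
    selected, which with no default_backend is what produces the 503."""
    for backend, conds in rules:
        if all(acl_matches(c, host, acls) for c in conds):
            return backend
    return None


def explain(host, acls=ACLS):
    """Per-ACL verdicts for one Host value, for reading off which leg fails."""
    return {name: acl_matches(name, host, acls) for name in acls}


def without_cert_acl(rules=USE_BACKEND):
    """The first answer's test: drop aclcrt_frontend from every condition."""
    return [(b, [c for c in conds if c != "aclcrt_frontend"]) for b, conds in rules]


def with_domain2_pattern(acls=ACLS):
    """Alternative fix that keeps the certificate ACL: add a pattern for the
    second domain (hypothetical extra acl line, not generated by pfSense here)."""
    fixed = copy.deepcopy(acls)
    fixed["aclcrt_frontend"].append(("reg", r"^domain2\.com(:([0-9]){1,5})?$"))
    return fixed


if __name__ == "__main__":
    for h in ["domain1.com", "two.domain1.com", "domain2.com", "domain2.com:443"]:
        print(f"{h:20} -> {choose_backend(h)}  {explain(h)}")
    print("without aclcrt_frontend:", choose_backend("domain2.com", rules=without_cert_acl()))
    print("with domain2 pattern:   ", choose_backend("domain2.com", acls=with_domain2_pattern()))
```

Two things to read off the output: `domain2.com` routes to `server3_ipvANY` as soon as the `aclcrt_frontend` leg is removed or extended, which is exactly the check the first answer proposes; and `domain2.com:443` still selects no backend even without the certificate ACL, because the `-m str` comparison is exact while only the generated regexes allow an optional port. When checking the real box, the pfSense-generated `/var/etc/haproxy` config is the file to compare against, and the `HAProxyLocalStats` listener in the posted config shows per-backend session counts, so a request that never increments any backend counter is one that fell through the `use_backend` chain.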