Issue with sni routing

i am connecting from website and using fetch to make query to but for some weird reason req.ssl_sni -i doesnt seem to be respected therefore the connection fails.
but when i check logs, i see this. ssl_fc_has_sni '1' sni:'-' ssl_fc_sni '' ssl_fc_protocol 'TLSv1.3'.
why is sni empty ? also why is ssl_fc_sni using the not the where the request is being made from ?
HAProxy version 2.4.22

frontend front
    bind *:443 ssl crt /etc/ssl/ssl.pem
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content capture req.ssl_sni len 25
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl is_subdomain req.ssl_sni -i
    acl is_main_domain req.ssl_sni -i
    use_backend example_server if is_subdomain
    use_backend example_server if is_main_domain

backend example_server
    mode tcp
    server server1 check

Do not use SNI here.

Remove everything SNI related, enable HTTP mode and access the Host header.

Neither the SNI value nor the Host header contains a protocol prefix like https://.

thats correct but i face a problem when using http mode. when using tools such as postman i am able to insert origin and this manipulates the hdr(Origin). basically i only want the api to be accessed from and decline from anywhere else. how can i achieve this ?

Everything can be manipulated, including the Host header and the SNI value.

If you want to allow a specific hostname only, use the appropiate ACL’s.

thanks for the hint. can you show me an example of an appropriate ACL i can use for this case ?

http-request deny unless { hdr(host) -i }
1 Like