Issue with sni routing

I am connecting from website test.com and using fetch to make a query to api.test.com. But for some weird reason req.ssl_sni -i https://test.com doesn't seem to be respected, therefore the connection fails.
But when I check the logs, I see this: ssl_fc_has_sni '1' sni:'-' ssl_fc_sni 'api.test.com' ssl_fc_protocol 'TLSv1.3'.
Why is sni empty? Also, why is ssl_fc_sni using api.test.com and not test.com, where the request is being made from?
HAProxy version 2.4.22

frontend front
    bind *:443 ssl crt /etc/ssl/ssl.pem
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content capture req.ssl_sni len 25
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl is_subdomain req.ssl_sni -i https://www.test.com
    acl is_main_domain req.ssl_sni -i https://test.com
    use_backend example_server if is_subdomain
    use_backend example_server if is_main_domain

backend example_server
    mode tcp
    server server1 127.0.0.1:8084 check

Do not use SNI here.

Remove everything SNI related, enable HTTP mode and access the Host header.

Neither the SNI value nor the Host header contains a protocol prefix like https://.

That's correct, but I face a problem when using http mode. When using tools such as Postman I am able to insert an origin and this manipulates hdr(Origin). Basically I only want the API to be accessed from test.com and declined from anywhere else. How can I achieve this?

Everything can be manipulated, including the Host header and the SNI value.

If you want to allow a specific hostname only, use the appropriate ACLs.

Thanks for the hint. Can you show me an example of an appropriate ACL I can use for this case?

http-request deny unless { hdr(host) -i www.test.com }
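An added example, not from the thread or from HAProxy's own documentation, that puts the ACL from the last reply into a complete frontend in http mode; hostnames and the backend are the placeholders from the asker's config, and the CORS handling at the end is an assumption about what a browser fetch() from test.com needs. It also records why the original capture was empty: with ssl on the bind line HAProxy terminates TLS, so the request buffer holds decrypted HTTP rather than a ClientHello, and the name the client actually sent is available through ssl_fc_sni instead.

```haproxy
# Added example, not the asker's config: the same frontend in http mode.
# With "ssl" on the bind line HAProxy terminates TLS, so req.ssl_sni (which
# parses a raw ClientHello) has nothing to read and was logged as '-'.
# ssl_fc_sni comes from the terminated session and shows api.test.com:
# SNI names the host the client connects to (the API), never the page origin.
frontend front
    bind *:443 ssl crt /etc/ssl/ssl.pem
    mode http
    option httplog

    # Log the SNI the client sent (same intent as the original tcp capture).
    http-request capture ssl_fc_sni len 25

    # Host and SNI are bare hostnames; a prefix such as https:// never matches.
    acl host_api hdr(host) -i api.test.com

    # Anything that does not name the API host is denied (the reply's ACL).
    http-request deny unless host_api

    # Origin is set by browsers and can be forged by Postman or curl, so it is
    # not an access control. It only drives CORS: a page on https://test.com
    # gets to read the API response when this header is returned, while other
    # origins are blocked by the browser itself. (Assumed, not from the thread.)
    http-request set-var(txn.origin) req.hdr(origin)
    http-response set-header Access-Control-Allow-Origin %[var(txn.origin)] if { var(txn.origin) -m str -i https://test.com }
    http-response set-header Vary Origin if { var(txn.origin) -m str -i https://test.com }

    use_backend example_server if host_api

backend example_server
    mode http
    server server1 127.0.0.1:8084 check
```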