Little bit of help on tcp-request content reject

Hi,
I’m using a simple HAProxy configuration that allows me to have a single external IP and redirect multiple HTTPS connections internally depending on the hostname used by the client. It has worked well for years. I just tested adding a new external hostname to my DNS and realized that my HAProxy is forwarding the connection, even though nothing has been created in the config for it.

Here is snippet of my config:

frontend fe_global
    bind :443
    mode tcp
    option tcplog
    # match on the SNI hostname in the TLS ClientHello (case-insensitive)
    acl server1 req.ssl_sni -i server1.mydomain.com
    acl server2 req.ssl_sni -i server2.mydomain.com
    tcp-request inspect-delay 2s
    tcp-request content reject if !server1 !server2
    use_backend be_server1 if server1
    use_backend be_server2 if server2

backend be_server1
    balance source
    mode tcp
    log global
    server server1 1.2.3.4:443 check sni req.ssl_sni

backend be_server2
    balance source
    mode tcp
    log global
    server server2 1.2.3.5:443 check sni req.ssl_sni

My thought was that the statement “tcp-request content reject if !server1 !server2” would have blocked anything coming in using another hostname not in the config (and I’m pretty sure it used to work!), but that doesn’t seem to be the case.

Tried server3.mydomain.com and it ended up connecting to the same backend as server2. In the log, I had this:
Jul 18 10:51:59 hostname haproxy[5469]: w.x.y.z:46656 [18/Jul/2022:10:51:59.206] fe_global fe_global/ -1/-1/8 0 PR 3/3/0/0/0 0/0

I guess I am missing something somewhere?
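To make the routing logic in the posted frontend concrete, here is an added worked example (my own code, not from the original post and not HAProxy's implementation): a minimal parser for the server_name extension of a TLS ClientHello, which is the field HAProxy's req.ssl_sni fetch reads, plus a decide() function that applies the three rules from the config (route to be_server1, route to be_server2, otherwise reject). The BACKENDS table, the NeedMoreData exception and the build_client_hello() helper are my own names; the ClientHello bytes are constructed inline for the demo. The example also covers the case the inspect-delay exists for: when the ClientHello has not been fully buffered yet, the SNI cannot be read and the decision has to wait rather than fall through to a match or a reject.

```python
import struct
from typing import Optional

# Hostname -> backend mapping from the posted frontend (lower-cased, matching the -i flag).
BACKENDS = {
    "server1.mydomain.com": "be_server1",
    "server2.mydomain.com": "be_server2",
}


class NeedMoreData(Exception):
    """The buffered bytes do not yet contain a complete ClientHello."""


def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a TLS ClientHello record.

    Returns None when the ClientHello is complete but carries no SNI,
    raises NeedMoreData when the record/handshake is only partially buffered,
    and raises ValueError when the bytes are not a TLS handshake record at all.
    """
    if len(data) < 5:
        raise NeedMoreData
    content_type, ver_major, _ver_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != 22 or ver_major != 3:      # 22 = handshake, major 3 = SSL3/TLS
        raise ValueError("not a TLS handshake record")
    if len(data) < 5 + rec_len:
        raise NeedMoreData
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 1:                  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    if len(hs) < 4 + hs_len:
        raise NeedMoreData
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                   # client_version + random
    sid_len = body[pos]; pos += 1 + sid_len        # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len          # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        ext = body[pos:pos + ext_len]; pos += ext_len
        if ext_type == 0:                          # server_name extension
            p = 2                                  # skip ServerNameList length
            while p + 3 <= len(ext):
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:                 # host_name
                    return ext[p:p + name_len].decode("ascii")
                p += name_len
    return None


def decide(data: bytes) -> str:
    """Apply the posted rules: known SNI -> backend name, anything else -> 'reject'.

    'wait' means the frontend has not seen a full ClientHello yet and must keep
    buffering (this is what tcp-request inspect-delay gives it time to do).
    """
    try:
        sni = extract_sni(data)
    except NeedMoreData:
        return "wait"
    except ValueError:
        return "reject"                            # non-TLS data: no SNI, so !server1 !server2 holds
    if sni is None:
        return "reject"
    return BACKENDS.get(sni.lower(), "reject")


def build_client_hello(host: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input built for this demo)."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 + host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(sni_list)) + sni_list      # extension type 0
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"   # version, random, empty session id
            + b"\x00\x02\xc0\x2f"                   # one cipher suite
            + b"\x01\x00"                           # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for label, data in [
        ("server1", build_client_hello("server1.mydomain.com")),
        ("SERVER2 (upper-case)", build_client_hello("SERVER2.mydomain.com")),
        ("server3 (not configured)", build_client_hello("server3.mydomain.com")),
        ("no SNI at all", build_client_hello(None)),
        ("truncated ClientHello", build_client_hello("server1.mydomain.com")[:20]),
        ("plain HTTP", b"GET / HTTP/1.1\r\nHost: server3.mydomain.com\r\n\r\n"),
    ]:
        print(f"{label:28s} -> {decide(data)}")
```

When reproducing the behaviour from the post, send each hostname on a fresh TLS handshake rather than through a browser that may already hold an open connection, for example with `openssl s_client -connect <external-ip>:443 -servername server3.mydomain.com`; a rejected handshake shows up in the HAProxy log with the PR termination state, as in the log line above, while a routed one names the backend instead of `fe_global/<NOSRV>`.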