Match against req.ssl_sni AND dst_port

use_backend _recir_test if { req.ssl_sni -i } { dst_port 443 }
use_backend _recir_test1 if { req.ssl_sni -i } { dst_port 8443 }

Why is this not working? It looks like the AND condition on the port is matched against something that does not exist, and I am redirected to some later configured 443 backend.
If I remove the { dst_port 443 }, I am getting the correct backend, but of course never the test1

It has been asked before, but not really answered.


Some clients may add port numbers to the SNI value.

So could have a SNI value of instead of

I suggest you check what SNI value your test client is actually sending.

I seem to have some results (and errors in multiple sections), can it be that such redirects are not updated when reloading? After I changed gw to gtw. I seem to have better results.

    177 backend _recir_gtw
    178   server loopback-for-tls abns@gtw

Next to this I also have still some acl that is blocking, while I am definitely having the correct ip configured.

    296   acl net_office src x.x.x.x
    297   #http-request silent-drop if !net_office
    298   http-request deny if !net_office

I should be able to create as many net_office acl’s as I like not?

A reload means that the old process is not killed. If the old process continues the serve requests there may be unwanted interaction between the old and the new process. Abstract namespace sockets although very convenient is not very widely used, so there maybe caveats.


It looks like that when I add to “server loopback-for-tls” the “send-proxy-v2” it starts to work. I think this backend I am using is not supporting the protocol so I thought I could leave it out.