The first thing you need to fix is the req.ssl_sni ACL. It cannot reliably work without waiting for the client hello:
As per
this should be:
# Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
use_backend %[req.ssl_sni,lower,map(/etc/haproxy/maps/hosts.map,webservers)]
Regarding the performance issue: this likely comes from the lack of a global maxconn setting or too low maxconn server settings.
If you have a frontend with maxconn 5000 and another total 5000 of maxconn on the server lines, you need at least a global maxconn 10000.
global
maxconn 10000
So you need to consider all 3:
- global maxconn (per process maxconn counting both frontend and backend connections)
- frontend maxconn
- per server maxconn
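As an added example that is not part of the original answer, the script below lints a HAProxy configuration for the two problems discussed above: a frontend that routes on req.ssl_sni without first waiting for the client hello (tcp-request inspect-delay plus the req.ssl_hello_type check), and a global maxconn that is lower than the sum of the frontend maxconn values and the per-server maxconn values. The embedded config is constructed for the example and is not anyone's real configuration; the parser is deliberately simple (section keywords at line start, one maxconn directive per section) and is not HAProxy's own parser.

```python
"""Lint a HAProxy config for the two issues from the thread (example code,
not HAProxy tooling): req.ssl_sni used without waiting for the client hello,
and a global maxconn below the frontend + per-server maxconn total."""
import re

# Constructed sample config: single process, frontend maxconn 5000 and two
# servers at maxconn 2500 each, but only 4000 in global (too low).
SAMPLE_CFG = """
global
    maxconn 4000

defaults
    mode tcp
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend ft_https
    bind *:443
    maxconn 5000
    use_backend %[req.ssl_sni,lower,map(/etc/haproxy/maps/hosts.map,webservers)]

backend webservers
    server web1 10.0.0.11:443 maxconn 2500
    server web2 10.0.0.12:443 maxconn 2500
"""

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")


def parse_sections(text):
    """Split the config into (kind, name, [directive lines]) tuples.
    Comments and blank lines are dropped; indentation is ignored."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] in SECTION_KEYWORDS:
            current = (parts[0], parts[1] if len(parts) > 1 else "", [])
            sections.append(current)
        elif current is not None:
            current[2].append(line)
    return sections


def check_sni_inspect(sections):
    """Names of frontend/listen sections that use req.ssl_sni without both a
    tcp-request inspect-delay and a req.ssl_hello_type accept rule."""
    bad = []
    for kind, name, lines in sections:
        if kind not in ("frontend", "listen"):
            continue
        uses_sni = any("req.ssl_sni" in line for line in lines)
        has_delay = any(line.startswith("tcp-request inspect-delay") for line in lines)
        has_hello = any("req.ssl_hello_type" in line for line in lines)
        if uses_sni and not (has_delay and has_hello):
            bad.append(name)
    return bad


def section_maxconn(lines):
    """Standalone 'maxconn N' directive of a section, or 0 if absent."""
    for line in lines:
        m = re.match(r"maxconn\s+(\d+)", line)
        if m:
            return int(m.group(1))
    return 0


def check_maxconn(sections):
    """Return (global maxconn, required) where required is the sum of all
    frontend/listen maxconn values plus all per-server maxconn values."""
    global_mc = 0
    required = 0
    for kind, _name, lines in sections:
        if kind == "global":
            global_mc = section_maxconn(lines)
        if kind in ("frontend", "listen"):
            required += section_maxconn(lines)
        if kind in ("backend", "listen"):
            for line in lines:
                if line.startswith("server "):
                    m = re.search(r"\bmaxconn\s+(\d+)", line)
                    if m:
                        required += int(m.group(1))
    return global_mc, required


def lint(text):
    """Return a list of human-readable findings for the config text."""
    sections = parse_sections(text)
    findings = []
    for name in check_sni_inspect(sections):
        findings.append(
            f"{name}: req.ssl_sni used without tcp-request inspect-delay "
            f"and a req.ssl_hello_type accept rule")
    global_mc, required = check_maxconn(sections)
    if global_mc < required:
        findings.append(
            f"global maxconn {global_mc} is below the frontend + server total {required}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CFG):
        print(finding)
```

Run it against the sample and it reports both problems; adding the inspect-delay and hello-type lines to the frontend and raising global maxconn to 10000 clears them.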