Performance question: ssl_fc_sni vs map files

Hello to everyone,

I’m seeking advice on the most performant approach for routing SSL traffic based on SNI to hundreds of backends that are updated daily for security reasons, generating new backend names each time via the Data Plane API.

Currently I’m using a single frontend with use_backend %[ssl_fc_sni] to route traffic directly to backends named after their respective SNI values.

My configuration looks like this:

frontend ssl_frontend
    bind *:443
    mode tcp
    use_backend %[ssl_fc_sni]

backend example.com
    mode tcp
    server srv1 192.168.1.10:443 check

backend app2.example.com
    mode tcp
    server srv1 192.168.1.11:443 check

backend app1.example.com
    mode tcp
    server srv1 192.168.1.12:443 check

# ... hundreds more backends

HAProxy Version: 3.0.6

This approach works well functionally, but I’m wondering about performance implications at scale.
I’m considering whether using a map file to translate SNI values to backend names would be more efficient, using Lua scripting for custom routing logic, or if there are other recommended high-performance solutions for this use case.
Maintainability is important alongside performance.

Is there a significant performance difference between direct SNI routing and map files for this scale?

Any insights on performance and recommended approaches for large-scale SNI routing would be greatly appreciated.

Thanks in advance!

Both direct statements and map files will work just fine performance-wise.
The more common deployment in such a case is certainly a map file, and that is what I’d suggest you use.

Map files are designed to work with tens or hundreds of thousands of entries, if not millions.

Don’t use Lua for requirements that can easily be solved with basic haproxy features. Don’t reinvent the wheel.

Thanks for your response.

I should have mentioned that server IPs also change daily along with backend names.

Given this, would you still recommend map files?

With direct statements using use_backend %[ssl_fc_sni], I can update everything in one place via the Data Plane API. Using map files would require maintaining both the map file and the backend definitions separately - essentially two moving parts instead of one.

It seems like direct statements would be better for my use case. What do you think?

If you prefer direct statements that’s fine, I don’t think you will have performance issues, especially if you only have a few hundred statements.
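
An added example (not written by any poster in this thread and not HAProxy project code) for the "two moving parts" concern raised above: a Python check, run after each daily update, that cross-references a map file against the backend sections of the configuration and reports mismatches. The backend names, map path, the `,lower` converter in the assumed frontend rule and all sample data are constructed for illustration.

```python
import re

# Constructed sample data: backend names, map path and addresses are assumptions.
# Frontend rule assumed: use_backend %[ssl_fc_sni,lower,map(/etc/haproxy/sni.map)]
SAMPLE_CFG = """\
backend be_example_20240101
    mode tcp
    server srv1 192.168.1.10:443 check

backend be_stats_internal
    mode tcp
    server srv1 127.0.0.1:8404
"""
SAMPLE_MAP = """\
# SNI key         backend name
example.com       be_example_20240101
app1.example.com  be_app1_20231231
Example.com       be_example_20240101
"""

def parse_backends(cfg_text):
    """Names of every 'backend' and 'listen' section in the configuration."""
    return set(re.findall(r"^[ \t]*(?:backend|listen)[ \t]+(\S+)", cfg_text, re.M))

def parse_map(map_text):
    """Yield (line_no, key, value) per map entry; '#' lines are comments."""
    for no, line in enumerate(map_text.splitlines(), 1):
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            yield no, parts[0], parts[1].strip()

def check(cfg_text, map_text):
    """Cross-check map entries against the backends that actually exist."""
    backends, seen, targets = parse_backends(cfg_text), set(), set()
    report = {"dangling": [], "duplicate": [], "not_lowercase": []}
    for no, key, value in parse_map(map_text):
        if key != key.lower():     # can never match once ',lower' is applied
            report["not_lowercase"].append((no, key))
        if key.lower() in seen:    # same SNI listed more than once
            report["duplicate"].append((no, key))
        seen.add(key.lower())
        targets.add(value)
        if value not in backends:  # entry names a backend that does not exist
            report["dangling"].append((no, key, value))
    report["unrouted"] = sorted(backends - targets)
    return report

if __name__ == "__main__":
    print(check(SAMPLE_CFG, SAMPLE_MAP))
```

The `unrouted` list shows which backends the map does not expose to SNI-based selection; with `use_backend %[ssl_fc_sni]`, any backend whose name equals the SNI sent by the client is selectable.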