Routing based on certificate name/alias

Yenya · March 16, 2026, 4:30pm

Hi all,

is it possible to use conditional rules/routing based on which certificate was actually used in this connection?

Let’s say I have a bunch of certificates, each certificate with more than one subjectAltName (e.g. one certificate for example.org and www.example.org, and another one for example.com and examp.le). I don’t want to repeat all these alt names in haproxy config once more in the following style:

crt-store
        load crt "example.com-key-cert.pem" ocsp-update on alias "example_com"
        load crt "example.org-key-cert.pem" ocsp-update on alias "example_org"

frontend fe
        bind *:443 ssl default_crt "@/example_com" crt "@/example_org"
        use_backend example_org if { req.ssl_sni -i "example.org" }
        use_backend example_org if { req.ssl_sni -i "www.example.org" }
        use_backend example_com if { req.ssl_sni -i "example.com" }
        use_backend example_com if { req.ssl_sni -i "examp.le" }

Is it possible to do this with only two use_backend statements which would query the certificate alias (@/...) from the crt-store section instead of every subjectAltName of all certificates?

Thanks!

-Yenya

lukastribus · March 17, 2026, 10:33pm

Perhaps ssl_f_s_dn(CN) :

However this will break when Common Names vanish completely, which is already “NOT RECOMMENDED” and is already gone from LE profiles tlsserver and shortlived.

Perhaps it would be better to match the domain generically, for example with -m dom (just matching the root domain name.

Please use the host header hdr(host) instead of req.ssl_sni, the latter can be confusing.

So for example:

use_backend example_org if { hdr(host) -m dom -i "example.org" }

Yenya · March 18, 2026, 7:45am

@lukastribus:

In the above example, I used ssl_fc_sni instead of req.ssl_sni, which probably works only in mode tcp and not mode http.
ok, ssl_f_s_dn is close to what I am looking for, thanks. I did not know about CommonName being deprecated, though. Interesting.
the Host: header can work, but it still requires repeating all the host names in the configuration (or to use a map). Does the hdr(host) directive work even for HTTP/1.0 requests with full URL (i.e. GET https://examp.le/file.txt HTTP/1.0 without the Host: header)?
as for the Don’t Repeat Yourself principle – it seems that haproxy can use all certificates from a given directory using the bind ... crt that_directory/ directive. Is it possible to use all certificates from the crt-store section the same way? I tried things like crt "@/*", but this does not work, and I did not find something like that in the docs.

Thanks!

-Yenya

lukastribus · March 18, 2026, 12:09pm

It works in HTTP mode too, but it is very wrong to use it, because it makes you think you are accessing the domain that is in the browser address bar, when this is not really the case. That is why you should always use the Host header instead. The documentation explains why: if you certificate matches more than one domain (via SAN or wildcards), you just get the domain name that was used during the TLS handshake, and not what the actual request is for.

The -m dom domain match should make sure that a request against www3.example.org matches a pattern of example.org. Isn’t that what you wanted?

If you just want one use_backend rule in your configuration, then you can use dynamic backend selection accessing whatever strings you like, rewriting them before matching, etc. You can even use LUA scripting.

For example to remove www:

use_backend %[hdr(host),lower,regsub('www.', '')]

If a client doesn’t send a Host header, anything based on the Host header will not work, but the same goes for SNI: if the client doesn’t send SNI, you cannot content switch based on it.

A HTTP/1.0 client likely doesn’t send SNI, so either way you cannot use any content switching rules.

lukastribus · March 18, 2026, 12:28pm

For example, the following would extract only the base domain (example.org) from the Host header, and use that:

use_backend %[hdr(host),host_only,lower,field(-1,'.',2)]

Yenya · March 19, 2026, 6:45am

Thanks for the configuration hints, I will definitely use this somewhere. But in this particular case, consider the example.com and examp.le pair from the first post, which are not in a domain-subdomain relation. Yes, I have certificates/hostname sets which I want to handle in the same way, but which do not have a similar domain name. This is why I wanted to do the configuration per certificate subjectAltName list.

So, it is at least possible to use bind for all the certificates in crt-store somehow?

lukastribus · March 19, 2026, 8:11am

It is not possible, no.

crt-store and crt-list are designed for people that want to specify and configure every single certificate, that doesn’t seem to be your case at all.

What is blocking you from simply pointing crt to a directory?

Yenya · March 19, 2026, 10:22am

I have a directory for certificates, but there are many more unrelated certificates (used by other Haproxy instances, for example).

My current solution is to generate this part of the Haproxy config (crt-store, bind directive, and crt/host/whatever to backend mapping) using ansible/jinja2 template. So I am OK now, I just wonder whether there is more simple or shorter solution.

Thanks!

-Yenya

kaspergrubbe · April 1, 2026, 6:30pm

Hi Lukas,

The subject in this thread matches a setup I am trying to build, perhaps I can bring some perspective and a use-case to this request.

The ideal setup is a bit like this:

global 
  crt-store static_certs 
    load crt /usr/local/etc/haproxy/certs/ 

  crt-store dynamic_certs 
    load crt /usr/local/etc/haproxy/dynamic-certs/ 

bind *:8889 
  accept-proxy ssl crt @static_certs crt @dynamic_certs alpn h2,http/1.1

  acl host_legrub_net hdr(host) -m str -i legrub.net www.legrub.net
  acl host_dynamic_cert hdr(host) -i "@dynamic_certs/*"

  use_backend be_legrub_net if host_legrub_net
  use_backend be_dynamic_customer if host_dynamic_cert

The use-case is that I have some static certs, and then I have a directory of my customers certificates which I want to go to a specific backend.

It feels like Haproxy should know about the SANs in the parsed crt-store already, or know which crt-store was used for a request, and that I should be able to use a rule for routing.

Someone recommended me to use a list of domains like so:

acl host_dynamic_cert hdr(host) -f /usr/local/etc/haproxy/dynamic-certs/domain-list.txt
use_backend be_dynamic_customer if host_dynamic_cert

Which is also doable, but it could be one less moving part to worry about

Edit: I’ve added a feature request for this here: ACL-matching based on source `crt-store` for routing · Issue #3318 · haproxy/haproxy · GitHub

lukastribus · April 1, 2026, 7:08pm

I would suggest you file a feature request at:

lukastribus · April 2, 2026, 7:45am

@Yenya you should probably add your use case as well:

github.com/haproxy/haproxy

ACL-matching based on source `crt-store` for routing

opened 10:44PM - 01 Apr 26 UTC

kaspergrubbe

type: feature

### Your Feature Request Hello 👋 ! I'd like to have the ability to match which… `crt-store` was used to serve a TLS connection, so that it can be referenced in ACL rules for traffic routing decisions. Currently, when multiple `crt-store` blocks are defined (e.g. one for static certificates and one for dynamically provisioned customer certificates), there is no built-in way to route traffic based on which store served the certificate for a given request. HAProxy already parses the certificates in each store (including their SANs), so it would be natural to expose either: 1. A fetch/sample that returns the name of the `crt-store` used for the current connection, allowing ACLs like: `acl host_dynamic_cert ssl_fc_crt_store dynamic_certs` 2. Or alternatively, a way to match the SNI/host against the SANs of all certificates within a named `crt-store`, like: `acl host_dynamic_cert hdr(host) -i "@dynamic_certs/*"` This would allow to do routing without requiring a separately maintained domain list file that must stay in sync with the certificates on disk. ### What are you trying to do? I want to serve TLS for two distinct groups of domains from a single bind: a set of static certificates for my own domains, and a directory of dynamically provisioned certificates for my customers. Depending on which group a request belongs to, I need to route it to a different backend. ``` global crt-store static_certs load crt /usr/local/etc/haproxy/certs/ crt-store dynamic_certs load crt /usr/local/etc/haproxy/dynamic-certs/ ``` After this feature is implemented, I would be able to define two `crt-store` blocks and write an ACL that routes traffic to `be_dynamic_customer`: ``` bind *:8889 accept-proxy ssl crt @static_certs crt @dynamic_certs alpn h2,http/1.1 acl host_dynamic_cert hdr(host) -i "@dynamic_certs/*" use_backend be_dynamic_customer if host_dynamic_cert ``` I've been suggested a workaround to keep a list of domains and do this: ``` acl host_dynamic_cert hdr(host) -f /usr/local/etc/haproxy/dynamic-certs/domain-list.txt use_backend be_dynamic_customer if host_dynamic_cert ``` ### Output of `haproxy -vv` ```plain haproxy -vv HAProxy version 3.3.6-1c05c79a5 2026/03/19 - https://haproxy.org/ Status: stable branch - will stop receiving fixes around Q1 2027. Known bugs: http://www.haproxy.org/bugs/bugs-3.3.6.html Running on: Darwin 25.3.0 Darwin Kernel Version 25.3.0: Wed Jan 28 20:51:28 PST 2026; root:xnu-12377.91.3~2/RELEASE_ARM64_T6041 arm64 Build options : TARGET = osx CC = cc CFLAGS = -O2 -g -fwrapv OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_PROMEX=1 USE_PCRE2=1 USE_PCRE2_JIT=1 DEBUG = Feature list : -51DEGREES -ACCEPT4 -BACKTRACE -CLOSEFROM +CPU_AFFINITY -CRYPT_H -DEVICEATLAS -DL -ECH -ENGINE -EPOLL -EVPORTS +GETADDRINFO +KQUEUE -KTLS -LIBATOMIC +LIBCRYPT -LINUX_CAP -LINUX_SPLICE -LINUX_TPROXY -LUA -MATH -MEMORY_PROFILING -NETFILTER -NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_AWSLC -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL -PRCTL -PROCCTL +PROMEX -PTHREAD_EMULATION -QUIC -QUIC_OPENSSL_COMPAT -RT -SHM_OPEN -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 -TFO +THREAD -THREAD_DUMP +TPROXY -WURFL +ZLIB +ACME Default settings : bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 Built with multi-threading support (MAX_TGROUPS=32, MAX_THREADS=1024, default=12). Built with SSL library version : OpenSSL 3.6.1 27 Jan 2026 Running on SSL library version : OpenSSL 3.6.1 27 Jan 2026 SSL library supports TLS extensions : yes SSL library supports SNI : yes SSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3 OpenSSL providers loaded : default Built with the Prometheus exporter as a service Built with zlib version : 1.2.12 Running on zlib version : 1.2.12 Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip") Built with transparent proxy support using: Built with PCRE2 version : 10.47 2025-10-21 PCRE2 library supports JIT : yes Encrypted password support via crypt(3): yes Built with clang compiler version 17.0.0 (clang-1700.6.4.2) Available polling systems : kqueue : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use kqueue. Available multiplexer protocols : (protocols marked as <default> cannot be specified using 'proto' keyword) h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG <default> : mode=HTTP side=FE|BE mux=H1 flags=HTX fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG spop : mode=SPOP side=BE mux=SPOP flags=HOL_RISK|NO_UPG <default> : mode=SPOP side=BE mux=SPOP flags=HOL_RISK|NO_UPG none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG <default> : mode=TCP side=FE|BE mux=PASS flags= Available services : prometheus-exporter Available filters : [BWLIM] bwlim-in [BWLIM] bwlim-out [CACHE] cache [COMP] compression [FCGI] fcgi-app [SPOE] spoe [TRACE] trace ```

Yenya · April 2, 2026, 8:34am

My use case added. Thanks!

Topic		Replies	Views
Certificate selection - multiple certificates with overlapping domains in SAN Help!	5	616	May 19, 2024
How to deliver certificate randomly to browser, according to the backend IP/server picked by HAProxy? Help!	7	675	April 6, 2021
Can we set one haproxy to deal with multi domains requests ？ Help!	2	388	June 20, 2023
SNI routing to servers - only ever sent to first server Help!	3	3896	May 26, 2017
Match server based on correct certificate? Help!	7	350	April 25, 2023

Routing based on certificate name/alias

Related topics