Routing based on certificate name/alias

Yenya · March 16, 2026, 4:30pm

Hi all,

is it possible to use conditional rules/routing based on which certificate was actually used in this connection?

Let’s say I have a bunch of certificates, each certificate with more than one subjectAltName (e.g. one certificate for example.org and www.example.org, and another one for example.com and examp.le). I don’t want to repeat all these alt names in haproxy config once more in the following style:

crt-store
        load crt "example.com-key-cert.pem" ocsp-update on alias "example_com"
        load crt "example.org-key-cert.pem" ocsp-update on alias "example_org"

frontend fe
        bind *:443 ssl default_crt "@/example_com" crt "@/example_org"
        use_backend example_org if { req.ssl_sni -i "example.org" }
        use_backend example_org if { req.ssl_sni -i "www.example.org" }
        use_backend example_com if { req.ssl_sni -i "example.com" }
        use_backend example_com if { req.ssl_sni -i "examp.le" }

Is it possible to do this with only two use_backend statements which would query the certificate alias (@/...) from the crt-store section instead of every subjectAltName of all certificates?

Thanks!

-Yenya

Topic		Replies	Views
Match server based on correct certificate? Help!	7	348	April 25, 2023
Certificate selection - multiple certificates with overlapping domains in SAN Help!	5	603	May 19, 2024
How to deliver certificate randomly to browser, according to the backend IP/server picked by HAProxy? Help!	7	675	April 6, 2021
Restrict access to some part of the site with certificate Help!	3	1757	March 11, 2020
Check Certificate in Backend possible Help!	4	1251	June 22, 2017

Routing based on certificate name/alias

Related topics