Send-proxy-v2 / send-proxy-v2-ssl with SNI


I’m trying to setup the following configuration:

client → (SSL + SNI) → HAProxy → (SSL + retain original SNI + proxy protocol) → backend service

I’ve tried with the following configuration:

frontend haproxy
    bind strict-sni ssl crt server.pem
    mode tcp
    use_backend mybackend

backend mybackend
    mode tcp
    server atlasproxy_server snihostname:9001 ssl ca-file ca.pem check-sni snihostname sni str(snihostname) send-proxy-v2-ssl check 

Client connections fail as HAProxy isn’t passing through the SNI to the backend.
If I omit the send-proxy-v2-ssl option, SNI is sent, but then I’m not getting the proxy protocol header on the backend.
How can I set up such configuration?


What’s the backend, how is it configured, and does it support the proxy protocol, version 1 and/or version 2.

You don’t need the proxy protocol to pass the SNI value. You can use SNI to pass the SNI value. I assume you need the proxy protocol for the original IP address, in this case, proxy protocol version 1 is enough, which is more likely supported by your backend server.

1 Like

Thanks! This ended up being a bug in the backend.

1 Like