HAProxy community

SNI works sometimes, sometimes it is broken


We have the following setup:

Client -> haproxy -> multiple servers running nginx (different certs)

Which in some cases works and in some it does not. I was tracing via tcpdump and sometimes the client doesn't send the server name in the hello packet. Testing with Chrome and Firefox.

The config is derived from this example:

# Adjust the timeout to your needs
# (defaults section header assumed; the post shows only the timeout lines)
defaults
    timeout client  30s
    timeout server  30s
    timeout connect 5s

# Single VIP
frontend ft_ssl_vip
    # bind line omitted in the post, e.g. bind <vip-address>:443
    mode tcp

    # wait up to 5s for the ClientHello before routing on its contents
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    default_backend bk_ssl_default

# Using SNI to take routing decision
backend bk_ssl_default
    mode tcp

    acl application_1 req_ssl_sni -i application1.domain.com
    acl application_2 req_ssl_sni -i application2.domain.com

    use-server server1 if application_1
    use-server server2 if application_2
    use-server server3 if !application_1 !application_2

    option ssl-hello-chk
    # server addresses omitted in the post, e.g. server server1 <ip>:443 check
    server server1 check
    server server2 check
    server server3 check

Maybe the example is outdated?

haproxy -v
HA-Proxy version 1.6.6 2016/06/26
Copyright 2000-2016 Willy Tarreau willy@haproxy.org


I’m not sure what you are saying. You concluded that the browsers sometimes don’t send SNI, so the configuration doesn’t work.

What exactly is your question?