We have the following setup:
Client -> haproxy -> multiple servers running nginx (different certs)
This works in some cases and not in others. I was tracing via tcpdump and sometimes the client doesn't send the server name in the hello packet. Testing with Chrome and Firefox.
The config is derived from this example:
(http://blog.haproxy.com/2012/04/13/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/)
```
# Adjust the timeout to your needs
defaults
    timeout client 30s
    timeout server 30s
    timeout connect 5s

# Single VIP
frontend ft_ssl_vip
    bind 10.0.0.10:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend bk_ssl_default

# Using SNI to take routing decision
backend bk_ssl_default
    mode tcp
    acl application_1 req_ssl_sni -i application1.domain.com
    acl application_2 req_ssl_sni -i application2.domain.com
    use-server server1 if application_1
    use-server server2 if application_2
    use-server server3 if !application_1 !application_2
    option ssl-hello-chk
    server server1 10.0.0.11:443 check
    server server2 10.0.0.12:443 check
    server server3 10.0.0.13:443 check
```
Maybe the example is outdated?
```
$ haproxy -v
HA-Proxy version 1.6.6 2016/06/26
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>
```
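To see exactly what `req_ssl_sni` has to work with when you look at a capture, here is an added example (my own code, not from the haproxy blog post or the config above) that pulls the server_name extension out of a raw TLS ClientHello record and applies the same routing decision as the backend ACLs, falling back to server3 when no SNI is present. The ClientHello bytes are constructed by the script rather than taken from a real capture; the host names and server names are the ones in the config.

```python
import struct

# Routing table mirroring the backend ACLs (req_ssl_sni -i is case-insensitive)
ROUTES = {"application1.domain.com": "server1", "application2.domain.com": "server2"}

def parse_sni(record: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None.

    Like haproxy's req_ssl_hello_type / req_ssl_sni fetches, this expects a
    Handshake record (type 22) carrying a ClientHello (handshake type 1). The
    server_name extension (type 0) is optional, so None is a valid outcome."""
    if len(record) < 5 or record[0] != 22:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 1:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    pos += 1 + hello[pos]                          # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                          # compression_methods
    if pos + 2 > len(hello):
        return None                                # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:   # host_name entry
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace")
    return None

def pick_server(record: bytes) -> str:
    """Same decision as the use-server lines: unknown or missing SNI -> server3."""
    sni = parse_sni(record)
    return ROUTES.get(sni.lower(), "server3") if sni else "server3"

def build_client_hello(sni=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello (test data, not a real capture)."""
    exts = b""
    if sni is not None:
        host = sni.encode()
        name = b"\x00" + struct.pack("!H", len(host)) + host
        lst = struct.pack("!H", len(name)) + name
        exts = struct.pack("!HH", 0, len(lst)) + lst
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"     # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"       # one cipher suite, null compression
            + (struct.pack("!H", len(exts)) + exts if exts else b""))
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Running the parser over the first client record of each tcpdump flow (for example with scapy or a pcap reader) shows which connections arrive without SNI and therefore land on server3.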