Ssl_fc_sni rule not working as expected

Help!
1

I have the following config:

...
frontend https_frontend
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1

    use_backend backend_one if { ssl_fc_sni one.website.com }
    use_backend backend_two if { ssl_fc_sni two.website.com }
    use_backend backend_three if { ssl_fc_sni three.website.com }

    default_backend not_found_backend

backend backend_one
    server one localhost:7880 check
backend backend_two
    server two localhost:5349 check
backend backend_three
    server three localhost:3200 check
backend not_found_backend
    http-request deny status 404

Full config file: haproxy - Pastebin.com

When I call one.website.com it should have redirected me to backend_one/one. But instead I am seeing it go to backend_three/three.

Logs

https_frontend~ backend_three/three 0/0/0/2/2 404 263 - - ---- 2/2/0/0/0 0/0 "HEAD https://one.website.com/ HTTP/2.0" hdrs:"host: one.website.com
2

As mentioned in the docs, never use ssl_fc_sni when you already run in HTTP mode, simple use req.hdr(host).

CAUTION! Except under very specific conditions, it is normally not correct to use this field as a substitute for the HTTP “Host” header field. For example, when forwarding an HTTPS connection to a server, the SNI field must be set from the HTTP Host header field using “req.hdr(host)” and not from the front SNI value. The reason is that SNI is solely used to select the certificate the server side will present, and that clients are then allowed to send requests with different Host values as long as they match the names in the certificate. As such, “ssl_fc_sni” should normally not be used as an argument to the “sni” server keyword, unless the backend works in TCP mode.